Disaster recovery is the process that ensures a company can restore its operations after an interruption caused by an uncommon and damaging event. The best a company can do is to prepare for it through a strong recovery plan, so that it can be ready to face the consequences when a disaster happens.

In a previous article we saw basic definitions and concepts of business continuity and disaster recovery that the 8th CISSP domain is about. In this article, we will explore what one needs to know about disaster recovery plan development for the CISSP and what is in a disaster recovery plan, but before, let’s have an overview of what a recovery plan should have.

What Is a Recovery Plan and What Does It Contain?

Recovery plans, also known as business recovery plans (BRPs), business continuity plans, or business contingency plans (BCPs), are the plans used by a business to maintain or bring back to normal a function or functions lost due to an unscheduled event. Every business unit or department, as well as the business as a whole, should have its own recovery plan, but all the plans should be in accordance with one another. For instance, the IT department refers to the BRP plan first to reactivate its operations and activate the IT continuity plan. Similarly, the BRP gives information to other severely affected department s so that they can activate their own recovery plans.

In general, a recovery plan should include, but is not limited to, the organizational unit and its scope and the link of the plan to other plans, roles, and responsibilities, thoroughly for contact persons in crisis situations, incident assessment procedures, emergency room contact person, invocation and escalation information, business continuity action plan, recovery profile for each endangered activity, logistics information (equipment, maps and directions), communication matrix, and recovery completion procedure.

As a part of the BRP, the disaster recovery plan (DRP) is a specific recovery plan that is concerned particularly with damaged or lost software, data, and/or hardware on one hand, and on overcoming the consequences of that on the other hand. It aims to minimize, as much as possible, potential functional damages caused by a disaster.

Disaster Recovery Plan Development

The DRP development is the first phase of the disaster recovery management cycle after the project initiation and risk impact assessment. It is an ongoing process of planning, developing, testing, and implementing procedures and processes to ensure that the organization can quickly restart its basic activity after an unplanned interruption due to a disaster. It has the same components as any recovery plan, but with a particular emphasis on the IT department, personnel, equipment, facilities, and function.

Disaster Recovery Plan Components
The DRP has many particularities and areas to focus on and that the CISSP certified professional should be aware of:

Emergency Response

Emergency response consists of the first actions undertaken immediately after the disaster.

Nothing is more important than human life in such circumstances. that is why the first measures are to ensure personnel safety by providing first aid and looking for personnel; that should be followed byensuring everyone’s evacuation with the appropriate procedures, avoiding any risk to personnel and supplying the necessary basic needs such as food, water, blankets, etc.

After securing human life comes securing business assets. This includes not only infrastructure but also important logistics, such as vehicles and equipment, particularly IT equipment because of its cost and its necessity for business functions. At this stage, damage can be assessed by external engineers.

Then comes the emergency notification, the responsibility for which is assigned to the response team, which needs to keep the personnel calm and the management updated. Objectivity is the rule to keep in mind.

Personnel and Communications

Having the right person in the right place when a disaster occurs is crucial for the business in order to respond fast and effectively and minimize damages in its workflow. Identifying the right person implies knowing the characteristics of the company’s workers; for instance, it is better to select a person living relatively close to the workplace. A skilled, experienced, and a voluntary person would be also more useful in an emergency situation.

The DRP should be very comprehensive in describing the hierarchy of key personnel involved in disaster management, in each department and for the business as a whole, describing in detail the responsibilities of each person, how and when he/she can be contacted with any available phone number, and the communication channels, which should be diversified by using radios and satellite phones, for instance, they should be different from the ones usually used, just in case there is a service interruption. All personnel should be aware of the plan and prepared for any unplanned event that may happen.

In addition to training (through simulations, for instance), good preparation relies on a well-informed DRP. For that, it may include contact information for any potential stakeholders who may be helpful or should be contacted in a disastrous situation. A hardware provider can supply urgent IT needs, a customer whose data security is threatened can be informed about that, and so forth.

It is also important to decide which person should be contacted if the supposed emergency contact person does not respond to the emergency call. It is important consequently to identify other team members to contact prior to the event of a disaster.

Assessment

Compared to the emergency response assessment, this step has the same principle except that it is more complete and detailed. It involves internal experts but also external ones, such as civil engineers to ensure that the building is safe.

The traditional way to assess damages qualitatively is the use of questionnaires that need to elicit information from top management as well as end users, whether on their own, by an interviewer, or in a debriefing meeting. This method makes it possible to categorize damages as being low, medium, high, or even critical. The quantitative assessment allows determination of a monetary value for losses and builds on the risk analysis performed before the disaster.

Backups/Offsite Storage

Data backup is the regular process through which business data are saved in hard copies (using tapes, CDs, etc.) or through cloud computing, so that if a disaster occurs and information is lost, it can be restored from what has been backed up.

For security reasons, businesses generally store the saved data in offsite rooms when they safeguard data through hard copies. For more security, businesses are advised to use more than one offsite storage, but cloud computing is even more secure since it is virtual, ensures the integrity of the data, and does not require an additional, distant location. Consequently, it is less costly, because it eliminates costs related to the offsite storage (additional personnel and equipment, transport, maintenance, integrity checks, etc.) and also the potential costs of data loss below the recovery point objective (RPO), which are caused by data integrity loss. Moreover, the cloud can more easily fulfil the business needs of RPO and recovery time objective (RTO); although, the smaller they are, the more costly they would be.

If the offsite storage will serve as the IT operations emergency location following a disaster, it should be well equipped with suitable ventilation and power supply.

External Communications

The business stakeholders should be notified about the state of the organization and the consequences that the unplanned event had on its operations. Any business’s official communication channel can be used: the official website, social networks, media, phone, etc.

Utilities

Utilities such as electricity, water, and gas often become unavailable in a disaster situation, and this inaccessibility should be managed by taking measures such as activating the generator to restore electric power, closing the building if it is on fire and water is not available or if the waste water system does not work anymore.

CISSP Training – Resources (InfoSec)

Logistics/supplies

The emergency team should think of providing the necessary logistics for personnel safety and comfort. They can be categorized as follows:

  • Vital human needs : food, water, blanket, camp beds and sanitation
  • Important technical equipment: tools and spare parts, waste bins, extinguishers, sprinklers, fire/smoke alarms
  • Information and communications: radios, satellite phones, and contact person information

The DRP should contain any information related to the logistics and their supply, whether they are available constantly in the business infrastructure, such as fire alarms, or they need to be available quickly in an emergency situation, with potential suppliers’ information for emergency care, food, and so forth. It is also important to specify quantities when possible; knowing how many camp beds are available will help to forecast the needs in the case of mass recruitment, for instance, and to update the DRP.

Recovery vs. Restoration

Recovery is an umbrella term covering all of the processes that help a business return to normal after a disaster, while restoration has two main dimensions: reparation and/or replacement of equipment, utilities, and business facilities. Restoration is the step following the assessment and prioritization of what needs to be restored first, based on the importance for the business functions in general and the IT operations in particular.

 Conclusion

Developing a comprehensive DRP and communicating it to the business/department personnel is a way to improve processes and a must to mature a business, reduce risk, and safeguard the business’s marketplace.

References

https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/bcm-resilience/bc-plan/business-recovery-plans

http://searchenterprisewan.techtarget.com/definition/disaster-recovery-plan

http://www.disasterrecovery.org/data-backup-and-disaster-recovery.html

http://www.inc.com/john-rampton/does-your-online-startup-have-a-disaster-recovery-plan-if-not-here-s-where-to-st.html

https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-strategies-processes-564

http://www.disasterrecovery.org/

http://www.slideshare.net/narudomr/business-continuity-disaster-recovery-planning-bcp-drp

http://www.computerweekly.com/feature/How-to-write-a-disaster-recovery-plan-and-define-disaster-recovery-strategies

https://www.qtsnet.com/stayinformed/White_Papers/10%20Steps%20to%20Implement%20a%20Disaster%20Recovery%20Plan%20-%20QTS%20White%20Paper.pdf

http://www.slideshare.net/jemtallon/cissp-week-24?qid=2f0900c9-3d69-446b-900c-cccd227ef070&v=&b=&from_search=3

http://www.pearsonitcertification.com/articles/article.aspx?p=1329710&seqNum=3

http://www.lucianolima.org/cissp-domain-business-continuity-and-disaster-recovery-planning/

http://scitechconnect.elsevier.com/wp-content/uploads/2013/09/Business-Continuity_Disaster-Recovery-Plan-Development.pdf

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

Earn your CISSP the first time with InfoSec Institute and pass your exam, GUARANTEED!

Section Guide

Ryan
Fahey

View more articles from Ryan