IT Disaster Recovery Plan and BCP
Credited to: Mr. Mamane
The IT DR is linked to the BCM, and the accountability lies with the Board of Directors. BCM should be the most important piece of the purpose and strategy of any organization. As such, it is owned by a Senior Manager of the organization. Business should not have RTOs nor RPOs. From the IT DR perspective, there are RTOs and RPOs. While operated by the IT organization, the IT DR should be owned by the owner of BCM. Business has MTD or MTO (Maximum Tolerable Downtime or Outage), and MTD is the outcome of the Business Impact Analysis (BIA). MTD = RTO + WRT. The WRT is the Work Recovery Time, which is the necessary time to recover from the data loss. As there is a loss of data from the last consistent back-up to the disaster, these data or some equivalent information should be reconstructed before resuming normal operations.
Credited to : Wilson
The IT DR is an important part of the BCP. Senior management is responsible for the BCP being effective and generally delegates to a Continuity Committee that is made up of the Continuity Manager, VP of Operations, IT VP, Information Security Manager, Risk Manager, and Internal Audit (as guest or seer). All together they harmoniously develop the BCP. But DR IT is developed in more detail by the IT Area, as is obvious.
During the development of the BCP, the BIA (Business Impact Analysis) and Risk Analysis must be developed. The BIA determines the critical processes, the technological infrastructure that supports them, the RPO, the RTO and the other variables that all of you mentioned, etc. This determines the recovery strategy, replication to an Alternate Site or Backup Copies.
At any given time, it is the Continuity Committee who verifies that the DR IT is effective, efficient and that the RPO and RTO are complied with by means of recovery tests for planned disasters.
Credited to : Nalin
100% that MTD or MTPD is determined during the BIA. It is the first time measurement that has to be set for a product, process or activity, before determining the RTO. I may state the ISO definition: "MTPD - the time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable." Thereafter, the RTO and RPO (if relevant) are determined collectively and consensus obtained. This is a MUST. Those values are then discussed with the IT management and finalised, after making adjustments if necessary.
As mentioned, this is the global best practice, adopted by ISO as well as BCI & DRII. As an implementer, reviewer, and auditor over the past two decades, I adhere to this approach and have had no issues at all.
--
IT DR is a subset of BCM. In the BC Plan development, the RTOs and RPOs are identified and Critical Business Processes are known; all the dependencies necessary to bring up those critical processes within the RTO should be in place. It should be tested and validated, including all technology and data/information requirements. This is the crux of your DR plan. Then you should identify strategies and plans to do the job, including who will do it.
So there is no need to again ask the business unit or incident co-ordinators to re-validate. However, I recommend you could invite some of them as observers when you do the BCM/DR testing and exercising.