DR Questions for Your Executive

By Ellen Koskinen-Dodgson

Often, IT Managers make all of the decisions about their IT disaster recovery strategy and disaster recovery site. We know many organizations where this is the case, and when disaster strikes, senior management is sometimes shocked to learn that the IT DR Plan didn’t deliver what they expected. Work with your Executive—ask them these questions to keep that from happening.

No Surprises

We recommend that you offer senior management a presentation of your current IT disaster recovery capabilities. Walk them through what would happen to your operations if you were cyberattacked or underwent a different disaster today.

Explain how different stakeholders would experience the disaster. Walk senior management through how you would discover the problem and the process that you would follow to get back up and running after the attack. Do this for both the best case, where your backups were clean, and the worst case, where they were unusable.

Even in the best case there would be a service outage, data loss and serious operational impact for all departments.

Identify the likelihood that your backups could be compromised and the process by which this could happen.

Let them digest what you’ve told them, then come back on another day to facilitate a DR strategy workshop.

DR Strategy Workshop

The goal of a strategy workshop is for senior management to gain a high-level understanding of IT risk mitigation and disaster recovery so that they can determine the balance between what they need and what they can afford.

As part of the discussion, include high-level tutorial material to help them understand:

· How cyber-criminals operate

· Why cyber-criminals succeed

· Risk mitigation techniques (disaster prevention) vs. disaster recovery (business resumption)

· Options for establishing and operating a DR site

· Elements of a range of cybersecurity programs with ballpark costs

Six Questions

Ask your senior management the following questions as part of the process to find that balance between protection and cost. These questions focus on the worst case of data corruption or loss.

1. Should we have categories of data that will have different levels of protection from cyberattack or other disaster? As the likely answer is yes, this will lead to a data classification project and a plan to provide different levels of protection.

2. What criteria should we use to assign data categories?

3. For the most important data, how many minutes of transactions are we willing to lose completely?

4. What level of protection should we offer to lower categories of data? For example, some categories of data must be privacy protected but change quite infrequently.

5. How long are we willing to be out of commission while we restore data for operational use? This might be at our current site in the case of a cyberattack or at a temporary offsite location in case of a fire or other disaster.

6. What level of DR site are they willing to fund?

This process will likely require a few iterative sessions.

If you’d like to explore these ideas further or comment on this article, contact me at [email protected].

This article is reproduced from the September 2023 edition of The TMC Advisor

tmcadvisor.com

Not bad Ellen -- As a bit of an intro. Sorry that we were unable to join the crew for your annual lunch event. B C Ferries tends to be a bit of a problem these days and we hope that Peter has found a way to minimize surprises. Just answering the request of one of your consultants to Link In. Always interested in expanding the circle. Best wishes for the holidays. TTFN ..... JohnG
