Transition from IT Disaster Recovery to?
Mark Schwedel
Operational Technology (OT) security focuses on protecting the systems and technologies that monitor and control physical processes and infrastructure, plus adding physical security.
What is IT Disaster Recovery (DR)?
Disaster recovery (DR) is an area of security planning that aims to protect an organization from the effects of significant negative events. DR allows an organization to maintain or quickly resume mission-critical functions following a disaster.
DR involves a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following an incident that prevents the use of that equipment/technology (e.g. network outage, power outage, natural disaster, chemical spill in area forcing shutdown of equipment and/or preventing you access to your, etc.).
DR's focus is on the speed of resuming the mission-critical functionality that operates the business functions and workloads on some sort of technology.
Moving on, Business Continuity Planning (BCP) is the process of creating systems of prevention and recovery to deal with potential threats to an organization's mission-critical functions. In addition to prevention, the goal is to permit ongoing operation before and during execution of disaster recovery. BCP is based on three important areas of focus:
- Prevention – Trying to incorporate effective defense methods with flawless compliance to effectively reduce risk. This is done through a Business Impact Analysis, in which the business identifies functions and related resources that are time-sensitive.
- Inquiry – Network forensics and metadata analysis open the door to complex solutions. Understand the threat and analyze all the opportunities. This means understanding when the loss of a function or process would impact mission-critical functions, ranging from a total outage to a performance impact.
- Recovery – Effective security mechanisms should be in place to prevent “migration” of the threat(s) to alternative sites. The business must identify and implement steps to recover mission-critical business functions.
Next we look at Continuity of Operations (COOP), an effort to ensure that mission-critical functions continue to be performed during a wide range of incidents/emergencies, including localized acts of nature, accidents and technological or attack-related emergencies.
The ultimate goal is the continuation of ESSENTIAL FUNCTIONS. This is especially needed when a function supports another program/process/procedure, or itself provides a function of necessity for basic needs like food, shelter, payments, etc. To achieve that goal, the objective for organizations is to identify their Essential Functions (EFs) and ensure that those functions can be continued throughout, or resumed rapidly after, a disruption of normal activities.
- DR is a plan, and its execution, for recovery once an event happens.
- BCP is a plan with some contingency built in to limit the outage from specific planned events, followed by recovery.
- COOP is a plan to provide continuous function through an event and recovery.
Where do your organization's obligations require you to design, build and practice?
Yes, a cost is associated with what you build and practice. The real question is: what does it cost when you don't provide those mission-critical functions? It is not the dollars and cents you lose during the outage. Did you lose a customer and its recurring revenue? Worst case, how was your customer impacted during the outage? What kind of burden are you putting on your customers by not providing this service? With governments, medical and utilities it is easier to identify the extreme LIFE value proposition of the effect.
It is important to review IT's relationship to the business. If a mission-critical function is not available, what happens to the life of the business? Will it survive? This is what each business needs to evaluate when:
- Limiting Scope and Priority for Continuous Operation
- The plans are not tested
- Flaws and Gaps are identified and never fixed
- Depending heavily on a few people or, worse, only 1 person able to provide services/function during outage/incident/event/fail-over/recovery
- Having Production and DR using the same limited resource
- Not filling open positions that affect an area that is a mission-critical function
And so much more.
This is a wake-up call: organizations rely heavily on technology. What happens to the life of your business if it is not there for 1 hour, 1 day, 1 week, 1 month? How long will the life of your business survive?
Why is this important to note today? This is being shuffled around, with no clear ownership, responsibility and appropriate authority to really address the organization's proper recovery actions.
The key to success is making sure the resources required to make this happen during a planned or unplanned event are in place, and not leaving it up to a technical guy doing recovery to decide priority, process or procedure after 12-plus hours of working next steps. The goal is to elevate this portion of the business to the proper level and not take shortcuts. You may be lucky and have had no events to date. Do not risk the life of the business. Plan, prepare, TEST, and know it will work, not just that it looks good on paper. Your business's life depends on it.