Security and disaster recovery planning is the process of creating a documented procedure that details the steps your business will take to protect company information and to recover from a catastrophic event. The Federal Department of Homeland Security provides useful analysis and resources for security and disaster recovery:
Businesses use information technology to quickly and effectively process information. Employees use electronic mail and Voice Over Internet Protocol (VOIP) telephone systems to communicate. Electronic data interchange (EDI) is used to transmit data including orders and payments from one company to another. Servers process information and store large amounts of data. Desktop computers, laptops and wireless devices are used by employees to create, process, manage and communicate information. What do you do when your information technology stops working?
An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.
Businesses large and small create and manage large volumes of electronic information or data. Much of that data is important. Some data is vital to the survival and continued operation of the business. The impact of data loss or corruption from hardware failure, human error, hacking or malware could be significant. A plan for data backup and restoration of electronic information is essential.
- Computer Security Resource Center – National Institute of Standards and Technology (NIST), Computer Security Division Special Publications
- Contingency Planning Guide for Federal Information Systems – NIST Special Publication 800-34 Rev. 1
- Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities – NIST Special Publication 800-84
- Building An Information Technology Security Awareness and Training Program – NIST Special Publication 800-50
- IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals – Information Systems Audit and Control Association
Recovery strategies should be developed for information technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity. Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis. IT resources required to support time-sensitive business functions and processes should also be identified. The recovery time for an IT resource should match the recovery time objective for the business function or process that depends on the IT resource.
Information technology systems require hardware, software, data and connectivity. Without one component of the “system,” the system may not run. Therefore, recovery strategies should be developed to anticipate the loss of one or more of the following system components:
- Computer room environment (secure computer room with climate control, conditioned and backup power supply, etc.)
- Hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals)
- Connectivity to a service provider (fiber, cable, wireless, etc.)
- Software applications (electronic data interchange, electronic mail, enterprise resource management, office productivity, etc.)
- Data and restoration
Some business applications cannot tolerate any downtime. They utilize dual data centers capable of handling all data processing needs, which run in parallel with data mirrored or synchronized between the two centers. This is a very expensive solution that only larger companies can afford. However, there are other solutions available for small to medium sized businesses with critical business applications and data to protect.
Internal Recovery Strategies
Many businesses have access to more than one facility. Hardware at an alternate facility can be configured to run similar hardware and software applications when needed. Assuming data is backed up off-site or data is mirrored between the two sites, data can be restored at the alternate site and processing can continue.
Vendor Supported Recovery Strategies
There are vendors that can provide “hot sites” for IT disaster recovery. These sites are fully configured data centers with commonly used hardware and software products. Subscribers may provide unique equipment or software either at the time of disaster or store it at the hot site ready for use.
Data streams, data security services and applications can be hosted and managed by vendors. This information can be accessed at the primary business site or any alternate site using a web browser. If an outage is detected at the client site by the vendor, the vendor automatically holds data until the client’s system is restored. These vendors can also provide data filtering and detection of malware threats, which enhance cyber security.
Developing an IT Disaster Recovery Plan
Businesses should develop an IT disaster recovery plan. It begins by compiling an inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. The plan should include a strategy to ensure that all critical information is backed up.
Identify critical software applications and data and the hardware required to run them. Using standardized hardware will help to replicate and reimage new hardware. Ensure that copies of program software are available to enable re-installation on replacement equipment. Prioritize hardware and software restoration.
Document the IT disaster recovery plan as part of the business continuity plan. Test the plan periodically to make sure that it works.
Businesses generate large amounts of data and data files are changing throughout the workday. Data can be lost, corrupted, compromised or stolen through hardware failure, human error, hacking and malware. Loss or corruption of data could result in significant business disruption.
Data backup and recovery should be an integral part of the business continuity plan and information technology disaster recovery plan. Developing a data backup strategy begins with identifying what data to backup, selecting and implementing hardware and software backup procedures, scheduling and conducting backups and periodically validating that data has been accurately backed up.
Developing the Data Backup Plan
Identify data on network servers, desktop computers, laptop computers and wireless devices that needs to be backed up along with other hard copy records and information. The plan should include regularly scheduled backups from wireless devices, laptop computers and desktop computers to a network server. Data on the server can then be backed up. Backing up hard copy vital records can be accomplished by scanning paper records into digital formats and allowing them to be backed up along with other digital data.
Options for Data Backup
Tapes, cartridges and large capacity USB drives with integrated data backup software are effective means for businesses to backup data. The frequency of backups, security of the backups and secure off-site storage should be addressed in the plan. Backups should be stored with the same level of security as the original data.
Many vendors offer online data backup services including storage in the “cloud”. This is a cost-effective solution for businesses with an internet connection. Software installed on the client server or computer is automatically backed up.
Data should be backed up as frequently as necessary to ensure that, if data is lost, the amount lost is not unacceptable to the business. The business impact analysis should evaluate the potential for lost data and define the “recovery point objective.” Data restoration times should be confirmed and compared with the IT and business function recovery time objectives.
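The comparison described above, and the earlier requirement that an IT resource's recovery time match the recovery time objective of the function that depends on it, can be checked mechanically. This is an added example, not part of the original guidance; the class names, field names and all sample figures are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Function:            # business function from the business impact analysis
    name: str
    rto_hours: float       # recovery time objective
    rpo_hours: float       # recovery point objective (tolerable data loss)
    depends_on: tuple      # names of the IT resources it needs

@dataclass
class Resource:            # IT resource from the recovery plan inventory
    name: str
    restore_hours: float           # restoration time confirmed in the last test
    backup_interval_hours: float   # time between backups (worst-case data loss)

def find_gaps(functions, resources):
    """Return (resource, function, problem) tuples where the plan misses an objective."""
    by_name = {r.name: r for r in resources}
    gaps = []
    for fn in functions:
        for dep in fn.depends_on:
            res = by_name.get(dep)
            if res is None:
                gaps.append((dep, fn.name, "not in inventory"))
                continue
            if res.restore_hours > fn.rto_hours:
                gaps.append((dep, fn.name, "restore time exceeds RTO"))
            if res.backup_interval_hours > fn.rpo_hours:
                gaps.append((dep, fn.name, "backup interval exceeds RPO"))
    return gaps

# Constructed sample data, not taken from any real plan.
FUNCTIONS = [
    Function("order processing", rto_hours=4, rpo_hours=1,
             depends_on=("edi-gateway", "erp-db")),
    Function("payroll", rto_hours=72, rpo_hours=24,
             depends_on=("erp-db", "hr-fileshare")),
]
RESOURCES = [
    Resource("edi-gateway", restore_hours=2, backup_interval_hours=24),
    Resource("erp-db", restore_hours=8, backup_interval_hours=0.25),
]

if __name__ == "__main__":
    for gap in find_gaps(FUNCTIONS, RESOURCES):
        print(gap)
```

The same resource can pass for one function and fail for another: erp-db meets the payroll objectives but not the 4-hour RTO of order processing, so the strictest dependent function sets the target.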
Business Continuity Plan
When business is disrupted, it can cost money. Lost revenues plus extra expenses means reduced profits. Insurance does not cover all costs and cannot replace customers that defect to the competition. A business continuity plan to continue business is essential. Development of a business continuity plan includes four steps:
- Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
- Identify, document, and implement strategies to recover critical business functions and processes.
- Organize a business continuity team and compile a business continuity plan to manage a business disruption.
- Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.
Information technology (IT) includes many components such as networks, servers, desktop and laptop computers and wireless devices. The ability to run both office productivity and enterprise software is critical. Therefore, recovery strategies for information technology should be developed so technology can be restored in time to meet the needs of the business. Manual workarounds should be part of the IT plan so business can continue while computer systems are being restored.
- Standard on Disaster/Emergency Management and Business Continuity Programs – National Fire Protection Association (NFPA) 1600
- Professional Practices for Business Continuity Professionals – DRI International (non-profit business continuity education and certification body)
- Continuity Guidance Circular 1, Continuity Guidance for Non-Federal Entities – Federal Emergency Management Agency, CGC 1
- Open for Business® Toolkit – Institute for Business & Home Safety
Recovery of a critical or time-sensitive process requires resources. The Business Continuity Resource Requirements worksheet should be completed by business function and process managers. Completed worksheets are used to determine the resource requirements for recovery strategies.
Following an incident that disrupts business operations, resources will be needed to carry out recovery strategies and to restore normal business operations. Resources can come from within the business or be provided by third parties. Resources include:
- Office space, furniture and equipment
- Technology (computers, peripherals, communication equipment, software and data)
- Vital records (electronic and hard copy)
- Production facilities, machinery and equipment
- Inventory including raw materials, finished goods and goods in production
- Utilities (power, natural gas, water, sewer, telephone, internet, wireless)
- Third party services
Since all resources cannot be replaced immediately following a loss, managers should estimate the resources that will be needed in the hours, days and weeks following an incident.
Cloud Computing’s Role in Disaster Recovery:
What Changes in the Cloud?
Cloud computing, based on virtualization, takes a very different approach to disaster recovery. With virtualization, the entire server, including the operating system, applications, patches and data is encapsulated into a single software bundle or virtual server. This entire virtual server can be copied or backed up to an offsite data center and spun up on a virtual host in a matter of minutes.
Since the virtual server is hardware independent, the operating system, applications, patches and data can be safely and accurately transferred from one data center to a second data center without the burden of reloading each component of the server. This can dramatically reduce recovery times compared to conventional (non-virtualized) disaster recovery approaches where servers need to be loaded with the OS and application software and patched to the last configuration used in production before the data can be restored.
Given the cost-effectiveness of online backup between data centers, tape backup no longer makes sense in the cloud. The cost-effectiveness and recovery speed of online, offsite backup make it difficult to justify tape backup.
The cloud makes cold site disaster recovery antiquated. With cloud computing, warm site disaster recovery becomes a very cost-effective option where backups of critical servers can be spun up in minutes on a shared or private cloud host platform.
With SAN-to-SAN replication between sites, hot site DR with very short recovery times also becomes a much more attractive, cost-effective option. This is a capability that was rarely delivered with conventional DR systems due to the cost and testing challenges. One of the most exciting capabilities of disaster recovery in the cloud is the ability to deliver multi-site availability. SAN replication not only provides rapid failover to the disaster recovery site, but also the capability to return to the production site when the DR test or disaster event is over.
One of the added benefits of disaster recovery with cloud computing is the ability to finely tune the costs and performance for the DR platform. Applications and servers that are deemed less critical in a disaster can be tuned down with fewer resources, while assuring that the most critical applications get the resources they need to keep the business running through the disaster.
Critical Path in Disaster Recovery – Networking
With the sea change in IT disaster recovery delivered by cloud computing, network replication becomes the critical path. With fast server recovery at an offsite data center, the critical path for a disaster recovery operation is replicating the production network at the DR site including IP address mapping, firewall rules & VLAN configuration.
Smart data center operators are providing full disaster recovery services that not only replicate the servers between data centers, but also replicate the entire network configuration in a way that recovers the network as quickly as the backed up cloud server.
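A check for the network replication described above, shown as an added example that is not from the original article: translate the production firewall rules through the production-to-DR IP address mapping and compare them with the rules configured at the DR site. The rule tuple format, subnets and rules are constructed assumptions; the mapped subnets are assumed to be the same size, and rules are compared as an unordered set, so rule ordering is not checked.

```python
import ipaddress

def translate(cidr, subnet_map):
    """Map a production network into the DR address plan, keeping host offsets."""
    net = ipaddress.ip_network(cidr)
    for prod, dr in subnet_map.items():
        prod_net, dr_net = ipaddress.ip_network(prod), ipaddress.ip_network(dr)
        if net.subnet_of(prod_net):
            offset = int(net.network_address) - int(prod_net.network_address)
            base = ipaddress.ip_address(int(dr_net.network_address) + offset)
            return str(ipaddress.ip_network(f"{base}/{net.prefixlen}"))
    return str(net)   # outside the mapped ranges (e.g. internet sources): unchanged

def compare(prod_rules, dr_rules, subnet_map):
    """Report rules the DR site lacks and rules it has that production does not."""
    expected = {(a, translate(s, subnet_map), translate(d, subnet_map), p, port)
                for a, s, d, p, port in prod_rules}
    actual = {(a, str(ipaddress.ip_network(s)), str(ipaddress.ip_network(d)), p, port)
              for a, s, d, p, port in dr_rules}
    return {"missing_at_dr": sorted(expected - actual),   # traffic blocked after failover
            "extra_at_dr": sorted(actual - expected)}     # exposure production does not have

# Constructed sample: (action, source, destination, protocol, port).
SUBNET_MAP = {"10.10.0.0/16": "10.20.0.0/16"}
PROD_RULES = [
    ("allow", "0.0.0.0/0", "10.10.1.10/32", "tcp", 443),      # public web server
    ("allow", "10.10.1.0/24", "10.10.2.5/32", "tcp", 5432),   # web tier to database
    ("allow", "10.10.9.0/24", "10.10.0.0/16", "tcp", 22),     # admin subnet
]
DR_RULES = [
    ("allow", "0.0.0.0/0", "10.20.1.10/32", "tcp", 443),
    ("allow", "10.20.9.0/24", "10.20.0.0/16", "tcp", 22),
    ("allow", "0.0.0.0/0", "10.20.2.5/32", "tcp", 5432),      # source widened at DR
]

if __name__ == "__main__":
    for kind, rules in compare(PROD_RULES, DR_RULES, SUBNET_MAP).items():
        for rule in rules:
            print(kind, rule)
```

In the sample, the DR database rule shows up on both sides of the report: the restricted production rule is missing and a rule open to any source stands in its place, which is the kind of drift that only surfaces during failover unless it is checked beforehand.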
www.Onlinetech.com provides secure, compliant enterprise cloud.