The Keys to Effective Disaster Recovery and Business Continuity Planning
By Kevin Beaver on Thursday, October 04, 2001
The recent tragic events in our country have heightened awareness and underscored the importance of having effective disaster recovery and business continuity plans for information systems. These plans are essential to ensure that information assets are properly protected in the event of an unanticipated interruption or disaster. Every business should determine what it would do and how it would operate if the computer systems that store its valuable business information were to crash, be hacked into, or be destroyed. Businesses need disaster recovery and business continuity plans to protect themselves from a number of threats to their information systems:
· a hacker or disgruntled employee attack that causes system outages or severe data losses
· a computer virus, worm, or other malicious code that infects critical information systems and renders them unusable
· a hardware failure on a critical computer system
· a network administrator who knows all of the pertinent passwords and network information suddenly resigns or is otherwise incapacitated
· an environmental catastrophe
· a building that is physically damaged or destroyed
These incidents can cost many businesses anywhere from thousands to millions of dollars per hour in lost revenue. There are also other consequences, such as the time it can take for recovery, loss of market share, and subsequent legal ramifications. Effective disaster recovery and business continuity planning can help organizations:
· sustain mission critical business operations
· mitigate the risks of data loss and other consequences of a disaster
· minimize the number of critical decisions that must be made during a crisis situation
· increase employee and customer safety
· be proactive in protecting business assets such as intellectual and physical property
· protect their market share and reputation
· minimize economic losses
· build customer confidence
· minimize legal liabilities and insurance premiums
· reduce the probability of reoccurrence
· ensure that the time it takes to recover from an incident does not render the entire recovery process useless
Overall, disaster recovery and business continuity plans should address who is responsible for the information systems, what information systems are involved, and when the plans should be enacted. Although the terms disaster recovery and business continuity are often used interchangeably, technically, there is a difference. Disaster recovery concerns the retrieval or recreation of information systems and business functionality to the state they were in before a disaster occurred. Business continuity refers to maintaining a minimum level of business operations in order to fulfill critical operating requirements in the midst of a disaster. Despite the differences in terminology, the concepts for implementing and managing successful disaster recovery and business continuity plans are basically the same.
Although it’s extremely difficult to protect against something that has not happened, certain fundamental steps can be taken to mitigate risks to information systems and critical business functions. The following tips cover the who, what, and when in the disaster recovery and business continuity planning process.
Phase 1 – Discovery
1. Establish a planning team that consists of upper management, information security, IT, HR, or other operations personnel.
2. Define the roles and responsibilities of the planning team.
3. Perform an initial risk assessment to determine current information systems vulnerabilities.
4. Perform an initial business impact analysis to document and understand the interdependencies among business processes and determine how the business would be affected by an information systems outage.
5. Take an inventory of information systems assets such as computer hardware, software, applications, and data.
6. Identify single points of failure within the information systems infrastructure.
7. Identify critical applications, systems, and data.
8. Prioritize key business functions.
Phase 2 – Planning and Implementation
1. Set up offsite facilities for data backup storage and electronic vaulting as well as redundant and reliable standby systems if necessary.
2. Ensure that critical applications, systems, and data are distributed among facilities that are reasonably easy to get to but not so close that they could be affected by the same disaster.
3. Establish written policies, contracts, and service level agreements with third-party hosting, collocation, telecommunications, and Internet service providers that facilitate prompt recovery and continuity.
4. Create an incident response team that consists of information security, IT, marketing, HR, legal, and other relevant personnel.
5. Define the roles and responsibilities of the incident response team.
6. Obtain each incident response team member’s contact information.
7. Determine which methods the incident response team members will use to communicate in the event of a disaster.
8. Create a public relations plan to assist with the effective handling of an incident.
9. Assign a manager (such as an IT or Information Security Manager) who has the responsibility and authority to make critical IT decisions.
10. Develop testing standards.
11. Document the disaster recovery and business continuity plans.
12. Distribute copies of the written plans to everyone involved and also store extra copies in an offsite, fireproof vault.
Phase 3 – Ongoing Management
1. Continuously perform data backups, store at least weekly backups offsite, and test those backups regularly for data integrity and reliability.
2. Test plans at least annually, document and review the results, and update the plans as needed.
3. Analyze plans on an ongoing basis to ensure alignment with current business objectives and requirements.
4. Provide security awareness and disaster recovery education for all team members involved.
5. Continuously update information security policies and network diagrams.
6. Secure critical applications and data by patching known vulnerabilities with the latest fixes or software updates.
7. Perform continuous computer vulnerability assessments and audits.
Being unprepared for an information systems disaster can mean severe business interruption or even failure. It takes more than just tape backups or an insurance policy to keep information assets safe. Disaster recovery and business continuity plans are not optional, but rather an essential component of an overall information risk management program. When developed and implemented properly, they are the keys to business survival. Moving forward, companies can leverage the technological benefits inherent in the Internet’s distributed computing environment for offsite data backups and redundant standby equipment to reduce the impact of a disaster. Long term, it is much less expensive to implement proper disaster recovery and business continuity plans than it is to restore business operations and customer confidence. Intrusions and disasters cannot be stopped completely; however, if something does happen and the proper plans are in place, business owners and managers will know they have a contingency plan to follow in order to return to business as usual as quickly and efficiently as possible.
Kevin Beaver is the founder of Principle Logic, LLC. Principle Logic provides information risk management services in the areas of disaster recovery and business continuity planning, vulnerability assessments, and security policy development. Kevin can be reached at kbeaver@principlelogic.com.