Create a Right-Sized Disaster Recovery Plan


Upload: info-tech-research-group

Post on 15-Jul-2015


Create a Right-Sized Disaster Recovery Plan

Close the gap between your DR capabilities and service continuity requirements.


Your Challenge

Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors but is not effective in a crisis.
Similarly, the myth that a DRP is only for major disasters and should be risk-based leaves organizations vulnerable to more common incidents.
The increased use of cloud vendors and co-lo/MSPs means you may be dependent on vendors to meet your recovery timeline objectives.


Our Advice

Critical Insight

DR is about service continuity — that means accounting for minor and major events.
Remember Murphy’s Law. Failure happens, so focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all systems require fast-failover capability.

Impact and Result

Create an effective DRP by following a structured process to discover current capabilities and define business requirements for continuity, not by completing a one-size-fits-all traditional DRP template. This includes:
Defining appropriate objectives for maximum downtime and data loss based on business impact.
Creating a DR project roadmap to close the gaps between your current DR capabilities and recovery objectives.
Documenting an incident response plan based on a tabletop planning walkthrough that captures all the steps from event detection to data center recovery.

Contributors

Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
Paul Beaudry, Assistant Vice-President, Technical Services, MIS, Richardson International Limited
Yogi Shulz, President, Corvelle Consulting

Get to Action

Create a DRP pilot project charter
Create a DRP pilot team, define project parameters, and establish metrics to measure success.
Storyboard: Create a Right-Sized Disaster Recovery Plan
DRP Pilot Project Charter Template
DRP Workbook

Identify key applications and dependencies
Determine what would be required to recover from an incident and resume operations.
DRP Business Impact Analysis Tool

Determine the desired recovery timeline
Set appropriate recovery timeline targets based on business impact.

Determine the current achievable recovery timeline, RTO/RPO gaps, and risks
Identify the gap between achievable and desired recovery capability.
DRP Vendor Evaluation Questionnaire and Tool

Identify projects to close gaps and mitigate risks
Create a DRP project roadmap to achieve the desired recovery timeline.
DRP Project Roadmap Tool

Document your incident response plans
Define a procedure to restore IT services after an incident, within the desired recovery timeline.
DRP Incident Response Management Tool
Severity Definitions and Escalation Rules Template

Complete the DRP for remaining applications
Repeat the DRP methodology for remaining applications.
DRP Pilot Results Presentation Templates

Guided Implementation

This guided implementation is a seven-call advisory process.

Call #1: Create a DRP pilot project charter
Set project goals, assign a DRP pilot team, and define roles and responsibilities.

Call #2: Identify key applications and dependencies
Identify critical business operations and the applications that support those operations, identify application dependencies, and assess your existing incident response plans to establish a baseline DRP metric.

Call #3: Determine the desired (target) recovery timeline
Conduct a business impact analysis (BIA), and identify RTOs and RPOs.

Call #4: Determine the current achievable recovery timeline, RTO/RPO gaps, and risks
Conduct a tabletop planning exercise and document the results, determine RTO and RPO gaps, and identify risks.

Call #5: Identify and prioritize projects to close gaps and mitigate risks
Identify and prioritize projects to close RTO/RPO gaps and mitigate risks, and create a project roadmap.

Call #6: Document the incident response plans
Use tabletop planning to determine what your incident response plan would be for the desired state (i.e. after the DRP project roadmap is implemented to close gaps), document the step-by-step incident response plans for the desired state and current state, and ensure service management guidelines (e.g. severity definitions and escalation rules) align with DR timeline requirements.

Call #7: Complete the DRP for remaining applications
Summarize pilot results and obtain approval to continue the DRP process, repeat the DRP methodology for remaining applications, and ensure alignment between your DRP and BCP.

Onsite Workshop

Module 1: Create a Pilot DRP Project Charter (pre-workshop scoping activity)

The Purpose

Define roles and responsibilities.
Clarify expected outcomes for the pilot.
Establish metrics to measure success.

Key Benefits Achieved

Executive buy-in and understanding of the expected outcome.
Required resources identified and allocated.

Activities and Outputs

1.1 Create a DRP pilot team. Output: Resources identified and allocated.
1.2 Define project parameters. Output: Project goals defined.
1.3 Identify metrics to measure DRP status. Output: DRP metrics defined.

Module 2: Identify Key Applications and Dependencies

The Purpose

Identify key applications and dependencies based on business needs.

Key Benefits Achieved

Understand the entire IT “footprint” that needs to be recovered for key applications.

Activities and Outputs

2.1 Identify critical business operations. Output: Business-centric perspective on which applications are critical.
2.2 Identify applications and dependencies. Output: Key applications identified for the pilot.
2.3 Assess your existing incident response plan. Output: Baseline DRP status identified.

Module 3: Determine the Desired Recovery Timeline

The Purpose

Quantify application criticality based on business impact.

Key Benefits Achieved

Appropriate recovery time and recovery point objectives (RTOs/RPOs) defined.

Activities and Outputs

3.1 Define a scoring scale to measure impact of downtime. Output: Business impact analysis (BIA) scoring criteria defined.
3.2 Estimate the business impact of downtime. Output: Application criticality validated.
3.3 Determine the desired RTOs/RPOs. Output: RTOs/RPOs defined for applications and dependencies.

Module 4: Determine the Current Achievable Recovery Timeline, RTO/RPO Gaps, and Risks

The Purpose

Determine your baseline DR capability (your current state).

Key Benefits Achieved

Identify the gaps between current and desired DR capability.

Activities and Outputs

4.1 Identify current capabilities via tabletop planning. Output: Current state incident response plan defined.
4.2 Determine the RTO/RPO gaps. Output: DR gaps defined that will need to be addressed.
4.3 Estimate likelihood and impact of failure of individual dependencies. Output: High-risk dependencies identified.

Module 5: Identify Projects to Close Gaps and Mitigate Risks

The Purpose

Determine what projects or initiatives are required to close the gap between current and desired DR capability.

Key Benefits Achieved

DR project roadmap defined.

Activities and Outputs

5.1 Identify DR projects that close recovery gaps. Output: Potential list of DR projects identified.
5.2 Prioritize projects based on cost and benefits. Output: Order of project implementation identified.
5.3 Create a project implementation timeline. Output: Project schedule identified.

Module 6: Document the Incident Response Plans

The Purpose

Clarify how you would respond to an incident based on your current DR capabilities (current state) as well as after DR gaps are closed (desired state).

Key Benefits Achieved

A current-state incident response plan you can follow while you work towards improved DR capability.
Validate that the desired-state incident response plan would achieve the desired recovery timeline.

Activities and Outputs

6.1 Use tabletop planning to determine the desired-state incident response plan. Output: Desired-state incident response plan defined.
6.2 Document your DR incident response procedures. Output: Current-state and desired-state incident response plans documented.
6.3 Align DR and service management. Output: Escalation path defined for service management to disaster recovery for less obvious disaster scenarios.

Module 7: Complete the DRP for Remaining Applications (post-workshop follow-up)

The Purpose

Summarize and leverage pilot results to obtain executive approval to continue the DRP process for remaining applications.

Key Benefits Achieved

Measured progress in your DR planning.
Justification for executive buy-in to continue the DRP process.

Activities and Outputs

7.1 Summarize pilot results (including improvements in DRP metrics). Output: DRP progress demonstrated.
7.2 Repeat the DRP methodology for remaining systems. Output: Build on DRP pilot deliverables to complete the overall DRP.
7.3 Define how you will incorporate outputs from business continuity planning into the DRP process. Output: A workflow to ensure your DRP and BCP stay in sync as both plans continue to evolve over time.
