Every organization having on-premise infrastructure requires a disaster recovery plan to limit a catastrophic event’s potential to threaten the business’s livelihood. A disaster recovery plan or DR plan outlines how to restore business operations as quickly as possible. Typically, the plan will seek to restore from a hot, warm, or cold backup site. An organization’s budget and maturity will determine which type of restoration site is used; larger businesses will typically deploy hot or warm backup sites. Hot or warm sites have the shortest time to restore operations due to mirrored or some infrastructure already in place. However, a cold site requires much more resources and time to become operational and, thus, has a lower cost.
Natural disasters are inevitable, and many have the potential to destroy businesses permanently; therefore, having an actionable plan to revive critical functions and assets is imperative for any business, whether large or small. A coherent DRP also ensures the business’s ability to keep its employees safe during a natural disaster and enables communication channels to remain open throughout the crisis.
A disaster recovery (DR) plan is regarded as a formal document being designed by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events. The plan contains strategies on minimizing the effects of a disaster, so an organization will continue to operate – or quickly resume key operations.
Disruptions such as natural disasters can lead to lost revenue, brand damage and dissatisfied customers. And, the longer the recovery time, the greater the adverse business impact. Thus, a good disaster recovery plan should enable rapid recovery from disruptions, regardless of the source of the disruption. Disaster recovery (DR) is an area of security planning that aims to protect an organization from the effects of significant negative events. Having a disaster recovery strategy in place enables an organization to maintain or quickly resume mission-critical functions following a disruption.
A disaster recovery plan is a strategy put in place by an organization or a formal document established that contains detailed instructions to immediately respond to an unplanned incident such as power outages, hurricanes, attacks and any other disruptive events. This strategy minimizes the effects caused by the disaster so that the organization can continue to operate adequately and efficiently.
It is needed to prevent financial loss, customers or shareholders from being dissatisfied and keep the reputation of the company.
Nice call out that the DR plan must exist as a formal document and not solely as a theoretical plan within the organization. For the DR plan to be truly actionable, key stakeholders (CIO, CTO, Facilities managers, etc.) must know where the document is stored and how to execute it. This is where tabletop exercises are helpful to address those obstacles or gaps within the plan before a disaster occurs.
Great points Ornella and Kelly,
To add to this line of thought and further stress the importance of the plan being actionable, I would also like to point out that disaster recovery plans represent the same risk of being nonexistent more or less if tests like the aforementioned tabletop exercises are not conducted. This must be done to ensure that the relevant personnel are actually able to execute the plan in a timely fashion as prescribed by the maximum time objectives for each of the elements of the recovery procedures in the DRP.
A Disaster Recovery Plan (DRP) is a set of procedures created by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks, and any other disruptive events. The plan contains strategies on lessening the effects of a disaster, and recovering enough data so an organization can quickly continue its functions.
Disruptions can lead to damage and lost revenue. Therefore, a good disaster recovery plan is needed to lessen damages and financial impacts from the disruption. It is also necessary in training employees about safety procedures in case of an emergency.
Hi Chris. Great point in addressing the need for DR training. I think an important takeaway from the COVID-19 pandemic was how so many companies were unprepared for such a disaster, and training might have helped both employees and managers be prepared for what was to come. Nice response!
Interesting point, Lauren. It was interesting to see how many companies across many different industries adapted and were able to ensure business continuity in the face of this disaster, despite not having training for it. Although it probably seemed near impossible to reasonably allocate funds for implementing redundancies for this type of disaster where human contact and interaction would be minimized, I think it will likely now remain a relevant element to consider for future disaster recovery plans.
An excellent example of how COVID-19 revealed how many organizations were ill-prepared to adapt to unforeseen events. For my news article, I posit whether incident response for ransomware targeting critical infrastructure (water facilities) should also invoke the disaster recovery plan. As you have explained, I think the scope and type of incidents requiring DR planning are quickly growing and pose a serious threat to business livelihoods if not addressed. Thanks for sharing your thoughts!
I agree with you in regard to your explanation of disaster recovery but you must understand in the same way that those who have been living on the edge without a detailed disaster recovery plan struggled to adapt to the unexpected normality where almost all employees have to work remotely.
I like your definition. It’s simple and clear and it looks like we put the same definition which I believe is not bad. A disaster recovery plan should be in the company priorities as we never know what will happen the next day or hour. A good strategy will help an organization reduce the cost of what a natural disaster can do and immediately respond to an unplanned incident to keep the business going.
Disaster recovery plan is a set of written procedures that are to be followed in case of natural disaster. Disaster recovery planning brings order to the confusion that surrounds the interruption of an organization’s normal activities. The set of written procedures can ensure the smooth running of technical controls, policies, tools, and procedures. The recovery plan starts after a natural disaster occurs such as a hurricane, fire, terrorist attack, and flood etc. Disaster recovery plans are designed to help guide individuals with clear directions when individuals are in a heightened state and have a hard time focusing. Disaster recovery assumes that the primary site is not recoverable, at least for some time and enables a standby site to be reserved to keep all essential business aspects functioning despite significant disruptive events. Standby sites help ensure that alternate process sites are far enough away from your main site that they are unlikely to be affected by the same disaster. The Disaster recovery plan ensures that data is backed up on systems on a regular basis to prevent sudden loss of data. Disasters don’t usually come with advance warning. If real time operation is critical to an organization, it is best to ensure that the backup site is ready to assume primary status at a moment’s notice.
Chapter 18 (ISC2)
I agree with your point that the DRP should be followed in the case of a natural disaster. I would also add that the disaster recovery plan should include / account for other business disruptions that are not natural disasters, such as power failures, loss of life, etc.
Yes Andrew, I agree, anything that disrupts business functions and/or creates a system failure due to a significant incident; it encompasses other events such as a cyber attack or breach within the company. Anything that prepares for the worst possible scenario.
I 100% agree with what Andrew said and also wanted to add that DRP sounds like something put in place for natural disasters, and while that is key, it is definitely not the major reason. An article I read said that over the past 3 years, only 7% of DRPs were in response to natural disasters, with most being in response to something that was human error. Thought that was interesting. Thanks for both of your thoughts.
A disaster recovery plan (DRP) is a response to a particular event. The organization should have a formal document that details the steps on how to respond to such an event. Earthquakes, hurricanes, cyber-attacks, and terror attacks are just a few examples. The DRP will contain information and guidelines on how to minimize the effects of the disaster so the business can continue operating. A DRP is needed so the organization does not lose money, customers, and even the business itself.
I agree with you. I think that the pandemic has made companies include this recovery plan in their business objectives. We are now seeing with the pandemic that working from home has made organizations come up with new policies and procedures to protect their data. Some jobs do not allow you to travel outside the US with your work laptop because they are scared of breaches or power outages especially in Africa. A DRP comes to restore data access and keep the business running.
The pandemic has likely forced so many organizations to make necessary changes in the aspects of their DRP, because remote working has made every organization have to look at every aspect of the organization in an entirely different way, this just being another one of those aspects.
A disaster recovery plan is a company’s document of instructions on how employees and the company should act in the case of an unplanned disaster. These unplanned disasters include events such as natural disasters and power outages. A disaster recovery plan is needed for the sake of business continuity. By having a disaster recovery plan set in place, you are helping prevent data loss, data destruction, and quick IT recovery.
Hi Michael, unplanned disasters are definitely events that management and employees need to be prepared for. As I mentioned in my comment, training is a very necessary step to help staff stay ahead and know what procedures to follow if a disaster should come, so that it will be resolved and business will continue to run efficiently.
Michael,
Because a disaster recovery plan is so important for a business to have in place, there are scenarios included so employees understand what to do in a high pressure situation. Not only should scenarios be included, but training should as well.
Great points raised, Michael. Disaster recovery planning enables businesses to maintain a high service quality, regardless of the circumstances. For instance, reacquiring an old customer in the aftermath of an IT disaster can be nearly impossible – a disastrous effect that so many businesses have experienced firsthand.
Good point that I didn’t think about in my response, and a lot of people didn’t bring up either. Not only is it essential to have business functionality able to recover as fast as possible, it’s definitely important to think about the customers as well. In many cases, if an organization poorly responds to a said disaster, the customer would likely feel inclined to take their business elsewhere, and the organization definitely needs to be prepared for how to respond to that possibility.
A disaster recovery plan (DRP) is a holistic plan for a company/organization to follow if and when a disaster occurs. DRPs are not universal by any means, and it is important for an organization to conduct a risk assessment in order to properly formulate an applicable DRP (for instance, a company based in Hawaii would not typically consider potential threats like blizzards and ice storms when creating a DRP). DRPs assist in coordinating recovery efforts, and should be regularly tested in order to ensure the DRP works, and is constantly improving. A DRP is critical to an organization to ensure business continuity, as well as the availability of services, in light of a disaster. Without a strong DRP, an organization is risking preservation of its essential security objectives, which creates both organizational and cybersecurity risk.
Hi Lauren, Good point on regularly testing the DRP. A DRP that has not been tested is no better than an organization not having a DRP. It’s one thing to have all necessary steps written down, but it’s another thing to teach and make sure each key player knows their role in the event of a disaster. Emergencies are stressful, high stakes situations, and a person’s judgement can be impaired by the stress in those situations. So it’s ideal to make sure that person has already experienced that situation in a mock environment and has (hopefully) had all or most of their questions answered.
I also agree it is a good idea to have the DRP tested. My question I would pose is how often should something like this be tested? Is this something that would want to be done monthly, quarterly, annually or even longer? Ideally a DRP would not be used that often so it begs the question of how often something like that should be tested.
I would think annually is the bare minimum for how often you should be doing tabletop exercises. When you do these exercises, often times it’s a different scenario each time. For example, the first time could be a flood took out your manufacturing plant. The second tabletop exercise could be pandemic related (think COVID-19 and how many companies needed to transition from having a primarily in-office workforce to a primarily virtual workforce). In other words, there’s many different disasters that could happen, and your DRP will respond differently to different disasters.
Disaster recovery plan is a written document that is being reviewed and approved by higher authority in the company, which includes the gaps in the business that could be affected during any type of disaster and the remediation process once the disaster has occurred. The disaster could be any type, as occurred by nature or human. The natural disaster would be determined based on the geographic location of the business; some of the examples of natural disaster would be tornado, hurricane, fire, storm, flood, earthquakes, or tsunamis. The disaster that could be caused by the human would be through hacking, gaining physical access to the company’s devices and damaging them, or caused by the human error. Disaster recovery plan would help organization to resume as quickly as possible after the disaster has occurred, as it would contain the information to help guide business to remediate the threat as quick as possible. If the business doesn’t have the disaster recovery plan in place then it could cause them financial issues and/or they would have to keep their business shut down for a long period of time until they have fully recovered from that disaster.
Excellent post. I initially agreed with your point that natural disaster planning should be based on geographic location, which remains valid. However, given the changing climate, that may need re-evaluation. For example, who would have ever predicted Texas would experience a snowstorm! The entire state’s infrastructure was not prepared for such a bizarre natural disaster. These weather anomalies are where a risk assessment would be impactful – it may not be likely to occur, but some thought and planning around the possibility may become an increasing reality—nicely done!
A disaster recovery plan details an organization’s procedure when a disaster happens. A disaster in this case can be natural (hurricanes, floods, power shutdowns) or something else (e.g., an employee being involved in a fatal incident).
It is needed to protect the business in cases in which a disaster occurs, and helps the business protect itself against loss.
A disaster recovery plan is a document created by an organization, often via special committee, that outlines detailed instructions on how to respond to an unexpected business disruption, e.g. natural disasters, fire, cyber attacks, etc. The disaster recovery plan is informed by business continuity requirements and how the organization will respond to maintain an acceptable level of business operations. (Vacca 36) The disaster recovery plan ensures the business is able to function during unplanned, disruptive events that limit resources and complicate operations. Failure to have a disaster recovery plan could result in additional losses and extended time to recover from the event.
I like how you point out that the disaster recovery plan (DRP) not only applies to natural disasters, but other business disruptions as well (like loss of life, etc.).
I think the more business disruptions that an organization can account for, the better their disaster recovery plan will be, and ultimately they will be better prepared in the case that a business disruption occurs, since the organization’s response is already accounted for in the disaster recovery plan.
It is extremely important for a business to have a DR plan. If an organization does not have a disaster recovery plan, not only is there an extended time to recover from the event but, a business can lose millions and millions of dollars. Additionally, customer data can be lost in the process as well.
Disaster Recovery is the process developed within the organization to ensure the recovery of enterprise mission-critical activities following an unforeseen disruption. Disaster recovery focuses strictly on technology systems supporting critical business functions, which involves keeping all essential aspects running efficiently despite significant incidents.
An IT Disaster Recovery plan, on the other hand, is a document that articulates the steps, procedures, and responsibilities to enable an organization to recover its IT systems and get operations back on track when disaster strikes.
A DR plan is a component of the organization’s Incident Recovery plan; once deployed, the disaster recovery plan must be tested to ascertain its effectiveness in the event of a disruption. The DR plan is essential to ensure that incidents through adversarial attacks, employee errors, structural breakdowns, or environmental disasters are appropriately managed within the approved MTDT (Maximum Tolerable Downtime) and RTO (Recovery Time Objective).
The under-listed are types of disaster recovery plans:
1. Virtualized Disaster Recovery Plan – Creates a replica of the entire IT infrastructure and stores it on an offsite Virtual Machine (VM).
2. Network Disaster Recovery Plan – A network disaster recovery plan helps the IT team respond to an unplanned interruption of network services.
3. Cloud Disaster Recovery Plan – A failover cloud from the initial data center.
4. Data Center Disaster Recovery Plan – A separate facility used when a disaster occurs.
I like how you broke down the different types of DRP. Different parts of the organization rely on certain infrastructure and having a plan ready for that infrastructure is key in coming back from a disastrous event. Many times virtualized, cloud, and data center plans overlap as they all store data and information, but each can be used for a specific service as you have stated.
A disaster recovery plan is a set of plans/procedures for an organization to recover from different scenarios or events which could cause loss of systems/operations/critical functions within an organization.
A disaster recovery plan is essential for every business in order to resume operations based on the event that occurred. Depending on what IT infrastructure or operations are affected might vary between procedures to bring systems back online. Some procedures may specify moving databases to an alternate site in order to mitigate downtime or moving to different sites entirely depending on the criticality of the data. As Vacca elaborates in Chapter 36, the response must match the threat which is why the DR plan should specify Mission Critical, Business Critical, and Organizational Critical processes.
Disaster Recovery Plans are created to provide means for businesses and organizations to have an effective strategy to mitigate losses and bring the business back to operations. As Morgan Stanley states, “73% of firms hit by a disaster wind up shutting down,” making disaster recovery something businesses should prioritize with respect to their scope of operations.
Thanks for sharing Michael. You mention that the DR plan should specify Mission Critical, Business Critical, and Organizational Critical processes and I certainly agree. I think it also makes sense to periodically (maybe bi-annually) review the processes to ensure their level of criticality is accurately documented. If they are not, and changes are required, updates can then subsequently be applied to processes whose level of criticality has changed.
A disaster recovery plan is a detailed document created by a company that contains instructions on how to respond to unplanned incidents. A DRP is important for an organization to have due to the unpredictability of when these unplanned events will take place, such as natural disasters or cyber-attacks. Anytime there is a disruption to business there can be a loss of revenue and the longer the recovery time the more adversely the company will be affected. Therefore having a proper DRP in place will ensure the company can recover as quickly as possible and minimize the negative impacts of these unplanned events.
I agree that a disaster recovery plan is meant to instruct on how a company should act in the case of an unplanned disaster. By having a disaster recovery plan set in place, you are helping prevent data loss, data destruction, and quick IT recovery. It is important that a company recovers as quickly as possible with as minimal risk possible.
A disaster recovery plan is a system that has been created for a business to recover and restart from a disaster as quickly as possible, and also to minimize human life risk, financial loss, reputation loss, and legal liability. As there are many different types of disasters that can occur, a disaster recovery plan is better the more comprehensive that it is, and should at least cover the most common and most severe disasters that can occur (fire, IT breach, severe weather, business interruption, etc). It should be descriptive, concrete, and practiced so that employees feel confident and well-trained should a disaster ever occur. It is needed because you never know when a disaster will happen, but there is always a chance. Some disasters end businesses altogether, and the worst ones (especially if unprepared for) can put human lives at risk.
A disaster recovery plan is developed to help a company recover from a disaster. It is the plan and processes for quickly reestablishing access to data, applications, and IT resources after an outage. It provides procedures for emergency response, extended backup operations, and post disaster recovery when an organization suffers a loss of computer processing capability or resources and physical facilities.
There are many options for a disaster recovery plan; for example, an organization’s plan could consist of switching over to a redundant set of servers and storage systems until their primary data center is fully functional again. There are many solutions and many options to deploy those solutions. A few alternatives an operations or security team can employ for backup and disaster recovery are traditional tape, snapshot-based replication or continuous replication.
Moreover, it is important to consider both completely restoring necessary backups, as well as doing it in a thorough but hasty fashion. Every minute the servers are down is money being lost!
Hey Joshua,
That’s a great post. I completely agree with you that a disaster recovery plan is to help a company recover from the disaster. I also agree that there are many options for a solution to keep the business running, such as having a cold, warm, or hot site planning prepared ahead of time that can help keep the business running during the disaster.
That last point is something companies obsess over. Especially companies that offer live service. For example, if you are running a website, having more than just 1% downtime can cost an incredible amount of money and reputation. Imagine spending 40 minutes online shopping and your entire cart is emptied because the site was unstable. Are you likely to shop at the website again? No – you’ll just head over to Amazon instead where they rarely experience outages.
Vraj, very good point and reminder about the three types of recovery sites. (cold, warm and hot sites)
Michael, you are absolutely correct. After reading your reply it made me think about how Facebook, Instagram and WhatsApp all went down a couple of weeks ago on Oct. 4th. I don’t know exactly how long these social media platforms were down that day, but according to Google it was at least 6 or 7 hours. After the fact I saw a post on Instagram, which I confirmed with a credible source that said Mark Zuckerberg personally lost $7 billion due to the outages. Truly perplexing!!
What is a disaster recovery plan? Why is it needed?
A disaster recovery plan is a formally defined method for a plan of action in the event that a disaster event occurs. A disaster is defined by each corporation based on the results of different risks and associated impacts based on both qualitative and quantitative risk assessments. According to Vacca, it is an often overlooked element of business, which represents its own risk for the organization. Through critical understanding of the most relevant and realistic risks that would cause major issues and downtime, an organization can develop an efficient DRP which will help the business to retain its reputation and minimize revenue loss while bringing critical infrastructure back online through means of redundancies like alternate sites, extra authorized and knowledgeable IT staff, and/or technologies.
Hello Antonio.
To further support your comment that it is an often-overlooked element of Business, we recently saw it during the COVID pandemic. Most organizations realized that they didn’t have the proper process in place or the process was not adequate to ensure disaster recovery. Even though a Pandemic of that nature is a once in a century occurrence, organizations that had a structure in place were able to withstand the pressure, survive and learn. In contrast, the consequences of the pandemic consumed businesses with nothing in place.
Great job on defining a DRP. All companies need a DRP in case a natural disaster happens. This strategy will analyze critical business processes to define the policies and procedures they need to implement when such an event is happening.
A disaster recovery plan is a contingency plan designed to respond to events that result in a business interruption. This could be physical catastrophes that lead to destruction of the office (such as flood, tornado, hurricane). The DRP goes into how to respond to such events. For example, public relations, recovery time objectives, and key personnel to assist in the response effort. Ideally, the plan will have thought of everything so that you are able to respond to the disaster with a clear and determined head. A subset of the DRP would include an incident response plan (IRP). This plan would go into detail on how to respond if there is a network interruption, such as due to a ransomware incident. The IRP will ideally have already outlined your counsel (which you should ideally have a relationship with prior to the incident). Similarly, it should also outline who you will go to for forensics. Ideally, you want to establish privilege as soon as possible by contacting an outside counsel. This legal firm can assist in figuring out your notification requirements or legal obligations.
These plans are needed so you are able to respond to any disasters or incidents in a timely manner. You think more clearly when you’re not in the middle of an emergency. Therefore, you can carefully select a law firm and forensics firm that best suits your needs, rather than rushing to pick one the day of the event.
To further articulate your comments. A disaster recovery plan is mission-critical technical infrastructure-focused, while the business continuity plan is process-centric. Regardless of the area of concentration, the Incident Response plan is a subset of both the Disaster Recovery and the Business Continuity plan, which supports organization-wide contingency planning.
I really appreciate the insight you have provided in your answer. Having a contingency plan in place is always a good idea, in all walks of life… especially in the case of Cyber Security. It is imperative that IT security professionals are able to respond to these outages promptly, and like you’ve mentioned “with a clear and determined head”. I’m sure there is a lot of pressure when trying to restore these systems that are critical to business operations, so having a disaster recovery plan is essential when actually responding to a disaster. Also I like how you included some perspective about IRPs, and how they provide an understanding of how to respond to a network outage. This was a perfectly detailed response!
Once the organization loses access or functionality to its IT infrastructure systems, disaster recovery helps to recover from the event. It relies on replication of data or computer processing in an unaffected location. Regardless of natural disaster, cyber attack or equipment failure, business needs to recover as soon as possible to regain access and keep functioning.
The disaster recovery plan specifically addresses the set of actions to be taken “before, during and after the disaster”. Disaster recovery is needed to minimize the recovery time and possible delays. It improves security while preventing potential legal liability.
Well said. The overall objective of the disaster recovery plan is to establish parameters based on quantitative indicators to guide organizations during and after incidents. Such parameters include the MTDT (Maximum Tolerable Downtime), RPO (Recovery Point Objective), and RTO (Recovery Time Objective). All these initially derived from conducted Risk assessments are subject to management approval and will serve as the standard for assuring the disaster recovery plan’s effectiveness.
A disaster recovery plan encompasses a what-to-do set of instructions in case of there being an event that could bring the whole system down that may affect the operations of a business. With a disaster recovery plan, the IT department knows what to do for each incidental scenario that they have predicted may happen. This way no data is lost, and/or the business operations can still function while the system recovers from whatever incident occurs. It is crucial and needed for every business that relies on technology. Without a disaster recovery plan a business would take much longer to recover and/or might not know what to do because they are not prepared; this can cost the business a lot of money, especially the money that is lost from not operating separate from the disaster incident. Being prepared for the worst is always the best for a business and will add longevity to the business in case any scenario occurs.
Hi Wilmer, good that you mention how crucial it is for businesses that rely on technology to have a BIA plan. Just like physical security, you need to have a step-by-step plan in place to help protect your data that is critical to the business. If it is not maintained properly, things may turn catastrophic should an unfortunate event occur.
A disaster recovery plan is a strategy that allows the organization to run in the situation that an unfortunate event occurs such as natural disasters or getting hacked. Disaster recovery plans are important for an organization not only to keep running after a catastrophic event but can also aid in preventing the event. Many DR plans will contain hardware and software that have preventative measures that can reduce the chances of getting hacked. In addition to this, disaster recovery plans can mitigate financial loss and allow for a quick turnaround in the event of a major disaster.
You mentioned the Disaster Recovery Plan (DRP) would respond to cyber incidents. Often times, the DRP is separate from the Incident Response Plan (IRP). The DRP is what responds to disasters (flood, hurricane, etc). The IRP is typically what responds to cyber incidents.
Then as additional context, there’s a Business Continuity Plan (BCP) as well, which typically includes analyses such as the business impact analysis. This plan is focused on getting operations resuming as fast as possible. It often incorporates aspects of both the DRP and IRP.
Typically, organizations have a DRP, IRP, and BCP.
The disaster recovery plan (DRP) is designed to assist an organization in executing recovery processes in response to a disaster. The DRP helps organizations outline the necessary steps in order to actually recover from a disaster. The goal of the plan shouldn’t be to simply recover from a disaster, but rather, another key objective should be to make the recovery as efficient as possible. A thorough business impact analysis (BIA) can provide details on what critical systems/processes should be prioritized and the DRP can utilize this information to ensure disaster recovery teams are adequately staffed and trained on the necessary recovery steps. This plan should be periodically reassessed and tested to ensure it remains applicable to the recovery of the organization.
Good job mentioning how a BIA is necessary for the most efficient DRP to be created. Unless the most prominent risks and vectors for loss are identified, an adequate process cannot be created for mitigating these risks and prioritizing one step before another.
What is a disaster recovery plan? Why is it needed?
A disaster recovery plan (DRP) is a formal document created by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events. The disaster recovery plan is a recorded policy or process that is designed to assist an organization in executing recovery processes in response to a disaster to protect business IT infrastructure and more generally promote recovery.
It is needed to lessen the blow of any unplanned outage the business may face. As understood from the readings, the longer the downtime, the worse off the business is. The loss of revenue, critical data and customer satisfaction all become major issues if the outage is not addressed quickly. The DRP is in place to make sure business can get back to normal as quickly as possible.
I agree with you about the benefits that a disaster recovery plan can bring to humanity, and a good disaster recovery plan can recover quickly from an outage. Business disruption due to a cyber attack can have a devastating impact on an organization, and time is of the essence for disaster recovery to provide smooth, rapid service recovery to ensure continued business operations when a disaster occurs.
I agree with you as regards your analysis on disaster recovery plan. However, you need to understand that one of the main overlooked aspects of Disaster Recovery planning is communication, despite it being among the most important tasks on this list. Your communication plan should outline the protocol for communicating with people essential to your business, e.g. employees, vendors, and customers.
What is a disaster recovery plan? Why is it needed?
A disaster recovery plan is the ‘game plan’ on how an organization will respond to an event that could potentially threaten its existence. This plan is normally the end product of an organization wide analysis and planning activity that will map out the roles and responses for all key stakeholders and critical functions in the case of a disaster. Without a DR Plan the organization will likely not be able to function or respond effectively in the event of a disaster. In the face of a disaster event and the ensuing chaos, without a DR Plan the organization will not respond effectively. A DR Plan maps out the functions and the roles to be played when responding to a disaster event. It prioritizes the critical business functions to be performed and how to do it.
Disaster recovery refers to the process of reactivating the data, hardware, and software devices of the information system after a natural or artificial disaster to restore normal business operations. Disaster recovery planning is part of a broader business continuity plan. Its core is to assess and prevent catastrophic risks of an enterprise or organization, mainly to record, back up, and protect critical business data and processes promptly.
Disaster recovery plans and the preventative measures they include are essential for stopping disasters from occurring in the first place. Although tragedies may not always be avoidable, having a recovery plan helps reduce the potential damage and quickly restore operations when one occurs.
I like the way you phrased your conclusion – that a recovery plan ‘REDUCES’ the potential damage to the business. Most DR plans are designed to provide some level of relief and not full restoration of services – that level of DR is generally cost prohibitive and therefore out of reach for most organizations.
What is a disaster recovery plan? Why is it needed?
A disaster recovery plan is extremely important to an organization; every business must have a DR plan in place. It helps a business get back on its feet as quickly as possible. In case of a natural or human disaster (hurricane, flood, earthquake, or tornado), policies and tools are set in to recover the data of a business. It is very important for an organization of course to not lose all of their data, but to avoid a criminal cyber attack.
In a DR plan, scenarios are included to help employees in order to respond in an emergency matter efficiently as possible. I found a very interesting fact on Evolve IP that mentions, “The National Archives and Records Administration reports that 93 percent of companies that experience data loss and downtime, extending for 10 or more days, will file for bankruptcy within 12 months.”
A disaster recovery (DR) plan is a formal document created by an organization that contains detailed instructions on how to respond to an unplanned event. Examples include natural disasters, power outages, cyber-attacks, and any other disruptive events. This plan contains strategies to minimize the impact of a disaster, and the longer the recovery time, the greater the adverse impact on the business. Regardless of the source of the outage, a good disaster recovery plan allows for a quick recovery from the outage. Business interruptions due to cyber attacks can have a devastating impact on an organization, and the importance of time for disaster recovery is largely reflected in the enormous impact of today’s midrange networks on human life.
Disaster recovery planning requires specialized skills, integrated strategies, and advanced technologies, including orchestration of data protection and recovery. This means that the program has high technical requirements for this area. A disaster recovery plan is necessary and its benefits are many. For example, it minimizes disruption to normal operations and reduces the economic impact of disruptions, and provides smooth, rapid service recovery in the event of a disaster to ensure continued business operations.
A disaster recovery plan is a set of “actions to be taken before, during, and after a disaster”, and is made to help protect businesses in such an event. A disaster recovery plan is a more focused, specific part of the wider business continuity plan. The scope of a disaster recovery plan is sometimes narrowed to focus on the data and information systems of a business. Simply put, a disaster recovery plan is designed to save data with the sole purpose of being able to recover it quickly in the event of a disaster. Some benefits of the DRP include helping the business recover operations more quickly after interruptions, reducing the costs and duration of any disruption, mitigating risks and financial exposure, building customer confidence and trust, and safeguarding company reputation.
The IT disaster recovery plan (DR plan), to put it in simple terms, is a plan an organization will put into place in order to recover from potentially disastrous events. It is defined as “a written document that spells out the policies and step-by step procedures/responsibilities to recover an organizations IT systems and data as well as to restart operations following the disaster.” Once implemented, it should also be tested to confirm that IT operations can fully recover from said disaster. Examples of such events that affect IT capabilities are obviously natural disasters, but more commonly they are human error, hardware/software failure, and cyber attacks. Oftentimes these ‘disasters’ are completely unpredictable or the result of accidents, so for that reason it is essential for every organization to have some form of recovery plan put into place, regardless of the organization’s size. Such a plan set in place also minimizes risk exposure, reduces disruption, ensures economic stability, reduces insurance premiums/potential liability, and upholds compliance. Failure to have a well-organized plan can lead to potentially devastating losses, anywhere from loss of money/resources to completely shutting down the organization.
Kelly Sharadin says
Every organization having on-premise infrastructure requires a disaster recovery plan to limit a catastrophic event’s potential to threaten the business’s livelihood. A disaster recovery plan or DR plan outlines how to restore business operations as quickly as possible. Typically, the plan will seek to restore from a hot, warm, or cold backup site. An organization’s budget and maturity will determine which type of restoration site is used; larger businesses will typically deploy hot or warm backup sites. Hot or warm sites have the shortest time to restore operations due to mirrored or some infrastructure already in place. However, a cold site requires much more resources and time to become operational and, thus, lower cost.
Natural disasters are inevitable, and many have the potential to destroy businesses permanently; therefore, having an actionable plan to revive critical functions and assets is imperative for any business, whether large or small. A coherent DRP also ensures the business’s ability to keep its employees safe during a natural disaster and enables communication channels to remain open throughout the crisis.
kofi bonsu says
A disaster recovery (DR) plan is regarded as a formal document being designed by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events. The plan contains strategies on minimizing the effects of a disaster, so an organization will continue to operate – or quickly resume key operations.
Disruptions such as natural disasters can lead to lost revenue, brand damage and dissatisfied customers. And, the longer the recovery time, the greater the adverse business impact. Thus, a good disaster recovery plan should enable rapid recovery from disruptions, regardless of the source of the disruption. Disaster recovery (DR) is an area of security planning that aims to protect an organization from the effects of significant negative events. Having a disaster recovery strategy in place enables an organization to maintain or quickly resume mission-critical functions following a disruption.
Ornella Rhyne says
A disaster recovery plan is a strategy put in place by an organization or a formal document established that contains detailed instructions to immediately respond to an unplanned incident such as power outages, hurricanes, attacks and any other disruptive events. This strategy minimizes the effects caused by the disaster so that the organization can continue to operate adequately and efficiently.
It is needed to prevent financial loss, customers or shareholders from being dissatisfied and keep the reputation of the company.
Kelly Sharadin says
Hi Ornella,
Nice call out that the DR plan must exist as a formal document and not solely as a theoretical plan within the organization. For the DR plan to be truly actionable, key stakeholders (CIO, CTO, Facilities managers, etc.) must know where the document is stored and how to execute it. This is where tabletop exercises are helpful to address those obstacles or gaps within the plan before a disaster occurs.
Kelly
Antonio Cozza says
Great points Ornella and Kelly,
To add to this line of thought and further stress the importance of the plan being actionable, I would also like to point out that disaster recovery plans represent the same risk of being nonexistent more or less if tests like the aforementioned tabletop exercises are not conducted. This must be done to ensure that the relevant personnel are actually able to execute the plan in a timely fashion as prescribed by the maximum time objectives for each of the elements of the recovery procedures in the DRP.
Christopher Clayton says
A Disaster Recovery Plan (DRP) is a set of procedures created by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks, and any other disruptive events. The plan contains strategies on lessening the effects of a disaster, and recovering enough data so an organization can quickly continue its functions.
Disruptions can lead to damage and lost revenue. Therefore, a good disaster recovery plan is needed to lessen damages and financial impacts from the disruption. It is also necessary in training employees about safety procedures in case of an emergency.
Lauren Deinhardt says
Hi Chris. Great point in addressing the need for DR training. I think an important takeaway from the COVID-19 pandemic was how so many companies were unprepared for such a disaster, and training might have helped both employees and managers be prepared for what was to come. Nice response!
Antonio Cozza says
Interesting point, Lauren. It was interesting to see how many companies across many different industries adapted and were able to ensure business continuity in the face of this disaster, despite not having training for it. Although it probably seemed near impossible to reasonably allocate funds for implementing redundancies for this type of disaster where human contact and interaction would be minimized, I think it will likely now remain a relevant element to consider for future disaster recovery plans.
Kelly Sharadin says
Hi Lauren,
An excellent example of how COVID-19 revealed how many organizations were ill-prepared to adapt to unforeseen events. For my news article, I posit whether incident response for ransomware targeting critical infrastructure (water facilities) should also invoke the disaster recovery plan. As you have explained, I think the scope and type of incidents requiring DR planning are quickly growing and pose a serious threat to business livelihoods if not addressed. Thanks for sharing your thoughts!
Kelly
kofi bonsu says
I agree with you in regard to your explanation of disaster recovery but you must understand in the same way that those who have been living on the edge without a detailed disaster recovery plan struggled to adapt to the unexpected normality where almost all employees have to work remotely.
kofi bonsu says
Good one there! However, you must understand that a disaster recovery plan can be “wrong” if it’s too simple or too complicated.
Ornella Rhyne says
Hi Christopher,
I like your definition. It’s simple and clear and it looks like we put the same definition which I believe is not bad. A disaster recovery plan should be in the company priorities as we never know what will happen the next day or hour. A good strategy will help an organization reduce the cost of what a natural disaster can do and immediately respond to an unplanned incident to keep the business going.
Mohammed Syed says
Disaster recovery plan is a set of written procedures that are to be followed in case of natural disaster. Disaster recovery planning brings order to the confusion that surrounds the interruption of an organization’s normal activities. The set of written procedures can ensure the smooth running of technical controls, policies, tools, and procedures. The recovery plan starts after a natural disaster occurs such as a hurricane, fire, terrorist attack, and flood etc. Disaster recovery plans are designed to help guide individuals with clear directions when individuals are in a heightened state and have a hard time focusing. Disaster recovery assumes that the primary site is not recoverable, at least for some time and enables a standby site to be reserved to keep all essential business aspects functioning despite significant disruptive events. Standby sites help ensure that alternate process sites are far enough away from your main site that they are unlikely to be affected by the same disaster. The Disaster recovery plan ensures that data is backed up on systems on a regular basis to prevent sudden loss of data. Disasters don’t usually come with advance warning. If real time operation is critical to an organization, it is best to ensure that the backup site is ready to assume primary status at a moment’s notice.
Chapter 18 (ISC2)
Andrew Nguyen says
Hi Mohammed,
I agree with your point that the DRP should be followed in the case of a natural disaster. I would also add that the disaster recovery plan should include / account for other business disruptions that are not natural disasters, such as power failures, loss of life, etc.
Thanks for sharing your thoughts!
Best,
Andrew
Wilmer Monsalve says
Yes Andrew I agree, anything that disrupts business functions and or creates a system failure due to a significant incident it encompasses other events such as a cyber attack or breach within the company. Anything that prepares for the worst possible scenario.
Alexander William Knoll says
Hi Mohammed,
I 100% agree with what Andrew said and also wanted to add that a DRP sounds like something put in place for natural disasters, and while that is key, it is definitely not the major reason. An article I read said that over the past 3 years, only 7% of DRPs were in response to natural disasters, with most being in response to something that was human error. Thought that was interesting. Thanks for both of your thoughts.
Corey Arana says
A disaster recovery plan (DRP) is a response to a particular event. The organization should have a formal document that details the steps on how to respond to such event. Earthquakes, hurricanes, cyber-attacks, and terror attacks are just a few examples. The DRP will contain information and guidelines on how to minimize the effects of the disaster so the business can continue operating. A DRP is needed so the organization does not lose money, customers, and even the business itself.
Jason Burwell says
Hello Corey,
I agree the DRP should be a formal document and should cover what to do in all forms of disaster whether they be natural or through cyber means.
Ornella Rhyne says
Hi Corey,
I agree with you. I think that the pandemic has made companies include this recovery plan in their business objectives. We are now seeing with the pandemic that working from home has made organizations come up with new policies and procedures to protect their data. Some jobs do not allow you to travel outside the US with your work laptop because they are scared of breaches or power outages especially in Africa. A DRP comes to restore data access and keep the business running.
Alexander William Knoll says
I fully agree, Ornella,
The pandemic has likely forced so many organizations to make necessary changes in the aspects of their DRP, because remote working has made every organization have to look at every aspect of the organization in an entirely different way, this just being another one of those aspects.
Michael Galdo says
A disaster recovery plan is a company’s document of instructions on how employees and the company should act in the case of an unplanned disaster. These unplanned disasters include events such as natural disasters and power outages. A disaster recovery plan is needed for the sake of business continuity. By having a disaster recovery plan set in place, you are helping prevent data loss, data destruction, and quick IT recovery.
Christopher Clayton says
Hi Michael, unplanned disasters are definitely events that management and employees need to be prepared for. As I mentioned in my comment, training is a very necessary step to help staff stay ahead and know what procedures to follow if a disaster should come, so that it will be resolved and business will continue to run efficiently.
Corey Arana says
Well said Michael, having documented instructions on how to handle a disaster is key.
Victoria Zak says
Michael,
Because a disaster recovery plan is so important for a business to have in place, there are scenarios included so employees understand what to do in a high pressure situation. Not only should scenarios be included, but training should as well.
kofi bonsu says
Good one there! However, you must understand that a disaster recovery plan can be “wrong” if it’s too simple or too complicated.
Bernard Antwi says
Great points raised, Michael. Disaster recovery planning enables businesses to maintain a high service quality, regardless of the circumstances. For instance, reacquiring an old customer in the aftermath of an IT disaster can be nearly impossible – a disastrous effect that so many businesses have experienced firsthand.
Alexander William Knoll says
Bernard,
Good point that I didn’t think about in my response, and a lot of people didn’t bring up either. Not only is it essential to have business functionality able to recover as fast as possible, it’s definitely important to think about the customers as well. In many cases, if an organization poorly responds to a said disaster, the customer would likely feel inclined to take their business elsewhere, and the organization definitely needs to be prepared for how to respond to that possibility.
Lauren Deinhardt says
A disaster recovery plan (DRP) is a holistic plan for a company/organization to follow if and when a disaster occurs. DRPs are not universal by any means, and it is important for an organization to conduct a risk assessment in order to properly formulate an applicable DRP (for instance, a company based in Hawaii would not typically consider potential threats like blizzards and ice storms when creating a DRP). DRPs assist in coordinating recovery efforts, and should be regularly tested in order to ensure the DRP works, and is constantly improving. A DRP is critical to an organization to ensure business continuity, as well as the availability of services, in light of a disaster. Without a strong DRP, an organization is risking preservation of its essential security objectives, which creates both organizational and cybersecurity risk.
Madalyn Stiverson says
Hi Lauren, Good point on regularly testing the DRP. A DRP that has not been tested is no better than an organization not having a DRP. It’s one thing to have all necessary steps written down, but it’s another thing to teach and make sure each key player knows their role in the event of a disaster. Emergencies are stressful, high stakes situations, and a person’s judgement can be impaired by the stress in those situations. So it’s ideal to make sure that person has already experienced that situation in a mock environment and has (hopefully) had all or most of their questions answered.
Ryan Trapp says
Hi Madalyn,
I also agree it is a good idea to have the DRP tested. My question I would pose is how often should something like this be tested? Is this something that would want to be done monthly, quarterly, annually or even longer? Ideally a DRP would not be used that often so it begs the question of how often something like that should be tested.
Madalyn Stiverson says
I would think annually is the bare minimum for how often you should be doing tabletop exercises. When you do these exercises, oftentimes it’s a different scenario each time. For example, the first time could be a flood took out your manufacturing plant. The second tabletop exercise could be pandemic related (think covid-19 and how many companies needed to transition from having a primarily in-office workforce to a primarily virtual workforce). In other words, there are many different disasters that could happen, and your DRP will respond differently to different disasters.
Vraj Patel says
A disaster recovery plan is a written document that is reviewed and approved by higher authority in the company. It includes the gaps in the business that could be affected during any type of disaster and the remediation process once the disaster has occurred. The disaster could be of any type, caused by nature or by humans. Natural disasters would be determined based on the geographic location of the business; some examples of natural disasters would be a tornado, hurricane, fire, storm, flood, earthquake, or tsunami. Disasters caused by humans would be through hacking, gaining physical access to the company’s devices and damaging them, or human error. A disaster recovery plan would help an organization resume as quickly as possible after the disaster has occurred, as it would contain the information to help guide the business to remediate the threat as quickly as possible. If the business doesn’t have a disaster recovery plan in place, it could cause them financial issues and/or they would have to keep their business shut down for a long period of time until they have fully recovered from that disaster.
Kelly Sharadin says
Hi Vraj,
Excellent post. I initially agreed with your point that natural disaster planning should be based on geographic location, which remains valid. However, given the changing climate, that may need re-evaluation. For example, who would have ever predicted Texas would experience a snowstorm! The entire state’s infrastructure was not prepared for such a bizarre natural disaster. These weather anomalies are where a risk assessment would be impactful – it may not be likely to occur, but some thought and planning around the possibility may become an increasing reality—nicely done!
Kelly
Andrew Nguyen says
A disaster recovery plan details an organization’s procedure when a disaster happens. A disaster in this case can be natural (hurricanes, floods, power shutdowns) or something else (e.g., an employee being involved in a fatal incident).
It is needed to protect the business in cases in which a disaster occurs, and helps the business protect itself against loss.
Matthew Bryan says
A disaster recovery plan is a document created by an organization, often via special committee, that outlines detailed instructions on how to respond to an unexpected business disruption, e.g. natural disasters, fire, cyber attacks, etc. The disaster recovery plan is informed by business continuity requirements and how the organization will respond to maintain an acceptable level of business operations. (Vacca 36) The disaster recovery plan ensures the business is able to function during unplanned, disruptive events that limit resources and complicate operations. Failure to have a disaster recovery plan could result in additional losses and extended time to recover from the event.
Andrew Nguyen says
Hi Matthew,
I like how you point out that the disaster recovery plan (DRP) not only applies to natural disasters, but other business disruptions as well (like loss of life, etc.).
I think the more business disruptions that an organization can account for, the better their disaster recovery plan will be, and ultimately they will be better prepared in the case that a business disruption occurs, since the organization’s response is already accounted for in the disaster recovery plan.
Thanks for sharing your thoughts!
Best,
Andrew
Victoria Zak says
Matthew,
It is extremely important for a business to have a DR plan. If an organization does not have a disaster recovery plan, not only is there an extended time to recover from the event but, a business can lose millions and millions of dollars. Additionally, customer data can be lost in the process as well.
Olayinka Lucas says
Disaster Recovery is the process developed within the organization to ensure the recovery of enterprise mission-critical activities following an unforeseen disruption. Disaster recovery focuses strictly on technology systems supporting critical business functions, which involves keeping all essential aspects running efficiently despite significant incidents.
An IT Disaster Recovery plan, on the other hand, is a document that articulates the steps, procedures, and responsibilities to enable an organization to recover its IT systems and get operations back on track when disaster strikes.
A DR plan is a component of the organization’s Incident Recovery plan; once deployed, the disaster recovery plan must be tested to ascertain its effectiveness in the event of a disruption. The DR plan is essential to ensure that incidents through adversarial attacks, employee errors, structural breakdowns, or environmental disasters are appropriately managed within the approved MTDT (Maximum Tolerable Downtime) and RTO (Recovery Time Objective).
The under-listed are types of disaster recovery plans:
1. Virtualized Disaster Recovery Plan – A replica of the entire IT infrastructure and stores it on an offsite Virtual Machine (VM).
2. Network Disaster Recovery Plan – A network disaster recovery plan helps the IT team respond to an unplanned interruption of network services.
3. Cloud Disaster Recovery Plan – A failover cloud from the initial data center.
4. Data Center Disaster Recovery Plan – A separate facility used when a disaster occurs.
Dhaval Patel says
Hi Olayinka,
I like how you broke down the different types of DRP. Different parts of the organization rely on certain infrastructure and having a plan ready for that Infrastructure is key in coming back from a disastrous event. Many times virtualized, cloud, and data center plans overlap as they all store data and Information, but each can be used for a specific service as you have stated.
Michael Duffy says
A disaster recovery plan is a set of plans/procedures for an organization to recover from different scenarios or events which could cause loss of systems/operations/critical functions within an organization.
A disaster recovery plan is essential for every business in order to resume operations based on the event that occurred. Depending on what IT infrastructure or operations are affected, the procedures to bring systems back online might vary. Some procedures may specify moving databases to an alternate site in order to mitigate downtime or moving to different sites entirely depending on the criticality of the data. As Vacca elaborates in Chapter 36, the response must match the threat which is why the DR plan should specify Mission Critical, Business Critical, and Organizational Critical processes.
Disaster Recovery Plans are created to provide means for businesses and organizations to have an effective strategy to mitigate losses and bring the business back to operations. As Morgan Stanley states “73% of firms hit by a disaster wind up shutting down.” This makes disaster recovery something businesses should prioritize with respect to their scope of operations.
Bryan Garrahan says
Thanks for sharing Michael. You mention that the DR plan should specify Mission Critical, Business Critical, and Organizational Critical processes and I certainly agree. I think it also makes sense to periodically (maybe bi-annually) review the processes to ensure their level of criticality is accurately documented. If they are not, and changes are required, updates can then subsequently be applied to processes whose level of criticality has changed.
Ryan Trapp says
A disaster recovery plan is a detailed document created by a company that contains instructions on how to respond to unplanned incidents. A DRP is important for an organization to have due to the unpredictability of when these unplanned events will take place, such as natural disasters or cyber-attacks. Anytime there is a disruption to business there can be a loss of revenue and the longer the recovery time the more adversely the company will be affected. Therefore having a proper DRP in place will ensure the company can recover as quickly as possible and minimize the negative impacts of these unplanned events.
Michael Galdo says
Hello Ryan,
I agree that a disaster recovery plan is meant to instruct on how a company should act in the case of an unplanned disaster. By having a disaster recovery plan set in place, you are helping prevent data loss, data destruction, and quick IT recovery. It is important that a company recovers as quickly as possible with as minimal risk as possible.
Michael Jordan says
A disaster recovery plan is a system that has been created for a business to recover and restart from a disaster as quickly as possible, and also to minimize human life risk, financial loss, reputation loss, and legal liability. As there are many different types of disasters that can occur, a disaster recovery plan is better the more comprehensive that it is, and should at least cover the most common and most severe disasters that can occur (fire, IT breach, severe weather, business interruption, etc.). It should be descriptive, concrete, and practiced so that employees feel confident and well-trained should a disaster ever occur. It is needed because you never know when a disaster will happen, but there is always a chance. Some disasters end businesses altogether, and the worst ones (especially if unprepared for) can put human lives at risk.
Joshua Moses says
A disaster recovery plan is developed to help a company recover from a disaster. It is the plan and processes for quickly reestablishing access to data, applications, and IT resources after an outage. It provides procedures for emergency response, extended backup operations, and post disaster recovery when an organization suffers a loss of computer processing capability or resources and physical facilities.
There are many options for a disaster recovery plan. For example, an organization’s plan could consist of switching over to a redundant set of servers and storage systems until their primary data center is fully functional again. There are many solutions and many options to deploy those solutions. A few alternatives an operations or security team can employ for backup and disaster recovery are traditional tape, snapshot-based replication or continuous replication.
Moreover, it is important to consider both completely restoring necessary backups, as well as doing it in a thorough but hasty fashion. Every minute the servers are down is money being lost!
Vraj Patel says
Hey Joshua,
That’s a great post. I completely agree with you that a disaster recovery plan is to help a company recover from the disaster. I also agree that there are many options for a solution to keep the business running, such as having cold, warm, or hot site planning prepared ahead of time that can help keep the business running during the disaster.
Michael Duffy says
That last point is something companies obsess over, especially companies that offer live service. For example, if you are running a website, having more than just 1% downtime can cost an incredible amount of money and reputation. Imagine spending 40 minutes online shopping and your entire cart is emptied because the site was unstable. Are you likely to shop at the website again? No – you’ll just head over to Amazon instead where they rarely experience outages.
Joshua Moses says
Hello Vraj and Michael,
Vraj, very good point and reminder about the three types of recovery sites (cold, warm and hot sites).
Michael, you are absolutely correct. After reading your reply it made me think about how Facebook, Instagram and WhatsApp all went down a couple of weeks ago on Oct. 4th. I don’t know exactly how long these social media platforms were down that day, but according to Google it was at least 6 or 7 hours. After the fact I saw a post on Instagram, which I confirmed with a credible source that said Mark Zuckerberg personally lost $7 billion dollars due to the outages. Truly perplexing!!
Antonio Cozza says
What is a disaster recovery plan? Why is it needed?
A disaster recovery plan is a formally defined method for a plan of action in the event that a disaster event occurs. A disaster is defined by each corporation based on the results of different risks and associated impacts based on both qualitative and quantitative risk assessments. According to Vacca, it is an often overlooked element of business, which represents its own risk for the organization. Through critical understanding of the most relevant and realistic risks that would cause major issues and downtime, an organization can develop an efficient DRP which will help the business to retain its reputation and minimize revenue loss while bringing critical infrastructure back online through means of redundancies like alternate sites, extra authorized and knowledgeable IT staff, and/or technologies.
Olayinka Lucas says
Hello Antonio.
To further support your comment that it is an often-overlooked element of business, we recently saw it during the COVID pandemic. Most organizations realized that they didn’t have the proper process in place or the process was not adequate to ensure disaster recovery. Even though a pandemic of that nature is a once-in-a-century occurrence, organizations that had a structure in place were able to withstand the pressure, survive and learn. In contrast, the consequences of the pandemic consumed businesses with nothing in place.
Ornella Rhyne says
Hi Antonio,
Great job on defining a DRP. All companies need a DRP in case a natural disaster happens. This strategy will analyze critical business processes to define the policies and procedures they need to implement when such an event is happening.
Madalyn Stiverson says
A disaster recovery plan is a contingency plan designed to respond to events that result in a business interruption. This could be physical catastrophes that lead to destruction of the office (such as flood, tornado, hurricane). The DRP goes into how to respond to such events. For example, public relations, recovery time objectives, and key personnel to assist in the response effort. Ideally, the plan will have thought of everything so that you are able to respond to the disaster with a clear and determined head. A subset of the DRP would include an incident response plan (IRP). This plan would go into detail on how to respond if there is a network interruption, such as due to a ransomware incident. The IRP will ideally have already outlined your counsel (which you should ideally have a relationship with prior to the incident). Similarly, it should also outline who you will go to for forensics. Ideally, you want to establish privilege as soon as possible by contacting an outside counsel. This legal firm can assist in figuring out your notification requirements or legal obligations.
These plans are needed so you are able to respond to any disasters or incidents in a timely manner. You think more clearly when you’re not in the middle of an emergency. Therefore, you can carefully select a law firm and forensics firm that best suits your needs, rather than rushing to pick one the day of the event.
Olayinka Lucas says
Hello Madalyn.
To further articulate your comments, a disaster recovery plan is mission-critical technical infrastructure-focused, while the business continuity plan is process-centric. Regardless of the area of concentration, the Incident Response plan is a subset of both the Disaster Recovery and the Business Continuity plan, which supports organization-wide contingency planning.
Joshua Moses says
Hello Madalyn,
I really appreciate the insight you have provided in your answer. Having a contingency plan in place is always a good idea, in all walks of life… especially in the case of Cyber Security. It is imperative that IT security professionals are able to respond to these outages promptly, and like you’ve mentioned “with a clear and determined head”. I’m sure there is a lot of pressure when trying to restore these systems that are critical to business operations, so having a disaster recovery plan is essential when actually responding to a disaster. Also I like how you included some perspective about IRPs, and how they provide an understanding of how to respond to a network outage. This was a perfectly detailed response!
Miray Bolukbasi says
Once the organization loses access or functionality to its IT infrastructure systems, disaster recovery helps to recover from the event. It relies on replication of data or computer processing in a not-affected location. Regardless of natural disaster, cyber attack or equipment failure, a business needs to recover as soon as possible to regain access and keep functioning.
The disaster recovery plan specifically addresses the set of actions to be taken “before, during and after the disaster”. Disaster recovery is needed to minimize the recovery time and possible delays. It improves security while preventing potential legal liability.
Olayinka Lucas says
Hello Miray.
Well said. The overall objective of the disaster recovery plan is to establish parameters based on quantitative indicators to guide organizations during and after incidents. Such parameters include the MTDT (Maximum Tolerable Downtime), RPO (Recovery Point Objective), and RTO (Recovery Time Objective). All these, initially derived from conducted risk assessments, are subject to management approval and will serve as the standard for assuring the disaster recovery plan’s effectiveness.
Wilmer Monsalve says
A disaster recovery plan encompasses a what-to-do set of instructions in case of there being an event that could bring the whole system down that may affect the operations of a business. With a disaster recovery plan, the IT department knows what to do for each incidental scenario that they have predicted may happen. This way no data is lost, and/or the business operations can still function while the system recovers from whatever incident occurs. It is crucial and needed for every business that relies on technology. Without a disaster recovery plan a business would take much longer to recover and/or might not know what to do because they are not prepared; this can cost the business a lot of money, especially the money that is lost from not operating, separate from the disaster incident. Being prepared for the worst is always the best for a business and will add longevity to the business in case any scenario occurs.
Christopher Clayton says
Hi Wilmer, good that you mention how crucial it is for businesses that rely on technology to have a BIA plan. Just like physical security, you need to have a step-by-step plan in place to help protect your data that is critical to the business. If it is not maintained properly, things may turn catastrophic should an unfortunate event occur.
Dhaval Patel says
A disaster recovery plan is a strategy that allows the organization to run in the situation that an unfortunate event occurs such as natural disasters or getting hacked. Disaster recovery plans are important for an organization not only to keep running after a catastrophic event but can also aid in preventing the event. Many DR plans will contain hardware and software that have preventative measures that can reduce the chances of getting hacked. In addition to this, disaster recovery plans can mitigate financial loss and allow for a quick turnaround in the event of a major disaster.
Madalyn Stiverson says
Hi Dhaval,
You mentioned the Disaster Recovery Plan (DRP) would respond to cyber incidents. Oftentimes, the DRP is separate from the Incident Response Plan (IRP). The DRP is what responds to disasters (flood, hurricane, etc.). The IRP is typically what responds to cyber incidents.
Then as additional context, there’s a Business Continuity Plan (BCP) as well, which typically includes analyses such as the business impact analysis. This plan is focused on getting operations resuming as fast as possible. It often incorporates aspects of both the DRP and IRP.
Typically, organizations have a DRP, IRP, and BCP.
Bryan Garrahan says
The disaster recovery plan (DRP) is designed to assist an organization in executing recovery processes in response to a disaster. The DRP helps organizations outline the necessary steps in order to actually recover from a disaster. The goal of the plan shouldn’t be to simply recover from a disaster, but rather, another key objective should be to make the recovery as efficient as possible. A thorough business impact analysis (BIA) can provide details on what critical systems/processes should be prioritized and the DRP can utilize this information to ensure disaster recovery teams are adequately staffed and trained on the necessary recovery steps. This plan should be periodically reassessed and tested to ensure it remains applicable to the recovery of the organization.
Michael Jordan says
Bryan,
Good job mentioning how a BIA is necessary for the most efficient DRP to be created. Unless the most prominent risks and vectors for loss are identified, an adequate process cannot be created for mitigating these risks and prioritizing one step before another.
Mike
Jason Burwell says
What is a disaster recovery plan? Why is it needed?
A disaster recovery plan (DRP) is a formal document created by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events. The disaster recovery plan is a recorded policy or process that is designed to assist an organization in executing recovery processes in response to a disaster to protect business IT infrastructure and more generally promote recovery.
It is needed to lessen the blow of any unplanned outage the business may face. As understood from the readings, the longer the downtime, the worse off the business is. The loss of revenue, critical data and customer satisfaction all become major issues if the outage is not addressed quickly. The DRP is in place to make sure business can get back to normal as quickly as possible.
Dan Xu says
I agree with you about the benefits that a disaster recovery plan can bring to humanity, and a good disaster recovery plan can recover quickly from an outage. Business disruption due to a cyber attack can have a devastating impact on an organization, and time is of the essence for disaster recovery to provide smooth, rapid service recovery to ensure continued business operations when a disaster occurs.
kofi bonsu says
I agree with you as regards your analysis on disaster recovery plan. However, you need to understand that one of the main overlooked aspects of Disaster Recovery planning is communication, despite it being among the most important tasks on this list. Your communication plan should outline the protocol for communicating with people essential to your business, e.g. employees, vendors, and customers.
Richard Hertz says
What is a disaster recovery plan? Why is it needed?
A disaster recovery plan is the ‘game plan’ on how an organization will respond to an event that could potentially threaten its existence. This plan is normally the end product of an organization-wide analysis and planning activity that will map out the roles and responses for all key stakeholders and critical functions in the case of a disaster. Without a DR Plan the organization will likely not be able to function or respond effectively in the event of a disaster. In the face of a disaster event and the ensuing chaos, without a DR Plan the organization will not respond effectively. A DR Plan maps out the functions and the roles to be played when responding to a disaster event. It prioritizes the critical business functions to be performed and how to do it.
zijian ou says
Disaster recovery refers to the process of reactivating the data, hardware, and software devices of the information system after a natural or artificial disaster to restore normal business operations. Disaster recovery planning is part of a broader business continuity plan. Its core is to assess and prevent catastrophic risks of an enterprise or organization, mainly to record, back up, and protect critical business data and processes promptly.
Disaster recovery plans and the preventative measures they include are essential for stopping disasters from occurring in the first place. Although tragedies may not always be avoidable, having a recovery plan helps reduce the potential damage and quickly restore operations when one occurs.
Richard Hertz says
I like the way you phrased your conclusion – that a recovery plan ‘REDUCES’ the potential damage to the business. Most DR plans are designed to provide some level of relief and not full restoration of services – that level of DR is generally cost prohibitive and therefore out of reach for most organizations.
Victoria Zak says
What is a disaster recovery plan? Why is it needed?
A disaster recovery plan is extremely important to an organization; every business must have a DR plan in place. It helps a business get back on its feet as quickly as possible. In case of a natural or human disaster (hurricane, flood, earthquake, or tornado), policies and tools are set in place to recover the data of a business. It is very important for an organization of course to not lose all of their data, but to avoid a criminal cyber attack.
In a DR plan, scenarios are included to help employees respond in an emergency matter as efficiently as possible. I found a very interesting fact on Evolve IP that mentions, “The National Archives and Records Administration reports that 93 percent of companies that experience data loss and downtime, extending for 10 or more days, will file for bankruptcy within 12 months.”
Reference:
https://www.evolveip.net/blog/4-benefits-disaster-recovery-planning
Dan Xu says
A disaster recovery (DR) plan is a formal document created by an organization that contains detailed instructions on how to respond to an unplanned event. Examples include natural disasters, power outages, cyber-attacks, and any other disruptive events. This plan contains strategies to minimize the impact of a disaster, and the longer the recovery time, the greater the adverse impact on the business. Regardless of the source of the outage, a good disaster recovery plan allows for a quick recovery from the outage. Business interruptions due to cyber attacks can have a devastating impact on an organization, and the importance of time for disaster recovery is largely reflected in the enormous impact of today’s midrange networks on human life.
Disaster recovery planning requires specialized skills, integrated strategies, and advanced technologies, including orchestration of data protection and recovery. This means that the program has high technical requirements for this area. A disaster recovery plan is necessary and its benefits are many. For example, it minimizes disruption to normal operations and reduces the economic impact of disruptions, and provides smooth, rapid service recovery in the event of a disaster to ensure continued business operations.
Bernard Antwi says
A disaster recovery plan is a set of “actions to be taken before, during, and after a disaster”, and is made to help protect businesses in such an event. A disaster recovery plan is a more focused, specific part of the wider business continuity plan. The scope of a disaster recovery plan is sometimes narrowed to focus on the data and information systems of a business. Simply put, a disaster recovery plan is designed to save data with the sole purpose of being able to recover it quickly in the event of a disaster. Some benefits of the DRP include helping businesses recover operations more quickly after interruptions, reducing costs and duration of any disruption, mitigating risks and financial exposure, building customer confidence and trust, as well as safeguarding company reputation.
Alexander William Knoll says
The IT disaster recovery plan (DR plan), to put it in simple terms, is a plan an organization will put into place in order to recover from potentially disastrous events. It is defined as “a written document that spells out the policies and step-by-step procedures/responsibilities to recover an organization’s IT systems and data as well as to restart operations following the disaster.” Once implemented, it should also be tested to confirm that IT operations can fully recover from said disaster. Examples of such events that affect IT capabilities are obviously natural disasters, but more commonly they are human error, hardware/software failure, and cyber attacks. Oftentimes these ‘disasters’ are completely unpredictable or the result of accidents, so for that reason it is essential for every organization to have some form of recovery plan put into place, regardless of the organization’s size. Such a plan set in place also minimizes risk exposure, reduces disruption, ensures economic stability, reduces insurance premiums/potential liability, and upholds compliance. Failure to have a well-organized plan can lead to potentially devastating losses, anywhere from loss of money/resources, to completely shutting down the organization.
https://www.acronis.com/en-us/articles/disaster-recovery-plan/?gclid=CjwKCAjw_L6LBhBbEiwA4c46uhLnj_L6cKa9BxMbiOOsIForWu1ccQz7pTivfAqQS6oadtLTMPDPGBoC6wAQAvD_BwE