Top 10 Reasons Disaster Recovery Business Continuity Plan Fails
Recent hurricanes and wild fires have shown that many organizations that have plans in place that do not work as anticipated. . .
In the recession many organizations put disaster recovery and business continuity on the back burner and the plans are not as functional as they were when they were created. It is now time to revisit these plans. In doing this planners should keep in mind the top ten mistakes made in disaster recovery business continuity plans. They are:
- Backups do not work - It does not matter how good a Disaster Recovery and Business Continuity plan is if the data is out of date, is in a location also affected by the disaster, or has become corrupted. Perform backups at rigidly enforced, regular intervals to protect information integrity. Test and test again.
- Not identifying every potential event that can jeopardize the infrastructure and data that the enterprise depends - In addition to the security and network threats - viruses, Trojans, worms, etc. - planners need to identify any forces that are unique to their geography. Are their facilities on an earthquake fault, tornado alley, or in a flood zone? Does the region experience frequent power interruptions from storms or rolling blackouts?
- Forgetting or ignoring the cross-training of personnel in disaster recovery and business continuity - Often businesses create a Disaster Recovery and Business Continuity plan that depends on just a few people. Planners and DR/BC team leaders need to identify and cross-train a pool of employees that are capable of responding in an emergency. It helps if this pool of resources is geographically dispersed in case of a large environmental disaster that affects all local employees.
- Not including a communication processes which will work when your communication infrastructure is lost - If the power goes out in a facility and no one is there to report it, will your Disaster Recovery and Business Continuity staff be informed? Planners and DR/BC team leaders can arrange with a third-party service provider to monitor your facility and notify a pre-defined set of individuals that are trained to execute your disaster recovery business continuity plan.
- Not having sufficient backup power - both capacity and durations - If a facility is affected by a widespread environmental disruption, companies may find they are without power for an extended period. Plan to have sufficient fuel on hand to run the back-up generators for more than a week. In addition, purchase the longest-life, most uninterruptable power supply available.
- Having a recovery plan in place but not listing priorities of which resources need to be restored first - Which of an enterprise's IT applications need to be accessed first? Are there some that can wait a day or two without affecting the business? Planners need to be selective about the order in which applications and services are brought back on-line first after a disaster. For example, planners might choose to reactivate your company's email application before they restore departmental file servers. There may be politics involved in this decision, so make sure planners get buy-in beforehand, to avoid the “me firsts!”
- No physical documentation of your Disaster Recovery and Business Continuity plan - After creating a plan, DR/BC managers need to be sure that they create detailed “physical” systematic instructions on how to execute the recovery plan. Ensure that every process is well documented. Describe the location of all system resources needed to accomplish the recovery. Be sure to store the documentation at multiple locations and verify that all key personnel have easy access to the manuals.
- Disaster Recovery and Business Continuity plan that has not been tested adequately - DR/BC managers need to make sure your recovery plan actually works in an emergency! They should regularly conduct data fire drills to test every possible scenario, from basic power failures to catastrophic events that could result in multiple months of devastation.
- Passwords are not available to the Disaster Recovery and Business Continuity team - Though password protection is a key goal for data security, DR/BC managers need to store system passwords in at least two geographically separate, secure locations. Make sure that more than one IT staff person has access to all passwords and codes. Change these passwords promptly if key personnel leave the company.
- Disaster Recovery and Business Continuity plan is not up to date - Planners should never stop updating the Disaster Recovery and Business Continuity plan. Once a plan is created, planners should revisit it at least on a quarterly basis. Establish and document a list of trigger points that should invoke changes to the plan, like personnel, equipment, location or application changes, to name a few.
Disaster Recovery and Business Continuity Job Descriptions Updated
What roles and responsibilities do people have during the planning, plan activation and recovery process is a question that need to be addressed before an event occurs. . .
CIOs and HT managers have have asked us what are the roles and responsibilities of staff in the disaster and business continuity process. Janco has recently updated all of its job descriptions and the Disaster Recovery Business Continuity Job Description Bundle. Each job description is at least 3 pages (single spaced) long, comes in Microsoft WORD, and is easily modifiable. The job descriptions included are:
- Chief Information Officer,
- Chief Security Officer,
- Chief Compliance Officer,
- VP Strategy and Architecture,
- Director Disaster Recovery and Business Continuity,
- Director e-Commerce,
- Director Media Communications,
- Manager Disaster Recovery,
- Manager Disaster Recovery and Business Continuity,
- Disaster Recovery Coordinator,
- Disaster Recovery - Special Projects Supervisor,
- Manager Database,
- Capacity Planning Supervisor,
- Manager Media Library Support,
- Manager Site Management, and
- Pandemic Coordinator
Audit Program for Disaster Recovery Business Continuity Updated for ISO 22310
ISO 22310 is a more robust standard than the earlier ones set by ISO
ISO 22301 is the latest ISO Business Continuity standard. It is called "Societal security - Business continuity management systems - Requirements". In addition ISO's "Plan-Act-Do-Check" it addresses:
- Objectives and monitoring performance - While continuity objectives were required in BS 25999, the requirement for them to be measurable was not specifically defined. ISO 22301 changes this by placing emphasis on measurable objectives as well as emphasis on monitoring performance.
- Terms and Definitions - The terms and definition section (Clause 3) have been expanded significantly. It now includes reference to terms that have been common in business continuity such as RPO (Recovery Point Objective).
- Legal and Regulatory Requirements - Similar to ISO 27001 Annex A.15, ISO 22301 places a requirement on the organization to establish, implement, and maintain a procedure to identify, have access to and assess the applicable legal and regulatory requirements for its organization as they relate to continuity of its operations, products, services, and the interests of interested parties.
- Communication - There is an expanded communication section within the new standard which specifically requires communication plans for internal and external interested parties.
- Business Continuity Strategy - BS 25999 did an excellent laying out a framework for Business Impact Analysis and Risk Assessment. ISO 22301 goes into much more detail on business continuity strategy.
- Alignment to other Management System Standards - BS 25999 was not a fully integrated management system standard; although many companies implemented BS 25999 as if it was a full management system ISO 22301. ISO 22301 follows the new requirements and alignment for all management system standards and is the 1st new standard to adopt these practices.