If you've ever spent a few nervous days awaiting the recovery of critical information, you know that when your technology is down, your business goes down with it. From fires to floods, from a computer virus to the intern who just spilled coffee all over the server – you need a plan that will get you up and running again, with no hassles and minimal downtime.
A good data recovery plan can save you thousands of dollars in lost productivity, lost profits, and costly last-minute information recovery. It's the best insurance you can have so that when disaster strikes, your business is protected. This plan of action will help you keep your information safe and prepare you for any type of technology failure or office calamity. Follow these five simple steps to create your own IT data disaster recovery and continuity plan. It's a great start to ensuring that your vital information is protected, come wind, rain, fire – or double espresso.
Step 1: Know Your Priorities To get started, you need to identify the most important business functions, including critical data and equipment that runs your business. Take a step back and ask yourself: If you were forced to do business with limited equipment, minimal staff, and less-than-ideal working conditions, what would you absolutely have to have to keep your company going? Start taking an inventory of "must haves." They'll generally fall into three main categories:
- Mission Critical Information: Many customer-facing activities like payroll and accounting software, email, customer invoicing, contracts, and files for current projects fall into this category. This is the information that your business can not live without, even for a few days. Critically important to your daily business operations, this information requires continuous data protection with zero loss and zero downtime.
- Business Critical Information: Loss of this information will not put you out of business. Doing business without it will make your company's operations more difficult. Information such as departmental databases and secondary software often fall into this category. A day or two without Business Critical Information will not put you out of commission, but your ability to service customers will be seriously affected.
- Operationally Important Information: Operationally important information and equipment includes things like departmental files, file servers, or printers. The items in this category are usually easy to replace or rarely accessed, making them a lower priority for data recovery. Keep in mind that just because data is rarely accessed does not mean it is not important. Historic and support information for things such as tax returns, personnel files, and medical records may be rarely accessible, but this information is extremely valuable during an audit or a lawsuit.
Step 2: Develop a Recovery Timeline to Determine the Acceptable Level of Data Loss Once you've identified the business functions and information you need to keep your business running, it's time to figure out how long you can go without it. This section of your data recovery plan should address two key points:
- Recovery Time Objective (RTO): RTO is the amount of time you can operate without your information. The RTO can fall anywhere between a couple of minutes to a few days, depending on the type of data failure. For example, your RTO will allow more time to recover data after a hurricane than it will after a computer virus. The RTO is also relative to your information priorities: Mission Critical data, for instance, will always have a shorter RTO than Business Critical or Operationally Important data.
- Recovery Point Object (RPO): RPO is the amount of minutes, hours, days, and weeks' worth of information that your business can afford to lose. For example, if your business generates a significant paper trail before data re-entering lost data may not be too difficult. If you enter data directly into computers (paperless), it is impossible to recreate the lost data. Since no data loss is acceptable in this scenario, you will need a reliable disk or remote backup system with continuous data protection. It is important to note that RPO is also dependent upon industry and government regulatory requirements, like those associated with HIPPA and Sarbanes-Oxley.
Step 3: Consider the Possibilities Define your RTO and RPO for every data loss scenario. Different scenarios result in different recovery times. For example, it may take several days to recovery after building fire, which requires the execution of a broad disaster recovery plan that includes a new physical location, employee management and phone service set up. Compared to a server failure, which often means several minutes to an hour of downtime, your RTO and RPO will be considered longer for a site disaster. The most common types of data loss scenarios are:
- Human error, such as a data deletion or data entry error
- File corruption, such as viruses
- Storage loss, such as RAID controller failure
- Server failure, including computer failure, error, or theft
- Site disaster, such as fires, floods, and hurricanes
A simple chart can organize your RPO and RTO times for all business function and data by priority for each type or class of disaster. When you complete this step, you have analyzed and prioritized your company's business requirements and established a timeline for restoring critical business processes after any type of disaster. Armed with information, now it is time to write a plan.
Step 4: Take Action; Make a Plan You know what's important. You understand how long you can go without important business processes and how long it's going to take to get it back, whether your office has been hit by a hurricane or a company-wide computer virus. Now, it's time to turn that information into your official business data recovery plan. A good recovery plan should include step-by-step instructions for recovering your critical information and getting back to business after a disaster. Of course, this plan will vary depending on the needs of your business, your company's specific system requirements, and information priorities. As you write your recovery plan, it's important to look at your current data backup and recovery procedures. Most companies use tape, disk-to-disk, remote backup services, or some combination of the three. Your plan of action should be tailor to work with the type of data storage procedures that you use, including instructions for:
- How often each set of information is scheduled to backup
- Which computer systems need to be backed up, including backups for full systems or data only, documented for each server
- How often restores are tested
- The number of generations of data that need to be stored for each computer and data set
- Information for restoring to virtual servers and separate servers, including hardware changes
- For data only backups – locating media with operating systems, programs, passwords, and license keys
- Contacting the primary and secondary people responsible for information restores
If you are using a tape-based system to store your information, your plan will also need to consider:
- How often and how far tapes are rotated off-site
- Tape drive cleaning procedures and expected life of your media
- Replacing media regularly
- Protocol for emergency tape retrieval from off-site location
- Weekly tape testing and information restoration
- Keeping at least a 20 tape backup rotation
- Making sure data is fully encrypted before being written to tape
- Storing tapes between 41 and 89 degrees at 20 to 60 percent relative humidity
Examine your tape rotation schedule and your company's exposure to business loss. For instance, if you rotate tapes off-site every Friday, you are at risk of losing seven days of business activities. The cost of recreating this information after a seven-day loss can be devastating. On the other hand, if you rotate tapes off-site every day, you are only at risk for losing one day's worth of information, which is generally a best-case scenario for tape-based backup systems. Recovering from even one day can be too expensive for some businesses, but it might be acceptable for others.
One of the best ways to minimize information loss associated with tape-based systems is to use a managed backup service provider. A remote backup service can reduce your risk of loss to only a few hours, or, in some cases, zero data loss. The important role of this exercise is to understand the risks associated with your current information recovery system.
Step 5: Identify the Players (and the Benchwarmers) Once you have a plan, you need a reliable team who can take action if disaster strikes. Will your IT manager restore your server's after a disaster? Your remote backup service provider? A combination of the two? Additionally, you will need to design alternate for these players. In cases of larger disasters, like a tornado or a flood, some of your emergency team members may be unavailable or unable to reach your site. Appointing alternates for these key members and exercising your DR plan, assures that someone is ready to get your business up and running. Make sure you managed backup service provider has a DR plan as well. Aside from being familiar with your data recovery plan, your emergency response team needs:
- Current emergency contact information for all employees, especially alternate team members – if this information is only located onsite, it might not be available when you need it most
- Contact information for your building management company and critical sellers, such as your remote backup supplier or computer supplier
- A list of possible alternate or replacement sites, in the event that team members can not access your facility
Practice Preparedness Once you have a solid plan, you need to test, edit, rewrite, and update your business data recovery plan quarterly. The right managed backup provider will have your disaster plan stored and documented in their CRM system. They should also participate in all of your disaster recovery drills. While disasters, information loss, and system failures can not be avoided indefinitely, their effects can be minimized with a bit of planning and preparation.