Hurricane Ian reminded us all that an ounce of prevention is worth a pound of cure.
The daily demands of keeping an IT infrastructure operational have grown increasingly complex thanks to how often and how rapidly vendors, technologies, and deployments change. In addition, organizations must now consider the nomadic workforce, reduced budgets, and the challenges of hiring and keeping skilled IT professionals. Altogether, this makes a perfect storm for – well, storms and other events which bring the standard workday challenges to levels well above the capacities and sometimes the capabilities of those assigned to deal with the emergencies. This is where your emergency plans come in. An effective outcome and recovery schedule can be tied back to key initiatives brought about and put into place long before the emergency took place. If you haven’t looked at your Business Continuity Plan (BCP) and Disaster Recovery Planning (DRP) manuals, now is a great time to do so while extraordinary events like the wildfires in the western states and the hurricanes on the east coast are still fresh in mind.
It is often said that the best plan is the one that has been detailed out and tested but never needed. What follows is a partial checklist of categories you can use to revitalize your Business Continuity Plan (BCP) and your Disaster Recovery Plan (DRP) and to fine-tune your organization's Business Impact Analysis (BIA). The goal is to be able to meet your organization's needs through various levels of emergencies.
The categories below are only a partial list of areas to pay attention to, but they give a great start toward ensuring that a plan can actually be carried out successfully, with minimal damage or impact to the business or group it is designed for.
Documentation, documentation and, did we mention? Documentation
When my firm goes into an organization, we frequently find that everyone thinks the documentation exists, but when we ask to see it, the documentation either doesn’t exist, or it exists but is not current or not in a usable format. Set aside a small amount of time regularly, either daily or weekly, to maintain and update documentation. Then, when the documentation is needed during an emergency, the seas of confusion will be easier to navigate, and the existing systems will be easier to understand and more readily audited/trued up against all aspects of a recovery or disaster avoidance. When doing documentation, include licensing costs, maintenance costs, invoice true-ups and approvals or credit requests. An accurate inventory and set of documentation can and should serve as great tools for renewals and negotiations of contracts.
Keep Your Documentation Easy to Access
Once the documentation has been created accurately, it is important to keep it in a format that is easily understood and accessible to all who would use the information. Your intended recipients have to include the people who manage the information on a daily basis and those who have to be trained on the use of its contents, in addition to finance, IT help desks, business analysts and database developers. If you cannot easily understand it, you cannot manage it. Rules-based access can easily be applied for these systems to manage access privileges for users and maintain cybersecurity.
Don't Put All Your Infrastructure in One Place
Take a cue from the story of the three little pigs, who ultimately prevailed because they had multiple backup locations. Your key infrastructure needs to withstand geological disasters, grid instability, and connectivity challenges ranging from the outside carrier connectivity (data circuits) to the data warehouses all the way down to connectivity within a given multi-site business environment. Upon inspection of a fully functional BIA and BCP, the questions of where it is kept and where all of the systems are housed will become very apparent. If the business is multi-national in nature, then the political arena and each country's regulations on information and privacy need to be taken into account when setting up and maintaining backup sites.
Identify All the Infrastructure Dependencies
As you create your BIAs, you will be better able to see the relationships between infrastructure components and which ones rely on other systems being up and running. Align the survival of each of the infrastructure elements to each other and look for holes in the plan and areas which need to be shored up; this will allow you to begin budgeting on a multi-year basis to continually bring about a more resilient infrastructure, removing the weak links.
Train Your Key Personnel and Do Emergency Drills
A plan is only as good as its execution. You should not be pulling it out for the first time once the emergency is upon you; you and your key people should have been drilled to the point of knowing what works in the plan, what is missing from the plan and what would cause it to fail in the actual execution during an emergency. Tabletop exercises are one way to discover what information is missing and what the plan's shortfalls are, along with identifying staff shortages or departmental weaknesses.
Keep Contact Lists Up to Date
With the ever-increasing movement of staff and vendor staff, and with vendor mergers and acquisitions, it is more important than ever to regularly update emergency contact lists for all vital vendors and partners. The contact list should include the contact information for trusted team members: consultants, staff augmentation personnel, plus the after-hours phone numbers and email addresses of the entire chain of command for all key vendors and internal staff. If a team member is not willing to supply that information, it's time to talk to your emergency planning team about how to work around them.
Policy and Procedures
No Business Continuity or Disaster Recovery Plan would be complete without organizational policies and procedures in place for all aspects of the BCP and DRP. The policies are the firm rules that are required to be followed. The procedures are the actual steps taken to accomplish a task. These are the what-to-do and the how-to-do-it and, in this case, are centered around the avoidance or handling of all aspects of a disaster. A successful set of policies and procedures would include flow charts and the resulting goal or purpose for each given policy and procedure. These can start out at high levels and continue to be created on a regular basis until there is a policy and a procedure to cover all aspects of the plan.
The above is only a high-level outline for an overall effective set of steps needed to pull a full plan together. As your plan becomes more and more complete, don’t forget that it should be constantly updated and expanded upon.
To recap: make a plan including the elements above, know the plan, have responsible parties drill the plan, and regularly revisit and update the plan.
Article featured on Enterprise Connect No Jitter Forum: https://www.nojitter.com/best-practices/how-update-business-continuity-and-disaster-recovery-plans