Disaster recovery report card: Measuring your company's disaster recovery profile


Dennis C. Brewer
07.25.2006


Disaster recovery preparation is challenging because you don't know exactly what you're preparing for. Events like Hurricane Katrina also point to our inability to reliably predict the scale of damage and the inability of government at all levels to cope with the aftermath of an adverse event. The adverse event can range from extreme weather conditions or disturbances in the earth's geology to human-related events caused by errors, accidents or malice.

Regardless of the cause, adverse events become disasters when the event's negative consequences affect your company's ability to maintain operations. Even though IT planners cannot predict what event may threaten the continuity of IT operations, the basics of disaster recovery planning and recovery requirements change very little. To see how your company's disaster recovery efforts may measure up, consider using the following criteria to measure your disaster recovery plan and the probability that your IT operations can be recovered to support your business operations within a short period of time.

Grade F (Unprepared)

  • Regular data backups are not performed.
  • Processes or documented procedures for recovery are not in place.
  • You have never tested your ability to recover operations in any way should normal IT operations be threatened or fail.

Grade D (Marginally Prepared)

  • Operating systems and applications are backed up daily, but not tested.
  • Tape backups haven't been tested since the last staff change -- or in the last six months.
  • Data backups are sent out each night to an alternate location nearby.

Grade C (Prepared)

  • Full backups (digital trio replicas) have been recently tested, as have processes and documented procedures for recovery.
  • Backups are done off-site over a communications link on alternate hardware.
  • Tape backups are stored off site or sent by courier each evening to an alternate location up to ten miles away.

Grade B (Well Prepared)

  • Backups are done on a redundant SAN storage array at alternate locations separated by 10-63 miles.
  • Alternative electric power is available at one or both sites.
  • Data, OS and application recovery steps have been tested in the last quarter and found to be adequate to recover normal business operations within 24 hours.

Grade A (All Set)

  • Redundant, near real time, bit-by-bit hot backup site separated by 64-200 miles or more, with alternative power.
  • Backup site runs daily production operations at least one day per month to verify smooth transfer of operations.

The days of having your entire backup and recovery tapes and hardware in the same building should long be a thing of the past for any of today's publicly traded companies reliant on their data systems. The technology and communications options available allow placing replicas in geographically dispersed locations and communicating backup data in near real time. Should an organization not want to invest in the resources itself, pooling with others or using third-party providers should be considered as alternatives. Management should know the company's disaster recovery profile and have an honest assessment of the time it would take to recover after an adverse event. The grading scale above should provide a starting point and help communicate the situation in easily understood terms to decision makers regarding the ability to recover. It should also help to demonstrate the funding and resources needed to prevent an event from becoming a disaster by moving up one or more grades.

About the author

Dennis C. Brewer is the author of Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access published by Wiley. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification, and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.


    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy