Disaster recovery report card: Measuring your company's disaster recovery profile

Disaster recovery report card: Measuring your company's disaster recovery profile

Disaster recovery preparation is challenging because you don't know exactly what you're preparing for. Events like Hurricane Katrina also point to our inability to reliably predict the scale of damage and the inability of government at all levels to cope with the aftermath of an adverse event. The adverse event can range from extreme weather conditions or disturbances in the earth's geology to human-related events caused by errors, accidents or malice.

Regardless of the cause, adverse events become disasters when the event's negative consequences affect your company's ability to maintain operations. Even though IT planners cannot predict what event may threaten the continuity of IT operations, the basics of disaster recovery planning and recovery requirements change very little. To see how your company's disaster recovery efforts may measure up, consider using the following criteria to measure your

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

disaster recovery plan and the probability that your IT operations can be recovered to support your business operations within a short period of time.

Grade F (Unprepared)

  • Regular data backups are not performed.
  • Processes or documented procedures for recovery are not in place.
  • You have never tested your ability to recover operations in any way should normal IT operations be threatened or fail.

    Grade D (Marginally Prepared)

  • Operating systems and applications are backed up daily, but not tested.
    More information on disaster recovery

    Learn from these worst practices for backup and disaster recovery.

    Visit our resource center for more tips and expert advice on disaster recovery and business continuity.
  • Tape backups haven't been tested since the last staff change -- or in the last six months.
  • Data backups are sent out each night to an alternate location nearby.

    Grade C (Prepared)

  • Full back-ups (digital trio replicas) have been recently tested, as have processes and documented procedures for recovery.
  • Backups are done off-site over a communications link on alternate hardware.
  • Tape backups are stored off site or sent by courier each evening to an alternate location up to ten miles away.

    Grade B (Well Prepared)

  • Backups are done on a redundant SANS storage array at alternate locations separated by 10-63 miles.
  • Alternative electric power is available at one or both sites.
  • Data, OS and application recovery steps have been tested in the last quarter and found to be adequate to recover normal business operations within 24 hours.

    Grade A (All Set)

  • Redundant, near real time, bit-by-bit hot backup site separated by 64-200 miles or more, with alternative power.
  • Backup site runs daily production operations at least one day per month to verify smooth transfer of operations.

    The days of having your entire backup and recovery tapes and hardware in the same building should long be a thing of the past for any of today's publicly traded companies reliant on their data systems. The technology and communications options available allow placing replicas in geographically dispersed locations and communicating backup data in near real time. Should an organization not want to invest in the resources themselves, pooling with others or using third-party providers should be considered as alternatives. Management should know the company's disaster recovery profile and have an honest assessment of the time it would take to recover after an adverse event. The grading scale above should provide a starting point and help communicate the situation in easily understood terms to decision makers regarding the ability to recover. It should also help to demonstrate the funding and resources needed to prevent an event from becoming a disaster by moving up one or more grades.

    About the author
    Dennis C. Brewer is the author of     Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access published by Wiley. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification, and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.


    This was first published in July 2006

    • Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top