Recovery planning for systems is often difficult for institutions to fully grasp. There are a lot of moving parts involved and a variety of options available. We find that it helps if management has a basic understanding of the types of potential recovery scenarios, the methods that work best for each scenario, and the relationship recovery planning has with the Business Continuity Plan (BCP) and the Business Impact Analysis (BIA).
This week, we will provide a simplified approach to help make your recovery planning more cohesive:
- The Business Impact Analysis is the Key! Every recovery plan should start with an understanding of which processes are critical to the institution, as well as which systems serve those processes. The Business Impact Analysis (BIA) provides that understanding. Start at the process level, asking each department what the impact would be to the institution if each process they are responsible for were unavailable for an hour, for 4 hours, for a day, for a week, and for a month. At the same time, ask what the impact would be if data were lost for those same time periods. Answering these questions will determine the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) for each process. Once these are known, include technical staff to identify the underlying servers and infrastructure that are used by each process. (To better understand the benefits of a Business Impact Analysis, check out this article!)
- Simplify Scenarios. How the RTO and RPO are met may change based on the recovery scenario. Identifying recovery scenarios can be confusing because there are so many potential situations an institution could encounter. We find that it helps to start by grouping scenarios into five categories: Loss of Key Staff, Loss of a System, Loss of a Location, Loss of the Datacenter, and Loss of Data Integrity. Thinking in these terms will help make the design of recovery methods and plans easier.
- Identify Recovery Methods. There are many different types of methods available for system recovery, and institutions can use different methods (or multiple methods) for different scenarios. The methods boil down to these four: Backups, Snapshots, Replication, and Redundancy. Backups can usually be used to recover data when the acceptable RPO is a day or longer and the RTO is longer than the amount of time it takes to restore the backup. If the RPO is less than a day, replicated snapshots can be used (this replication also means snapshots can satisfy RTOs of under 1 day). If the RPO for a system is zero (meaning no data can be lost), real-time replication to a system outside the datacenter should be used. If the RTO is zero, there should be redundant systems in place that automatically fill in during an outage.
- Put it All Together! Once you have the BIA completed, the scenarios defined, and the desired methods identified, it is simple to build a matrix that provides an overview. This matrix then becomes the roadmap for building the recovery plan, ensuring that the plan meets the needs of the organization.
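The BIA-to-method part of that matrix can be generated mechanically. The sketch below is an added example, not part of the original article: it rolls process-level RTO/RPO down to the systems that serve each process and applies the four method rules above. The process names, system names and restore times are constructed, the per-scenario dimension is left out, and the fallback to snapshots when a backup restore would exceed the RTO is an assumption.

```python
from dataclasses import dataclass

DAY = 24.0  # hours

@dataclass
class Process:
    name: str
    rto_hours: float   # Recovery Time Objective from the BIA
    rpo_hours: float   # Recovery Point Objective from the BIA
    systems: tuple     # systems that serve this process

def system_objectives(processes):
    """A system inherits the strictest RTO and RPO of any process it serves."""
    out = {}
    for p in processes:
        for s in p.systems:
            rto, rpo = out.get(s, (float("inf"), float("inf")))
            out[s] = (min(rto, p.rto_hours), min(rpo, p.rpo_hours))
    return out

def recovery_methods(rto, rpo, restore_hours):
    """Apply the four-method rules; restore_hours is the measured backup restore time."""
    methods = ["Redundancy"] if rto == 0 else []
    if rpo == 0:
        methods.append("Replication")      # real-time, to a system outside the datacenter
    elif rpo < DAY:
        methods.append("Snapshots")        # replicated snapshots
    elif rto == 0 or rto > restore_hours:
        methods.append("Backups")          # RTO met by redundancy or by the restore itself
    else:
        methods.append("Snapshots")        # assumption: restore too slow for the RTO
    return methods

def build_matrix(processes, restore_hours):
    """Return {system: (rto, rpo, [methods])} as the overview matrix."""
    return {s: (rto, rpo, recovery_methods(rto, rpo, restore_hours[s]))
            for s, (rto, rpo) in system_objectives(processes).items()}

# Constructed sample BIA results and restore times (not from the article).
BIA = [
    Process("Wire transfers", 0, 0, ("core", "wire-gateway")),
    Process("Loan origination", 4, 4, ("core", "loan-system")),
    Process("Statement archive", 8, 24, ("archive",)),
    Process("Board reporting", 168, 24, ("file-server",)),
]
RESTORE_HOURS = {"core": 6, "wire-gateway": 2, "loan-system": 8, "archive": 10, "file-server": 12}

if __name__ == "__main__":
    for system, (rto, rpo, methods) in build_matrix(BIA, RESTORE_HOURS).items():
        print(f"{system:13} RTO={rto:>5}h RPO={rpo:>4}h  {' + '.join(methods)}")
```

Note that the shared `core` system ends up with the wire-transfer objectives even though loan origination alone would tolerate four hours, which is why the roll-up has to happen per system rather than per process.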
In short, Business Continuity Planning is a complicated process with a lot of moving parts, but you shouldn't make it harder than it needs to be. If done correctly, it leads to a really successful recovery plan, which ultimately means less downtime.
If having a cohesive, easy-to-follow recovery plan is a priority for you, we can help you accomplish just that. Drop us a line or shoot us an email to get started at support@bedelsecurity.com.
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Information Security Strategy: 5 Tips for Success
https://www.bedelsecurity.com/blog/information-security-strategy-5-tips-for-success
Getting the Most Out of Your Business Impact Analysis
https://www.bedelsecurity.com/blog/getting-the-most-out-of-your-business-impact-analysis