How to make a disaster recovery plan

Eight steps to creating a disaster recovery plan

 

 

Make an inventory of all your IT resources

 

An important starting point is to take stock of all your digital activities and produce an inventory of everything that is involved. This should include hardware, software, databases, other data stores, and any cloud services your charity uses.

 

 

Decide what’s vital to the operation of our charity

 

The key to effective disaster recovery is to get the bare minimum your charity needs to function up and running as quickly as possible. Once the “mission critical” digital systems are operational you can focus on the less important computer systems.

 

As well as looking at applications, it is important to look at your data. In particular, you need to establish what data you need to be able to access quickly. By eliminating unnecessary data from your disaster recovery plans you will need to deal with a much smaller volume of data, meaning you will be able to restore it and start using it much more quickly.

 

 

Work out your recovery objectives

 

Disaster recovery plans should be tailored to meet to specific objectives: a recovery time objective (RTO) and a recovery point objective (RPO). The RTO is the time it should take to get up and running after a disaster, while the RPO is the point in time before the disaster occurred that you want to get back to.

 

That means that the RPO is effectively a measure of how much data you are prepared to lose. If you can afford to lose up to a week’s worth of data, your RPO could be seven days and you could achieve this objective by making backups every weekend.

 

But if you can only afford to lose up to one hour’s worth of data then you would choose an RPO of one hour, and to achieve this objective you would need a far more regular backup regime. It is quite acceptable to have different RPOs and RTOs for different charity functions.

 

 

 

Establish where you store your data backups

 

For a charity that has gone digital, data is perhaps the most valuable asset. That’s because while computers and software can easily be replaced, data cannot.

 

Many organisations create backups that are stored on site, which means it is close to hand and therefore easy to access. But in the event of a fire or flood theses backups may also be destroyed.

 

For that reason, it is sensible to store backed-up data offsite as well – either in another office or in the cloud. Storing backups in the cloud is a more secure option, because cloud storage services themselves make backups of the data they store and keep these in separate locations. That means that data backed up in the cloud is unlikely to be lost.

 

The drawbacks of storing backups in the cloud are that it can be costly and it can also take a considerable amount of time to restore data from the cloud. This can have important implications for your RTO.

 

 

 

Decide how you will get up and running again

 

If your RTO is relatively long then your recovery plan may involve moving into a temporary office and purchasing new computers. Alternatively you may decide that staff should work from home using their own computers.

 

Larger organisations with shorter RTOs may want to pay to make use of a disaster recovery as a service (DRaaS) offering. These make a virtual copy of your computer and software setup, and in the event of a disaster you can switch over to this copy until your real systems are back up and running again.

 

DRaaS can be highly effective, but also generally expensive.

 

 

 

Make a disaster recovery plan playbook

 

The idea of a disaster recovery plan is that it is put into operation as soon as a disaster strikes. For this to be practical it is important that everybody in your charity knows exactly what is supposed to happen, and what they are expected to do.

 

A playbook is a documented step-by-step guide for putting the disaster recovery plan into operation, and this should be as detailed as possible.

 

That means that it should include named staff members and what they need to do, the services which need to be activated (such as data restoration from a cloud backup), who they need to contact, and the contact details of all of those contacts.

 

 

 

 

Test your disaster recovery plan

 

Many disaster recovery plans fail to work because some small detail has been overlooked. For example, the plan may call for data to be recovered from cloud storage, but nobody remembers the password.

 

It’s only by testing the disaster recovery plan regularly that you can spot any vital information that may be missing, or that the plan needs updating because of the introduction of a new software system.

 

Key things to look for when testing a disaster recovery plan include:

• Is all the information there to carry it out?
• Does it meet your RTO?
• Does it meet your RPO?
• Have any “mission critical” operations been left out?

 

Make it easy to access your playbook

 

 

The final step is to ensure that your playbook is easy to get hold of when it is needed. Copies should be stored locally on staff computers, but it should also be stored in the cloud so it can be accessed from anywhere.

 

Ideally it should also be printed out and distributed to key staff members, although it is important that any existing printed copies are discarded every time the playbook is updated.