The importance of creating a BC/DR plan can’t be emphasised enough. You need to make sure all key members of staff (responders) are ready and a plan is in place if/when a disaster occurs. As Murphy’s Law states, ‘what can go wrong, will go wrong’ and if you have no plan, what do you do when it all goes wrong?
How to create your own BC/DR plan
It is important to realise that every business is unique, and whilst there are of course best practices for business continuity and disaster recovery you should adhere to, there are no hard and fast rules that apply when considering connectivity and networking solutions for all businesses, in all instances.
We have put together a few handy tips to help you get started on your BC/DR plan:
1. BC/DR Policy Statement
This should introduce who you are and what you do, and declare the objectives, purpose & scope of the document, including what will be covered, why, and what the expected results should be. It should also declare responsibility for the overall policy (as well as testing and amends), approval of the policy and penalties for non-compliance.
2. RPOs and RTOs
In this section, we look at each individual IT service and calculate target RPOs and RTOs for a variety of scenarios.
IT SERVICE: WEBSITE
|Server Failure||24 hrs||4 hrs|
|Fire||24 hrs||4 hrs|
|Company name||Information needed to find backups||4 hrs|
3. Testing Schedule
Consider how often the document will be tested. Will this be broken down into different scenarios or individual services, or will the whole plan be tested in its entirety?
Reason: Employee no longer works at the company.
4. Roles & Responsibilities
This section must provide information about who the key responders are, both internally and externally, along with their contact information and responsibilities. This includes data recovery providers, insurers, suppliers, power companies, etc. If the role of a responder changes depending on the scenario, this should also be accounted for, as should the absence of a responder.
|DR PROCESS||NAME||ROLE||CONTACT DETAILS|
|Health and safety||John Doe||Health & safety officer||Number: / Next of Kin:|
|Data backup & recovery||Jane Smith||IT Manager||Number: / Next of Kin:|
5. Plan Activation & Procedure
What needs to happen in order for the plan to be activated? How severe must the circumstance be? For example, if the office has flooded in a small area, will this impact operations? What is the procedure in these circumstances? How is a disaster declared and whose responsibility is it to do this?
6. Details of Plans According to Scenario
This is where we get into the finer details and iron out the specifics. Here is an example of what this could look like:
Plan set 1: Server Scenarios
|IT Services at risk||Website|
|Impact||Restricted communication, reputation damage (other vital tools and portals)|
Plan of action
|1. Identify issue, commence initial response||(responder's name)||(Contact information)|
|2. Remove damaged server||(responder's name)||(Contact information)|
|3. Seek replacement server (contact insurance)||(responder's name)||(Contact information)|
|4. Installation of new server||(responder's name)||(Contact information)|
|5. Restoration of data||(responder's name)||(Contact information)|
|6. Risk assessment||(responder's name)||(Contact information)|
|7. Repair damaged server||(responder's name)||(Contact information)|
|8. Test other servers on the network||(responder's name)||(Contact information)|
7. Alternate Work Locations
If a disaster occurs that renders the office or the route to the office unusable, is there anywhere else that can be used? What does the new site require for operations to be re-established? If this is not possible, what is the procedure for remote working in the company?
8. Notification Procedures
Is there anyone outside the company, not necessary for recovery, who needs to be informed? For example, customers, clients, partners, distributors, stakeholders, investors and suppliers. Who is the first point of contact at these locations? How will they respond and what will the impact of this be?
9. Insurance Policies
Here, there should be information about the insurance policies on all assets. This could be copies of the insurance documents or summaries that highlight the key elements of each policy, with the locations of the full documents.
10. Testing Results, Findings & Actions
Finally, the last section of the document should contain a detailed record of all testing activity. This should outline what was tested, under which circumstances, any irregularities, time taken, the outcomes and, finally, changes to be made to the plan. If you find that, for any reason, the solutions you have chosen do not meet target RPOs or RTOs, it is essential that you look further into alternative solutions and providers that can restore operations as required in a simple, timely and reliable manner.
Many documents also include Appendices. These are a collection of lists, forms and documents relevant to the BC/DR plan, such as details on alternate work locations, insurance policies, and the storage and distribution of DR resources.
How we help: Solar security assessments
By performing regular security health checks with Solar security assessments, you can help protect your assets and guard against downtime; it’s the fastest way to expose security threats and vulnerabilities and helps when creating and performing technical tests on your BC/DR plan.
We schedule regular non-intrusive testing of the systems & software currently in use, and those necessary for your BC/DR plan. This includes a health check of current technology with no agents, probes or software. Just one agent with temporary remote admin access to run a file. Scans take less than an hour, and you will be sent a security risk report & user behavior report that does not compromise your own data. We also provide services for backing up, storing and managing data.
As we say, these are just tips you should observe. For more practical advice, you need to tailor your approach to your individual business requirements. If you want to speak to a member of the team about how to create your own BC/DR plan, including the various technologies covered in the guide, please get in touch with one of our experts today, or read our ultimate guide to business continuity & disaster recovery.