How to Write a Disaster Recovery Policy


Read our post on business continuity before you start on your disaster recovery policy.

As you prepare your company to endure and recover from a disaster, two primary information technology policies should be in place: business continuity and disaster recovery.  These two policies help you plan for – and recover from – adverse events, but the difference lies in the goals of each policy: business continuity focuses on returning your business to normalcy, while disaster recovery details the minimum necessary functions for your business to survive.

The first step in this policy is to define the critical processes and assets necessary for you to maintain minimum business functions after a disaster.  Here are five best practices to consider:

1. Prepare for physical disasters

This type of disaster makes sense to prepare for first.  It forces you to ask some tough questions, such as “What would we do if our physical building was gone – either from some natural disaster or an act of God?  Can employees be relocated to another location or work from home?” Whatever preparations you put in place, don’t just think of physical disasters as an “all or nothing” event.  If your whole building goes away, that is a different set of problems than if a plumbing issue forces your employees to evacuate for a few days. If you don’t currently have a VPN or similar remote access option that employees can use to access network resources, now is a good time to consider it.  It might also be a good opportunity to have a backup office space in place. Several companies offer alternative workspaces you can have on retainer – complete with desks, computer hardware, and phone/Internet access – so your business can continue running.

2. Protect against cyber disasters

Cyber disasters typically include major incidents such as ransomware attacks and data loss from breaches.  To protect against these, your layers of security should include a firewall with IDS/IPS and solid host-based endpoint protection.  Also, consider that according to the Verizon Data Breach Investigations Report, a much more likely cyber risk is an employee clicking a malicious link.  Make sure your cyber disaster preparations also include training for your users – both at hire and throughout the year – on relevant security topics. A good data backup system is also critical, so ensure that backups are taken regularly and test the restore process often as well.  Refer to our post on System Availability for best practices on backing up your infrastructure.

3. Redundancy is critical

You have likely spent some serious dollars on making sure you have a well-designed infrastructure, and in a disaster scenario, redundancy is your friend. Look at all the components of your network design and talk through how your infrastructure would be affected if one piece were missing. For example, if one of your core switches flakes out, can critical network traffic fail over to another switch? Do you have another firewall ready to go if the primary goes down? How about your wireless access points – do you have enough coverage throughout your offices to keep employees working if one goes out? And what about critical information systems, such as Active Directory? Have you deployed enough domain controllers – and in the right locations – so that users can always authenticate no matter where they are? Ultimately, your contingency planning process needs to eliminate any single points of failure, establish who owns each asset, and provide multiple ways to get in touch with that person or team.

4. Assign responsibilities

In the event of a disaster, there will be plenty of confusion and commotion. To reduce some of that stress, you should preemptively authorize and assign key tasks to team members. That way, in the heat of the moment, everybody knows their individual responsibilities, as well as who the point people are for further questions. At a minimum, you want to designate people who will lead initiatives such as purchasing new equipment, coordinating alternative office space, and communicating with senior management, clients, and the press.

5. Test and review your disaster recovery plan

Backups are great, but being able to restore the data is even better. In other words, a good rule of thumb is to test the disaster plan on a regular basis - and ideally not when you’re in the middle of a disaster. Scheduled tabletop exercises are a great way to simulate a business threat and then work through how your company would respond. These exercises should include representation from all business units so everyone is part of the conversation, and you might also want to engage a third-party service provider to help coach you through the first few recovery tests. This type of testing will help you continuously identify gaps in your plan and then remediate them.

Without a doubt, an IT disaster recovery plan is a ton of work, and it’s tempting to leave it on the back burner and say, “Oh that won’t happen to us.”  But by designing a solid plan and putting in the time up front, you will be well-poised to respond to the disaster, handle it effectively with your team, and recover as quickly and completely as possible.  Remember that an IT disaster recovery and business continuity plan is just a piece of your larger information security strategy, which should include a risk assessment and business impact analysis (BIA) conducted on an annual basis.
