A Disaster Recovery (DR) plan is a documented, detailed process for responding to a major IT service disruption at your organization. For small and mid-sized companies, investing in security awareness and establishing a strong Disaster Recovery plan can be an expensive undertaking. We often hear about best practices in Disaster Recovery, which include recovery to a failover site as easy as flipping a switch. These premium recovery strategies, often called Hot Sites, can be very expensive and may not be the best approach to meet the needs of your organization.
Disaster Recovery Options
To help identify what the best Disaster Recovery option may be for your company, your first step should be to perform a Business Impact Analysis (BIA) for each business unit within your organization. The Business Impact Analysis involves examining all critical systems that support your business, and working with key data owners to determine exactly how long their team could tolerate a downed system before severely impacting service to your clients. The outcome of your BIA usually involves two key metrics: The Recovery Time Objective (RTO) and the RPO (Recovery Point Objective). This post focuses on the RTO. Simply put, the RTO is the length of time your system can be down before it starts to severely impact client support. In some cases, the RTO may be several days. Imagine you are running a marketing company, and you run weekly or monthly campaigns with data compiled within a system. Not having access to this data or systems for 3 to 4 days may not severely impact client service. If that is the case, spending a lot of money on a Hot Site that will allow you to recover in minutes may not be necessary for your organization. However, if you are running an e-commerce site, you need to recover instantly to be able to service your customers. In this case, since every second your system is down is costing money, your recovery time objective will most likely be measured in minutes.
Before spending any time or money on specific recovery environments, it is important to make sure you have completed a full BIA. This is to make sure you have a solid understanding of the impact that any and all systems within your organization will have, should they fail for an extended period. This will allow you to make an informed decision on how to best spend your company’s funds on a recovery strategy.
When performing your BIA, keep in mind:
• Too Long of a RTO = Unacceptable Risks
• Too Short of a RTO = Unnecessary Costs
Upon completion of the BIA, you will have information on how quickly your systems must recover. This information is the key to designing your Disaster Recovery solution. You have three main options:
1. Hot Site $$$$$ Primary and recovery site running concurrently
2. Warm Site $$$ Recovery site has servers in place, not running
3. Cold Site $ Recovery site available, no servers in place
Having a fluid understanding of your company’s data and its use will help you make a more informed decision on how to best utilize your valuable security awareness, IT resources, and dollars.
