Monday, October 25, 2010

The HexiSTOR Business Guide for Disaster Recovery and Continuity Planning


Part 1


Why Businesses Need to Plan.


The most important asset for any business today is it’s data. If a business looses it’s data and it can not be completely and quickly recovered, it may be forced to shutdown. Over 50% of businesses never recover from this type of disaster. Most data losses will happen from business event risks or catastrophic events.

With the proper plans implemented your business will run smoothly, with a minimum of downtime during any disaster. Your insurance company may offer discounts when you have disaster and continuity plans implemented.

Two Types of Plans


Disaster Recovery Plans (DRP), plans created to handle catastrophic events. What is a catastrophic event? It is one or more natural or man made disaster that would cause a business to close and evacuate, flooding, hurricanes, earthquakes, fires, etc.

Business Continuity Plans (BCP), plans designed to handle event risks. What are event risks? Any type of internal business failure(s) that could cause a business to shutdown, even for a brief time. Event risks are not always hardware related, software updates and virus attacks can cause problems, but the number one overlooked risk is, human error. Note: Catastrophic events often create event risks.

Having DRP and BCP implemented at your business will help to keep your business safe and protected during any event with a minimized loss of downtime.

Common sense: How can a business prepare for catastrophic and even risks? They must analyze and create disaster recovery and continuity plans. The first thing is to identify the risks which takes us to part 2.

Part 2


Identify the Risks that can Shutdown Your Business.


First, catastrophic events: nature happens,

What natural disasters have happen in or close to your area? Earthquakes, hurricanes, tornadoes, flooding, snow (ice) storms, etc.


Followed by man made disasters, which are harder to predict, but can include power outages, network outages, fires, gas leaks, train derailing, etc. You can learn from history, whatever has happened will happen again.


Second, inside event risks: Sooner or later every business will experience these events,

Computer related problems:

Hardware:

Designed to last 5 years at best, yet you get a 1 year warranty. How fast can your vendor supply you with new hardware?

Software:

Virus attack, driver issues, a bug in the software, mixing different versions, etc, can cause the system to slow or shutdown.

Network:

Loss of commutation between computers and or the Internet.


Other business equipment failures:

Phone system:

What will happen when telecommunications is lost for x amount of time?

Peripherals:

Copiers, FAX, printers, monitors, etc, how long can you maintain business if any of these devices fail?

Security:

Could this result in a greater risk of exposure to theft, sabotage, even a terrorist attack?

Human error:

From accidentally deleting a file to formatting a hard drive with critical data.

Accidents happen! Murphy's law. When they happen in the work place you must be prepared.

What happens if the person in charge of handling an event risk is not at the location?


The simplest way to start evaluating your risks, is to make a chart (fig 1 & 2). List all possible events that could happen to your business and assign a risk number. Start with natural disasters, man made, then computer and equipment failures, and finally human error.

By assigning a risk number to each event you can start to prioritize the possible events. You must consider your location, age of equipment, and experience of your employees when assigning a risk number. Using a simple number system, zero through nine, where 9 is most likely to happen and 0 is next to impossible. Numbers in between represent a possible risk, the higher the number the more likely this event could happen.

Equipment (computers and other hardware) failures should also be assigned an impact number. What to do when this failure happens, using a simple number system with 1 meaning can do without, wait for repairs, to 5 highly critical to business, requires immediate recovery / replacement. There must always be a second in charge for high impact number events.

Keep your risk factors within a time frame, as a rule, they should be re-evaluated every 6 months.

Example:

What is the risk of a major snow (ice) storm in the next 6 months?

If you live is Key West Florida, assign a 0, if you live in Fargo South Dakota, it would be a 9 (in the Fall-Winter Seasons) and a 4 (Spring-Summer time).


Figure 1, set up a simple spread sheet to describe natural and man made catastrophic events that can, or have, happened at your location.

What is the risk of computer hardware failure in the next 6 months?

If the hardware is new (less than two years), maybe a 3, older (2-5 years), a higher number like 6, and over 5 years old would be a 7 or higher.

The impact number would be a

5- if it must be repaired / replaced immediately.

4- if it must be repaired / replaced current business day.

3- if it can wait 24 hours for repair / replacement.

2- if it can wait 36-72 hours for repair / replacement.

1- if it can wait for normal service.


Figure 2, set up a simple spread sheet to identify the equipment that is important to the business’ operation.




Develop and Maintain a List of Inventory Items


Every business needs a complete inventory list of their equipment. Using the spread sheet above (Fig 2) and adding a few more columns Serial Number, Model Number, Purchase Date, Cost, and Vendor you will have an inventory list. To complete the list be sure to add software, and equipment other than IT. Check with your insurance company to be sure this list contains all the information they require. You should have an separate inventory list for each location.


Any risk with a number greater than zero, must be included in your disaster recovery plan, and your business continuity plan. Now that you know your risks and the impact to your business you can start to write a plan. This will be covered in part 3 of this document.

Caveat: This guide is very basic and is designed more for the IT department. We know that every business is different. Use this document as a starting point to help create your own plans for the types of disasters that could happen to your business.

We look forward to comments and suggestions.