A Cheap and Dirty Guide to Disaster Recovery

What is a Disaster Recovery Plan?

Updated after Hurricane Sandy in October 2012

We live in a world full of extreme events. Some are expected, such as hurricanes in the US southeast or earthquakes along the San Andreas Fault. Others are often referred to as Black Swans: unforeseen catastrophes that not only surprise, but also unravel seemingly well-operated organizations.

Black Swan examples might include the September 11, 2001 tragedy or a potential Level 5 hurricane hitting New York City or Boston. Another illustrative example is the massive and destructive tropical storm-induced flooding of August 2011 in mountainous, land-locked states such as Vermont. Hurricane Sandy ravaged the east coast of the US in October 2012, and either confirmed or dismissed many disaster recovery plans.

As Black Swans are unpredictable, preparing for one is difficult. One might know something could potentially happen, but there are no preliminary indicators or signs that provide warning.

The more resilient a system, the more likely it will successfully weather a Black Swan disaster event. Brittleness of a system generally leads to failure.

For instance, the copper pair-based network of cables around the world, known as the public switched telephone network (PSTN), is older than most people alive. Yet during power outages, it is more likely to remain operational. Meanwhile, cellular phone networks, regardless of the protocols they use, such as CDMA or GSM, are often degraded by power loss and over-utilization. In that case, the cellular phone networks are brittle systems that frequently fail in disaster scenarios.

A plan to proactively prepare for a range of disasters is vital. While each and every disaster is particular, in most cases there are certain general precautions that assist in a smoother restart when the normal day-to-day returns.

That is the key point: planning for disasters is about three things:

Documents that provide guidance and policy in such circumstances are called disaster recovery plans, or DR plans for short. An alternative name is a "business continuity plan." However, this piece is relevant beyond businesses, and is applicable to any type of coordinated operation that strives to survive during and after a disaster.

Real Disaster Recovery Plans

Developing a comprehensive disaster recovery plan is a difficult task. However, organizations such as SANS provide an array of useful information on creating one. Start with their section on Information Security Policy Templates and the Reading Room, composed of papers submitted by their students who excelled on their certification exams. More generally, searching for "disaster recovery plan template" will provide more insight.

Keep in mind that certain industries must maintain DR plans based upon legal or regulatory guidelines. It might be necessary to query resources specific to the context.

If an entity does not have staff qualified to develop and implement a disaster recovery plan, it is recommended that external parties be used. But starting with the basics is within the reach of almost everyone.

What Makes a Good DR Plan?

It is critical that comprehensive plans are developed. Even if a plan is less than exhaustive, it is a fundamental requirement that it be understood and executable by the staff.

The three vital elements or characteristics of a basic DR plan might be:

What is the "Cost" and Expectation?

The term "cost" is more than mere monetary denominations. It also reflects effort and additional stress on normal operations.

For instance, the cost of maintaining offsite data backups might be $500 a month. But there is an additional cost of confirming the operations, testing restores of that data, and so on. That extra work and thought should be counted alongside the monetary cost.

In that general sense, cost matters. While the monetary cost certainly matters, what about the cost of testing a restore on a regular basis? Of finding a solid provider remote from your current area or country of familiarity? Or of simply confirming that the backups are operational?

That cost means that a routine must be kept, such as transporting or testing backups. Routines can be time-consuming and are easily shelved in the face of more immediate tasks. Yet without those necessary routines, a strong DR policy becomes a useless document.

Measure the expected costs in a DR plan. That will determine its ability to be implemented, and ultimately, it can determine if the DR plan is successful after the particular crisis.

A Cheap and Dirty DR Plan

The following list may be useful in a number of scenarios for developing an executable DR plan. It is not comprehensive, and it is not particular to any area, geographic location or industry. It can form the basis of a stronger plan, if utilized as a starting point.

There are a number of areas to consider and address:

There should be nothing overwhelming about creating a basic yet useful DR plan for any entity.

Extensive templates available on the internet may make the task seem daunting. An initial plan may provide a useful bare-bones approach. Over time, and with regular attention, such a simple plan could blossom into a comprehensive DR plan that is practical and fits the entity's needs.

These articles may provide more insight on approaching disaster recovery: