Disaster Recovery and Business Continuity: A quick guide for organisations and business managers
By Thejendra BS
About this ebook
IT has brought many benefits to business. However, IT failures can seriously damage your ability to deliver products and services, harm your company’s reputation, and jeopardise your relationship with your customers. In short, poorly managed IT problems could threaten the survival of your business.
Disaster Recovery and Business Continuity shows you how to develop a plan that will:
- keep your information safe in the face of systems failure
- safeguard your company from viruses, phishing scams and accidental data loss
- ensure your communication links are secure, and help you stay connected when disaster strikes.
Thejendra BS
Thejendra BS is the IT manager for a software development firm in Bangalore, and has over 17 years of experience in IT. Besides working in India, his career has also taken him to Saudi Arabia, Dubai, Bahrain and Australia. He has dealt with customers in many different areas of business, and has written many articles for websites such as techrepublic.com and geekleaders.com.
Disaster Recovery and Business Continuity
A quick guide for organisations and business managers
Third edition
THEJENDRA B.S
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:
IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernance.co.uk
© Thejendra B.S 2007, 2008, 2014
The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.
First published in the United Kingdom in 2007 by IT Governance Publishing.
Second edition published in 2008: 978-1-84928-145-4
Third edition published in 2014
ISBN: 978-1-84928-540-7
ABOUT THE AUTHOR
Thejendra B.S is an Information Technology (IT) manager for a software development firm in Bangalore, India. He has also worked in other countries, such as Saudi Arabia, Dubai, Bahrain, Qatar, Singapore, and Australia.
His introduction to IT began over 20 years ago when, after gaining a degree in electronics, he took on the role of field manager. Since then he has developed a wealth of experience and knowledge of IT, and is familiar with a wide range of roles including IT support, help desk, asset management and IT security.
Thejendra is experienced in the areas of disaster recovery (DR) and business continuity (BC). He has dealt with many organisations – of all sizes and nature of business – around the world and has implemented numerous small to large IT projects worth millions of pounds.
Visit his website www.thejendra.com for details on his other books and articles. He can be contacted on [email protected] or [email protected].
FOREWORD
The increasing dependence of organisations on IT systems and the growing range of threats they face, from an act of nature to a terrorist attack, mean that organisations that are unprepared for the worst will not usually survive the unexpected. Therefore, over the last ten years disaster recovery and business continuity have become critical business issues.
Business continuity is one of the most important areas of operational risk. This was recognised by the regulatory authorities in the Basel Accord, legislation from the UK’s Companies Act 2006 and the US Sarbanes-Oxley Act, which all require an organisation’s directors to take appropriate action to identify and deal with operational risk. A significant development for companies that wish to identify and apply best management practice in mitigating this risk was the emergence of the British Standard BS25999, which was the world’s first formal Standard for Business Continuity Management (BCM). It contained both the code of practice and specification for a management system against which an organisation can achieve third party accredited certification. BS25999 was replaced by ISO/IEC 22301 in 2012, which enables organisations to demonstrate to their customers and partners their planned business resilience, and those that have such a certificate will inevitably gain a competitive advantage over those that don’t.
In the US, ISO/IEC 22301 feeds into the voluntary private sector preparedness (PS-Prep) accreditation and certification scheme, which is a nationally recognised programme to develop excellence in disaster recovery and business continuity planning.
For smaller organisations, this book is a welcome guide to all the key aspects of disaster recovery and business continuity.
Alan Calder
Founder and Executive Chairman
IT Governance Ltd.
PREFACE
DR and BC are often considered to be a costly, complex and overcomplicated task that can only be handled by specialists. Executives and managers of small or medium-sized organisations and IT departments often live with the misconception that such activities are beyond their expertise or affordability, and perhaps consider them optional academic subjects that only apply to larger organisations. Consequently, many of those who are responsible for continuing with business as usual (BAU) may live with the constant fear and the never-ending question of how to protect their business in the event of a disaster, and who would help if such a disaster should occur. This book simplifies the procedures and processes used to successfully implement a workable DR and BC plan. It removes any doubts or uncertainties about how this can be achieved with a simple combination of qualified internal members of staff, contractors, external consultants and some common sense.
It provides a short description and explanation of the various DR and BC terms and concepts used. The book draws on the best management practice contained in ISO22301, the latest Standard, to ensure that organisations of any size are able to benefit from its guidance.
Some chapters provide examples of IT and non-IT disasters that could strike an organisation at any time, and may be elaborated on with the use of a fictitious organisation called RockSolid Corp.
Unless stated otherwise, the names of any companies or people mentioned in any examples are fictitious. Where names of actual companies and products are mentioned, they are the trademarks of their respective organisations.
Thejendra B.S
January 2014
CONTENTS
Chapter 1: Introduction to Disaster Recovery and Business Continuity
Who should read this book?
What is a disaster?
What is disaster recovery (DR)?
What is business continuity (BC)?
What is Crisis Management?
Why are DR and BC important?
Who are the real owners of DR, BC, and CM?
What is the cost of a disaster?
Who are the right persons to manage DR and BC?
What is a DR or BC site?
What is a command centre?
Where should a DR or BC site be located?
Can an organisation manage DR and BC alone?
What about DR and BC assistance from external consultants?
What kinds of disaster should an organisation be aware of?
What is a technical risk?
What are some of the most common technical risks?
What are some of the most common non-technical disasters?
What is a business impact analysis (BIA)?
Who can invoke BC?
What are the options available for BC?
What is a DR or BC exercise?
What are the biggest roadblocks for DR or BC?
What are the costs of establishing a proper DR facility?
Are there any international qualifications or training for DR and BC?
Are there any international standards for BC planning?
Chapter 2: Data Disasters
What is data?
What is meant by risk to data?
Why and how do companies lose data?
How should organisations store data safely?
What are some of the most common storage and back-up options?
What is meant by Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?
What is Internet back-up?
What is a ‘geocluster’?
How often should back-ups be taken, and what should be backed up?
How can one decide what data needs to be backed-up?
How and where should back-up tapes be stored?
How often should back-ups be tested?
Will taking proper data back-ups daily ensure DR?
What is ‘disk mirroring’?
What is a ‘database replication’?
What does ‘server load balancing’ mean?
How can one prevent loss of IT equipment?
On-site disaster prevention methods
Chapter 3: Virus Disasters
What is a computer virus?
How can an organisation protect itself from viruses?
What is a worm?
What is a Trojan?
How can an organisation recover after a virus attack?
How does one update anti-virus software on all machines?
Dos and don’ts regarding viruses
What is ‘phishing’?
What about safety on mobile devices?
Chapter 4: Communication System Disasters
What are some of the common methods of communication in organisations?
What is a communication failure?
What are some of the methods for preventing Local Area Network failures?
What are some methods for preventing WAN disasters?
Dos and don’ts regarding communication systems
Chapter 5: Software Disasters
What is a software disaster?
What is a mission critical application?
What are some of the software disasters that can strike an organisation?
What are some of the best practices for software disaster prevention?
Chapter 6: Data Centre Disasters
What is a data centre?
How should a data centre be built?
What are some of the best practices to prevent disasters inside data centres?
Other precautions to prevent IT disasters
Chapter 7: IT Staff Member Disasters
Who is meant by members of IT staff?
What are the general precautions to prevent disasters relating to members of IT staff?
What is an appropriate IT member of staff ratio?
What are the usual reasons for members of IT staff disasters?
What are some of the best practices to be followed by members of IT staff?
What are the main benefits of using ITIL?
How can change management prevent disasters?
What are the other risks relating to members of IT staff?
Chapter 8: IT Contractor Disasters
What is an IT contractor-related disaster?
How can organisations protect themselves against IT vendor-related disasters?
How does one prevent IT-contractor support disasters?
Should IT staff be outsourced?
What can be outsourced?
Questions to ask vendors
Is it necessary to have contracts with vendors?
What are the key elements of a maintenance contract or an SLA?
Chapter 9: IT Project Failures
Why do IT projects fail?
How can organisations avoid IT project failures?
Chapter 10: Information Security
What is information security?
What are the various ways in which information security can be compromised?
What safeguards are available to protect information?
Chapter 11: Cyber Security Issues
What is Cyber Security?
What is hacking?
How can an organisation prevent hacking?
Exploring Cloud services
Chapter 12: Introduction to Non-IT Disasters
What are some of the non-IT disasters that could affect an organisation?
What is a human error?
What are marketing and sales errors?
What are financial disasters?
What are some of the common recruitment risks?
How do you handle fire related disasters?
What about health and biological threats to an organisation’s members of staff?
What about electrical failures and blackouts?
What precautions can an organisation take to handle civil disturbances?
How can an organisation take precaution against terrorism?
What is a travel-related risk?
What are the usual trade or labour union problems?
What about the psychological effects of a disaster on members of staff?
What is a reputational risk?
What about industrial espionage?
How can an organisation prevent a disaster relating to paper documents?
What other precautions can an organisation take?
Chapter 13: Disaster Recovery at Home
What are the main risks associated with home working?
What are some of the ways to prevent disasters occurring in homes?
Document and data management
Data back-up for standalone systems
Sample recommended solution
Chapter 14: Plenty of Questions
Questions on planning and security
Questions on technology
Questions on health and safety
Questions on financial and legal issues
Questions on people
Chapter 15: How do I get Started?
How does one start a DR or BC programme?
How do I create an actual BCP?
Common types of plans
How is an IT contingency plan prepared?
Sample IT contingency plan for a mission critical server
What is a mock run and how is it conducted?
How often should the DR or BC plan be updated?
What should a BC/DR checklist consist of?
Sample useful checklists
Appendix 1: Disaster Recovery Training and Certification
Appendix 2: Business Continuity Standards
ISO22301
Appendix 3: Making DR and BC Exciting
Appendix 4: Disaster Recovery Glossary
ITG Resources
CHAPTER 1: INTRODUCTION TO DISASTER RECOVERY AND BUSINESS CONTINUITY
‘Meet success like a gentleman and disaster like a man.’
Frederick Edwin Smith (1872-1930)
During the last decade, organisations have undergone huge technical and non-technical transformations, and in the last few years the business world has changed significantly. Regardless of the industry, more and more organisations around the world are operating 7 days a week, 24 hours a day. Competition has increased dramatically, and a customer can choose between multiple suppliers at the click of a mouse. Even a small organisation with only a few staff members depends on technology to compete globally and to remain in business, which is of paramount importance to every organisation. It is almost impossible to run any organisation without computer or telecom-related technology, and this cannot be done using the same methods and processes that were used five or ten years ago. For example, any organisation today will require computers, databases, internet access, e-mail, web-hosting and telephones to run its business. Furthermore, the advances in new technology and its ready availability mean that an organisation must implement and use it effectively just to continue with business as usual.
Although an organisation may have implemented modern technologies, it may or may not have the expertise to support them internally. As a result, there is a high dependence on external, qualified contractors and service providers that can provide timely and efficient service for the various mission critical IT functions of an organisation.
Today, because of the numerous technical interdependencies that have become a necessity in all areas of business, no organisation is immune to risk. Therefore, preventing, minimising and avoiding the risk of all types of unexpected disaster or threat has become particularly important. Traditionally, protection may have taken the form of an insurance policy. This would provide cover against damage to key equipment, for example in the event of a fire or flood, or any other event the policyholder opted to cover. However, today’s business needs and requirements demand more than this, or than simply ‘hoping for the best’. An organisation has to protect itself from the ever increasing number of physical and virtual threats and risks.
With so much dependence on technology, those responsible are constantly faced with the same questions, such as:
• How can one manage predictable disasters striking an organisation?
• Who is best qualified to protect an organisation?
• What qualifications and mindset does one need to work in a DR and BC department?
• Where and how can one find or identify such people?
Who should read this book?
This book is aimed at anyone who is directly or indirectly involved with disaster recovery or business continuity. If you belong to one of the groups mentioned below, you will find this book extremely useful. Though the book is aimed at small and medium organisations, the concepts hold for large organisations too.
• IT managers
• Chief technical officers or chief information officers
• Business managers and consultants
• Board members
• Risk and safety officers
• IT consultants
• Anyone who has been assigned the responsibility for overseeing DR and BC for their organisation.
What is a disaster?
A disaster is generally considered to be ‘an occurrence causing widespread destruction and distress, or a catastrophe’. In a business environment, any event or crisis that adversely affects or disables an organisation’s ability to continue with business as usual is a disaster.
According to various surveys and studies conducted by agencies like DRJ (Disaster Recovery Journal) and Forrester Research, many organisations worldwide go out of business every year because of a disaster - many of which were fully preventable. Many small organisations are often unable to recover from a major disaster, and even larger organisations may find it difficult. As a result, it is vital that organisations constantly minimise all predictable and controllable risks and ensure that they have a properly tested disaster recovery plan in place, should an