Disaster Recovery: Best Practices

1
Disaster Recovery Best Practices

• Diane Slack
• Vice President
• Midwest Records Storage, Inc.

2
(No Transcript)
3
Back to Basics

• Business Continuity vs. Disaster Recovery
• What is the difference?

4
Business Continuity

• A business continuity plan, which includes the
  disaster recovery plan, addresses the manual
  procedures and alternative processing for
  critical business functions it keeps key
  operations operating while systems are being
  recovered.

5
Disaster Recovery

• Most disaster recovery plans include
  procedures for recovering data and the computing
  environment but fail to focus on the needs of the
  organization.

6
Risk Analysis

• Risk analysis is an evaluation of the exposures
  present in your organizations external and
  internal environment. The first step is to
  determine the probability that a particular
  threat will occur.
• Look at a 1-5 year period of possible risks

7
Business Impact Analysis

• The second step of business continuity planning
  is determining impact the dollar amount of
  damage an organization will absorb when the
  threat occurs.

8
Business Continuity Plan should Include

• Core business functions to be recovered.
• Business continuity team members and
  responsibilities.
• People, equipment, processes, and supplies
  necessary for recovery of the core business
  functions.
• A business impact analysis for setting recovery
  priorities.
• Shared computers and communications required for
  the recovery.
• Backup listing and restoration procedures.
• Personnel required to respond to the crisis, make
  the transition to alternate facilities, and
  perform business functions and support services.
• Checklists of specific steps required to recover
  business processes in alternate facilities.
• Employee contact information.
• Service provider contact information (including
  insurance provider).
• A media relations plan.
• A plan for periodically testing and exercising
  the business continuity plan.

9
Basic Terms To Know

• Disaster Preparedness
• Having a plan in case a disaster strikes.
• Disaster Recovery
• Taking action after a disaster occurs

10
Seven Layered Business Continuity Handbook

• Develop the Contingency Planning Policy
  statement.
• Mission Statement - A formal company policy
  provides the authority and guidance necessary to
  develop an effective contingency plan.

11
Policies to include in Statement

• Identify Emergency Response Team
• Develop contingency for business recovery through
  industry best practices. Use your resources and
  research.
• Develop the Policy, include team leaders as
  identified
• Obtain policy approval
• Publish policy and make sure all team leaders and
  department heads have copies that are obtainable!

12
2. Conduct the business impact analysis (BIA)

• The BIA helps to identify and prioritize
  critical business systems and components. A
  template for developing the BIA is also provided
  to the user to assist the user.
• How will a disruption impact our business?
• Identify the impact of power outages
• Develop recovery

13
Critical Business Systems

• Operations, Purchasing, Finance, Management
  Information Systems,
• Facilities, HR, Records, Security, Risk
  Management

14
3. Identify preventative controls

• Measures taken to reduce the effects of system
  disruptions can increase system availability and
  reduce contingency life cycle costs.

15
4. Develop Recovery Strategies

• Detailed recovery strategies ensure that
  systems may be recovered quickly and effectively
  following an outage.

16
5. Develop a Contingency Plan

• The contingency plan should contain detailed
  guidance and procedures for restoring a damages.

-Identify methods and procedures to recover
quickly and effectively -Incorporate into
business processes -Review often as technology
changes quickly
17
Disaster Recovery Sample Outline

• Part I. Table of Contents
• Disaster/Emergency Plan
• Mission Statement
• Risk Assessment
• Disaster Planning Checklist
• Damage Assessment Contingencies
• Plan Maintenance
• Testing the Plan
• Disaster Prevention
• Establishment of Emergency Response Team
• Monitoring of Temperature/Humidity Control
  Equipment in Vault
• Safe Storage of Records is in Records Center
• Fire Prevention in Vault and Records Center
• Monitoring for Water Leaks in sprinkler system
• Evacuation Plans and Emergency Lights

18
Disaster Recovery Outline (Cont.)

• Plan of Action for Emergency Situations
• Vehicle Accident or Theft
• Shelving Structure Damage
• Sprinkler Head Damage
• Roof Water Leaks
• Water Damaged Materials
• Insects or Rodents
• Serious Injury/Illness
• Severe Storm Warnings
• Prolonged Power Outage
• Hazardous Materials Threats
• Earthquakes
• Bomb Threats
• Steps to Follow
• Temporary Off-site Facilities
• Supplies
• Facility Integrity and Security
• Treatment of Tapes and Records
• Documentation of Disaster and Recovery Operations

19
Disaster Recovery Outline (Cont.)

• Part II. Security, Fire and Sprinkler Systems
  Information
• Security System for Records Center
• Security System for Vault
• Part III. Evacuation Routes and Shelving Plan
• Part IV. Emergency Lights
• Part V. Emergency Response Team
• Part VI. Procedures for Client Notification in
  the Event of a Disaster
• Emergency Contact Information (phone, fax, cell,
  email, security)
• Authorization Forms
• Part VII. Emergency Numbers
• Part VIII. Employee Contact Information (home,
  cell, personal email)
• Part IX. Off-site Relocation Plan
• Hotsite
• Restoration of Client Inventory
• Alternate Storage Site
• Alternate Vehicle Storage
• Part X. Priority Tapes and Records to be Salvaged
  and Restored
• Part XI. Emergency Equipment and Supplies on Hand
• Part XII. Salvage and Restoration Vendors

20
6. Plan testing, Training, and Exercises

• Testing the plan identifies planning gaps,
  whereas training prepares recovery personnel for
  plan activation both activities improve plan
  effectiveness and overall company preparedness

-Develop testing objectives -Identify successes
and lessons learned -Incorporate lessons learned
into plan
21

• Some of the largest companies in the world are so
  large because of their mistakes

22
7. Plan Maintenance

• Great, you have a plan, but does it still work??
• The plan should be a living, active document that
  is updated regularly to remain current with
  system enhancements and changing personnel .

23
Statistics

• 6 percent of companies suffering from a
  catastrophic data loss survive, while 43 percent
  never reopen and 51 percent close within two
  years.
• Only 35 percent of small businesses have a
  comprehensive disaster recovery plan in place.
• International Data Corp. estimates that companies
  lose an average of 84,000 for every hour of
  downtime. According to Strategic Research, the
  cost of downtime is estimated at close to 90,000
  per hour.
• Man-made disasters affect 10 of small
  businesses, whereas natural disasters have
  impacted more than 30 of all small businesses in
  the USA. Hurricanes are by far the most
  destructive force causing power failure,
  flooding, customer loss, and the closure of many
  businesses.
• 70 percent of all successful attacks on computer
  networks were carried out by employees and
  insiders.

24
Why plan for a disaster?

• Resumption of Business
• Safety
• Protection of Assets
• Litigation

25
Types of Disaster

• Power Outages
• Hardware Problems
• Human Error
• Lightning
• Floods
• Fire
• Hurricane/Tornadoes
• Earthquakes
• Terrorism
• Security Breach

26
Power Outage One of the Most Common Business
Disruption

• Floods are second most common disruption
• Provide one hour of uninterrupted power on all
  service used internally.
• Provide eight hours of uninterrupted power for
  all Web servers and required support hardware.
• Replace desktop systems with laptop systems
  (where possible).

27
If Disaster Strikes
28
Disaster Recovery Kit

• Chemicals for preserving microfilm photographs
• Protective clothing
• Yellow pages
• Utility knives
• 9 x 12 Mylar paper
• Screwdriver
• Clothesline or fishing line
• Cotton (photographers) gloves
• Cotton hand towels
• Scissors
• Plastic garbage can small plastic buckets
• Disposable cameras

• Disaster Recovery Plan wrapped in plastic
• Absorbent paper such as paper towels
• Blotting paper such as florist paper
• Lint free cloths
• Flashlights extra batteries
• Waterproof markers colored tape in red, black,
  yellow green
• Rubber gloves (latex) and rubber fingers
• Large garbage bags
• Plastic sheeting

29
Assess Damage

• Concentrate on
• Safety of Employees
• Major facility damage
• Facility loss
• Blocked areas
• Records and information damage
• We prepared for the worst, but the worst wasnt
  enough Hurricane Katrina Victims, Mississippi
  Power

30
Vital Records and information priority recovery
materials include

• Records listed as vital records
• Additional records and information included on
  divisional or departmental priorities lists
• Records that are used to locate records and
  information such as indexes, file classification
  lists, accession analyses, location registers and
  inventories
• Records with high intrinsic value such as items
  for which a photocopy or microform would not
  provide a suitable replacement original deeds,
  contracts, wills, and certain archival holdings.

31
Priority Records Restoration

• Items that have already developed mold Mold is
  visible and can develop in 6 hours
• Items printed on parchment or vellum or printed
  on coated papers
• Items with water-soluble inks such as maps,
  drawings or manuscripts.

32
Options for Recovery

• Freeze Drying/Cold Storage
• Fumigation Services
• Image Recovery
• Freezer Paper, Fans, Heaters, Garbage Cans

33
Paper

• Use colored tape and/or markers to designate the
  different status of materials
• Black Beyond hope and will not be recovered
• Red To be recovered first and of the greatest
  importance
• Yellow To be frozen and recovered only when
  needed
• Green Does not need any recovery service

34
Microfilm

• Microfilm must be kept wet until it can be dried
  properly. Leave the film in the cartons or other
  containers and immerse in buckets of clean water
  for no more than 3 days.
• Contact a microfilm processing lab for
  restoration.

35
Magnetic Media

• Magnetic media may be difficult to recover and,
  in all cases, a professional should be contacted
  for assistance. Water alone does not necessarily
  damage magnetic media but contaminants do.
  Contaminants can damage the equipment that the
  magnetic media is run on and should be removed
  carefully.
• Immerse floppy disks and cassette tapes in
  distilled water in an upright position without
  crowding until a professional can clean and copy
  them.
• Large rolls of magnetic tape, disk packs, audio
  and videotape are difficult to recover and should
  be handled by a professional recovery specialist.
• Contact a professional disaster recovery vendor
  to clean and copy any magnetic media.

36
Laser Compact Disks

• Rinse surface with clean water being careful not
  to scratch the surface.
• Allow to air dry and then clean with a commercial
  disk cleaning solution.

37
Hot Site Centers

• Compatible computers to run back up tapes and
  current systems
• Appropriate contract

Finding office space in the event of a disaster
is difficult.  Leasing space in advance is
expensive. Having it available the instant a
disruption occurs is mandatory.  
38
Recommendations

• Responsible Disaster Recovery must be seen as a
  corporate core value.
• Top level management must support, provide
  resources and mandate change
• Include it in corporate compliance program
• Amend Code of Conduct, training programs,
  Corporate Policies and Procedures
• Approach it in phases.

39
What about third Parties??

• Identify organizations in which you have
  significant reliance on
• Ensure those vendors have Recovery Plans
• Ask to see test results

40

• Some of us will do our jobs well, and some
  will not, but we are all judged on one thing
  The End Result
• Vince Lombardi
• Hall of Fame Football Coach
• 1913-1970

41
Discussion and Questions