Q&A: Writing your disaster recovery plan


Disaster recovery planningA disaster recovery plan is a key part of your company’s IT security precautions. Ross Walker, from security company Veritas, explains how to write your disaster recovery plan

Why should businesses have a disaster recovery plan?

"Creating a disaster recovery plan will help your business deal with IT disasters, so you can get back up and running quickly. A disaster recovery plan can cover all sorts of eventualities, from cybercriminals stealing data to fire or flood damage."

"However, for most businesses, it’s their intellectual property that differentiates them from the competition. And that intellectual property is probably stored on computers, where it can be corrupted, deleted, stolen or damaged. So having a disaster recovery plan will help preserve these intangible assets, as well as more obvious ones - like servers and computer hardware."

"Ultimately, your disaster recovery plan is a kind of insurance policy. You hope you’ll never need it, but if you ever do, you’ll be really glad of it."

Start writing your disaster recovery plan

"The first step in putting your disaster recovery plan together is to identify what assets your business has. They might be physical assets, like laptops or smartphones. Or they might be less tangible assets that are actually worth more - like that valuable data and intellectual property."

"Work with your employees on your disaster recovery plan. Identify who has a mobile phone, a smartphone, a laptop. Is there a server in the business? Identify who holds what information - and where it’s stored."

"A disaster recovery plan is all about asking 'what if...?' It can be as simple as sitting down with a sheet of paper and mapping out possible scenarios. What would happen if that device was lost or the hard disk crashed? What impact would that have?"

Who should help write your disaster recovery plan?

"It’s important you work with a trusted advisor to create a disaster recovery plan that’s appropriate for your business. This might be your existing IT supplier or a security specialist."

"However, ultimately your disaster recovery plan needs to involve everyone in your business. After all, anyone with access to your IT systems and data may conceivably need to follow some of the procedures in your disaster recovery plan."

Structuring your disaster recovery plan

"Your disaster recovery plan needs to have a line item for every eventuality that can happen. Alongside each should be a list of actions explaining how to deal with it."

"The disaster recovery plan should be created when people are not under pressure. If an IT disaster happens, people will be stressed and concerned. It can have an emotional impact, so the idea of the disaster recovery plan is to cut through that and explain what you need to do."

"For instance, say someone in your business lost a laptop or USB drive. Your disaster recovery plan would tell you to contact your IT supplier to get new hardware ordered, to ensure you can recover the data from where it’s backed up and to activate any 'remote wipe' or 'remote kill' to prevent unauthorised people accessing the data."

Make your disaster recovery plan usable

"Keep your disaster recovery plan as short as possible. It only needs to be one or two pages. You need to be able to go back and reference it quickly in a crisis."

"And once your disaster recovery plan has been written, you need to go through some disaster recovery readiness testing."

"Actually role-play the procedures in your disaster recovery plan. Do this regularly and try to identify any weaknesses or improvements you can make - especially as your business expands or changes."