Disaster Recovery and Business Continuity

As we discussed in the Introduction to this Chapter, Disaster Recovery normally applies to the IT infrastructure and IT systems even though it can be applied by some organizations in the context of all disasters. Business Continuity as mentioned here below provides for continuity of business in the context of disasters as well as business recovery post disasters. Normally, Incident Response Mechanisms handle disasters of smaller gravity, particularly security incidents and Disaster Recovery and Business Continuity Plans address higher order disasters. An organization may have a single plan covering all incidents and disasters or may have different plans for different aspects. However, where the organizations have multiple plans, it should be ensured that the scope of each plan is clearly defined and there is no conflict between these plans, instead these plans complement each other. In the following sections, we

discuss all the three plans: Disaster Recovery Plan, Business Continuity Plan and Business Recovery Plan. All of these plans form a single composite plan that is known as Business Continuity Plan.

How to Approach Business Continuity Plan

A clear approach to the formulation of the Business Continuity Plan ensures that it considers all the important aspects and according to the scope of the business continuity that the organization wants to achieve.

Figure 5-4 illustrates the three important components of an effective Business Continuity Plan:

• Disaster Recovery Plan

• Business Continuity Plan

• Business Recovery Plan

Figure 5-4. Components of Business Continuity Plan

Assign Clear Roles and Responsibilities

For any project to be successful, it is necessary to define and assign clear roles and responsibilities. This is true even in the case of the formulation of Business Continuity Plans. The important roles and responsibilities in the context of the formulation of the Business Continuity Plans are described in the following sections.


Any plan will not be successful if there is no top management commitment. It is necessary from the perspective of provision of resources, allocation of sufficient budget, and getting the requisite infrastructure that Business Continuity Planning effort has the concrete backing of the top management. Ideal sponsor for the Business Continuity Plan is the Chief Executive Officer or the President or the Vice President of the organization. In case of specific unit level plans

it can be the head of that particular unit. Such a person should demonstrate not only his / her commitment through funding and provision of resources, but also by intervening and resolving any barriers to the effective formulation of Business Continuity Plans. The sponsor should discuss with the Project Manager and formulate the scope of the Business Continuity Plans so that the Business Continuity Planning Team puts its efforts in the right direction and without any ambiguity. Budget for the entire business continuity planning also should be decided and conveyed by the Sponsor to the Project Manager.

Project Manager

Formulation of the Business Continuity Plan should be treated like a project. Hence, there should be a designated project manager. In the context of the Business Continuity Plan this person is normally known as Business Continuity Planning Coordinator. Some organizations may call such a coordinator as Contingency Planning Coordinator.

Business Continuity Plan formulation project should have a planned start date and a planned end date. The activities or tasks to be carried over this period of time should be clearly planned in the schedule with the responsibility

clearly assigned to relevant and appropriate personnel. Dependencies between various steps or tasks or activities of the plan have to be identified. A tool like Microsoft Project Plan or any other scheduling software or tool should be of help to carry this out effectively. The Project Manager or the Business Continuity Planning Coordinator can be an external consultant or an internal employee with prior experience in such a plan formulation or may be an internal management person supported by an identified external consultant. Communication Plan is an important component of planning for Business Continuity Plan formulation. It is the responsibility of the Project Manager or the Business Continuity Planning Coordinator to ensure an effective Communication Plan.

Business Continuity Planning Team

The Project Manager or Business Continuity Planning Coordinator in discussion with the sponsor or on his/her own should identify the team members who need to be part of the Business Continuity Planning Team. Ideally it should be a cross-functional team representing the members from the business, IT team, information security team, facility

management and security team, human resources team, Sales and Marketing, Community Relations and Public Affairs, and Supply Chain / Purchasing, Finance. Experts or external consultants may also be included as part of the team.

Life Cycle of Business Continuity Planning

For Business Continuity Plans to be effective in addressing all the components of the plan including disaster recovery, business continuity and business recovery, organizations need to follow a well-defined Life Cycle of Business Continuity Planning. The success of the organization and its ability to withstand a disaster or serious business disruption depends upon the adequate thinking provided to each aspect of the life cycle, detailing of the same so that it is understood by everybody as relevant, tested for the assurance that it will work as expected in case of need and will enable the organization to bounce back effectively and efficiently on to the path of business continuity and business recovery. The Life Cycle of Business Continuity Planning is illustrated in Figure 5-5.

Figure 5-5. Business Continuity Planning Life Cycle


Appropriate scoping is very important and the starting point of a good Business Continuity Planning exercise. Whether the scope is the entire organization, for specific location, for specific business, or for specific department should be clearly set by the Sponsor of the Business Continuity Plan in his / her discussion with the Business Continuity Planning Coordinator. The scope should be written down and signed off by the Sponsor to ensure

that there is no disconnect between what was expected by the Sponsor and what was understood by the Business Continuity Planning Coordinator.

Plan for Formulation of Business Continuity Plan

A draft Project Schedule has to be prepared with a clear planned start date and planned end date. Various activities or tasks to be planned to formulate the Business Continuity Plan are identified. Assignments of the planned activities to various team members are also carried out. Dependencies between various tasks are also identified. Pre-requisites for important activities and success criteria for important activities are also identified. This draft schedule is discussed with the Business Continuity Team during the Business Continuity Plan Kick-Off Meeting and is finalized.

Communication Plan is an important component of planning for Business Continuity Plan formulation. This plan very clearly delineates how the status of the formulation of Business Continuity Plan is communicated to various stakeholders including the Sponsor and when and how the issues related to the plan are communicated. This plan also delineates channels of communication and various meetings that are part of overall communication strategy.

This also includes the communication of any changes including changes to the scope, changes to the cost, and changes to the project plans. This draft communication plan is discussed with Sponsor to check that the plan is as per the expectations of the Sponsor. This plan is then discussed broadly during the Business Continuity Plan Kick-Off Meeting and agreed to.

Business Continuity Plan Kick-Off Meeting

This is an important meeting of the Business Continuity Planning Team wherein the scope of the Business Continuity Planning is discussed so that everybody on the team is clearly aware of the scope. The broad plan prepared by the Business Continuity Planning Coordinator will be discussed with the team and depending upon the team's views necessary additional tasks / activities are incorporated, timelines are revised, dependencies are added / modified, and the responsibilities for various tasks are reassigned where required.

This meeting also discusses the risks to the schedule, risks to the achievement of the objective of the plans, and risk of the resources planned to be employed (non-availability, over engagement in other critical activities etc.).

Any issues expressed by the team members are considered, discussed, and necessary actions to be taken are planned for / determined.

Business Impact Analysis (BIA)

Business Impact Analysis is at the heart of Business Continuity Planning. Data from various local agencies, regional agencies, national agencies, and international agencies, as relevant, are collected related to applicable disasters and taken into consideration during the Business Impact Analysis.

The first activity as a part of the Business Impact Analysis is to list out various Business Lines of the organization and to understand their relative contribution to the organization and their relative criticality in terms of revenue and profitability. This also has to take into account impact on the customers of those business and possibility of the customers moving to other organizations if they are not supported. Business Impact Analysis will allow an organization to determine as to how much time each of these business lines can be down without significantly impacting the customers, and also how much a reduced level of service can sustain the business for some time.

Table 5-10 provides an example of how different lines of business determine the criticality of business continuity and recovery.

Table 5-10. Criticality Analysis of Different Lines of Business

Business Line Business Share

(% of total business of the organization)

Profitability % Criticality of Business

Continuity and Recovery

Business Line A 54% 12% Critical

Business Line B 17% 18% Critical

Business Line C 15% 5% Non-Critical

Business Line D 14% -2% Non-Critical

Assurance made to the customers of various service levels, impact on the customers due to the business downtime / service downtime are taken into account and minimum time within which business needs to be continued even at the reduced levels of scale or reduced service levels have to be identified. This step is very crucial for the success of effective business continuity.

Then we look at the risks to the systems enabling and supporting each of these business lines including IT infrastructure, software, applications, tools, and utilities from various applicable threats or scenarios including from natural disasters, infrastructural breakdowns, riots and strikes, system downtime because of issues like virus infection, and server crashes. We identify the top risks based on their probability of occurrence and their likely impact on each of the business lines. We use the data available while arriving at these. The focus here is on availability as this is the risk we want to cover primarily as part of BIA. However here, we go beyond the normal risk assessment and assume that the disaster is likely to happen and think of what steps the organization needs to take to recover from disasters and continue the business if the disaster comes true in spite of controls put in place.

On the basis of the criticality of various Business Lines and the corresponding applicable risks or scenarios, relative ranking is used for prioritization of recovery and focus on business continuity. This step is very crucial for the success of effective business recovery. Additionally, it is good to understand, at this point in time, the implication of downtime or disruption on the confidentiality, integrity, and primarily availability (as BCP addresses primarily the issue of availability). The same guidelines from NIST's FIPS PUB 199 as used in the Risk Management Section may be referred to understand the impact. The rating may be 1 or Low; 2 or Moderate; 3 or High i.e. one in a numerical scale and the other at risk level.

From the above the following three important aspects of Business Continuity and Recovery are decided:

Maximum Tolerable Downtime (MTD): This is the downtime or outage or disruption considered as tolerable by the stakeholders particularly business users in the context of a specific business line. Beyond this period of downtime, it will be perceived that the downtime will have severe impact on the business. This provides the inputs for the recovery method and processes to be used.4

Recovery Time Objective (RTO): This is the maximum time by which the recoveries of the affected systems have to be accomplished. This provides the input for the technologies to be used for effective recovery. This has to be less than the MTD as the recoveries of the systems well before the MTD are necessary to ensure that the business can be carried out effectively after MTD. Further, testing of the integrity of the system and data restored shall also be checked and ensured before MTD. This provides for time to get a new server (rented or redeployed within the organization

or leased etc.), install the operating system, install the application, configure the system appropriately, restore the backup from the backup media, check the system for effective restoration and roll it out for production, etc. Where the RTO is more than the MTD, then the Top Management has to be consulted as to the risks to the business and necessary steps as required have to be planned for as per the guidance of the Top Management.4

Recovery Point Objective (RPO): This is the point of time before the disaster or disruption or outage that the system can be brought back to. This applies to the data and usually depends upon the number of hours of data we can afford to lose. This decides the required backup frequency and type of backup. If the data is critical and can't be lost

at all, then online real-time mirroring of the data may have to be looked into. However, whenever strategizing such things the cost vs. benefits have to be considered.4

The analysis that we've discussed is better known as the Business Impact Analysis (see Figure 5-6). Typically, the organization determines five business areas and five relevant disasters (as per the thumb rule), which need to be addressed for business continuity as well as recovery. This number may vary from organization to organization;

however, looking to continue all the business lines, and always at the same level of performance, is possible to achieve only at high redundancy. It requires a high investment to support business continuity, and may not be a prudent business decision. As mentioned earlier, based on the relative criticality of the selected business lines, the recovery and continuity efforts are prioritized. Consequently, critical systems supporting those business lines and the priorities for their recovery also are identified.

Figure 5-6. Business Impact Analysis3

For some customers or some businesses, it may cost significantly if the business doesn't continue at the time of disaster or as early as possible after the disaster. For example, e-commerce business with high competition and huge volumes of business may lead to huge losses or potential business losses even if the systems are out for part of the day. Hence, we need to identify the need for continuity of business while recovery efforts are underway.

Adequate and appropriate resource deployment is the next important step in the process of effective recovery. Facilities, staff, hardware, operating system and other software, application software, data, tools and utilities, and relevant records are the important resources required to ensure effective recovery. These should be identified well ahead of time in appropriate quantity with appropriate capability to ensure effective and efficient recovery.

Again, while most focus is on recovery, as discussed earlier, not all business lines may require continuity of business immediately after the disaster as this can be enabled in case of most disasters only at a high cost like hot sites setup and maintenance.

Whether the business can be continued at a lower scale from the same site or from another alternate site depends upon the type of disaster impacting the current site. Heavy floods or huge fires or earthquake, or damages on account of terrorist strikes through bombs etc. may lead to total or high devastation at the current site and hence it may not be possible to recover the services mostly within the MTD from the same site. Hence, in case such disasters are perceived strongly (i.e., with relatively high probability), then business continuity or business recovery from other alternative sites may have to be planned for. If the immediate continuity of the business from another site is required, then alternative hot sites may have to be setup. If the business can wait for some time, then there is a possibility to recover and continue the business from other alternative sites by having alternative warm sites. If there is substantial time available as MTD, then it may be enough to have a cold alternative site or a reciprocal arrangement with some other organization. These alternative sites may be the ones owned already by the organization or may be the sites leased out for the specific purposes of business continuity or may be the sites of other organizations with which we have reciprocal arrangements.

In most of the cases, the disasters may have localized impact in which case business may be possible to be routed temporarily through some other sites where possibly only the personnel have to be shifted temporarily along with the requisite equipment like laptops etc. Some of the cases can be handled effectively by having reciprocal arrangements with other organizations in a neighboring town or city which can be easily reached within a reasonable time-frame.

Business Continuity Plan Preparation

Once the business lines to be supported along with the applicable disasters and the corresponding systems to be recovered and / or business operations to be continued from alternative sites are decided along with the priorities attached to them, the detailed Business Continuity Plan is drawn up.

The Business Continuity Plan lists out the Business Lines determined to be supported (as per BIA) as part of BCP as per their priorities. For each of the business lines the top few identified and applicable disasters impacting them

as determined during the BIA are listed out. Based on each disaster scenario, the systems to be brought up and the resources required for the recovery process are listed as determined during the BIA.

The next step is to identify the Preventive Controls. Preventive Controls are such controls which make it possible to reduce the impact or the possibility of some of these disasters, such as fire through mechanisms like smoke / fire detectors, fire alarm systems, and fire suppression systems. Many of these would have been considered as a part of organizational information security risk management activities. If not, possible preventive controls are now identified and assigned to appropriate personnel for effective execution.

For each of these listed disasters, what should be done during the first 24 hours, first 48 hours, first 72 hours of disaster are identified. These may be arranging for alternative servers, alternative routing of the network traffic, operating out of alternative sites (including where applicable other locations of the organization itself), restoration of the system files and data on to the alternative servers set up etc. The MTD and RTO are taken into consideration while planning these. The objective is to ensure that the business and supporting systems are brought back before the MTD. These have to be supported by effective and well-planned recovery processes.

Effective recovery depends upon the contingency strategies planned for. Some of the contingency strategies are backup and recovery methods, offsite storage strategies, provisioning of alternative cold, warm, or hot sites. Reciprocal arrangements for alternative sites, provision for receipt of backup equipment from the hardware vendor, inventory of internally deployable alternative systems necessary equipment to be stocked internally etc. are also required to be planned as part of these strategies. Service Level Agreements or timelines have to be agreed with

suppliers, where appropriate, to ensure timely and effective support. All these should be in tune with the determined recovery strategies / plans and should support the RTO and RPO. These should be appropriately captured as part of the BCP. Cost vs. benefit analysis should be carried out while deciding these and appropriate strategies have to be selected keeping in mind RTO and RPO.

Outage assessment procedures like assessing the cause of an outage, potential impacts of the outage, damages possible to the infrastructure and systems, time required to bring back the situation to normalcy, and so on have also to be planned as part of the BCP.

Various recovery procedures and their sequence of execution have to be planned for in detail as part of the BCP or as addendum to the BCP or as a separate companion plan. Procedures to check the effectiveness of the recovery activities during the reconstitution phase also have to be planned for as part of BCP.

Various roles and responsibilities to effectively execute the Business Continuity Plan are determined and documented as part of the BCP. While BCP Coordinator plays an important role in the entire planning and execution of the BCP, there are other roles and responsibilities which are important to ensure effective execution of the BCP. One of these is the Crisis Management Lead who is the senior person from the organization who is empowered to declare the situation as a crisis upon evaluating the scenario and the possible damages or impacts. Other roles may be the Travel Coordinator for arranging for travel during the disaster, Purchase Coordinator who initiates necessary purchases as per the plan, Facility Coordinator who sets up the alternative site / facility, Server Recovery Team, Network Recovery Team, Database Recovery Team, Legal Affairs Team, Public Affairs Team, etc. while the BCP Coordinator takes overall lead and provides overall guidance for the effective execution of the BCP. Also, backups for each of the critical roles is also decided and assigned as part of the BCP.

Crisis Communication and other communication plans are also part of the Business Continuity Plan. These very clearly describe who is empowered to communicate with the internal and external world on the crisis and what kinds of communications are normally allowed in case of the relevant disasters. Even the forms and templates as necessary to support the same may be provided. The line of communication chart is also provided as needed, if the communication at various centers has to be percolated down / to others through various personnel of the organization. Activation criteria for important communications like crisis announcement and various notifications to be provided prior to the disaster, during the disaster, or after the disaster are also documented clearly as part of the BCP.

The primary and secondary contact details like landline numbers, mobile numbers, e-mail ids, and addresses of personnel assigned with various roles are captured as part of the BCP. The contact names and details of various critical suppliers like offsite backup custodial service providers, critical suppliers to whom critical work has been outsourced, etc. are also captured as part of the BCP.

Designation of the war rooms and the facilities to be available in the war rooms, the type of documentation to be carried out during the entire BCP life cycle; who is responsible for the documentation as scribe, and so on are planned for clearly as part of the BCP.

The plan is concluded with all the necessary contents as above and reviewed with the sponsor for completeness, consistency and correctness.

Business Continuity Plan Validation & Training

The Business Continuity Plan has to be tested and validated to get the requisite assurance that it works effectively when required. Testing and exercises are part of this validation. This is an important step of the Business Continuity Plan and cannot be missed out.

Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan. Testing should be performed as far as possible in an environment akin to the current operating environment of the organization. Each of the recovery processes mentioned in the plan should be tested to get the assurance that they work when executed. Some of the things tested as part of BCP validation are:3

• Notification procedures;

• System recovery on an alternate platform from backup media;

• Internal and external connectivity;

• System performance using alternate equipment;

• Restoration of normal operations.4

This testing has to be carried out methodically using the test plans with clearly defined test scenarios (ideally worst case scenarios) and success criteria based on the defined test objectives. Test Plans should also test for the timeframes for each of the critical processes. This enables us to understand whether recovery is possible as per RTO or not.

Based on the outcome of the tests, necessary modifications or improvements may have to be made to the BCP.

Training on the BCP has to be provided to various roles mentioned in the BCP. The primary focus should be on the objective of the plan, communications to be carried out by and among various roles including reporting processes, coordination between various roles, do's and don'ts, team specific processes, responsibilities attached to

individual roles, and security requirements. All the stakeholders have to be involved in the training mandatorily and clarify their doubts so that they are effective when it comes to the execution of the plan in case of eventuality.

Various exercises are conducted to ensure that the plan is appropriate and works when needed. Some of the popular exercises used are:

• Table Top Exercise4: This is normally done as a class room discussion based exercise. Here, no equipment is used. Various stakeholders meet and discuss their responsibilities in the case of an emergency and how will they respond in the context of a specific scenario provided by the facilitator.

• Functional Exercise4: Simulated environment is used and emergency processes are implemented by various teams. The teams carry out their emergency responsibilities in the simulated environment. It provides them hands on experience as well as tests the validity of the plans and processes. These may be exercising specific responsibilities of specific team members or exercising specific processes etc. These may be limited to specific aspects of the plans or may be a full scale exercise of the plan.

Table Top exercises may be enough for low impact systems. Limited functional exercises may be required for medium impact systems. Full functional exercises may be required in case of high-impact systems.

Up-to-date Maintenance of the BCP

With significant changes to businesses or infrastructure or systems, the BCP need to be reviewed and the need for its continued currency or the need for update to the same has to be ascertained. In case, the changes have impact on the BCP, it needs to be updated. Where the changes to the BCP are significant, then re-training of the resources and re-validation of the BCP are important. Even in case the BCP is static in terms of its technical contents, the BCP may require periodical updates and trainings on account of changes to the personnel and their responsibilities, and contact details. Like the original BCP, modified BCP also has to be reviewed and approved by the Sponsor of BCP.


• We discussed security breaches on confidentiality, integrity, and availability aspects of information security. We also made it clear that the risk management, incident response, disaster recovery, and business continuity planning are critical to ensure that the impacts on or compromises to confidentiality, integrity and availability are reduced significantly. We also stressed upon numerous theories around these concepts and found that they are diverse and many a time confusing. We also defined some of the key terminologies used in the chapter in our simple and practical ways to avoid confusion to the readers.

• We explored Risk Management and looked at each of the components of the risk management life cycle including risk identification, risk analysis, risk response, execution of risk treatment plans, and periodical risk assessments. Each of these were explained and elaborated in detail. Detailed guidelines are provided so that the users can effectively carry out the risk assessment. A useful template for risk assessment is also provided as reference.

• We also explored upon the Incident Response Policy, Plan, Processes, and the Incident Response Life Cycle. We looked at the importance of the preparation activities. We elaborated in detail upon incident detection including incident analysis, incident containment including containment strategies, incident eradication, and incident recovery. We also explained how the post incident analysis like learning, use of data collected are important, and useful steps leading to the improvement to the incident response mechanisms.

• We examined the Business Continuity Plan (including the Disaster Recovery, Business Continuity, and Business Recovery). We elaborated upon the important roles and responsibilities related to the formulation of the BCP. We also elaborated upon the planning required to arrive at the BCP. We also examined, as part of the BCP Life Cycle, the importance of Business Impact Analysis, and how it becomes the base for the formulation of the BCP. We also looked at the broad contents of the BCP. We also highlighted the need for validation of the BCP through Testing and Exercises. We also explored how training helps in the effective implementation of BCP. Then we highlighted the need for keeping the BCP updated with the changes.

< Prev   CONTENTS   Next >