Disaster recovery plan_for_business_cont

2016
Disaster Recovery Plan
For Business
Continuity : Case Study
in a Business Sector
Author: Jacob Joseph Kassema
INFORMATION
TECHNOLOGY DISASTER
RECOVERY (ITDR)
An information technology (IT) disaster recovery (DR) plan
provides a structured approach for responding to unplanned
incidents that threaten an IT infrastructure, which includes
hardware, software, networks, processes and people. Protecting
your organization's investment in its technology infrastructure, and
protecting your organization's ability to conduct business are the
key reasons for implementing an IT disaster recovery plan.

i
IT-DRP For Business Continuity Case Study in a Business Sector, June 2016.
TABLE OF CONTENTS
Abbreviations 3................................................................................
Acknowledgement 4...........................................................................
Research Preference 5........................................................................
Abstract 5.......................................................................................
Introduction 7..................................................................................
What is an IT disaster recovery plan? 7.................................................
IT Disaster Recovery Plan 7...............................................................
IT Recovery Strategy 8.....................................................................
Data and restoration 9.....................................................................
Internal Recovery Strategies 10.......................................................
Vendor Supported Recovery Strategies 10...........................................
Developing an IT Disaster Recovery Plan 11.........................................
IT Data Backup 11..........................................................................
Developing the Data Backup Plan 12.................................................
Options for Data Backup 12............................................................
Statement of the Problem 13.............................................................
Significance of the Study 14..............................................................
Research Hypothesis 15.......................................................................
Paper Organization 15.....................................................................
Research Methodology 16.....................................................................
Method of the Study 16....................................................................
Study Milestone 17.........................................................................
Data Collection and Analysis 19.............................................................
Data Collection Techniques 19............................................................
Data Preparation and Analysis Tools 19..................................................
Literature Review 21..........................................................................
Business Continuity Plan 22..................................................................
Disaster Recovery Plan Framework 23......................................................
DRP Strategy 23.............................................................................
DRP Implementation Model 25............................................................
Obtaining top management commitment 25........................................
Establishing a planning committee 25................................................
Performing a risk assessment 26......................................................
Establishing priorities for processing and operations 26...........................

ii
Determining recovery strategies 27...................................................
Collecting data 27.......................................................................
Organizing and documenting a written plan 27.....................................
Developing testing criteria and procedures 28......................................
Testing the plan 29......................................................................
Obtaining plan approval 29............................................................
DRP Technologies 30........................................................................
Conclusion and Recommendations 31......................................................
Fact Findings 31.............................................................................
Step-by-Step IT DRP Implementation 31................................................
IT Disaster Recovery Plan Benefits 32...................................................
Types of Plans 33...........................................................................
Types of Disasters 33.......................................................................
References 34..................................................................................
Annexes 35......................................................................................
Annex 1:ITDR Architecture 35............................................................

iii
ABBREVIATIONS
IT Information Technology
ICT Information and Communication Technology
DR Disaster Recovery
DRP Disaster Recovery Plan
IT-DRP Information Technology Disaster Recovery Plan
ITDR Information Technology Disaster Recovery
ROI Return on Investment
VOIP Voice over Internet Protocol
EDI Electronic Data Interchange
ERP Enterprise Resource Planning
MIS Management Information System
IBM Inter Business Machine
USB Universal Serial Bus
SPSS Statistical Package for the Social Science
BIA Business Impact Analysis
PUBLISHER
SSRN ID ……………………………..
Published in SSRN eLibrary (www.ssrn.com)
Social Science Research Network 2171 Monroe Avenue, Suite 203
Rochester, NY 14618 Ofﬁce
Phone: 585 442 8170 Ofﬁce Fax: 585 442 8171

iv
ACKNOWLEDGEMENT
In success and completion of this research, I would like to
thank my supervisor Mentor Dr. Amani Sedoyeka for their full
support and constructive ideas during whole of my research, I also
acknowledge the value and importance of having online library such
as SSRN, Gartner and Google Scholar which helps me to access
various data, information and other research papers in the area of
Disaster Recovery.
Special thanks goes to my family, my wife and my loving
daughter for providing possible support during my studies and
research by dedicating their time to help me with family
responsibilities whenever I was not available or ready to do. My
thanks goes to all organizations which I managed to visit and
observe their IT-DRP and understand basics on the ground.
I also take this opportunity to thank my publisher who helped me
with the procedures in publishing this summary research paper, as
well as showing me the way on how to share my views with other
researchers, scholars and other research and education institutions
in the world of research.

v
RESEARCH PREFERENCE
In the business sector, every one wishes to have a business which
provide products and services all the time when needed, therefore if
the business relay on data as well as manufacturing, the
contingency plan in so obvious. I take this opportunity to
acknowledge IT-DRP is a Critical Success Factor (CSF) for a
business to succeed and stay in the market for as long as the
market share exist. As a research I feel privilege to conduct this
research and share with you this knowledge and ﬁndings as well as
conclusion.

ABSTRACT
An information technology (IT) disaster recovery (DR) plan
provides a structured approach for responding to unplanned
incidents that threaten an IT infrastructure, which includes
hardware, software, networks, processes and people.
Protecting your organization's investment in its technology
infrastructure, and protecting your organization’s ability to
conduct business are the key reasons for implementing an IT
disaster recovery plan.
As IT systems have become increasingly critical to the smooth
operation of a company, and arguably the economy as a
whole, the importance of ensuring the continued operation of
those systems, and their rapid recovery, has increased.
According to IBM, most of their customers (companies) that
had a major loss of business data, 43% never reopen and 29%
close within two years. As a result, preparation for continuation
or recovery of systems needs to be taken very seriously. This
involves a signiﬁcant investment of time and money with the
aim of ensuring minimal losses in the event of a disruptive
event
It is known that, Organization’s has a number of systems in
place such as ERP’s, Finance and Accounting System, Human

vi
Resource MIS, Assets Management System, Content
Management System (Webserver), Authentication System
(Domain) as well as Electronic Mail System e.t.c, all these are
the investments which an Organization is investing, protecting
these investment it is mandatory so that ROI can be achieved
and enjoyed. Therefore, it is very important to make sure that
all these systems are properly backed up with an appropriate
technology for easy and quick recovery for business operations
continuity in case of any disruption may occur.

vii
INTRODUCTION
WHAT IS AN IT DISASTER RECOVERY PLAN?
IT disaster recovery plans provide step-by-step procedures for
recovering disrupted systems and networks, and help them
resume normal operations. The goal of these processes is to
minimize any negative impacts to company operations. The IT
disaster recovery process identiﬁes critical IT systems and
networks; prioritizes their recovery time objective; and
delineates the steps needed to restart, reconﬁgure, and
recover them. A comprehensive IT DR plan also includes all
the relevant supplier contacts, sources of expertise for
recovering disrupted systems and a logical sequence of action
steps to take for a smooth recovery.
IT DISASTER RECOVERY PLAN
Businesses and Government use information technology to
quickly and effectively process information. Employees use
electronic mail and Voice Over Internet Protocol (VOIP)
telephone systems to communicate. Electronic data
interchange (EDI) is used to transmit data including orders and
payments from one Ministry, Department or Agency to another.
Servers process information and store large amounts of data.
Desktop computers, laptops and wireless devices are used by
employees to create, process, manage and communicate
information. What will you do when your information technology
stops working? An information technology disaster recovery

viii
plan (IT DRP) should be developed and incorporated with the
business continuity plan as well as the appropriate technology
to support the plan.
Priorities and recovery time objectives for information
technology should be developed during the business impact
analysis. Technology recovery strategies should be developed
to restore hardware, applications and data in time to meet the
needs of the business recovery.
Organization with its departments regardless of its size (large
and/or small) create and manage large volumes of electronic
information or data. Much and most of that data are important
and crucial. Some data is vital to the survival and continued
operation of the business. The impact of data loss or corruption
from hardware failure, human error, hacking or malware could
be so much signiﬁcant to the Ministry. Therefore, a plan for
data backup and restoration of electronic information is
essential.
IT RECOVERY STRATEGY
Recovery strategies should be developed for Information
technology (IT) systems, applications and data. This includes
networks, servers, desktops, laptops, wireless devices, data
and connectivity. Priorities for IT recovery should be consistent
with the priorities for recovery of business functions and
processes that were developed during the business impact
analysis.

ix
IT resources required to support time-sensitive business
functions and processes should also be identified. The
recovery time for an IT resource should match the recovery
time objective for the business function or process that
depends on the IT resource.
Information technology systems require hardware, software,
data and connectivity. Without one component of the “system,”
the system may not run. Therefore, recovery strategies should
be developed to anticipate the loss of one or more of the
following system components:
• Computer room environment (secure computer room
with climate control, conditioned and backup power
supply, etc.)
• Hardware (networks, servers, desktop and laptop
computers, wireless devices and peripherals)
• Connectivity to a service provider (fiber, cable,
wireless, etc.)
• Software applications (electronic data interchange,
electronic mail, enterprise resource management,
office productivity, etc.)
DATA AND RESTORATION
Some business applications cannot tolerate any downtime.
They utilize dual data centers capable of handling all data
processing needs, which run in parallel with data mirrored or
synchronized between the two centers. This is a very

x
expensive solution that only larger companies can afford.
However, there are other solutions available for small to
medium sized businesses with critical business applications
and data to protect.
INTERNAL RECOVERY STRATEGIES
Many businesses have access to more than one facility.
Hardware as an alternate facility can be configured to run
similar hardware and software applications when needed.
Assuming data is backed up off-site or data is mirrored
between the two sites, data can be restored at the alternate
site and processing can continue.
VENDOR SUPPORTED RECOVERY STRATEGIES
There are vendors that can provide “hot sites” for IT disaster
recovery. These sites are fully configured data centers with
commonly used hardware and software products. Subscribers
may provide unique equipment or software either at the time of
disaster or store it at the hot site ready for use.
Data streams, data security services and applications can be
hosted and managed by vendors. This information can be
accessed at the primary business site or any alternate site
using a web browser. If an outage is detected at the client site
by the vendor, the vendor automatically holds data until the
client’s system is restored. These vendors can also provide
data filtering and detection of malware threats, which enhance
cyber security.

xi
DEVELOPING AN IT DISASTER RECOVERY PLAN
Businesses should develop an IT disaster recovery plan. It
begins by compiling an inventory of hardware (e.g. servers,
desktops, laptops and wireless devices), software applications
and data. The plan should include a strategy to ensure that all
critical information is backed up.
Identify critical software applications and data and the
hardware required to run them. Using standardized hardware
will help to replicate and reimage new hardware. Ensure that
copies of program software are available to enable re-
installation on replacement equipment. Prioritize hardware and
software restoration. Document the IT disaster recovery plan
as part of the business continuity plan. Test the plan
periodically to make sure that it works.
IT DATA BACKUP
Businesses generate large amounts of data and data ﬁles are
changing throughout the workday. Data can be lost, corrupted,
compromised or stolen through hardware failure, human error,
hacking and malware. Loss or corruption of data could result in
signiﬁcant business disruption. Data backup and recovery
should be an integral part of the business continuity plan and
information technology disaster recovery plan.
Developing a data backup strategy begins with identifying what
data to backup, selecting and implementing hardware and
software backup procedures, scheduling and conducting

xii
backups and periodically validating that data has been
accurately backed up.
DEVELOPING THE DATA BACKUP PLAN
Identify data on network servers, desktop computers, laptop
computers and wireless devices that needs to be backed up
along with other hard copy records and information. The plan
should include regularly scheduled backups from wireless
devices, laptop computers and desktop computers to a network
server. Data on the server can then be backed up. Backing up
hard copy vital records can be accomplished by scanning
paper records into digital formats and allowing them to be
backed up along with other digital data.
OPTIONS FOR DATA BACKUP
Tapes, cartridges and large capacity USB drives with
integrated data backup software are effective means for
businesses to backup data. The frequency of backups, security
of the backups and secure off-site storage are usually
addressed in the plan. Backups should be stored with the
same level of security as the original data.
Many vendors offer online data backup services including
storage in the “cloud”. This is a cost effective solution for
businesses with an internet connection. Software installed on
the client server or computer is automatically backed up. Data

xiii
should be backed up as frequently as necessary to ensure
that, if data is lost, it is not unacceptable to the business. The
business impact analysis should evaluate the potential for lost
data and define the “recovery point objective.” Data restoration
times should be confirmed and compared with the IT and
business function recovery time objectives.
There are available technologies for disk to disk backup, which
provide total data backup and the image of the system state
according to the scheduling plan which is configured, this
provide more flexibility in using the technology and
management point of view. Because restoration is just within
two to three hours since everything will be backed up at the
volume level and snapshot image of the system state.
STATEMENT OF THE PROBLEM
It has been noted that, when IT disruption occur in most of the
organization in the business sector, recovery in many cases
took much longer, some data and information are lost, the
revenue is lost at that period of recovery, and some other
cases additional cost in incurred. This phenomena lead me to
take a closer look into the basics of DRP and technologies
which are available with their pros and cons. Because when
disruption happen, causes so much trouble to the organization
such as un-availability of services, loss of revenue and
reputation, time consuming in recovery as well as additional
cost for business to be back in operation, sometime (in rare
cases) the beginning of the organization downfall.

xiv
SIGNIFICANCE OF THE STUDY
This paper looks into the outlined problems by ﬁrst
understating the basics of the Distaste Recovery from different
literature, and observe on site its applicability as well as its
application. But also to test and demonstrate different tools,
techniques and methods of research methodology for the
purpose of having correct and genuine evidence and results to
support my ﬁndings, conclusion and recommendations.
This paper will add values to the body of knowledge in the area
of Disaster Recovery by identifying and eliminating factors that
contribute to IT-DRP implementation failures, providing more
information and details related to proper IT-DRP Framework,
Data Backup best practise, plans and strategies for the
successful business continuity, by identify the requirements as
readiness towards IT-DRP implementation, and providing more
rooms for research in the area of DR and related technologies.

xv
RESEARCH HYPOTHESIS
The hypothesis of this research based on the following
statement, which will be tested and verified after data collection
and analysis:
“Organizations and Businesses which has IT-DRP helps
them to maintain their product and service availability
than those which do not have”
This statement will be used to test the hypothesis of the study
according to the population and sample defined.
PAPER ORGANIZATION
This paper is organized in eight chapters, which includes
abstract and Introduction as written, followed by research
methodology as well as literature review from different papers
and authors, followed by Data Collection and Analysis, followed
by DRP Framework which includes DRP Strategies,
Implementation Model and DRP Technologies, and finalized
with conclusion and recommendations which included fact
findings from literature review and data collection and analysis
for a better and successful IT-DRP.

xvi
RESEARCH METHODOLOGY
METHOD OF THE STUDY
In this research the following have been used to gather all the fact
and data from different sources, which includes different companies
and organization:-
a. Literature Reviewing
b. Interviewing
c. Site Visiting and
d. Stakeholders Consulting
• Literature Review
During this study, different IT Audit report, Technological and
Computer journals, IT and Computer Books as well as
Technological Scientiﬁc papers related to this study area have
been reviewed to understand the situation and domain of the
study.
• Interviewing
Involvement of other stake holders have be done through
interview to get a clear picture of the situation as well as to
collect facts on the ground and to those who are involved in
the process of IT-DRP and those who are using the IT-DR
Infrastructures
• Sites Visits/Observation/Survey
Looking on how things are done in really time and actual
sense is a key factor to understand difﬁculties and challenges
they face in managing the IT-DR Infrastructure as well as
implementation models they use.
• Consultation
Because of the importance of the IT-DRP in a modern world,
the consultation from the key players and experts as well as

xvii
specialists in this area were done to understand and know
different technologies available and their importance as well
as significance to the business industry.
STUDY MILESTONE
As a research milestone, the following were the steps followed
throughout the study to make sure I do the research in a systematic
and scientific way:-
Step 1: Identify the Problem
In this step, the study done in order to get the challenges, limitation
and constraints which the business industry faces in managing IT-
DRP during a disaster, as well as getting the correct information on
the research area, this serves as the focus of the study.
Step 2: Review the Literature
Now that the problem has been identified, as a researcher I had to
learn more about the topic. To do this, I reviewed the literatures
related to the problem area. The information discovered during this
step helped me fully understand in depth the magnitude of the
research area.
Step 3: Clarify the Problem
The aim of this step was to clarify the problem and narrows the
scope of the study due to the fact, initially in any research the idea
always becomes wide in scope and it is not easy to conduct a wide-
scale research area. This was done after the literature been pre-
reviewed.
Step 4: Clearly Define Synonyms, Abbreviations, Terms and
Concepts
Synonyms, Abbreviations, Terms and concepts are words or
phrases used in the study, these items need to be specifically
defined as they apply to the study. Terms or concepts often have
different definitions depending on who is reading the study.
Step 5: Define the Population
Usually any research focuses on a specific group of people,
facilities, or the integration of technology into the operations e.t.c. In
research terms, the group to involve in the study called population.
Therefore, I identified the group that the study results will apply is to
be all IT people who are managing IT Service Delivery within an
organization.
Step 6: Develop the Instrumentation Plan
The instrumentation plan serves as the road map for the entire
study, specifying who will participate in the study; how, when, and

xviii
where data will be collected; and the content of the program. This
ensures that I have carefully thought through all these decisions and
that I provides a step-by-step plan to be followed in the study.
Step 7: Collect Data
Once the instrumentation plan is completed, the actual study begins
with the collection of data. Every study includes the collection of
some type of data—whether it is from the literature or from subjects
—to answer the research question. Data can be collected in the
form of words on a survey, with a questionnaire, through
observations, or from the literature.
Step 8: Analyze the Data
All the time, effort, and resources dedicated to steps 1 through 7 of
the research process culminate in this ﬁnal step. Finally at this step,
I had data to analyze so that the research question can be answered
as well as research signiﬁcance.

xix
DATA COLLECTION AND
ANALYSIS
According to C R Kothari and Gaurav Garg, 2014, I came to realize
that, as a researcher I had to keep in mind that, there is a Primary
and Secondary data, where by “primary data are those which are
collected afresh and for the ﬁrst time, and thus happen to be original
in character”, and “secondary data are those which have been
already collected by someone else and which have already been
passed through the statistical process”.
DATA COLLECTION TECHNIQUES
I this research both data were used, primary and secondary
due to the nature of the study area, and basically the types of
this research is descriptive. This means primary data were
collected through the following methods/techniques
Observation, Site Visit, Interviewing and/or Survey as well as
consultation, and secondary data were collected mostly from
different papers, reports, journals, newsletters as well as
literature books through literature review method/technique
DATA PREPARATION AND ANALYSIS TOOLS
After data being collected, the process of preparing data started as
per C R Kothari and Gaurav Garg, 2014 demonstrated the entire
process, the process involves questions checking, editing, coding,
classiﬁcation, tabulation, graphical representation, data cleaning and

xx
data adjusting. This process have been done to make sure data
collected are useful and provide useful meaning, and data analysis
tool which have been used is SPSS Package due to the fact that, it
is the most reputable and worldwide recognized for its ability and
ﬂexibility in analyzing data as well as providing correct and
meaningful results.

xxi
LITERATURE REVIEW
Assuming you have completed a risk assessment and have
identified potential threats to your IT infrastructure, the next step is
to determine which infrastructure elements are most important to the
performance of your company's business. Also assuming that all IT
systems and networks are performing normally, your firm ought to
be fully viable, competitive and financially solid. When an incident --
internal or external -- negatively affects the IT infrastructure, the
business could be compromised.
According to National Institute for Standards and Technology (NIST)
Special Publication 800-34, Contingency Planning for Information
Technology Systems, the following summarizes the ideal structure
for an IT disaster recovery plan:
1. Develop the contingency planning policy statement. A
formal policy provides the authority and guidance necessary
to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA). The business
impact analysis helps to identify and prioritize critical IT
systems and components.
3. Identify preventive controls. These are measures that
reduce the effects of system disruptions and can increase
system availability and reduce contingency life cycle costs.
4. Develop recovery strategies. Thorough recovery strategies
ensure that the system can be recovered quickly and
effectively following a disruption.
5. Develop an IT contingency plan. The contingency plan
should contain detailed guidance and procedures for
restoring a damaged system.
6. Plan testing, training and exercising. Testing the plan
identifies planning gaps, whereas training prepares recovery
personnel for plan activation; both activities improve plan
effectiveness and overall agency preparedness.
7. Plan maintenance. The plan should be a living document
that is updated regularly to remain current with system
enhancements.
Many vendors offer online data backup services including storage in
the “cloud”. This is a cost-effective solution for businesses with an
internet connection. Software installed on the client server or
computer is automatically backed up.

xxii
Data should be backed up as frequently as necessary to ensure
that, if data is lost, it is not unacceptable to the business. The
business impact analysis should evaluate the potential for lost data
and define the “recovery point objective.” Data restoration times
should be confirmed and compared with the IT and business
function recovery time objectives.
BUSINESS CONTINUITY PLAN
Business Continuity Planning Process Diagram - Text Version
When business is disrupted, it can cost money. Lost revenues plus
extra expenses means reduced profits. Insurance does not cover all
costs and cannot replace customers that defe ct to the22
competition. A business continuity plan to continue business is
essential. Development of a business continuity plan includes four
steps:
• Conduct a business impact analysis to identify time-sensitive
or critical business functions and processes and the
resources that support them.
• Identify, document, and implement to recover critical business
functions and processes.
• Organize a business continuity team and compile a business
continuity plan to manage a business disruption.
• Conduct training for the business continuity team and testing
and exercises to evaluate recovery strategies and the plan.
Information technology (IT) includes many components such as
networks, servers, desktop and laptop computers and wireless
devices. The ability to run both office productivity and enterprise
software is critical. Therefore, recovery strategies for information
technology should be developed so technology can be restored in
time to meet the needs of the business. Manual workarounds should
be part of the IT plan so business can continue while computer
systems are being restored.

xxiii
DISASTER RECOVERY PLAN
FRAMEWORK
DRP STRATEGY
If a facility is damaged, production machinery breaks down, a
supplier fails to deliver or information technology is disrupted,
business is impacted and the financial losses can begin to grow.
Recovery strategies are alternate means to restore business
operations to a minimum acceptable level following a business
disruption and are prioritized by the recovery time objectives (RTO)
developed during the business impact analysis.
Recovery strategies require resources including people, facilities,
equipment, materials and information technology. An analysis of the
resources required to execute recovery strategies should be
conducted to identify gaps. For example, if a machine fails but other
machines are readily available to make up lost production, then
there is no resource gap. However, if all machines are lost due to a
flood, and insufficient undamaged inventory is available to meet
customer demand until production is restored, production might be
made up by machines at another facility—whether owned or
contracted.
Strategies may involve contracting with third parties, entering into
partnership or reciprocal agreements or displacing other activities
within the company. Staff with in-depth knowledge of business
functions and processes are in the best position to determine what
will work. Possible alternatives should be explored and presented to
management for approval and to decide how much to spend.
Depending upon the size of the company and resources available,
there may be many recovery strategies that can be explored.
Utilization of other owned or controlled facilities performing similar
work is one option. Operations may be relocated to an alternate site
- assuming both are not impacted by the same incident. This
strategy also assumes that the surviving site has the resources and
capacity to assume the work of the impacted site. Prioritization of
production or service levels, providing additional staff and resources
and other action would be needed if capacity at the second site is
inadequate.

xxiv
Telecommuting is a strategy employed when staff can work from
home through remote connectivity. It can be used in combination
with other strategies to reduce alternate site requirements. This
strategy requires ensuring telecommuters have a suitable home
work environment and are equipped with or have access to a
computer with required applications and data, peripherals, and a
secure broadband connection.
In an emergency, space at another facility can be put to use.
Cafeterias, conference rooms and training rooms can be converted
to office space or to other uses when needed. Equipping converted
space with furnishings, equipment, power, connectivity and other
resources would be required to meet the needs of workers.
Partnership or reciprocal agreements can be arranged with other
businesses or organizations that can support each other in the event
of a disaster. Assuming space is available, issues such as the
capacity and connectivity of telecommunications and information
technology, protection of privacy and intellectual property, the
impacts to each other’s operation and allocating expenses must be
addressed. Agreements should be negotiated in writing and
documented in the business continuity plan. Periodic review of the
agreement is needed to determine if there is a change in the ability
of each party to support the other.
There are many vendors that support business continuity and
information technology recovery strategies. External suppliers can
provide a full business environment including office space and live
data centers ready to be occupied. Other options include provision
of technology equipped office trailers, replacement machinery and
other equipment. The availability and cost of these options can be
affected when a regional disaster results in competition for these
resources.
There are multiple strategies for recovery of manufacturing
operations. Many of these strategies include use of existing owned
or leased facilities. Manufacturing strategies include:
• Shifting production from one facility to another
• Increasing manufacturing output at operational facilities
• Retooling production from one item to another
• Prioritization of production—by profit margin or customer
relationship
• Maintaining higher raw materials or finished goods inventory
• Reallocating existing inventory, repurchase or buyback of
inventory
• Limiting orders (e.g., maximum order size or unit quantity)

xxv
• Contracting with third parties
• Purchasing business interruption insurance
There are many factors to consider in manufacturing recovery
strategies:
• Will a facility be available when needed?
• How much time will it take to shift production from one
product to another?
• How much will it cost to shift production from one product to
another?
• How much revenue would be lost when displacing other
production?
• How much extra time will it take to receive raw materials or
ship ﬁnished goods to customers? Will the extra time impact
customer relationships?
• Are there any regulations that would restrict shifting
production?
• What quality issues could arise if production is shifted or
outsourced?
• Are there any long-term consequences associated with a
strategy?
DRP IMPLEMENTATION MODEL
OBTAINING TOP MANAGEMENT COMMITMENT
For a disaster recovery plan to be successful, the central
responsibility for the plan must reside on top management.
Management is responsible for coordinating the disaster recovery
plan and ensuring its effectiveness within the organization. It is also
responsible for allocating adequate time and resources required in
the development of an effective plan. Resources that management
must allocate include both ﬁnancial considerations and the effort of
all personnel involved.
ESTABLISHING A PLANNING COMMITTEE

xxvi
A planning committee is appointed to oversee the development and
implementation of the plan. The planning committee includes
representatives from all functional areas of the organization. Key
committee members customarily include the operations manager
and the data processing manager. The committee also defines the
scope of the plan.
PERFORMING A RISK ASSESSMENT
The planning committee prepares a risk analysis and a business
impact analysis (BIA) that includes a range of possible disasters,
including natural, technical and human threats. Each functional area
of the organization is analyzed to determine the potential
consequence and impact associated with several disaster scenarios.
The risk assessment process also evaluates the safety of critical
documents and vital records. Traditionally, fire has posed the
greatest threat to an organization. Intentional human destruction,
however, should also be considered. A thorough plan provides for
the “worst case” situation: destruction of the main building. It is
important to assess the impacts and consequences resulting from
loss of information and services. The planning committee also
analyzes the costs related to minimizing the potential exposures.
ESTABLISHING PRIORITIES FOR PROCESSING AND OPERATIONS
At this point, the critical needs of each department within the
organization are evaluated in order to prioritize them. Establishing
priorities is important because no organization possesses infinite
resources and criteria must be set as to where to allocate resources
first. Some of the areas often reviewed during the prioritization
process are functional operations, key personnel and their functions,
information flow, processing systems used, services provided,
existing documentation, historical records, and the department's
policies and procedures.
Processing and operations are analyzed to determine the maximum
amount of time that the department and organization can operate
without each critical system. This will later get mapped into the
Recovery Time Objective. A critical system is defined as that which
is part of a system or procedure necessary to continue operations
should a department, computer center, main facility or a combination
of these be destroyed or become inaccessible. A method used to
determine the critical needs of a department is to document all the
functions performed by each department. Once the primary
functions have been identified, the operations and processes are
then ranked in order of priority: essential, important and non-
essential.

xxvii
DETERMINING RECOVERY STRATEGIES
During this phase, the most practical alternatives for processing in
case of a disaster are researched and evaluated. All aspects of the
organization are considered, including physical facilities, computer
hardware and software, communications links, data files and
databases, customer services provided, user operations, the overall
management information systems (MIS) structure, end-user
systems, and any other processing operations.
Alternatives, dependent upon the evaluation of the computer
function, may include: hot sites, warm sites, cold sites, reciprocal
agreements, the provision of more than one data center, the
installation and deployment of multiple computer system, duplication
of service center, consortium arrangements, lease of equipment,
and any combinations of the above.
Written agreements for the specific recovery alternatives selected
are prepared, specifying contract duration, termination conditions,
system testing, cost, any special security procedures, procedure for
the notification of system changes, hours of operation, the specific
hardware and other equipment required for processing, personnel
requirements, definition of the circumstances constituting an
emergency, process to negotiate service extensions, guarantee of
compatibility, availability, non-mainframe resource requirements,
priorities, and other contractual issues.
COLLECTING DATA
In this phase, data collection takes place. Among the recommended
data gathering materials and documentation often included are
various lists (employee backup position listing, critical telephone
numbers list, master call list, master vendor list, notification
checklist), inventories (communications equipment, documentation,
office equipment, forms, insurance policies, workgroup and data
center computer hardware, microcomputer hardware and software,
office supply, off-site storage location equipment, telephones, etc.),
distribution register, software and data files backup/retention
schedules, temporary location specifications, any other such other
lists, materials, inventories and documentation. Pre-formatted forms
are often used to facilitate the data gathering process.
ORGANIZING AND DOCUMENTING A WRITTEN PLAN
Next, an outline of the plan’s contents is prepared to guide the
development of the detailed procedures. Top management reviews
and approves the proposed plan. The outline can ultimately be used
for the table of contents after final revision. Other four benefits of this
approach are that (1) it helps to organize the detailed procedures,

xxviii
(2) identifies all major steps before the actual writing process begins,
(3) identifies redundant procedures that only need to be written
once, and (4) provides a road map for developing the procedures.
It is often considered best practice to develop a standard format for
the disaster recovery plan so as to facilitate the writing of detailed
procedures and the documentation of other information to be
included in the plan later. This helps ensure that the disaster plan
follows a consistent format and allows for its ongoing future
maintenance. Standardization is also important if more than one
person is involved in writing the procedures.
It is during this phase that the actual written plan is developed in its
entirety, including all detailed procedures to be used before, during,
and after a disaster. The procedures include methods for
maintaining and updating the plan to reflect any significant internal,
external or systems changes. The procedures allow for a regular
review of the plan by key personnel within the organization. The
disaster recovery plan is structured using a team approach. Specific
responsibilities are assigned to the appropriate team for each
functional area of the organization. Teams responsible for
administrative functions, facilities, logistics, user support, computer
backup, restoration and other important areas in the organization
are identified.
The structure of the contingency organization may not be the same
as the existing organization chart. The contingency organization is
usually structured with teams responsible for major functional areas
such as administrative functions, facilities, logistics, user support,
computer backup, restoration, and any other important area.
The management team is especially important because it
coordinates the recovery process. The team assesses the disaster,
activates the recovery plan, and contacts team managers. The
management team also oversees, documents and monitors the
recovery process. It is helpful when management team members
are the final decision-makers in setting priorities, policies and
procedures. Each team has specific responsibilities that are
completed to ensure successful execution of the plan. The teams
have an assigned manager and an alternate in case the team
manager is not available. Other team members may also have
specific assignments where possible.
DEVELOPING TESTING CRITERIA AND PROCEDURES
Best practices dictate that DR plans be thoroughly tested and
evaluated on a regular basis (at least annually). Thorough DR plans
include documentation with the procedures for testing the plan. The
tests will provide the organization with the assurance that all

xxix
necessary steps are included in the plan. Other reasons for testing
include:
• Determining the feasibility and compatibility of backup
facilities and procedures.
• Identifying areas in the plan that need modiﬁcation.
• Providing training to the team managers and team members.
• Demonstrating the ability of the organization to recover.
• Providing motivation for maintaining and updating the disaster
recovery plan.
TESTING THE PLAN
After testing procedures have been completed, an initial "dry run" of
the plan is performed by conducting a structured walk-through test.
The test will provide additional information regarding any further
steps that may need to be included, changes in procedures that are
not effective, and other appropriate adjustments. These may not
become evident unless an actual dry-run test is performed. The plan
is subsequently updated to correct any problems identiﬁed during
the test. Initially, testing of the plan is done in sections and after
normal business hours to minimize disruptions to the overall
operations of the organization. As the plan is further polished, future
tests occur during normal business hours.
Types of tests include: checklist tests, simulation tests, parallel tests,
and full interruption tests.
OBTAINING PLAN APPROVAL
Once the disaster recovery plan has been written and tested, the
plan is then submitted to management for approval. It is top
management’s ultimate responsibility that the organization has a
documented and tested plan. Management is responsible for (1)
establishing the policies, procedures and responsibilities for
comprehensive contingency planning, and (2) reviewing and
approving the contingency plan annually, documenting such reviews
in writing.
Organizations that receive information processing from service
bureaus will, in addition, also need to (1) evaluate the adequacy of
contingency plans for its service bureau, and (2) ensure that its
contingency plan is compatible with its service bureau’s plan.

xxx
DRP TECHNOLOGIES
IT DR Technologies varies and are of different, depending on
the nature of the services, size of the data, and means of
access, now days cloud computing is the most reliable
business continuity plan as a Disaster Recovery Plan of an
organisation, and it is at the high level from Disaster Recovery
Software and Hardware, the ﬁgure below demonstrate the IT
DR Technology which accommodate various software,
application, utilities, techniques and hardware as a complete
structure for ITDR Technologies Framework.

xxxi
CONCLUSION AND
RECOMMENDATIONS
FACT FINDINGS
With a complete risk assessment and identiﬁed potential
threats to the IT infrastructure, the next step is to determine
which infrastructure elements are most important to the
performance of your organization's business. Also assuming
that all IT systems and networks are performing normally,
organization ought to be fully viable, competitive and ﬁnancially
solid. When an incident – internal or external -- negatively
affects the IT infrastructure, the business could be
compromised.
STEP-BY-STEP IT DRP IMPLEMENTATION
The following summarizes the ideal structure for an IT disaster
recovery plan:
1. Develop the contingency planning policy statement. A
formal policy provides the authority and guidance
necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA). The
business impact analysis helps to identify and prioritize
critical IT systems and components.
3. Identify preventive controls. These are measures that
reduce the effects of system disruptions and can

xxxii
increase system availability and reduce contingency life
cycle costs.
4. Develop recovery strategies. Thorough recovery
strategies ensure that the system can be recovered
quickly and effectively following a disruption.
5. Develop an IT contingency plan. The contingency plan
should contain detailed guidance and procedures for
restoring a damaged system.
6. Plan testing, training and exercising. Testing the plan
identifies planning gaps, whereas training prepares
recovery personnel for plan activation; both activities
improve plan effectiveness and overall agency
preparedness.
7. Plan maintenance. The plan should be a living document
that is updated regularly to remain current with system
enhancements.
IT DISASTER RECOVERY PLAN BENEFITS
Like every insurance plan, there are benefits that can be obtained
from the drafting of a disaster recovery plan. Some of these benefits
are:
• Providing a sense of security
• Minimizing risk of delays
• Guaranteeing the reliability of standby systems
• Providing a standard for testing the plan
• Minimizing decision-making during a disaster

xxxiii
• Reducing potential legal liabilities
• Lowering unnecessarily stressful work environment
TYPES OF PLANS
There is no one right type of disaster recovery plan, nor is there a
one-size-fits-all disaster recovery plan. However, there are three
basic strategies that feature in all disaster recovery plans:
(1) Preventive measures,
(2) Detective measures, and
(3) Corrective measures.
Preventive measures will try to prevent a disaster from occurring.
These measures seek to identify and reduce risks. They are
designed to mitigate or prevent an event from happening. These
measures may include keeping data backed up and off site, using
surge protectors, installing generators and conducting routine
inspections. Detective measures are taken to discover the presence
of any unwanted events within the IT infrastructure. Their aim is to
uncover new potential threats. They may detect or uncover
unwanted events. These measures include installing fire alarms,
using up-to-date antivirus software, holding employee training
sessions, and installing server and network monitoring software.
Corrective measures are aimed to restore a system after a disaster
or otherwise unwanted event takes place. These measures focus on
fixing or restoring the systems after a disaster. Corrective measures
may include keeping critical documents in the Disaster Recovery
Plan or securing proper insurance policies, after a "lessons learned"
brainstorming session.
A disaster recovery plan must answer at least three basic questions:
(1) What is its objective and purpose,
(2) Who will be the people or teams who will be responsible in
case any disruptions happen, and
(3) What will these people do (the procedures to be followed)
when the disaster strikes.
TYPES OF DISASTERS
Disasters can be natural or man-made. Man-made disasters could
be intentional (for example, sabotage or an act of terrorism) or
unintentional (that is, accidental, such as the breakage of a man-
made dam). Disasters may encompass more than weather. They
may involve Internet threats or take on other man-made
manifestations such as theft.

xxxiv
REFERENCES
National Institute For Standards And Technologies, Special
Publication 800-34, “Contigence Planning For Information
Technology Systems”
C. R. Kothari & Gaurav (2014), Research Methodology, Third
Edition, New Age International Publishers, New Delhi

xxxv
ANNEXES
ANNEX 1:ITDR ARCHITECTURE

Disaster recovery plan_for_business_cont

Recommended

Recommended

More Related Content

Similar to Disaster recovery plan_for_business_cont

Similar to Disaster recovery plan_for_business_cont (20)

Recently uploaded

Recently uploaded (19)

Disaster recovery plan_for_business_cont