The document provides a 4-step process for creating a disaster recovery plan: 1. Conduct a risk analysis to rate threats by probability and impact. 2. Establish a budget by presenting downtime costs and critical systems to business operations for a decision on what risks to mitigate. 3. Develop a detailed recovery plan with assigned roles and procedures to recover critical data and applications. 4. Frequently test the disaster recovery plan.

1. How to Create a Disaster Recovery Plan Learn the basics of creating a plan that will have you prepared to recover your data and keep the business running after an IT-disabling disaster. by Glen Kunene, Senior Editor DevX January 15, 2002

3. Step 1: Risk Analysis

5. Simple System Rank each threat in two important categories: probability

6. Impact. In each category, rate the risks: low, medium, or high .

7. Example Template Risk Rating Power Outage Probability: Impact: Hardware Failure Probability: Impact: Disk Failure Probability: Impact: Malware/Malicious Software Probability: Impact: High Human Error Probability: High Impact: Natural Disaster Probability: Low Impact: High Malicious Social Engineering Probability: Impact: High

9. Step 2: Establish the Budget

10. From our example 2

12. Business Operations It is imperative that IT presents all of these threats to the business operations units, so they can make an informed decision regarding the size of the disaster recovery budget (i.e., which risks the company can afford to tolerate and which it must pay to mitigate ).

14. A good place to begin Present the cost of downtime to the business. How long can your business afford to be without its computer systems, should one of your threats occur? Ultimately, the business operations unit decides which threats the business can tolerate. According to Emerson, when developing a DRP, IT departments are "shooting in the dark without those business indications. "

15. Both IT and the Business Units agree on which data and applications are most critical to the business and

16. need to be recovered most quickly in a disaster. The management of our small Internet company, for example, may decide they can supply the budget only for the emergency generators and the company will have to assume the risk of an earthquake.

17. Budgets Vary Disaster recovery budgets vary from company to company, but typically run between 2 and 8 percent of the overall IT budget. Companies for which system availability is crucial usually are on the higher end of the scale, while companies that can function without it are on the lower end. However, these percentages may be too small. For a large IT shop 15 percent is a best practice rule of thumb according to Emerson.

18. Step 3: Develop the Plan

19. Example

20. Detailed Plan or "Script." The recovery procedure should be written in a detailed plan or "script." Establish a Recovery Team from among the IT staff and assign specific recovery duties to each member .

22. The script will

23. The script will also

24. Step 4: Test, Test, Test Once your DRP is set, test it frequently.