Disaster Recovery Planning:

Information Technology systems are vulnerable to various disruptions, ranging from mild to severe. Most vulnerability can be minimized or eliminated through technical, management, or operational solutions as part of the organization's risk management effort. It is virtually impossible to eliminate all risks. Developing a well-suited contingency plan will mitigate the risk of system and service unavailability using effective and efficient recovery solutions.

Risk management should identify threats and vulnerabilities so that appropriate controls can be architected to prevent or limit an incident's effects. These controls protect an IT system against three classifications of threats.

Natural: Caused by mother nature. Earthquake, Fire, hurricane, tornado, and flood.

Human: Caused by humans. Unintentional or intentional. Operator error, sabotage, malicious code, and terrorist attacks.

Environmental: Equipment failure, software error, telecommunications network outage, electric power failure, Environment climate control systems (Cooling, heating, humidity).


In addition, risk management should identify residual risks and constructs a contingency plan closely tied to the risk assessment results and its mitigation process.

A thorough risk assessment should identify the system vulnerabilities, threats, and current controls and determine the risk based on the likelihood and threat impact. These risks should assess a risk level assigned (e.g., high, medium, or low).


Seven Rules of a successful DRP
1. Develop the contingency planning policy statement
2. Conduct the business impact analysis (BIA)
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training, and exercise
7. Plan