Question

b. Propose a Disaster Recovery Plan (DRP) to the organization to eliminate the problem in the future.

[25 marks]

Guideline:

Google search and download a business continuity plan or DR plan template.
DR team, DR servers DR backup.

Testing DR monthly.

Plan A failure then failover to Plan B.

Answer 1

Proposal on the guideline of a Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) (based on an ideal and standard template) to the organization eliminating the problem in the future:
* Using DR team, DR servers, and/or DR backup.
* Testing DR monthly.
* In case of say, a Plan A failure, failing over to Plan B.

* In general, a Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP), which in itself, is failing over to Plan B, when the Plan A, i.e., the existing, regular, and working environment, IT infrastructure, or cloud accounts, environments, on-premise data centers with some or all of the IT infrastructure resources, applications, and software have failed, partially or completely. There should always be a Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) for any business or even for a user using IT infrastructure and associated systems for his/her personal use. There could be Plan A, B, C, and even more as long as all the plans can be implemented, afforded, followed, and used.

* A good, entire, detailed, complete, working, and a reliable DRP discussed, decided upon, created and tested regularly and recently should and would provide BCP to a business in the future from any and all failures, and help in transitions, operations, and business continuity easily, with simple steps, procedures, actions, etc, and seamlessly, with little to no loss in any aspect.

* DR plans must be tested regularly depending on what is being tested and how often the systems are even backed up. Yes, monthly DR testing is good, and some DR tests for certain systems would require bi-weekly or weekly tests, such as databases, servers, storage devices, etc.

* DRP, in general, should have a scope and objective.

* DR plans must be tested especially for storage devices and their capability of retrieving and restoring the backed up data to a new storage device or system making them run and be used. Not only storage devices but also any other system being backed-up has to be tested regularly to see if it is fully functional to be used in case of the original and existing system's failure.

* A company or a business should have a dedicated DR team with engineers or employees who have expertise, knowledge, skills, relevant and specific technical certifications, and prior hands-on work experience in DRP and BCP carrying them out in the real and production environments earlier.

* Any and all company should their DR servers either on-premise data centers, in the cloud, should have an online and offline backup of servers. These servers could be file servers, database servers, load balancing servers, storage devices, and other computing servers.

* Again, as a DR backup, a company or anyone should have a backup of a server, hardware, software, applications, data center, networking, bandwidth, storage device, databases, human resources, or a part of or the entire IT infrastructure either, on-premise data center, or in the cloud, both, offline and online.

* An example of Plan A failing and failing-over to Plan B would be a company's entire data center (Plan A), failing over to their identical virtual and isolated entire data center in the cloud with say, a Public Cloud Service Provider (CSP) such as Amazon Web Services (AWS), or Microsoft Azure, or any other provider out there currently in the market.

* Or a company may have at least one if not multiple their own on-premise data centers in different geographical areas in the world, where if one of their data centers goes down, they may switch to another with their complete business continuity intact, with no or very negligible amount time and data loss.

* Another example would be, a business having both, an online (their on-premise data center or a public cloud) as well as an offline storage facility located from the actual, existing, running data center with storage devices for their data.

It is recommended businesses to opt for and adopt cloud computing technology, especially to exploit, use, and leverage the DRP and BCP services and solutions the public CSPs offer to their customers and clients all across the globe. As these services and solutions they offer are reliable, durable, highly available, fault-tolerant, provide fail-over capabilities and functionalities, resources are highly redundant, elastic and highly scalable.

* Hence, DRPs must be used for unplanned incidents and other downtime, failures, and outages.

* A part of the DRP involves not only from escaping disasters and restoring from it, but also precautions taken reducing the effects and loss of a disaster so a company continues to run and operate or quickly retrieve, restore, and resume their mission-critical operations, functions, applications, and systems.

* The DRP should include an analysis of a company's business processes and their continuity needs. The company should have carried out a Business Impact Analysis (BIA) and Risk Analysis (RA). It should have set up the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

* A BCP should have a considerable amount of, relevant, important, an appropriate checklist of points on mission-critical actions to complete them in case of disasters.

* A DRP and BCP plan or template helps concerned people in the team and any other related person to avoid mistakes and bring in their cool without panicking.

* Depending on a given environment, DRPs have specific types such as one could opt for:
* Virtualized DRP using virtualized resources such as Virtual Machines (VMs), etc.
* Network DRP.
* Cloud DRP.
* Datacenter DRP.

DRPs should be created for:
* Failing of applications.
* Virtual Machine (VM) failure.
* Failure of Racks (racks of servers, etc).
* Communication or network failure.
* The entire on-premise data center failures.
* Building disasters, collapsing, etc.
* Disaster of campuses.
* Citywide disasters.
* Regional or local disasters.
* National or countrywise disasters.
* Multi-national or international disasters.

* DRPs are proved to be functioning and evaluated through testing.
* DRP testing figures out any and all deficiencies, failing to failover, retrieve, restore, or resume and it gives chances to resolve issues before an actual disaster strikes.
* Testing is to prove, verify, and confirm the DRP is working, functional, and effective hitting the specified and defined RPOs and RTOs.
* DRP should be up to date per the chaging IT systems, security, and technologies.
* There should not be any budget restrictions to test DRP.
* There should not be any resource constraints for DRP testing.
* There should not be any lack of management or business approval to test DRPs.
* DRPs should be well planned much before the disaster ever occuring.
* Depending on the systems, environments, and senarios, simple or complex testing of DRPs is carried out.
* One should follow a tabletop test, in which, all the participants in it go through plan activities and instructions one step at a time completing all the steps demonstrating if DR team members are well aware of their responsibilities, duties, actions in an emergency or disaster.
* A simulation test should be used, probably using even a related software on recovery sites and backup servers, storage devices, network, systems, etc., making it, a full-scale test with an actual failover not including or carried out in it, which is done only logically and virtually.

* The DRP should protect a company from both, man made and natural disasters.
* The DRP should include many different ways to recover from many kinds of disasters, handling all the possibilities.

* The DRP template should have:
* An intent and DR policy statements.
* DRP goals.
* Authentication tools such as passwords, biometric systems, MFAs, etc.
* Should list all the geographical risks and factors causing the disaster.
* Tips and instructions to handle questions from media.
* Information related to comapany's finance and legality and respective action steps.
* A planning history.

* A DRP template to be used to facilitate the initiation, implementation, usage, and completion of an IT DR plan.

* DRP should list important action steps in the process and important contacts, so these important infromation is quickly and easily accessible to related people.
* DRP should clearly and in detail define DR team members' complete roles and responsibilities.
* It should specify in general, the reason, cases, situations, scenarios, criteria to initiate the plan into action.
* DRp should specify in detail, the incident response, support, and recovery restore, and resume activities.
* DRP should have established the activity's scope.
* Collecting all the relevant network environment, infrastructure, resources, devices, and components, specifications, inventory, and documents.
* Figuring out the most latest or recent, and serious threats, risks, and vulnerabilities, and the most important, valuable, and critical assets to be protected and saved.
* Going through previously occurred unplanned incidents and outages and how they were handled.
* Figuring out the existing DR strategies defined, specified, and decided upon.
* Figuring out and knowing all the emergency response teams.
* Ensuring the company's management reviews and approves the DRP at all necessary and appropriate time.
* Test the DRP.
* Ensure the DRP is updated to the latest things happening in technologies and around the world.
* Finally, implement a DRP audit.