What is the IT DRP? How to set it up to ensure disaster recovery in the event of a computer failure or a cyberattack? Here is everything you need to know about the DRP, its definition and the usual stages of its implementation.
Published on July 27, 2021, 9:35 a.m. (Updated on 24 September 2021 17:11)
The security of your computer systems does not only rely on your antivirus software. In 2021, cybersecurity challenges are so critical that you also need to consider the possibility that your protective measures are not sufficient. Your IT security also relies on you anticipating a possible shutdown of your IT infrastructure, whether because of a failure, a malware infection or a cyber attack.
The IT Disaster Recovery Plan, or DRP, details the procedures and technological resources your company would need to resume its strategic activities in the event of such a disaster. However, this useful tool requires you to master some ground principles. Here is everything you need to know about the DRP, its definition and the usual stages of its implementation.
The Disaster Recovery Plan, or DRP, enables the company to resume normal operations after a disaster. In the context of IT, this disaster generally involves a cybersecurity breach: loss, theft or disappearance of sensitive data, virus, cyberattack, cybercrime.
In the context of IT, the DRP has several sub-goals toward a main goal which is safeguarding the sustainability of your company's activities. Those sub-goals are:
The DRP is a document which lists all the processes your company has to put in place to maintain or rebuild the IT systems in the aftermath of a cyber crisis:
The missions of BCP and DRP have evolved over time. Originally, the BCP, or business continuity plan, had to anticipate the impact of a disaster on the company. It also provided for measures to mitigate the negative consequences of crises. The DRP functioned like the BCP, but only dealt with IT issues.
Over time, the Business Continuity Plan and the Disaster Recovery Plan have both taken on more precise meanings. Each now has a specific role regarding the company's IT system.
The BCP now consists of a portfolio of procedures and resources that help to safeguard the continuity of the organisation's activities should a problem occur. Its objective is before anything else to avoid the interruption of IT systems and prevent operational disruptions. It must therefore be built in such a way that all of the company's IT structures remain available: networks, servers and data centers.
From a strict IT perspective, a distinction is made between the operational continuity plan which includes the company as a whole from the IT Continuity Plan, which specifically targets the procedures and resources to put in place to ensure the continuous operation of the information systems.
The Disaster Recovery Plan focuses on making sure the company's activity can be operational again. This means, in IT, backing up infrastructure. The plan is then activated when an obvious shutdown of the information systems happens. It must ensure the post-disaster reconstruction of the IT and the reboot of the applications which are the most critical to the company’s operation.
Its objective is to guarantee a satisfactory resumption of activity as soon as practicable, to reduce the financial consequences of the cyber crisis. This is why it has to rely on careful risk mapping to provide adequate back-up IT systems and ensure data redundancy. Data redundancy means saving the same data on different devices (phone, computer, external hard drive, digital drive, table…)
To summarise, Chief Information Officers (CIO) generally consider that the BCP describes the measures to ensure the continuity of the activity, while the DRP details the measures which guarantee the resumption of activity after an IT shutdown. The Disaster Recovery Plan is indeed activated when the infrastructure is unavailable.
In the event of a cyber attack, there are generally two execution scenarios for the DRP:
By definition, the DRP is only activated when the company suffers a real shutdown of its IT activities. If you want this IT recovery plan to perform well and enable you to quickly resume your activities, you must think it through well in advance of the actual onset of a cyber crisis. Allow an average of 3 months to design it. This is an indicative time frame, you might need more or less, depending on the size of your structure.
Once the cyberattack, computer failure or human error has been recorded at the expense of your infrastructure, the execution of your DRP should help minimise your operational downtime. The longer the recovery, the more the company’s financial results are jeopardised.
The main mission of the Disaster Recovery Plan is to ensure a rapid restart of your operations. A too long interruption has an impact on your reputation, and as a consequence, on your financial value. Moreover, if that one-off stop threatens the fulfillment of your regulatory and contractual obligations, you incur harmful legal consequences.
Nevertheless, setting up a DRP does come at a cost. Yet, it pays for itself if you take into account the harmful consequences that it prevents for the company in the event of a cyberattack or an IT failure:
The DRP relies on a third-party computer network and on data backups to ensure satisfactory IT operation. Like the BCP, the advantages of the Disaster Recovery Plan can only be appreciated if good practices are complied with. This is a plan that should be thought through and regularly tested. Its development takes time and a large budget to be effective.
The implementation of the IT Business Recovery Plan can be broken down into several stages. In general terms, it is first of all a matter of writing specification notes that determine the critical IT applications for your structure. These applications are the ones which require an emergency “backup” in the event of an IT shutdown.
It is also a question of identifying which backup system you need to set up and which data backup model you opt for. Your DRP must also provide for regular update measures.
Depending on the sector of activity in which you operate, there are probably regulations and standards that govern the resumption of activity, including the methods of carrying out your DRP. The ISO 22301 standard thus organises business continuity management for a certain number of areas.
The banking and finance sector is particularly affected by this type of regulatory obligation. The Financial Conduct Authority (FCA), for example, states that approved companies specialising in portfolio management must have a DRP.
The IT Disaster Recovery Plan will of course harness the skills of your CIO and your general management. More broadly, each department will have to participate in its development to determine which IT applications are essential to the proper functioning of the company.
In order to have a fluid and coherent DRP development, it may also be useful to appoint a person responsible for its implementation. They generally come from the IT department. Their role is to assess which infrastructures need to be backed up as a priority in the event of an IT shutdown, all of this after having consulted with the other departments.
The inventory of IT tools essential to an effective recovery of activity focuses on several elements:
The next step is to organise the applications according to their degree of criticality for the proper functioning of the company. In the day-to-day life of your organisation, some activities are less resilient to the unexpected shutdown of the IT than others.
You must rank these activities and the corresponding IT applications from most critical to least critical in order to define the effective scope of your Disaster Recovery Plan. You should also compare this criticality with the probability of the risks. This is a standard approach to managing risks and anticipating cybersecurity breaches.
This step also implies defining acceptable RTOs and RPOs for your business. In other words, it will be necessary to detail the maximum time of return to service that your structure can tolerate, as well as the maximum time when data is not recorded. Those are issues CIOs know well for they are directly related to the frequency of data backup.
Designing and activating a DRP implies a cost centre, although it also contributes to prevent financial losses. The question of the budget dedicated to this Disaster Recovery Plan is however all the more central as it establishes the type of backup solution you need to favour, should IT activity be stopped.
For a reasonable budget, compare the expenses due to the DRP with those implied by a shutdown of your company’s IT operation.
Once you have gathered all of this preliminary data, you still need to define which IT infrastructure will host your back-up applications. Many companies plan what they call a “backup site” for that, it is a second location equipped with the necessary IT infrastructure and a data replication system. This solution is interesting because it works according to a principle of reciprocity: both sites protect each other.
However, this is an expensive avenue. This is the reason why many organisations prefer resorting to a service provider that will grant them a remote infrastructure. The DRP on Cloud is therefore an option that is gaining ground, especially DRaaS (Disaster Recovery As A Service).
Designing a Disaster Recovery Plan only makes sense if you take into account the new software acquired by your company along the way as well as corresponding updates. The backup applications and data replication procedures must also be regularly tested to verify their suitability regarding the upgrading of your IT.
You also need to make sure your Recovery Plan fits to the logistical habits of your human resources. It must be activated in accordance with your overall management plan in the event of a cyber crisis. This requirement can be part of the simulation exercises provided for in your cyber crisis management strategy.
The DRP, or Disaster Recovery Plan, comprises a set of documents detailing the steps to a back-up IT infrastructure setup. This must safeguard the usual course of business activities, following a one-off shutdown of the IT. This shutdown could be due to a cyberattack, a computer breach, human negligence, data loss or theft.
Disaster Recovery as a Service is a cloud backup solution provided by a third party: your data server is replicated on your service provider’s facility via the cloud, thus making it easy for you to recover the data you lost during a disaster. It is a simple solution that removes the need to develop a complex and thorough plan. Maintenance costs that come with a second site are also a thing of the past since you only have to pay for a subscription.
There are sectors for which an interruption of activity, even of one minute, means a real financial loss or danger for data integrity. In these sectors, a BCP is essential. Companies whose activities have a level of less criticality and who can afford longer downtime of the IT can settle for a DRP.
related to Cyber Risk Quantification