What is Disaster Recovery Planning (DRP)?
In 2022, businesses are reliant on IT infrastructure. Whether it’s on-premises, cloud, or outsourced infrastructure, IT supports day-to-day business operations, customer interactions, human resource management, communications, sales and marketing, financial management, web and mobile services, and more. Unexpected downtime in these areas can severely impact operations and cost thousands of dollars every minute. Has your business planned for how to deal with these kinds of threats?
To prepare for such threats, your organization needs to have a documented Disaster Recovery Plan (DRP). A DRP is a documented policy detailing an organization’s planned response to unexpected events that disrupt IT infrastructure and operations. DRPs document the actions, processes, and systems used to re-establish service availability while maintaining security and compliance. Organizations create DRPs to reduce downtime and the potential for financial loss in the face of catastrophic disruption. DRPs also play a key compliance role: many information security regulations and standards require businesses to plan for disaster recovery.
This article explores disaster recovery plans, the part DRPs play in business continuity planning, and the relationship between disaster recovery planning and compliance.
What is a Disaster Recovery Plan?
Because businesses depend on IT infrastructure, they are threatened by potential disasters ranging from cybercrime attacks and human error to power outages and tornadoes. A disaster recovery plan is a hedge against risk. Businesses consider potential risk scenarios and implement plans and policies to limit their impact.
There are obvious financial and operational incentives for creating and maintaining disaster recovery plans. The Uptime Institute’s Outage Analysis for 2022 found that over 60% of IT outages result in losses exceeding $100,000. One in five organizations reported a serious or severe outage in the last three years, and 80% of data center operators reported outages of similar severity. If your business relies on IT infrastructure, it makes sense to plan for disruption.
Disaster recovery planning aims to provide documented processes employees can follow when the worst happens. Employees should know their roles and responsibilities, the processes they are expected to follow, and how the business plans to overcome IT availability challenges. DRPs also outline technological solutions to downtime, including implementation and maintenance procedures to ensure backups and redundancies work when needed.
At the policy level, a business may have a single document detailing its disaster recovery policies: its goals for disaster recovery. However, all but the smallest businesses should have multiple disaster recovery plans covering various business operations. For example, a business might have independent disaster recovery plans covering:
- Data center infrastructure
- Communication systems
- Cloud and virtualized infrastructure
- Network disruptions
- Cyberattacks and data theft
Although there may be some overlap, each of these scenarios requires a unique response and, therefore, a unique disaster recovery plan.
Disaster Recovery vs. Business Continuity: What’s the Difference?
Disaster recovery and business continuity are related but distinct responses to risk. Disaster recovery planning is limited to IT infrastructure and resources. It concerns preparations for IT outages and downtime, temporary measures to maintain availability when infrastructure is disrupted, and how the organization plans to recover IT operations to their original state.
Business continuity planning is broader in scope than disaster recovery planning. It concerns all policies and procedures related to a company’s continued operation during a disruptive event. For example, business continuity plans might include responses to supply chain disruption, pandemics, financial fraud, property theft, the outbreak of war, and so on.
Disaster recovery planning is typically considered a subset of business continuity planning concerning IT infrastructure. Forward-thinking businesses make business continuity plans for realistic threat and risk scenarios. Plans that focus on IT infrastructure and service availability are called disaster recovery plans.
Disaster Recovery Planning and Compliance
Many IT and information security regulations and standards mandate disaster recovery planning. There are two main compliance concerns relevant to disaster recovery:
- Regulations and standards may require organizations to demonstrate they have implemented effective disaster recovery planning.
- Disaster recovery processes and the associated IT infrastructure must comply with information security, privacy, and confidentiality compliance requirements.
Let’s explore the specific requirements per the different security regulations and standards:
The Health Insurance Portability and Accountability Act (HIPAA) requires organizations that store electronic protected health information (ePHI) to implement contingency plans, including disaster recovery plans, data backup plans, and emergency operation mode plans. Organizations must be able to recover critical IT systems that store and process PHI in the event of a disruptive incident. As you might expect, all redundant and failover infrastructure implemented as part of a disaster recovery plan must also be HIPAA-compliant.
A SOC 2 audit verifies that businesses comply with the common criteria of the Trust Services Principles, which are primarily related to information security. However, businesses may also need to comply with additional criteria, including availability, confidentiality, processing integrity, and privacy. The availability criteria address disaster recovery planning and testing.
Key criteria include A1.2 and A1.3. The former requires organizations to develop, implement, operate, and maintain data backup processes and recovery infrastructure. The latter requires organizations to test recovery plan procedures that support system recovery.
ISO 27001 Annex A.17 focuses on infrastructure redundancy and information security continuity. A.17.2.1 concerns the availability of information processing facilities, with requirements for redundant infrastructure and testing. A.17.1.1-3 concern information security continuity and an organization’s ability to maintain information security during disruptive events. Together they require compliant organizations to plan, implement, and evaluate information security continuity policies and processes.
The Payment Card Industry Data Security Standard (PCI DSS) does not require disaster recovery planning, but it does include several requirements that impact planning for disasters. Requirement 12.10 concerns creating and implementing an incident response plan for security breaches. Requirement 9.5.1 addresses storing media backups in secure off-site facilities and periodically reviewing backup security. As with other standards, all infrastructure used for disaster recovery must also be compliant.
What Should Be Included in a Disaster Recovery Plan?
Disaster recovery plans should be uniquely tailored to each organization and its IT infrastructure. There is no simple disaster recovery plan template that applies to every organization. In fact, your disaster recovery plan should not be the same in a year as it is today—it must evolve as your business and its infrastructure evolve.
However, all disaster recovery planning processes should include the following components:
- Recovery time objectives (RTO): How quickly should services be restored to an acceptable level after an incident?
- Recovery point objectives (RPO): What level of data loss is acceptable to your organization?
- IT Inventory: A complete and up-to-date inventory of IT infrastructure and cloud services your business relies on.
- Risk assessment: A thorough assessment of realistic risks and their potential impact.
- Personnel responsibilities: Who is responsible for implementing disaster recovery plans; it is vital that roles and responsibilities are clearly documented and that personnel are adequately trained.
- Disaster recovery and restoration processes: A detailed breakdown of actions to be taken and the resources required to achieve the business’s RTOs and RPOs.
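As an added example that is not from the original article, the script below measures actual RTO and RPO from a constructed recovery-drill log and compares them with hypothetical per-service objectives, flagging the plan items that need rework (the kind of evidence a recovery-test requirement such as SOC 2 A1.3 asks for). The service names, targets and timestamps are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed per-service objectives as (RTO, RPO); hypothetical values, not from any real plan.
OBJECTIVES = {
    "payments": (timedelta(hours=1), timedelta(minutes=15)),
    "crm": (timedelta(hours=4), timedelta(hours=1)),
    "mail": (timedelta(hours=2), timedelta(hours=24)),
}

# Constructed recovery-drill log, one line per service:
# service,outage_start,service_restored,last_good_backup  (ISO 8601 timestamps)
DRILL_LOG = """\
payments,2022-03-01T09:00:00,2022-03-01T09:45:00,2022-03-01T08:50:00
crm,2022-03-01T10:00:00,2022-03-01T15:30:00,2022-03-01T08:30:00
mail,2022-03-01T12:00:00,2022-03-01T13:00:00,2022-02-28T23:00:00
"""

@dataclass
class DrillResult:
    service: str
    actual_rto: timedelta  # outage start -> service restored
    actual_rpo: timedelta  # last good backup -> outage start: the data window exposed to loss
    rto_met: bool
    rpo_met: bool

def evaluate_drill(log_text: str, objectives: dict) -> list:
    """Compare each drilled service's measured RTO/RPO against its documented objectives."""
    results = []
    for line in log_text.strip().splitlines():
        service, start, restored, backup = line.split(",")
        if service not in objectives:
            # A drilled service with no objective is an inventory gap in the plan itself.
            raise ValueError(f"no RTO/RPO defined for {service}")
        t_start, t_restored, t_backup = (datetime.fromisoformat(s) for s in (start, restored, backup))
        rto_target, rpo_target = objectives[service]
        actual_rto, actual_rpo = t_restored - t_start, t_start - t_backup
        results.append(DrillResult(service, actual_rto, actual_rpo,
                                   actual_rto <= rto_target, actual_rpo <= rpo_target))
    return results

def unmet_objectives(results: list) -> list:
    """Return (service, objective) pairs the drill failed: the plan items that need rework."""
    return [(r.service, name) for r in results
            for name, met in (("RTO", r.rto_met), ("RPO", r.rpo_met)) if not met]
```

Run against the sample log, the CRM service misses both its RTO and its RPO, which tells the plan owner that either the restoration procedure or the backup frequency for that system must change.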
Validate Your Disaster Recovery Compliance with KirkpatrickPrice
As we’ve discussed, many information security regulations and standards touch on disaster recovery planning. Is your organization certain its disaster recovery plans and systems are secure and compliant? A KirkpatrickPrice compliance audit can assure you that your plans are sufficient and effective for your specific business needs. As a licensed CPA firm, KirkpatrickPrice’s experienced information security experts carry out a wide range of compliance audits, including:
To learn more, contact a KirkpatrickPrice information security specialist today.