Disaster recovery plans for information and technology (I&T) assets are increasingly essential given system malfunctions, ransomware and other cyberattacks, disruptions from natural disasters, and other threats.
IT departments need a game plan or contingency plan to deal with I&T disruptions. The ultimate goal is reconstitution or a return to pre-disruption status. Over the longer term, the ultimate goal is to monitor and improve systems to prevent or minimize the effects of disruptions where possible.
Below are some essential components of a contingency plan for I&T assets, disaster recovery being a crucial element:
- Plan. Developing a written contingency plan is the first step to managing disruptions successfully. The plan should address the who, what, where, when, and how of managing I&T disruptions:
  - Assign roles and responsibilities for components of the contingency plan.
  - Identify essential business functions and the procedures necessary to ensure that these functions remain or become available and effective after any disruption.
  - Coordinate the I&T contingency plan with overall business recovery plans, emergency preparedness and response plans for environmental management systems, and similar plans.
  - Communicate the plan throughout the organization, both to persons who need to lead contingency planning activities and to employees who need to know what procedures to follow.
  - Update the plan to address changing circumstances, for instance, a move to hybrid or remote work. Changes to where people work may lead to changes in the number or location of alternative processing sites.
- Train. Persons with roles and responsibilities for executing the contingency plan require training to deploy the plan effectively. Update training as threats and other circumstances change—so continuously. Training could include simulations that mirror real life as closely as possible.
- Test the effectiveness of contingency plans. Whether through checklists, table-top exercises, drills, or walkthroughs, test contingency plans periodically to ensure that they remain effective and will enable the organization to respond to disruptions appropriately. Do not test I&T contingency plans in isolation; instead, coordinate testing with any other existing contingency plans.
- Secure alternative storage sites, processing sites, and telecommunications services where necessary:
  - Ensure alternative sites are distinct and, as much as is practicable, geographically distanced from primary operating sites.
  - Remember that the purpose of alternative sites is to have a location that is unlikely to suffer from the same threats as those causing disruptions to the primary site.
  - Ensure that alternative sites can accommodate business-critical operations.
  - Plan for situations where an alternative site may need to be operational for an extended period because primary sites are unavailable after natural disasters or for other reasons.
  - Remember that alternative sites may be unavailable during areawide disruptions. How will the organization manage those circumstances? Are other branches that are farther away or in other provinces or countries an option? Is assistance from business partners a possibility?
- System recovery is a critical milestone and often the most immediate need when responding to a disruption. Recovery means that business-critical functions can resume. It does not mean that everything is back to normal. It may be necessary to operate in a safe mode that uses minimal resources, such as power or communication bandwidth, to allow critical functions to proceed until reconstitution is possible.
- Reconstitution is the ultimate milestone. Reconstitution follows recovery and is the stage at which operations return to the pre-disaster, normal operating status. Until reconstitution is possible, relaxing or using alternative security mechanisms may be necessary. For instance, if two- or multi-factor authentication is the usual security standard, passwords only or other single-factor authentication methods may be required for an interim period.
- Backup is critical. Without backups, it may be very difficult or impossible to return to pre-disruption status successfully:
  - Back up system-level data, including operating systems, firmware, and applications. Protect firmware (software in non-volatile storage or read-only memory), compilers (software that translates or converts computer code), router tables (rules that determine where data travels), and other requirements that will be necessary for disaster recovery and reconstitution. System-level data will be essential where, for instance, reimaging (resetting a component to factory settings to start from scratch) is required.
  - Back up user-level information, including documents, reports, and other data. In transaction-based systems and databases, provide for transaction rollback (going back to a previous state and ignoring subsequent transactions—which may be corrupt or unverifiable) and transaction journaling (chronological details of database updates) to address data loss or corruption resulting from disruptions or threats.
  - Ensure that there are robust data security policies and procedures, for instance, using cryptography and digital signatures, as well as data sanitization and disposal procedures, to preserve the confidentiality, integrity, and availability of backup data.
  - Keep backup data separate from primary-use data in a fire-secure, physically distinct, and, as far as is practicable, geographically distanced location.
  - Consider the speed with which backup data can be accessed when needed.
  - Periodically test the integrity of backup data to ensure it remains usable. Use some of the available backup data when testing the contingency plan.
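The integrity checks described above can be automated. The following Python script is an added example, not part of the article or of First Reference's policy library: it builds a manifest of SHA-256 digests over a backup set, authenticates the manifest with an HMAC key (assumed to be stored apart from the backup media, so that someone who can alter the backup cannot also re-sign the manifest), and verifies both the manifest and the files during a periodic test. The sample files and key are constructed inline.

```python
"""Signed backup manifest: detect corrupted files and tampered manifests."""
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Map each file to its digest and authenticate the whole map with HMAC."""
    files = {str(p.relative_to(backup_dir)): file_digest(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the backup set is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest tampered or wrong key"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif file_digest(p) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: clean backup, then a corrupted file, then a forged manifest."""
    key = secrets.token_bytes(32)  # constructed; in practice kept off the backup media
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db.sql").write_bytes(b"INSERT INTO ledger VALUES (1, 'opening');\n")
        (root / "config.ini").write_bytes(b"[site]\nrole=primary\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        (root / "db.sql").write_bytes(b"INSERT INTO ledger VALUES (1, 'ALTERED');\n")
        corrupt = verify_backup(root, manifest, key)
        manifest["files"]["db.sql"] = file_digest(root / "db.sql")  # edit without the key
        forged = verify_backup(root, manifest, key)
    return clean, corrupt, forged
```

Run `verify_backup` on each scheduled integrity test and treat any non-empty result as a finding for the contingency-plan owner.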
Meeting your duty of care: Develop a written contingency plan for I&T assets. Ensure that the plan is compatible with other existing contingency plans. Include provisions for training, testing, backups, alternative sites, recovery, and reconstitution.
Several policies in First Reference’s Internal Control Library are relevant, including Chapter 11 – Backup and Disaster Planning, IT 1.01 – Site Planning, IT 8.01 – Physical and Infrastructure Security, IT 8.02 – Systems Security, and Chapter 9 – Data Security in Information Technology PolicyPro. Also relevant are OP 5.09 – Emergency Preparedness and Response in Operations and Marketing PolicyPro. Then see GV – 5.03 – Business Recovery Planning and GV 5.05 – Physical Security in Finance and Accounting PolicyPro.
Policies and procedures are essential, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30-day trials of Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro.