One of the most important things for any business is to ensure the continuity of operations in the event of a disaster. As more companies are investing in disaster recovery techniques, they are becoming overly complacent without implementing a proper test.
When creating a Disaster Recovery (DR) plan, it is important to realize that this in only one step in the DR process. Even if the plan is created with the utmost precision, a DR plan is worthless if it is not tested. One of the most frequently forgotten steps, testing your DR plan is also the most essential. Proactively testing your DR plan will reduce the amount of unaddressed risks and increase the effectiveness of data recovery. For most organizations, it is tempting to skip this step of DR planning due to additional time, resources and costs that need to be allocated. However, in the event of the disaster, you will be thankful you completed this step when your data recovery is successful.
Before you start a test of your DR plan, it is important to make sure you have taken the necessary steps to ensure a smooth test takes place. Before you flip the switch, make sure you:
Create a disaster scenario unique to your organization
What are the most likely disasters to impact your business? Perhaps if your office is in California, it’s an earthquake; If you’re located in the Midwest, maybe it’s a tornado; or maybe your disaster is cyber-attack related and your business is seized by ransomware. Whatever your likely disaster, ensure that your team takes the scenario seriously and takes the appropriate actions to bring your business back online.
Determine goals you would like to accomplish
How will you define a successful test? Establishing goals and success criteria prior to your test is essential in rating the effectiveness of your DR strategy. If a test is not successful, understanding the desired outcomes will help determine where changes need to be made to meet that criteria.
Notify any personnel that are affected by the test
Conducting a test of your DR strategy often requires putting several systems offline at once. By notifying the appropriate personnel you will minimize the disruption to business operations and ensure all work is backed up accordingly in the event of a negative outcome.
Define personnel roles beforehand
Too many cooks in the kitchen can affect the outcome of a test. It is important to identify all essential personnel and assign appropriate roles in the event of a disaster. These same personnel should be responsible for those roles during the test of your plan. Not only will this help make your response more efficient, it will lessen the confusion amongst your team.
Include all infrastructure in your test (databases, networks, firewalls, etc.)
To ensure that your plan is fully executed, all forms of infrastructure should be taken into account and included in your DR test.
Management Needs to Know and Why and WhenTo avoid confusion, unnecessary data loss and a slew of frantic emails, make sure to notify management of the date and time of the test. It is also important to make sure that managers take this test seriously and understand the reasoning behind conducting this test. Ensuring that all authority figures are aware of standard DR protocol and can effectively execute it will help to reduce risk in the event of a disaster.
Creating a test plan will help to ensure that minor mistakes do not interfere with your test. To help you prepare, use this step-by-step checklist.
By invoking the steps above you can proactively prepare your entire organization to conduct a successful DR test. However, these steps alone are not enough to ensure the process runs smoothly. Here are some best practices to keep in mind when conducting your DR test.
Best Practices:Allow for enough time to conduct the test
A DR test is not a simple task that can be accomplished within an hour. A test can take up to several hours to fully execute. Thus, when scheduling your plan, it is important to make sure to allow for enough time and schedule personnel accordingly. Generally, it is a best practice to allow for 2 to 3 weeks’ notice for all involved, sending out reminders when the date approaches.Assign the Roles of Scribe and Time Keeper
During the test, two of the most important roles will be the scribe and the time keeper. The scribe’s task is to be take notes during the test and document all important data relative to the success criteria of the test. The timekeeper will record the start and end time of the DR plan to measure results against company defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Both of these roles play a part in the creation of an after-action report.Conduct the test at your lowest traffic time.
Often, there is a lot of concern with voluntarily disabling normal business operations. This alone is enough to put organizations off the idea of testing their DR plans. To avoid the loss of business and reduce the impact, conduct the test during the lowest traffic time to your website/office/business. If your company is international, you can either conduct the DR test in stages or find a time with the most reduced traffic. If your business operates on one time zone, conduct tests after hours or during the least impactful time.
The Bottom Line:
You may find that the overall result of your DR test is that your DR plan is effective and covers all areas of risk. More likely, you will discover gaps in your plan and un-assessed risks to your business. This is why you test your plan. Proactive preparation for an outage is often the difference between life and death for a company; and the number one mistake that businesses make is neglecting to put their DR strategies to the test. The dissolution of your business can be avoided with time and effort allocated to testing your DR strategy. Testing your plan allows you to improve it before it counts.