Card, mobile credential, payment and security
Prep work and communication can minimize damage
Impact analysis has three defined steps. First, a planning team needs to sit down, and actually make a decision on what is considered high, medium and low priority for your institution. Second, the analysis must be filled in to determine exactly what aspects of the system carry which level of importance. This enables campus officials to make more informed decisions on what priorities of the downed system you want to return service to first. The final step is to bring all stakeholders into the same room and ensure that everyone’s expectations are the same. Only then can rules can be created, and more importantly, followed.
It is a hard process because every department thinks that their needs and systems are top priority, but this is not always the case. Defining a business impact analysis before a crisis hits, enables people to be far more agreeable when it comes to prioritizing service return.
[pullquote]Defining a business impact analysis before a crisis hits enables people to be far more agreeable when it comes to prioritizing return of service[/pullquote]
A communication plan is another vital part of a disaster recovery plan.
It should clearly outline how people will be communicated with in the event that a situation defined in the scope section occurs.
Every contact should not only have a name, phone number and email, but also have their responsibilities and secondary non-institutional contact details. If there is a localized problem that has disabled campus systems, sending internal email with vital instructions isn’t really going to help.
Many institutions – mine included – ensure that all staff members maintain a work email account with a third-party provider that is different than the regular provider. This way, emergency communications can be distributed to both primary and secondary accounts.
Each year this communication list should be reviewed and updated as part of a regular process by a specific department. The responsibility should fall squarely on one department so that there is ownership of the process.
Finally, the most important and least-accomplished part of disaster recovery planning is setting up a routine to test the plan.
A disaster recovery plan is only as good as its last test. Sure, you can have everything well documented, lots of information on service times, recovery procedures and which servers should be checked and when, but all that quickly goes out the window if something goes wrong.
Each disaster situation listed in the scope should be tested periodically. We don’t all have the staff or the time to do a full disaster preparedness drill on our campus, but we do all have time to make sure that our recovery plan is valid.
Without routine testing, the time spent designing and developing a disaster recovery plan is for naught.
Time should be taken during plan creation to define what should be tested and how often. This leads to the entire institution being more comfortable with the plan, and ultimately it increases response times when an issue inevitably occurs.
Everyone can, and will, suffer a data loss or disaster situation at some point. The trick is being confident that your campus will be minimally impacted through proper preparation. How well you prepare now will determine how effective and efficient you are when disaster strikes.
Oh yeah, now that you have a new disaster recovery plan, make sure to give a copy of it to as many people as necessary.
