Information Technology
Disaster Recovery
Planning for IT System
Kamran Abbas is a CA finalist and is currently involved as Technical Consultant to Ministry of
Finance (GoP) on Medium Term Budgetary Framework (MTBF) a new, scientific approach to
national budget.
What is Disaster Recovery Planning
The Disaster Recovery Planning is a significant element
of business continuity planning. Business Continuity
Planning (BCP) is the progression of creating, testing and
maintaining an enterprise-wide plan to recover from any
form of disaster.
Disaster Recovery Planning (DRP) for Information
Technology has become a vital feature of business
continuity planning. It is essential that the organization
takes the development and maintenance of the disaster
recovery plan seriously. It is not a job that can be ignored
until someone finds adequate time to deal with it. An
unfortunate event can occur at any time. If you were to
ask an assorted group of organizations what would
happen if their computer systems were destroyed by
some type of disaster, a wide-ranging reply would be that
the company preserves backup tapes of data stored
offsite. A vast majority of businesses would have nothing
more than that.
The critically vital feature of disaster recovery planning is
to assess the possible risks to the organization should
computer systems be inaccessible or inoperable for an
extended period of time. DRP should encompass every
kind of business interruption from the slightest two-
second power outage or spike-up to the most horrible
likely natural disaster or terrorist attack (recall 9/11/01).
September-December 2007
Classically, disaster recovery planning covers a defined
period of time, enabling the organization to carry on
operations at the same time as the old data center is
repaired or a new data center is assembled. When a
major disaster occurs, organizations need to have an
alternate site to set up computer systems and install
applications software before data from backup tapes can
be restored.
The plan should deal with the fact that servers, unlike
desktop computers, cannot be readily purchased off the
shelf. And given that it may be unrealistic to recuperate all
computer applications in a diminutive time span, the plan
should prioritize the recovery of applications. Most
organizations cannot function without electronic
communication i.e., e-mail, so re-establishing e-mail
service is usually a top priority. Most of the organizations
also rely on their web sites to provide services, both
inside and externally. For such organizations, a sufficient
Internet connection would be part of the initial disaster
recovery steps. It is good practice for the organization's
top management to show an apparent commitment for
establishing and maintaining an effective disaster
recovery planning process.
All layers of management and employees should be
informed that a disaster recovery plan is required in order
to make sure that indispensable functions of the
organization are able to continue in the event of disaster.
The Pakistan Accountant 37

Every organization should set up for possible radical
situations, and should consider what type of back-up and
preventive strategies would be appropriate for each facet
of their activities.
The difficulties and financial cost of back-up procedures
and systems may well depend upon the identified speed
with which systems or business processes need to be
restored. This should be premeditated in advance.
The Policy for Disaster Recovery
Planning
The strategic level of the organization should issue a lucid
policy statement on disaster recovery planning. The
policy statement should contain the following instructions:
w The organization should device a comprehensive
disaster recovery plan.
w A formal risk assessment should be undertaken in order
to determine the requirements for the disaster recovery
plan.
w The disaster recovery plan should be tested at regular
intervals to ensure that it can be implemented in crisis
situations and that the management and staff know how
it is to be executed.
w The disaster recovery plan should encompass all
essential and critical business activities.
w The disaster recovery plan is to be kept up to date.
w All staff must be made aware of the disaster recovery
plan and their own roles within.
w The key persons to be contacted during the disaster
should be identified.
Overall Approach to DRP
The overall approach to Disaster Recovery Planning
(DRP) is as follows:
w Strategic level commitment secured
w Kick off the management process
w Classify the threats and risks
w Manage the risks as part of risk management
w Business impact analysis
w Develop strategies
w Test, identify and maintain the plan
w Maintain a crisis management team
Phased Approach to Disaster Recovery
Plan as developed by IBM
The following is the Phased Approach to IT disaster
recovery planning recommended by IBM:
September-December 2007
Information Technology
Phase 1: Critical Analysis of Processes
w Identify which business divisions and processes are
critical and contribute most to the delivery of the
company's services and products;
w Identify the requirements necessary to support these
processes during an extended outage;
w Establish the type of disasters you are planning for;
w Identify the purpose;
w Identify which computer applications need to be
recovered first;
Phase 2: The Development of Recovery Plan
w Identify, prioritize, and sequence the tasks that need to
be performed during recovery, such as setting up
servers, arranging for power and Internet connections,
installing systems software, installing application
software, and restoring data from backup tapes;
w Identify roles and responsibilities, document who does
what, how, and when;
w Identify the resource required for recovery plan such as
location, power requirements, server requirements, and
human resources;
w Prepare the disaster recovery procedure manual.
Phase 3: Testing of Plan
The concluding step is to test the recovery plan to verify
that it is appropriate and workable. For multifaceted
systems, active testing may go through several iterations,
as errors and omissions in the disaster recovery
procedures are discovered and corrected. Testing must
be repeated at least once a year to keep the procedures
current.
Phase 4: Documentation of the Plan
The documentation needs to include the logical and
physical configuration of all the servers, network routers,
switches and individual desktop configurations. Write
down any patches that have been applied to the server
and the applications each server runs. Create images of
each type of workstation and store them away. Also, make
sure the name and contact information for each person
responsible for supporting your network devices is
documented and readily accessible.
Also, document the backup process and how data and
configurations are to be restored. Write down the
frequency of backups, how they are performed and where
tape cartridges will be stored. Review how you get tapes
to remote sites. Also determine how long it will take you to
get tapes back in the event of a failure. At some point, in
a relaxed business period, test the backup and recovery
process.
The Pakistan Accountant 38
 Information Technology

Store the disaster recovery plan in a number of onsite, as commonly known as "Vendor-Subscription." This involves
well as off-site locations. But most importantly, keep your an agreement with a recovery services vendor for the
documentation up-to-date. guaranteed delivery of computer hardware to the
customer's alternate recovery site. This strategy is
Disaster Recovery Strategies generally less expensive than other two.
The following are four universal strategies to disaster
recovery: 4. Acquisition
The least receptive strategy involves purchasing the
1. Duplicate systems required computer hardware, data, and communications
The rapid recovery strategy calls for a duplicate set of equipment at the time of the disaster. This strategy has
computer hardware, data, communications equipment, the lowest operating costs, as there is virtually no cost
power supply, and an Internet unless a disaster happens. Costs of
connection, ready for acquiring equipment at the time of a
commencement at an alternate site. If a disaster hits disaster are potentially the most
With this strategy, recovery times expensive, as a premium price may
are measured in minutes or hours. the production be paid to get quick delivery.
This is also called “mirror site”. Recovery times for this strategy are
site, the Duplicate usually measured in weeks.
It is basically a redundant setup
elsewhere, running in parallel to the system enters in Maintenance of Disaster
computer systems in production. All
transactions are automatically and continues the Recovery Plan
recorded by the production systems The increase in technological based
and the Duplicate system. operation. A mirror processes over the recent past
years has significantly increased
If a disaster hits the production site,
the Duplicate system enters in and
site is the most the level of dependency upon the
availability of systems and
continues the operation. A mirror
site is the most expensive solution
expensive solution information for the business to
function properly. These changes
are likely to continue, and it is likely
but provides the best disaster
protection; however, not many
but provides the that the only certainty is that the
pace of change will continue to
organizations can pay for or need
this strategy.
best disaster increase.

2. Hot-site service
protection;
A hot-site is an agreement with a
recovery services provider to
however, not
access a physical location equipped
with the necessary hardware. This
many
strategy has comparatively high
continuing operating costs and the
organizations can
shorter the guaranteed time period,
the more costly the payment.
pay for or need
Typically, hot-site service provides
recovery within a few hours to a few
this strategy.
days. There are more advanced
offerings that range from having a shared room that you
get access to on a first come first served basis to a room
that is dedicated solely to your company. The drawback of
the first come first serve solution is that if more than one
company has a calamity at the same time, you may not
have a facility to go to. On the other hand dedicated
facility will be more expensive but it will be yours to use
when required. Hot-site service is designed to bridge the
organization for several weeks while a replacement data
centre is built.
3. The vendor subscription
Another disaster recovery strategy is a subscription for
surefire shipment of servers and other critical equipment -
It is necessary for the disaster
recovery plan to keep pace with
these changes in order for it to be of
use in the event of a disruptive
emergency.
To ensure this, the disaster
recovery plan update process must
be properly planned, executed and
controlled. Further, whenever
changes are made to the plan they
are to be fully tested and
appropriate amendments should be
made to the training materials.
It is worth noting that Disaster Recovery Planning is not
only necessary for IT applications but it should be
developed for every critical business process.
Make sure that the Plan Can
Run On Its Own
It may happen that when disaster strikes, the staff who
wrote the recovery plan may not be available to execute
it. You have to make sure that your Disaster Recovery
Plan will work with or without the internal key people who
wrote it.

September-December 2007 The Pakistan Accountant 39