Skip to McMaster Navigation Skip to Site Navigation Skip to main content
McMaster logo

Office of the AVP & CTO

INFORMATION TECHNOLOGY SECURITY

Disaster Recovery & Business Continuity

A good disaster Recovery Plan, or DRP, enables the organization to resume normal operations after a disaster. In the context of IT, this disaster generally involves a cyber security breach/loss, cybercrime, cyber-attack, theft, disappearance of sensitive data, virus, or malware. A DRP has several sub-goals toward a main goal which is safeguarding the sustainability of your company’s activities and ensuring business continuity. Those sub-goals are:

  • anticipating and mitigating the impact of any cyber crisis.
  • guaranteeing the protection of sensitive digital data in the event of a disaster.
  • ensuring the continuity of the structure’s activities, in the face of the IT crisis.
  • Setting up a back-up system to resume critical IT applications.

The DRP should also document all the processes the organization has to put in place to maintain or rebuild the IT systems in the aftermath of a cyber crisis. It can follow these guidelines:

  • It should establish how and when to refer to the back-up system.
  • It should specify which backup system it to be activated depending on the crisis scenario.
  • It should detail how long each unit/department can afford to be paralyzed. This is also known as Recovery Time Objective (RTO).
  • The document should determine the maximum acceptable data loss, also known as the Recovery Point Objective (RPO).

The Cost of Setting Up and Abiding To A DRP

Setting up a DRP does come at a cost. Yet, it pays for itself when considering the harmful consequences that it prevents such as:

  • Alteration or disappearance of part of the sensitive data.
  • Inability to resume operations due to unavailable IT systems.
  • Bad reputation with customers, partners, and investors.
  • Legal risks.

Some DRPs make use of a third-party computer network and data backups to ensure satisfactory IT operation. The advantages of a DRP can only be appreciated if good practices are complied with and it is something that should be thought through and regularly tested and can take some time to fine-tune.

Business Continuity Plan

In general terms, a business continuity plan (BCP) is a broad document for the entire organization and could include or not a DRP where the DRP applies to IT resources and operations. In this sense, a good BCP consists of a portfolio of procedures and resources that help to safeguard the continuity of the organization’s activities should a problem occur. Its main objective is to avoid the interruption of systems, including IT, and prevent operational disruptions and it must be built in such a way that the company’s structure remains available.

Complementing the BCP, the Disaster Recovery Plan should focus on making sure the organizational IT infrastructure can become operational again and it is activated when an obvious shutdown of the information systems happens. It must ensure the post-disaster reconstruction of all the IT and the reboot of the applications that are critical to the operation or the organization. It should guarantee a satisfactory resumption of activity as soon as possible and reduce the financial consequences of the cyber crisis. It should rely on careful risk mapping to ensure IT resources availability and data redundancy. By definition, a DRP is only activated when the organization suffers a shutdown of its IT activities. But if the DRP is to succeed, it must be thought through well in advance of the actual onset of a cyber crisis. When creating a DRP keep in mind that it should help minimize operational downtime.