Table Of Content01_039731 ffirs.qxp 11/16/07 2:21 PM Page iii
IT Disaster Recovery
Planning
FOR
DUMmIES
‰
by Peter Gregory,CISA,CISSP
Foreword by Philip Jan Rothstein,FBCI
01_039731 ffirs.qxp 11/16/07 2:21 PM Page iv
IT Disaster Recovery Planning For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit-
ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written
permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the
Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.
Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing,
Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at
http://www.wiley.com/go/permissions.
Trademarks:Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the
Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade
dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United
States and other countries, and may not be used without written permission. All other trademarks are the
property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor
mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REP-
RESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE
CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT
LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CRE-
ATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CON-
TAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE
UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR
OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A
COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE
AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION
OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FUR-
THER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE
INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY
MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK
MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT
IS READ.
For general information on our other products and services, please contact our Customer Care
Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.
For technical support, please visit www.wiley.com/techsupport.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may
not be available in electronic books.
Library of Congress Control Number: 2006923952
ISBN: 978-0-470-03973-1
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
01_039731 ffirs.qxp 11/16/07 2:21 PM Page v
About the Author
Peter H. Gregory, CISA, CISSP, is the author of fifteen books on security
andtechnology, including Solaris Security (Prentice Hall),Computer Viruses
For Dummies (Wiley),Blocking Spam and Spyware For Dummies(Wiley),and
Securing the Vista Environment(O’Reilly).
Peter is a security strategist at a publicly-traded financial management soft-
ware company located in Redmond, Washington. Prior to taking this position,
he held tactical and strategic security positions in large wireless telecommu-
nications organizations. He has also held development and operations posi-
tions in casino management systems, banking, government, non-profit
organizations, and academia since the late 1970s.
He’s on the board of advisors for the NSA-certified Certificate program in
Information Assurance & Cybersecurity at the University of Washington, and
he’s a member of the board of directors of the Evergreen State Chapter of
InfraGard.
You can find Peter’s Web site and blog at www.isecbooks.com, and you can
reach him at [email protected].
01_039731 ffirs.qxp 11/16/07 2:21 PM Page vii
Dedication
This book is dedicated to Rebekah Gregory, Iris Finsilver, Jacqueline
McMahon, and Lisa Galoia, my personal disaster recovery team, and also
toprofessionals everywhere who are trying to do the right thing to protect
their organizations’ assets.
Author’s Acknowledgments
I would like to thank Greg Croy, Executive Editor at Wiley, for his leader-
ship,perseverance, and patience throughout this project. Thank you to
Christopher Morris, Senior Project Editor at Wiley, for your help. Also,
thanksto Philip Rothstein for technical review and expert guidance —
andfor writing the Forward to this book at the last minute. And thank you,
LauraMiller, for your thoughtful and effective copy editing.
And finally, heartfelt thanks go to Liz Suto, wherever you are, for getting me
into this business over twelve years ago when you asked me to do a tech
review on your book, Informix Online Performance Tuning(Prentice Hall).
01_039731 ffirs.qxp 11/16/07 2:21 PM Page viii
Publisher’s Acknowledgments
We’re proud of this book; please send us your comments through our online registration form
located at www.dummies.com/register.
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Composition Services
MediaDevelopment
Project Coordinator: Patrick Redmond
Sr. Project Editor:Christopher Morris
Layout and Graphics: Stacie Brooks,
Acquisitions Editor:Gregory Croy JonelleBurns, Reuben W. Davis,
MelissaK.Jester, Stephanie D. Jumper,
Copy Editor:Laura Miller
Alissa Walker, ChristineWilliams
Technical Editor:Philip Jan Rothstein
Proofreader: Linda Morris
Editorial Manager:Kevin Kirschner
Indexer: Rebecca Salerno
Media Development and Quality Assurance:
Anniversary Logo Design:Richard Pacifico
Angela Denny, Kate Jenkins,
StevenKudirka, Kit Malone
Media Development Coordinator:
JennySwisher
Media Project Supervisor:Laura Moss-Hollister
Editorial Assistant:Amanda Foxworth
Sr. Editorial Assistant:Cherie Case
Cartoons:Rich Tennant
(www.the5thwave.com)
Publishing and Editorial for Technology Dummies
Richard Swadley,Vice President and Executive Group Publisher
Andy Cummings,Vice President and Publisher
Mary Bednarek,Executive Acquisitions Director
Mary C. Corder,Editorial Director
Publishing for Consumer Dummies
Diane Graves Steele,Vice President and Publisher
Joyce Pepple,Acquisitions Director
Composition Services
Gerry Fahey,Vice President of Production Services
Debbie Stailey,Director of Composition Services
02_039731 ftoc.qxp 11/16/07 2:21 PM Page ix
Contents at a Glance
Foreword....................................................................xix
Introduction.................................................................1
Part I: Getting Started with Disaster Recovery................7
Chapter 1: Understanding Disaster Recovery................................................................9
Chapter 2: Bootstrapping the DR Plan Effort................................................................29
Chapter 3: Developing and Using a Business Impact Analysis...................................51
Part II: Building Technology Recovery Plans.................75
Chapter 4: Mapping Business Functions to Infrastructure.........................................77
Chapter 5: Planning User Recovery...............................................................................97
Chapter 6: Planning Facilities Protection and Recovery...........................................129
Chapter 7: Planning System and Network Recovery.................................................153
Chapter 8: Planning Data Recovery.............................................................................173
Chapter 9: Writing the Disaster Recovery Plan..........................................................197
Part III: Managing Recovery Plans ............................215
Chapter 10: Testing the Recovery Plan.......................................................................217
Chapter 11: Keeping DR Plans and Staff Current........................................................241
Chapter 12: Understanding the Role of Prevention...................................................263
Chapter 13: Planning for Various Disaster Scenarios................................................285
Part IV: The Part of Tens...........................................305
Chapter 14: Ten Disaster Recovery Planning Tools...................................................307
Chapter 15: Eleven Disaster Recovery Planning Web Sites......................................315
Chapter 16: Ten Essentials for Disaster Planning Success........................................323
Chapter 17: Ten Benefits of DR Planning.....................................................................331
Index.......................................................................339
02_039731 ftoc.qxp 11/16/07 2:21 PM Page xi
Table of Contents
Foreword....................................................................xix
Introduction.................................................................1
About This Book...............................................................................................1
How This Book Is Organized...........................................................................2
Part I: Getting Started with Disaster Recovery...................................2
Part II: Building Technology Recovery Plans......................................2
Part III: Managing Recovery Plans........................................................2
Part IV: The Part of Tens........................................................................3
What This Book Is — and What It Isn’t..........................................................3
Assumptions about Disasters.........................................................................3
Icons Used in This Book..................................................................................4
Where to Go from Here....................................................................................4
Write to Us!........................................................................................................5
Part I: Getting Started with Disaster Recovery ................7
Chapter 1: Understanding Disaster Recovery . . . . . . . . . . . . . . . . . . . . .9
Disaster Recovery Needs and Benefits.........................................................9
The effects of disasters........................................................................10
Minor disasters occur more frequently.............................................11
Recovery isn’t accidental....................................................................12
Recovery required by regulation.......................................................12
The benefits of disaster recovery planning......................................13
Beginning a Disaster Recovery Plan............................................................13
Starting with an interim plan..............................................................14
Beginning the full DR project..............................................................15
Managing the DR Project...............................................................................18
Conducting a Business Impact Analysis............................................18
Developing recovery procedures.......................................................22
Understanding the Entire DR Lifecycle.......................................................25
Changes should include DR reviews..................................................26
Periodic review and testing.................................................................26
Training response teams.....................................................................26
02_039731 ftoc.qxp 11/16/07 2:21 PM Page xii
xii
IT Disaster Recovery Planning For Dummies
Chapter 2: Bootstrapping the DR Plan Effort . . . . . . . . . . . . . . . . . . . . . .29
Starting at Square One...................................................................................30
How disaster may affect your organization......................................30
Understanding the role of prevention...............................................31
Understanding the role of planning...................................................31
Resources to Begin Planning........................................................................32
Emergency Operations Planning..................................................................33
Preparing an Interim DR Plan.......................................................................34
Staffing your interim DR plan team....................................................35
Looking at an interim DR plan overview...........................................35
Building the Interim Plan..............................................................................36
Step 1 — Build the Emergency Response Team...............................37
Step 2 — Define the procedure for declaring a disaster.................37
Step 3 — Invoke the interim DR plan.................................................39
Step 4 — Maintain communications during a disaster....................39
Step 5 — Identify basic recovery plans.............................................41
Step 6 — Develop processing alternatives........................................42
Step 7 — Enact preventive measures................................................44
Step 8 — Document the interim DR plan...........................................46
Step 9 — Train ERT members.............................................................48
Testing Interim DR Plans...............................................................................48
Chapter 3: Developing and Using a Business Impact Analysis . . . . .51
Understanding the Purpose of a BIA...........................................................52
Scoping the Effort...........................................................................................53
Conducting a BIA: Taking a Common Approach........................................54
Gathering information through interviews.......................................55
Using consistent forms and worksheets...........................................56
Capturing Data for the BIA............................................................................58
Business processes..............................................................................59
Information systems............................................................................60
Assets.....................................................................................................61
Personnel...............................................................................................62
Suppliers................................................................................................62
Statements of impact...........................................................................62
Criticality assessment..........................................................................63
Maximum Tolerable Downtime...........................................................64
Recovery Time Objective....................................................................64
Recovery Point Objective....................................................................65
Introducing Threat Modeling and Risk Analysis........................................66
Disaster scenarios................................................................................67
Identifying potential disasters in your region..................................68
Performing Threat Modeling and Risk Analysis.........................................68
Identifying Critical Components..................................................................69
Processes and systems........................................................................70
Suppliers................................................................................................71
Personnel...............................................................................................71
02_039731 ftoc.qxp 11/16/07 2:21 PM Page xiii
xiii
Table of Contents
Determining the Maximum Tolerable Downtime.......................................72
Calculating the Recovery Time Objective...................................................72
Calculating the Recovery Point Objective..................................................73
Part II: Building Technology Recovery Plans .................75
Chapter 4: Mapping Business Functions to Infrastructure . . . . . . . . .77
Finding and Using Inventories......................................................................78
Using High-Level Architectures....................................................................80
Data flow and data storage diagrams................................................80
Infrastructure diagrams and schematics..........................................84
Identifying Dependencies..............................................................................90
Inter-system dependencies.................................................................91
External dependencies........................................................................95
Chapter 5: Planning User Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Managing and Recovering End-User Computing........................................98
Workstations as Web terminals..........................................................99
Workstation access to centralized information..............................102
Workstations as application clients.................................................104
Workstations as local computers.....................................................108
Workstation operating systems........................................................113
Managing and Recovering End-User Communications...........................119
Voice communications.......................................................................119
E-mail....................................................................................................121
Fax machines......................................................................................125
Instant messaging...............................................................................126
Chapter 6: Planning Facilities Protection and Recovery . . . . . . . . . .129
Protecting Processing Facilities.................................................................129
Controlling physical access..............................................................130
Getting charged up about electric power.......................................140
Detecting and suppressing fire.........................................................141
Chemical hazards...............................................................................144
Keeping your cool..............................................................................145
Staying dry: Water/flooding detection and prevention.................145
Selecting Alternate Processing Sites..........................................................146
Hot, cold, and warm sites..................................................................147
Other business locations...................................................................149
Data center in a box: Mobile sites....................................................150
Colocation facilities............................................................................150
Reciprocal facilities............................................................................151
02_039731 ftoc.qxp 11/16/07 2:21 PM Page xiv
xiv
IT Disaster Recovery Planning For Dummies
Chapter 7: Planning System and Network Recovery . . . . . . . . . . . . .153
Managing and Recovering Server Computing..........................................154
Determining system readiness.........................................................154
Server architecture and configuration............................................155
Developing the ability to build new servers...................................157
Distributed server computing considerations...............................159
Application architecture considerations........................................160
Server consolidation: The double-edged sword............................161
Managing and Recovering Network Infrastructure..................................163
Implementing Standard Interfaces.............................................................166
Implementing Server Clustering.................................................................167
Understanding cluster modes..........................................................168
Geographically distributed clusters................................................169
Cluster and storage architecture......................................................170
Chapter 8: Planning Data Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Protecting and Recovering Application Data...........................................173
Choosing How and Where to Store Data for Recovery...........................175
Protecting data through backups.....................................................176
Protecting data through resilient storage.......................................179
Protecting data through replication and mirroring.......................180
Protecting data through electronic vaulting...................................182
Deciding where to keep your recovery data...................................182
Protecting data in transit...................................................................184
Protecting data while in DR mode....................................................185
Protecting and Recovering Applications..................................................185
Application version............................................................................186
Application patches and fixes..........................................................186
Application configuration.................................................................186
Application users and roles..............................................................187
Application interfaces........................................................................189
Application customizations..............................................................189
Applications dependencies with databases,
operating systems, and more........................................................190
Applications and client systems......................................................191
Applications and networks...............................................................192
Applications and change management............................................193
Applications and configuration management.................................193
Off-Site Media and Records Storage..........................................................194
Chapter 9: Writing the Disaster Recovery Plan . . . . . . . . . . . . . . . . . .197
Determining Plan Contents.........................................................................198
Disaster declaration procedure........................................................198
Emergency contact lists and trees...................................................200
