To many users or companies, it is a backup of critical data to another directory on their computer. When we build a Disaster Recovery Plan (DRP), we must examine not only the data on the server. We must look at what is required for every user to perform their job. Each area or function of the company must be evaluated to determine how long each system can be down with minimal impact to the customers, or product line.
In order to create a DRP, we will first list out the different types of disasters we feel would be common for our area. Next we will list all the different organizational groups in the company. Finally we need a list of all the different systems or applications used by everyone in the company.
|
Disasters |
Organizational Groups |
Systems / Applications |
|
User deletes file |
Sales |
|
|
User deletes records from database |
Marketing |
CRM |
|
Virus infected file |
Customer Service |
Internet website |
|
Virus outbreak |
Accounting |
Internet website |
|
Single computer crash |
Payroll |
Phone system |
|
Network crash |
Manufacturing |
Manufacturing |
|
Building unusable (fire) |
Shipping and Receiving |
Accounts Payable |
|
Flood |
Information Technology |
Accounts Receivable |
|
Tornado |
Quality Control |
Payroll |
|
Earth quake |
Inventory Control |
It is now time to take our list of groups and interview them. We are going to want to talk to the management of each group. During this first discussion two or three team members will be identified as typical users. From these typical users we can determine the amount of time a user from their group will spend in each application. While the interviews are happening, the group managers will verify with every team member that every application they use is listed in the applications list.
After the interviews are complete the interviewer and group managers will consolidate and review all information gathered. Then it is time to identify how long this application can be down, how much data can be re-entered to make the system usable, and is this application or information public facing? I have found it best to enter this into a spreadsheet. Each group would have their own tab or page.
|
Systems / Applications |
Down time tolerance |
Data re-entry |
Public facing |
|
|
|||
|
CRM |
|||
|
Internet website |
|||
|
Internet website |
|||
|
Phone system |
|||
|
Manufacturing |
|||
|
Accounts Payable |
|||
|
Accounts Receivable |
|||
|
Payroll |
|||
|
Inventory Control |
You may find systems that others consider as minor, are considered critical by others as they are client facing. Also as companies work to become paperless the ability to re-enter data is not available. There are many variables to consider when the down time tolerance and the ability to re-enter data is examined.
We will stop here and hold our interviews and build our spreadsheet. Next time we will look at available recovery options and how they fit our down time tolerance and data re-entry requirements.
Once all the organizational units are interviewed, it is time to compile the information and identify the systems that are used the most, and which organizational units are using them. This usage can vary greatly depending on the company’s business type. Only good research can clearly identify the critical systems for the employees.
Now that we have identified which applications are most important to the employee’s daily tasks. It is necessary to identify which applications are critical to the company. These applications are going to be evaluated using a different list of criteria. This list of criteria will be like the one below.
- Is the application customer facing
- Does the application affect new customers
- Does the application affect existing customers
- Are customers with issues to be resolved affected
- Is the company able to receive payments
- Is the company able to pay bills
- Will the company be able to process payroll
- Is the company’s production facility impacted
The company may decide that the finance area, account receivable, accounts payable, and payroll are the most important. On occasion, the company may feel the perception of the company to new possible clients is most important and they may therefore decide to make the customer facing interfaces, such as the website, the most redundant.
Armed with these two lists, we can now begin to match these needs with the appropriate computer system. Once we have matched up the two lists, the proper level of protection can be selected. We should now be able to identify which systems need to be continuously and which ones can be unavailable for short periods of time.
Next we will look at how to begin designing the desired redundant systems.
Determining the proper level of protection for the computer systems will be determined by the information that has been gathered. First the systems must be assigned a recovery time. This is the time the application or system can be off line with minimal impact to the company. As you have interviewed the different groups in the company, you will find that one group, administration for example can be without email for 4 hours and not really have a negative impact. But then another group, let’s use sales, will say that if their email is down for more than 15 minutes it is going to negatively affect their ability to sell your products. This means that every application is going to have to be evaluated based on the groups that use the application, the financial impact of the outage of that application, and the damage to the company’s reputation from the outage.
Once this is completed you will have a list of applications and the acceptable downtime for the application and how much if any data loss is recoverable.
Application, Downtime, Data loss
Internet website, 0 minutes, Data is fairly static. It will have to be re-added.
E-mail, 30 minutes, Email will queue
Phone system, 30 minutes, Dropped calls will have to be returned, new calls will fail
Manufacturing, 1 hour, Data in workstations will be lost. It will have to be recollected.
CRM, 2 hours, Customer information cannot be verified, information will be difficult to re-collect process is paperless.
Inventory, 4 hours, Data in workstations will be lost. It will have to be re-added using shipping / receiving slips.
Payroll, 1 day, Data in workstations will be lost. It will have to be re-added.
Accounts receivable, 1 day, Data in workstations will be lost. It will have to be re-added.
Accounts payable, 1 day, Data in workstations will be lost. It will have to be re-added.
Intranet website, 2 days, Data is fairly static. It will have to be re-added.
From the list above, there are a couple of areas of concern. First, data from the CRM system is entered live by the customers on the website, or direct from the sales person while talking to the customer. The trigger word is paperless. This information cannot be recreated easily. Second, there as several systems with a recovery time of less than 1 hour, we must implement systems that can recover in the needed timeframe.
Next, we will discuss our options.