Example disaster recovery plan for small businesses

Why create a DR plan specifically for small business?

Regardless of the type and size of the business, a DR plan provides a structured approach for responding to unplanned incidents that threaten an IT infrastructure. These can include threats to software, networks, processes and people.

Click to download
our free small
business DR plan
template.

Protecting an organization's investment in its technology infrastructure and its ability to conduct business are the key reasons for implementing an IT DR plan. Considering that businesses of any size depend on technology, DR plans should be on every CIO's short list. Support from senior management is the primary starting point for a small business DR plan, especially with funding and a project budget.

Get started with goals and analyses

Once management approval has been received to develop a DR plan, IT and DR teams should begin by completing a risk assessment to identify potential threats to the IT infrastructure. A risk assessment can also be used to identify potential vulnerabilities and single points of failure that could cause a disruption or outage.

The goal of a risk assessment is to determine which infrastructure elements are most at risk to the organization's business. For a small business with less than 100 employees, this could be any hardware in the data center, key applications the business uses, and networking resources. If the organization uses external cloud resources, the assessment should consider risks that might affect their ability to recover from an incident.

When an incident -- internal or external -- negatively affects the IT infrastructure, the business could be compromised, resulting in loss of business and reputational damage. Identifying risks and threats to the infrastructure is a key activity. For smaller organizations with fewer resources, attention to detail is critical.

It might be advisable to conduct a business impact analysis (BIA), which identifies the most important activities the organization performs. BIAs also correlate the key functions with the technologies needed to support them. This information, coupled with data from the risk assessment, results in a DR plan design that focuses on protecting the most essential systems and functions.

What do you need for a DR plan?

It is essential to have the right players during the planning process as well as a team ready to respond to system disruptions. Coordination with business unit leaders, particularly those who are responsible for the mission-critical functions, helps zero in on the technology requirements needed to sustain business operations. Senior leaders define recovery time objectives and recovery prioritization.

The DR planning process identifies critical IT systems and networks; links them to mission-critical business functions; prioritizes recovery times; and delineates the steps needed to restart, reconfigure, and recover operations.

A comprehensive IT DR plan also includes relevant supplier contacts and sources of expertise for recovering disrupted systems.

In today's business environment, both large and small businesses use cloud-based services to supplement existing IT resources. Data storage is a key use for cloud services, and many cloud vendors offer DR services of their own. The flexibility and relatively low cost of cloud DR make it a good option for small businesses.

In addition to securely protecting data, databases and applications, hardware devices must also be protected in a DR plan. Having one or two spare servers ready to use if an existing server fails is one way to minimize the consequences of a device failure. Backup power, such as uninterruptible power systems, is also essential.

Considering how much small business technology can be deployed today from hosted sources, one could make the argument that in-house DR is unnecessary for SMBs. Such a decision should be carefully made and in consultation with third-party resources to make sure they can support the technology needs of a business.

Limitations and benefits of a DR plan

Among the less tangible benefits of a DR plan is peace of mind. Aside from that, it is good to know how to manage disruptions to IT systems and return them to normal. In situations where the technology is on site, a DR plan -- even if it is only a few pages of who to call and what systems to fix first -- is far better than having no plan at all.

By contrast, SMBs using hosted systems for most of their infrastructure will still need to know who to call, what to say, and how to work on an interim basis while the third party fixes operations.

One of the key activities to perform with a DR plan is a periodic test. This will determine if the right systems are being addressed and the recovery steps have been validated. Periodic testing ensures that backup systems and data are accessible, and the organization has contact information for all necessary parties, within and outside the organization.

Regrettably, testing is perhaps the one activity most SMBs fail to perform, and it increases the risk of damage from a disruptive event.

Another challenge with DR plans is keeping them up to date. Changes in technology, installation of new patches, changes to storage devices, updates to key applications and other events should be added to DR plans but often are not.

Additional resources to develop an IT DR plan

In addition to the plan template attached to this article, the National Institute for Standards and Technology Special Publication 800-34, Contingency Planning for Information Technology Systems, is a helpful resource for building a DR plan.

This standard covers several areas of DR organizations can include in a plan. Helpful additions from this standard might include the following:

• Add a vulnerability assessment component to the risk assessment to identify and address any potential weak points.
• Identify preventive controls that reduce the effects of system disruptions and can increase system availability and reduce life cycle costs.
• Conduct plan testing, training and exercising to improve plan effectiveness and overall company preparedness.
• Consider the plan as a living document to be reviewed and updated regularly to remain current with system changes and business requirements.

SMB considerations

While this article addresses disaster recovery from a general perspective, the SMB template is designed to be flexible yet comprehensive enough to address the key business and technology issues an organization might face in a disaster. An SMB might decide that the focus is recovering critical system and network resources. As such, other sections of the template can be omitted.

Staffing can be a challenge in an SMB. In some organizations, there might be only one or two employees who can lead a recovery effort. Organizations with a one- or two-person IT department might be challenged to respond in an incident.

It might be necessary to consolidate DR plan data and procedures into a one- or two-page document. As long as emergency contacts are up to date for crisis communications, procedures are current, and backup resources are in place, SMBs can likely make it through all but the most devastating events.

How to use the template

The included template is designed to be flexible for most SMBs, and users can delete sections that don't apply to their business. Key sections to review include emergency contacts, recovery and restoration procedures, and any other activities needed to return the IT infrastructure to normal.

Following is a summary of the plan template and its sections:

1. Information Technology Statement of Intent. This sets the stage and direction for the plan.
2. Policy Statement. It is important to include an approved statement of the organization's policy regarding the provision of disaster recovery services.
3. Objectives. These describe the main goals of the plan.
4. Key Personnel Contact Information. Key contact data should be included early in the plan. It is the information most likely to be used right away and must be easy to locate.
5. Plan Overview. This describes basic aspects of the plan.
6. Emergency Response. This describes what needs to be done immediately following the onset of an incident.
7. Disaster Recovery Team. This lists members and contact information of the DR team.
8. Emergency Alert, Escalation and DR Plan Activation. These list steps to take through the early phase of the incident, leading to activation of the DR plan.
9. Media. This includes tips for dealing with the media during and after a crisis.
10. Insurance. This summarizes the insurance coverage associated with the IT environment and any other relevant policies.
11. Financial and Legal Issues. This lists actions to take for dealing with financial and legal issues.
12. DR Plan Exercising. This underscores the importance of DR plan exercising.
13. Appendix A – Technology Disaster Recovery Plan Templates. This includes sample templates for a variety of technology recoveries. For some organizations, these templates might be sufficient by themselves as DR plans.
14. Appendix B – Suggested Forms. These are ready-to-use forms that will facilitate the plan completion.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.