I have been studying some topics that interest me, and going through some of them in my class has brought real clarity to my thinking about Disaster Recovery Planning. If you’ve heard the terms Business Continuity Planning and Disaster Recovery Planning thrown around and taken them to mean pretty much the same thing, I’d like to take a closer look at that idea.
A Business Continuity Plan is “A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation, after a reasonable period of time.” (1) In other words, it is the company's overarching plan not only to recover from a disaster, but also to resume normal business processes in as little time as possible. The BCP is made up of many “sub-plans”:
-Emergency Response plan
-Disaster Recovery plan
Within a BCP, you have some key components:
-Assessment: A way to identify threats (BIA – more on this later)
-Evaluation: The likelihood and impact of each threat
-Preparation: For contingent operations
-Mitigation: The reduction or elimination of risks
-Response: The response to minimize the impact of an emergency
-Recovery: The return to normalcy
Without getting in-depth into each of these, let’s take a quick look at the first one:
Assessment: We need to identify and triage each threat within the context of the whole organization. We do this with a Business Impact Analysis, in which we determine the Maximum Tolerable Downtime (MTD) for any given business process. In other words, how long can any one business process be down or compromised before it starts having a major effect on the organization? For some processes, such as a static website for a small auto garage, being down for 8 hours is tolerable: the MTD is very high, so the process has a low priority in the event of an emergency. For others, let’s say an ecommerce site like eBay, being down for 8 hours would be a catastrophe: the MTD is very low, so the process has a very high criticality priority in the restoration of services in a BCP.
So we have already seen that a Disaster Recovery Plan is merely a component of the BCP: a critical component, yes, but still only part of it. So what is a Disaster Recovery Plan in light of a BCP?
A Disaster Recovery Plan (DRP) covers “the tactical recovery of IT systems in the event of a disruption or disaster. It provides the capability to process essential organizational applications, even if they are not operating at 100% efficiency, in addition to the ability to return to normal operations within a reasonable amount of time.” (2) In other words, a DRP deals with the nitty-gritty, IT-related portion of the BCP: getting the critical systems & processes identified by the BCP up and running to maintain the continuity and stability of the company in the face of an emergency.
In summary, BCP and DRP are sometimes mentioned interchangeably, when in fact a DRP is a subset of a BCP: “…the DRP consists of tactical action items that take place following a disaster. Where a BCP will contain high-level language that is appropriate for assessing the stability and continued operation of the business, the DRP process clear and concise instructions that will be followed in the event of a disaster.” (2) I hope this post has helped to bring some clarity to the difference between a BCP and a DRP.
2. SANS.org, GSEC Class Notes