The 3 P's of Disaster Recovery

If you are a regular reader of my blog, you know every so often I come out with general rules that can help you in your daily IT life. A few examples include:

• The 8 Rules of Information Security
  
• The "Higher Security Mindset" - Seven Best Practices to Keep you Safe
  
• The 5 Rules of Regulatory Compliance

Today during my presentation I talked about "The 3 P's of Disaster Recovery". In ORDER, they are:

1. People
   
2. Product
   
3. Processes
   

1. People
During recovery, unless your moral compass is a bit out of wack, knowing your people are safe is paramount. There is no business without your people, and they need to be taken care of first.

2. Product
Before you can worry about "turning the business on", you better know you have your "product" available. Maybe thats physical product, your manufacturing systems, or your consulting service. Ensuring thats available lets you start number 3...

3. Processes
Now that your people are in place, and you have the product available, you can start getting the business back up. You will do this by bringing up the systems in order of priority. When you create your asset catalog, you will know which systems need to be up first so you can get back to generating revenue.

Of course this is an over-simplified view of things. But if you remember to follow the 3 P's.... you are on the right track to getting your business back up and running after disaster.

Disaster Recovery - Creating Asset Catalogs

So I have spent the memorial weekend down here in New Orleans attending the IT Pro Disaster Recovery Conference. When I was on stage talking about asset catalogs, and the extrodinary value it is for a small business, some people were asking for the best practices "checklist". They wanted guidance on what that would look like. Normally I would never quote an ISO standard for small business, as they typically don't gel well. But I am going to do so here.

Within ISO 17799, all businesses should strive to maintain appropriate protection of their assets. This is accomplished by ensuring all information assets are accounted for, and that there is an owner accountable for them. Along side of a documented business workflow, they need to be classified, labeled and properly protected.

Making up an Asset Catalog, in regards to information systems atleast, would include :

• Information - Operational processes, documentation, manuals, databases, data files etc
  
• Software - LOB applications, operating systems, configuration settings etc
  
• Physical assets - telco equipment, computers, storage media, fax and copy machines, furniture, building premises etc
  
• Services - Utility companies, ISPs, telcos, product suppliers etc

Once you know WHAT belongs in the asset catalog, now you need to determine WHO is responsible for each item. When documenting this, its good to associate the items to a job title and their positions opposed to individual people. This way, whomever is in that role can understand their responsibilities and asset ownership. As an example, as we discussed total devistation from a fire, the "accounts payable" role would ensure "cheque book" was an asset required in his or her role. Ensuring you can pay for new items needed during recovery is kind of important... and knowing WHO has access to cheques is critical. (May not be the perfect example, but you get the idea)

So for those of you that asked for guidance.... check out ISO 17799. Seem too overwhealming? Hire an information security professional who enjoys DR. That's what we are here for. You are a consultant yourself? Don't feel ashamed to ask for help. an infosec pro is there to help.

Where information security meets IT operations... disaster planning for risk and crisis recovery

So next week I will be down in New Orleans sitting on a few leadership panels at the "Small Business IT Disaster Planning for Risk and Crisis Recovery" conference. I think it is a fitting location for such a conference, especially with the results of Katrina a few years back.

Some of the sessions are going to be very interesting. From virtualization and backups to access control, there is quite a bit to learn from when it comes to mitigating risk in the face of disaster. There is something for everyone, and is an event you shouldn't miss.

The format is quite interesting as well. This isn't about slidedecks and single people speaking TO the audience. It's about a leadership panel that communicate WITH the audience to answer questions and explore issues facing our organizations today.

If you are going to be going down, let me know. Maybe we can hook up during the conference, or go check out the jazz scene in the evening. Bring your own beads. :)