The Binomial Bookstore
Rothstein Associates Inc.
NEW RELEASES AND SPECIAL OFFERS!
IT DISASTER RECOVERY PLANNING FOR DUMMIES
by Peter Gregory
Foreword by Philip Jan Rothstein

If you have a business or a nonprofit organization, or if you’re the one responsible for information systems at such an operation, you know that disaster recovery planning is pretty vital. But it’s easy to put it off. After all, where do you start?

IT DISASTER RECOVERY PLANNING FOR DUMMIES shows you how to get started by creating a safety net while you work out the details of your major plan. The right plan will get your business back on track quickly, whether you're hit by a tornado or a disgruntled employee with super hacking powers. Here's how to assess the situation, develop both short-term and long-term plans, and keep your plans updated.

This easy-to-understand guide will help you

- Prepare your systems, processes, and people for an organized response to disaster when it strikes
- Identify critical IT systems and develop a long-range strategy
- Select and train your disaster recovery team
- Conduct a Business Impact Analysis
- Determine risks to your business from natural or human-made causes
- Get management support
- Create appropriate plan documents
- Test your plan

Some disasters get coverage on CNN, and some just create headaches for the affected organization. With IT DISASTER RECOVERY PLANNING FOR DUMMIES, you’ll be prepared for anything from hackers to hurricanes!

- - - - - - -

CONTENTS

Foreword, by Philip Jan Rothstein, FBCI
Introduction

PART I GETTING STARTED WITH DISASTER RECOVERY
1 Understanding Disaster Recovery
2 Bootstrapping the DR Plan Effort
3 Developing and Using a Business Impact Analysis

PART II BUILDING TECHNOLOGY RECOVERY PLANS
4 Mapping Business Functions to Infrastructure
5 Planning User Recovery
6 Planning Facilities Protection and Recovery
7 Planning System and Network Recovery
8 Planning Data Recovery
9 Writing the Disaster Recovery Plan

PART III MANAGING RECOVERY PLANS
10 Testing the Recovery Plan
11 Keeping DR Plans and Staff Current
12 Understanding the Role of Prevention
13 Planning for Various Disaster Scenarios

PART IV: THE PART OF TENS
14 Ten Disaster Recovery Planning Tools
15 Eleven Disaster Recovery Planning Web Sites
16 Ten Essentials for Disaster Planning Success
17 Ten Benefits of DR Planning

Index

- - - - - - -

EXCERPT FROM THE FOREWORD BY PHILIP JAN ROTHSTEIN, FBCI

In the late 1960s, I was first exposed to what would later become known as “Disaster Recovery.” I was responsible for the systems software environment for a major university computer center at the time. It was at the height of the Viet Nam War protests, and one of those protests spilled over to the building housing the computer room. A number of the protesters were running through the building and randomly damaging whatever was in their path. When they got to the computer room, they found a locked, heavy steel door and moved on. It suddenly dawned on me that we had no clue - let alone plan - to deal with damage or destruction, should the protesters have gained entry to the computer room. As I thought about it and discussed this with others on the computer operations team, I realized there were many other threats and vulnerabilities that had never been discussed, let alone addressed.

Fast forward forty years. The single-mainframe data center has given way to clusters of dozens, if not hundreds of servers and decentralized data centers; networking is often more critical than processors; dozens of computer room operators have been replaced by lights-out data centers; a week-long recovery from a data center disruption is now more likely to be an almost instantaneous fail-over to a backup; and, Disaster Recovery has become a fact of life.

The bad news is that too many data center managers still have not been able to effectively address disaster recovery, whether because of lack of management commitment or lack of knowledge or lack of resources. By effectively, I mean:

- a comprehensive disaster recovery plan, based on objective assessment of threats, vulnerabilities and exposure to loss;
- integration with comprehensive enterprise business continuity programs so that IT Disaster Recovery is consistent with overall business needs and priorities; and,
- a meaningful exercise program, combined with training and plan maintenance to ensure that the plan is current, realistic, and likely to work when called upon.

The good news is that with Peter Gregory's new book, even a team without prior experience in disaster recovery planning can address these issues - “...those frustrated and hard-working souls who know they're not dumb, but find that the technical complexities of computers and the myriad of personal and business issues - and all the accompanying horror stories - make them feel helpless” as www.Dummies.com points out.

Disaster Recovery is not simply about Katrinas nor earthquakes nor 9/11 catastrophes. Sometimes, the focus on these monumental events could intimidate even the most committed IT manager from tackling Disaster Recovery Planning. Disaster Recovery is really about the ability to maintain business as usual - or as close to 'as usual' as is feasible and justifiable - whatever gets thrown at IT. Peter's book helps to establish this perspective and provides a no-nonsense yet manageable foundation. I actually found, despite my long involvement with business continuity and disaster recovery, that he has identified many issues, techniques and tips which I found quite useful.

While I confess I enjoyed “Italian Wines for Dummies” more, Peter Gregory's new book succeeds in taking the intimidation factor out of IT Disaster Recovery and offers a common-sense, practical, yet comprehensive process for analyzing, developing, implementing, exercising and maintaining a successful IT Disaster Recovery program - even if he has, regrettably failed miserably to enlighten me about Super-Tuscan wines.

- Philip Jan Rothstein, FBCI.

- - - - - - -

EXCERPT FROM CHAPTER 1 (UNDERSTANDING DISASTER RECOVERY)

Minor Disasters Occur More Frequently

Don’t make the mistake of justifying your lack of a DR plan by thinking, “Hurricanes rarely visit my neck of the woods,” or “Earthquakes occur only every one hundred years,” or “No country has ever invaded our country,” or “Mt. Rainier hasn’t erupted in recorded history.” All of these statements may be true. However, disasters on smaller scales happen far more frequently, often hundreds of times more frequently, than the big ones.

Smaller disasters — such as building fires, burst pipes that flood office space, server crashes that result in corrupted data, extended power outages, severe winter storms, and so on — occur with much greater regularity than big disasters. Any of these small events can potentially interrupt critical business processes for days. In time-critical, service-oriented businesses, this interruption can be a fatal blow.

Contingency Planning and Management Magazine indicated that 40 percent of companies that shut down for three days or more failed within 36 months. An unplanned outage may be the beginning of the end for an organization — everything starts to go downhill from that point forward. That sobering thought should instill fear in you. You might even put that chilling thought on a sticky-note and attach it to your monitor as a reminder.

Recovery Isn’t Accidental

From a DR perspective, the world is divided into two types of businesses - those that have DR plans and those that don’t.
If a disaster strikes businesses in each category, which ones will survive?

When disaster strikes, businesses without DR plans have an extremely difficult road ahead. If the business has any highly time-sensitive critical business processes, that business is almost certain to fail. If a disaster hits a business without a DR plan, that business has very little chance of recovery. And it’s certainly too late to begin planning.

Businesses that do have DR plans may still have a difficult time when a disaster strikes. You may have to put in considerable effort to recover time-sensitive critical business functions. But if you have a DR plan, you have a fighting chance at survival.

Recovery Required by Regulation

Developing disaster recovery plans used to be simply a good idea. These plans are still a good idea, but they’re also beginning to appear in standards and regulations, including:

- PCI DSS (Payment Card Industry Data Security Standard): Although not really government legislation, it’s required for virtually every merchant and financial services firm. PCI is a great example of what I call private legislation — laws made by corporations instead of governments. All the major banks and credit card companies impose PCI.
- ISO27001: This international standard for security management is gaining considerable recognition. Many larger organizations require their IT service providers to be ISO27001 compliant.
- BS25999: The emerging international standard for business continuity management.
- NFPA 1620: The National Fire Protection Association standard for pre-incident planning. It’s a recommended practice that addresses the protection, construction, and operational features of specific occupancies to develop pre-incident plans that responders can use to manage fires and other emergencies by using available resources.
- HIPAA Security Rule: This U.S. law requires the protection of patient medical records and a disaster recovery plan for those records.

Over time, more data security laws are certain to include disaster recovery planning.

The Benefits of Disaster Recovery Planning

Besides the obvious readiness to survive a disaster, organizations can enjoy several other benefits from DR planning:

- Improved business processes: Because business processes undergo such analysis and scrutiny, analysts almost can’t help but find areas for improvement.
- Improved technology: Often, you need to improve IT systems to support recovery objectives that you develop in the disaster recovery plan. The attention you pay to recoverability also often leads to making your IT systems more consistent with each other and, hence, more easily and predictably managed.
- Fewer disruptions: As a result of improved technology, IT systems tend to be more stable than in the past. Also, when you make changes to system architecture to meet recovery objectives, events that used to cause outages don’t do so anymore.
- Higher quality services: Because of improved processes and technologies, you improve services, both internally and to customers and supply-chain partners.
- Competitive advantages: Having a good DR plan gives a company bragging rights that may outshine competitors. Price isn’t necessarily the only point on which companies compete for business. A DR plan allows a company to also claim higher availability and reliability of services.

A business often doesn’t expect these benefits, unless it knows to anticipate them through its development of disaster recovery plans.

- - - - - - -

ABOUT THE AUTHOR

Peter H. Gregory, CISA, CISSP, is the author of fifteen books on security and technology, including Solaris Security, Computer Viruses For Dummies, Blocking Spam and Spyware For Dummies, and Securing the Vista Environment. Peter is a security strategist at a publicly-traded financial management software company located in Redmond, Washington.
Prior to taking this position, he held tactical and strategic security positions in large wireless telecommunications organizations. He has also held development and operations positions in casino management systems, banking, government, non-profit organizations, and academia since the late 1970s. He’s on the board of advisors for the NSA-certified Certificate program in Information Assurance & Cybersecurity at the University of Washington, and he’s a member of the board of directors of the Evergreen State Chapter of InfraGard.

- - - - - - -

ISBN #978-0-470-03973-1
2008, 360 pages. Order #DR825.

- - - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2010