Organizations, solutions partners (vendors), and practices have created a ready handle for recovery from disastrous harm – Disaster Recovery – with the attendant “Disaster Recovery (DR) Plan.” The venerable DR Plan is meant to secure business continuity in the face of harming events, or potentially harming ones. These events can be big (large scale and long-term outages, data breaches, backoffice crashes…) to those that are relatively small (short term outages, limited breach of content, etc.). I’m sure those out there can add to these quick examples.
However, security is ill served by this handle – DR – and so too are many of the plans that fall under it. “Recovery” is reactive, when we should have a plan that includes proactivity, and prevention, of disaster. Some measure of prevention is within our internal control, and some lies within our agility for sidestepping much of outside disaster’s influence. And, we strive to make disaster “transparent” to those whom we serve.
Too, mere “disaster recovery” is often given short shrift in terms of attention, resources, and any sort of test or proof of concept. Many people, particularly Business people, are left to assume their disaster recovery efforts are in place, and will work, when in fact there is no reliable evidence to support this assumption:
“Can you readily recover from disaster?”
“I guess so – we have a disaster recovery plan.”
Many don’t really know, because there’s never been an event to recover from. But they have a plan. (Place a check in that box. Sleep well).
Absent are identified, known, and agreed upon missions, beliefs, values, standards, and tests. Here, again, we’re building awareness.
¨ Mission will be defined by your requirements for prevention, recovery, subsequent assignments, and exercises. The mission will be associated with a policy, and the policy’s manifestation is achieved through a plan (for implementation).
¨ Beliefs include ‘prevention’ as a standard; the understanding of prevention’s true value; those things that need protection according to assessed risk and available resources; and your confidence and control.
¨ Values support your beliefs – those things valued as necessary for sustenance of business. Values will help establish that which is protected to the best point of prevention from harm. There are also those valued business elements that determine the order of recoveries according to priority (for truly unforeseen events, due to catastrophic harm that has genesis outside of the organization, and its control).
¨ Standards establish the degrees, or levels, to which your protection is certified, in supporting preventions. Too, when recovery from damage is made, standards establish a period of time for how quickly full recovery is expected or necessary. Standards can define increments of recovery, and they support the prioritization of the valued business elements through ranking of them.
¨ Tests will be those simulations of harm that you employ to expose your level of success in preventions, recoveries, restorations, and the employment of identified alternative resources.
You must satisfy yourself (believe) that you can meet your organization’s identified values and standards of business continuity in the face of disaster. These things are necessary in order to provide some assurance that the best efforts have been made according to acceptable risks and available resources.
When we arrive at that place, we find that what we really have is a policy, plan, posture – a mission – for something that is a total rebranding: DAPR.
Next: Disaster Awareness, Preparedness, and Recovery.
NP: Kinks: Kink Kontroversy – third album on original vinyl. Carver C-1; Carver M-500t; Thorens TD-125; Shure v15v xMR.