4 May, 2023
What is a disaster recovery plan?
A disaster recovery plan is your plan for when the dirt hits the fan.
Security pundits like to say things such as “It is not a question of whether your systems will be compromised but rather a question of when.” Sure, a strong security posture decreases the risk, but being ready for the worst case scenario is an integral part of any mature security posture.
The worst thing that could happen is not “getting hacked”, it is “getting hacked and not knowing what to do”. So, long before the clouds gather on the horizon, we think through a broad range of potentially disastrous scenarios. The result of this exercise is a practical playbook of what to do when disaster strikes. This playbook is called the disaster recovery plan.
What should be included in my disaster recovery plan?
Your disaster recovery plan needs to identify all your assets (hardware, software and data), the roles (who is responsible for what) and the procedures (which actions to take) for different scenarios. Categorizing assets by criticality defines the priorities of the response actions. On top of that we must prepare for a wide range of incidents with varying impact on infrastructure and data. How do we make sure we don’t forget anything?
The Computer Security Resource Center of NIST (National Institute of Standards and Technology) provides extensive guidance in Special Publication 800-34, the Contingency Planning Guide for Federal Information Systems. Based on this guidance we have created a SAMMY module to manage your disaster recovery plans. The module starts with a checklist of everything that is needed in your disaster recovery plan.
Is there a template I can use for my disaster recovery plan?
You can use SAMMY’s disaster recovery plan module to guide you through the important components of the disaster recovery plan. This guidance is based on the NIST guidelines and is organized in 6 parts:
- Supporting Information: Covers the proper definition of purpose, scope and assumptions.
- Concept of operations: Covers the system description, roles and responsibilities, and the three phases (activation, recovery and validation) that are looked at further in the next parts.
- Activation: Covers the procedures around activation, notification and outage assessment.
- Recovery: Covers activities, procedures and escalation.
- Validation: Covers data, functionality and security testing as well as event documentation and recovery declaration.
- Appendices: Covers 13 other components ranging from diagrams to contact lists.
How do I know if my disaster recovery plan is good enough?
SAMMY uses a weighted scoring system based on the relative priority, risk profile and risk appetite factors of the organization or the product. This scoring allows you to benchmark plans against each other and to set a “good enough” threshold for all business units and teams.
How do I manage multiple disaster recovery plans within an organization?
Depending on how you scope your disaster recovery plans you may end up with several plans in the same organization. SAMMY allows you to easily manage multiple plans in parallel with OWASP SAMM management. The tool also makes ownership and responsibilities across individuals clear and transparent.
Disaster Recovery Plan Training.
The teams that have to execute the different components of the plan have to be familiar with it. To achieve this we organize disaster recovery training. These training sessions are run as war games and improve the execution of the plan. They also serve to test the plans and to refine them further based on the practical experience of the test runs.
What is the difference between a disaster recovery plan (DRP) and a business continuity plan (BCP)?
Your business continuity plan is a set of often temporary measures that minimize the impact on the business while information systems are being recovered. You can think of the BCP as the spare wheel you carry in your car, while the DRP is getting the car back to its original state in the garage. In smaller organizations the DRP and BCP may be parts of the same document. Organizations with mission-essential functions, such as government and critical infrastructure, will also have a continuity of operations plan (COOP). The COOP is similar to the BCP but specific to the most critical operations.
Wait, what? How many plans are there?
Well, I’m glad you asked! NIST describes up to 8 plans, but most organizations don’t need all of them. The number of plans you have will be in line with the scale of your business, the nature of your activities, your security maturity and your process maturity.
The total picture looks like this:
In the diagram the COOP and BCP are red and labeled “process focused”. Their objective is to allow business processes to continue, often through temporary measures.
The disaster recovery plan (DRP) is blue and labeled “system focused”. These procedures are about getting the information systems back up and running.
The other system-focused plans are:
- Critical Infrastructure Protection (CIP) Plan: Specific plans for protecting critical infrastructure.
- Information System Contingency Plan (ISCP): A more granular plan dealing with a specific information system. Your general DRP may refer to several ISCPs, depending on which systems are affected by the incident.
- Cyber Incident Response Plan (CIRP): This is your plan for dealing with active attacks.
Then there are two green plans labeled “people focused”. These are about protecting and communicating with the people inside and outside your organization.
- Crisis Communication Plan: Covers both internal and external communication.
- Occupant Emergency Plan (OEP): Covers the physical safety of anyone affected by an incident.
SAMMY makes things easy.
We believe in a simple and safe digital future. In the face of complexity, structure is your friend. And that is what SAMMY brings, whether for managing your disaster recovery plans or your OWASP SAMM assessments.
And SAMMY is free to use. You can try it out here:
When creating a new scope you can select OWASP SAMM or DRP as the model you want to use in that scope. In the future we hope to add more models to the tool.