Government has led in disaster recovery; Can it continue?

When it comes to cutting edge technology and IT advancements, federal, state and local governments are often criticized as slow to adapt to new technologies. In one area, however, government has often led: disaster recovery.

Disaster recovery (DR) or disaster data recovery is an organization’s plan on how to recover critical data and systems and respond in the event of a disaster such as an extreme weather event, cyber incident or other cause of a...

READ MORE

When it comes to cutting edge technology and IT advancements, federal, state and local governments are often criticized as slow to adapt to new technologies. In one area, however, government has often led: disaster recovery.

Disaster recovery (DR) or disaster data recovery is an organization’s plan on how to recover critical data and systems and respond in the event of a disaster such as an extreme weather event, cyber incident or other cause of a major outage. While a simple concept, it is an often-overlooked practice as many organizations don’t regularly revisit DR plans and can fail to see the importance until a major event happens.

When it comes to government, agencies cannot be offline or “down” for a few days; systems must remain running to ensure citizen safety and communications. Given this large responsibility and the nature of government data, the public sector has historically led when it comes to updated DR plans.

But as technologies, approaches and disasters themselves change, maintenance of these plans requires a focused effort. In order to stay prepared, agencies must regularly update DR plans, train workers and take an offensive stance. Governments can’t wait for something to go wrong; they must practice their plans and monitor and stop any actions that could cause a loss of data.

What a successful DR plan looks like

A successful DR plan is composed of clear steps to take in the event of an unplanned event or disaster that disrupts resources and puts day-to-day operations at risk. The plan should include both tactical steps to take as well as clear roles and responsibilities in case of an event.

One of the first steps in developing a DR plan is a review and analysis of the entire IT infrastructure. In order to conduct this review, DR plans should have a list of assets from hardware and software to devices, applications and more. This list should capture version history, system location, how it is backed up and protected, and where any backup is stored. All these details are crucial so that when a disaster strikes, leaders have documentation of what the system looked like prior to the event.

The backup of data and its storage is essential to a DR plan and can save organizations time and money when it comes to enacting a recovery protocol. If everything is backed up and available, it can be easier to get systems back online as before. With this in mind, a key data protection practice can save government time, money and stress — the “3-2-1-1-0” backup rule. This states that organizations should maintain at least three copies of data, on at least two different types of storage media and keep one copy of backups at an off-site location. The off-site location becomes critical especially in the event of a storm such as a tornado, hurricane or other extreme weather event. In addition, one of the media should be stored offline and all recoverability solutions should have zero errors.

This rule ensures that data is backed up, that the locations of the backups are varied enough that one disaster should not disrupt them all and provides organizations with a full backup in the event of any disaster scenario.

Testing, practicing the DR plan

As government organizations make IT modernization progress and launch new technology, DR plans must be updated regularly to reflect those changes, or risk missing parts of the IT infrastructure when disaster strikes. This includes not just adding new items to the list of technology or workloads but also adding additional processes if needed to create a holistic recovery plan, ensuring organizational awareness of the technology implemented and conducting training on the DR plan.

In the future, as government aims to eliminate as much human error as they can, automation will play a key role in running, monitoring and providing DR planning. It is critical that the government should not suffer the same pitfalls observed in the private sector. The key challenges in the private sector are the inability to properly test and suffering from obsolete documentation and procedures. This is an opportunity well served by automation today. Automation can help in both response and compliance to address readiness to a disaster situation. Additionally, the definition of disaster by today’s standards is subject to some interpretation. The familiar actors of fire, flood and blood are in place but ransomware and human error need coverage as well.

To ensure the plan is holistic and that employees know their responsibilities in the face of an unplanned event, organizations should practice their plans. DR plans should be tested regularly with real-world tests for common situations like extreme weather events, user error like accidentally deleting data or locking a system, and cyber attacks. Running tests with these scenarios is crucial to ensure a DR plan is strong regardless of the disaster.

Tests can also provide government with important information regarding prioritization. In the event of an incident affecting multiple areas of data, government leaders need to know which to prioritize for recovery and that the DR plan can meet the needs of multiple recovery operations. Failing to test a DR plan can result in mismanagement, confusion and, ultimately, a slower response and recovery. Lack of ability to test is relieved today with the capabilities of modern data center infrastructure. Testing can be non-disruptive and not interfere with organizational missions or citizen services.

Finally, plans should consist of less technical steps like an emergency communication plan detailing what an organization will share regarding the situation both internally and externally, and how. Additionally, the roles and responsibilities of each employee should be determined in the plan. In the event of a disaster, everyone in the government should be working together to implement the DR plan and get the system back in full capacity.

While this may seem like a lot of work, it is important to remember that the cost to prepare for a disaster is generally less than the cost to address a disaster and recover lost data. The National Institute of Standards and Technology’s Contingency Planning Guide for Federal Information Systems and FEMA’s National Disaster Recovery Framework are solid frameworks for government to refer to when building and strengthening their DR plans.

The future of DR plans

Over the past year, many organizations had to make swift decisions related to supporting a remote work environment. As a flexible remote environment seems possible for the foreseeable future, government should be sure to take the time to update their DR plans to reflect any changes and make sure all devices are accounted for.

Government has been a leader when it comes to DR plans. It can continue to be so but must make the necessary adjustments from training its workforce as changes occur to practicing its plans and keeping them up to date as needs evolve. When it comes to DR plans, every member of the organization has a role to play to ensure their success. By being proactive and preparing for a disaster today, government can be ready for the disaster of tomorrow.

Rick Vanover is senior director of product strategy at Veeam.

Related Stories