Functions for Recovery and Identifying Data Storage and Recovery Sites

Asked: Mar 30th, 2017

Question Description

Option #1: Cisco Systems

Read the Cisco Systems white paper Disaster Recovery: Best Practices (attached below).

Disasters most often are unpredictable, and they vary in type and magnitude when they happen. Many companies have some disaster recovery strategies in place to return to normal after the disaster has struck. To minimize disaster losses, it is very important to have a good disaster recovery plan for every business subsystem and operation within an enterprise.
Write a report on your understanding of disaster recovery strategies from the perspective of a multinational corporation. Should the same strategies apply to smaller, non-multinational organizations?

Your paper should be 3-5 pages in length including graphics, and conform to the APA requirements. Include at least five credible references in addition to the course textbook.


1. Simple essay format, with proper introduction and Conclusion.

2. No plagiarism; inline citations are a must wherever applicable.

Unformatted Attachment Preview

White Paper

Disaster Recovery: Best Practices

© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Contents

1 Executive Summary
2 Disaster Recovery Planning
2.1 Identification and Analysis of Disaster Risks/Threats
2.2 Classification of Risks Based on Relative Weights
2.2.1 External Risks
2.2.2 Facility Risks
2.2.3 Data Systems Risks
2.2.4 Departmental Risks
2.2.5 Desk-Level Risks
2.3 Building the Risk Assessment
2.4 Determining the Effects of Disasters
2.4.1 List of Disaster Affected Entities
2.4.2 Downtime Tolerance Limits
2.4.3 Cost of Downtime
2.4.4 Interdependencies
2.5 Evaluation of Disaster Recovery Mechanisms
2.6 Disaster Recovery Committee
3 Disaster Recovery Phases
3.1 Activation Phase
3.1.1 Notification Procedures
3.1.2 Damage Assessment
3.1.3 Activation Planning
3.2 Execution Phase
3.2.1 Sequence of Recovery Activities
3.2.2 Recovery Procedures
3.3 Reconstitution Phase
4 The Disaster Recovery Plan Document
4.1 Document Contents
4.2 Document Maintenance
5 Reference

1 Executive Summary

Disasters are inevitable but mostly unpredictable, and they vary in type and magnitude. The best strategy is to have some kind of disaster recovery plan in place, to return to normal after the disaster has struck. For an enterprise, a disaster means abrupt disruption of all or part of its business operations, which may directly result in revenue loss. To minimize disaster losses, it is very important to have a good disaster recovery plan for every business subsystem and operation within an enterprise.

This paper discusses an approach for creating a good disaster recovery plan for a business enterprise. The guidelines are generic in nature, hence they can be applied to any business subsystem within the enterprise. In the IT subsystem, disaster recovery is not the same as high availability. Though both concepts are related to business continuity, high availability is about providing undisrupted continuity of operations whereas disaster recovery involves some amount of downtime, typically measured in days. This paper focuses only on disaster recovery.

Every business disaster has one or more causes and effects. The causes can be natural or human or mechanical in origin, ranging from events such as a tiny hardware or software component’s malfunctioning to universally recognized events such as earthquakes, fire, and flood. Effects of disasters range from small interruptions to total business shutdown for days or months, even fatal damage to the business.

The process of preparing a disaster recovery plan begins by identifying these causes and effects, analyzing their likelihood and severity, and ranking them in terms of their business priority. The ultimate results are a formal assessment of risk, a disaster recovery plan that includes all available recovery mechanisms, and a formalized Disaster Recovery Committee that has responsibility for rehearsing, carrying out, and improving the disaster recovery plan.

When a disaster strikes, the normal operations of the enterprise are suspended and replaced with operations spelled out in the disaster recovery plan. Figure 1 depicts the cycle of stages that lead through a disaster back to a state of normalcy.

Figure 1. Enterprise Operations Cycle of Disaster Recovery

It takes the enterprise some time to assess the exact effects of the disaster. Only when these are assessed and the affected systems are identified can a recovery process begin. The disaster recovery system cannot replace the normal working system forever, but only supports it for a short period of time. At the earliest possible time, the disaster recovery process must be decommissioned and the business should return to normalcy.

The disaster recovery plan does not stop at defining the resources or processes that need to be in place to recover from a disaster. The plan should also define how to restore operations to a normal state once the disaster’s effects are mitigated. Finally, ongoing procedures for testing and improving the effectiveness of the disaster recovery system are part of a good disaster recovery plan.

In summary, the disaster recovery plan should (1) identify and classify the threats/risks that may lead to disasters, (2) define the resources and processes that ensure business continuity during the disaster, and (3) define the reconstitution mechanism to get the business back to normal from the disaster recovery state, after the effects of the disaster are mitigated. An effective disaster recovery plan plays its role in all stages of the operations as depicted above, and it is continuously improved by disaster recovery mock drills and feedback capture processes.

The second section of this paper explains the methods and procedures involved in the disaster recovery planning process. The third section explains the different phases of disaster recovery. And the fourth section explains what information the disaster recovery plan should contain and how to maintain the disaster recovery plan.

2 Disaster Recovery Planning

This section explains the various procedures/methods involved in planning disaster recovery.

2.1 Identification and Analysis of Disaster Risks/Threats

The first step in planning recovery from unexpected disasters is to identify the threats or risks that can bring about disasters by doing risk analysis covering threats to business continuity. Risk analysis (sometimes called business impact analysis) involves evaluating existing physical and environmental security and control systems, and assessing their adequacy with respect to the potential threats.

The risk analysis process begins with a list of the essential functions of the business. This list will set priorities for addressing the risks. Essential functions are those whose interruption would considerably disrupt the operations of the business and may result in financial loss. These essential functions should be prioritized based on their relative importance to business operations. For example, in the case of a telecom service provider, though both billing operations and CRM/helpdesk operations are essential functions, CRM/helpdesk is less essential than billing. Hence, mitigating the risks that affect billing operations should be given more priority than CRM/helpdesk operations.

While evaluating the risks, it is also useful to consider the attributes of a risk (Figure 2).

Figure 2. Risk Attributes

The scope of a risk is determined by the possible damage, in terms of downtime or cost of lost opportunities. In evaluating a risk, it is essential to keep in mind the options around that risk, such as time of the day or day of the week, that can affect its scope. For example, spilling several gallons of toxic liquid across an assembly line area during working hours is a different situation than the same spill at night or during the weekend. While the time taken and cost to clean up the area are the same in both cases, the first case may require shutting down the assembly line area, which adds downtime cost to this event.

The magnitude of a risk may be different considering the affected component, its location, and the time of occurrence. The effects of a disaster that strikes the entire enterprise are different from the effects of a disaster affecting a specific area, office, or utility within the company.
2.2 Classification of Risks Based on Relative Weights

When evaluating risks, it is recommended to categorize them into different classes to accurately prioritize them. In general, risks can be classified in the following five categories.

2.2.1 External Risks

External risks are those that cannot be associated with a failure within the enterprise. They are very significant in that they are not directly under the control of the organization that faces the damages. External risks can be split into four subcategories:

Natural: These disasters are on top of the list in every disaster recovery plan. Typically they damage a large geographical area. To mitigate the risk of disruption of business operations, a recovery solution should involve disaster recovery facilities in a location away from the affected area. Nowadays most of the meteorological threats can be forecasted, hence the chances to mitigate effects of some natural disasters are considerable. Nevertheless, it is important to consider documenting the scope of these natural risks in as much detail as possible.

Human caused: These disasters include acts of terrorism, sabotage, virus attacks, operations mistakes, crimes, and so on. These also include the risks resulting from manmade structures. These may be caused by both internal and external persons.

Civil: These risks typically are related to the location of the business facilities. Typical civil risks include labor disputes ending in strikes, communal riots, local political instability, and so on. These again may be internal to the company or external.

Supplier: These risks are tied to the capacity of suppliers to maintain their level of services in a disaster. It is appropriate that a backup supplier pool be maintained in case of emergency.

2.2.2 Facility Risks

Facility risks are risks that affect only local facilities. While evaluating these risks, the following essential utilities and commodities need to be considered.

Electricity: To analyze the power outage risk, it is important to study the frequency of power outage and the duration of each outage. It is also useful to determine how many power feeds operate within the facility and if necessary make the power system redundant.

Telephones: Telephones are a particularly crucial service during a disaster. A key factor in evaluating risks associated with telephone systems is to study the telephone architecture and determine if any additional infrastructure is required to mitigate the risk of losing the entire telecommunication service during a disaster.

Water: There are certain disaster scenarios where water outages must be considered very seriously, for instance the impact of a water cutoff on computer cooling systems.

Climate Control: Losing the air conditioning or heating system may produce different risks that change with the seasons.

Fire: Many factors affect the risk of fire, for instance the facility’s location, its materials, neighboring businesses and structures, and its distance from fire stations. All of these and more must be considered during risk evaluation.

Structural: Structural risks may be related to design flaws, defective material, or poor-quality construction or repairs.

Physical Security: Security risks have gained attention in recent years, and nowadays security is a mandatory 24-hour measure to protect each and every asset of the company from both outsiders and employees. Different secure access and authorization procedures, manual as well as automated ones, are enforced in enterprises. Factors such as workplace violence, bomb threats, trespassing, sabotage, and intellectual property loss are also considered during the security risk analysis.
2.2.3 Data Systems Risks

Data systems risks are those related to the use of shared infrastructure, such as networks, file servers, and software applications that could impact multiple departments. A key objective in analyzing these risks is to identify all single points of failure within the data systems architecture.

Data systems risks can also be due to inappropriate operation processes. Operations that have run for a long period of time on obsolete hardware or software are a major risk given the lack of spares or support. Recovery from this type of failure may be lengthy and expensive due to the need to replace or update software and equipment and retrain personnel.

Data systems risks may be evaluated within the following subcategories:

● Data communication network
● Telecommunication systems and network
● Shared servers
● Virus
● Data backup/storage systems
● Software applications and bugs

2.2.4 Departmental Risks

Departmental risks are the failures within specific departments. These would be events such as a fire within an area where flammable liquids are stored, or a missing door key preventing a specific operation. An effective departmental risk assessment needs to consider all the critical functions within that department, key operating equipment, and vital records whose absence or loss will compromise operations. Unavailability of skilled personnel also can be a risk. The department should have necessary plans to have skilled backup personnel in place.

2.2.5 Desk-Level Risks

Desk-level risks are all the risks that can happen that would limit or stop the day-to-day personal work of an individual employee. The assessment at this layer may feel a little like an exercise in paranoia. Every process and tool that makes up the personal job must be examined carefully and accounted as essential.

2.3 Building the Risk Assessment

Once the evaluation of the major risk categories is completed, it is time to score and sort all of them, category by category, in terms of their likelihood and impact. The scoring process can be approached by preparing a score sheet, as shown in Table 1, that has the following keys:

● Groups are the subcategories of the main risk category.
● Risks are the individual risks under each group that can affect the business.
● Likelihood is estimated on a scale from 0 to 10, with 0 being not probable and 10 highly probable. The likelihood that something happens should be considered in a long plan period, such as 5 years.
● Impact is estimated on a scale from 0 to 10, with 0 being no impact and 10 being an impact that threatens the company’s existence. Impact is highly sensitive to time of day and day of the week.
● Restoration Time is estimated on a scale from 1 to 10. A higher value would mean longer restoration time; hence the priority of having a Disaster Recovery mechanism for this risk is higher.

Table 1. Risk Assessment Form

Risk Assessment Form: External risks
Date:
Columns: Grouping; Risk; Likelihood (0 – 10); Impact (0 – 10); Restoration Time (1 – 10); Score

Natural disasters
    Earthquake: likelihood 1, impact 9, restoration time 10, score 90
    Tornado: likelihood 0, impact 0, restoration time 10, score 0
    Severe thunderstorm: 0
    Hail: likelihood 8, impact 3, restoration time 9, score 216
    Snow/ice/blizzard: likelihood 9, impact 5, restoration time 8, score 360
Human caused risks
    Sabotage or act of terror
    Bridge collapse
    Water leakage in facility
Civil issues
    Riot
    Labor stoppage and picketing
Suppliers
    Power supplier
    Transportation vendor

Looking at the above example, multiplying the likelihood, the impact, and the restoration time yields a rough risk analysis score. A zero value within one of the two columns makes the total risk score a zero. Sorting the table in descending order will put the biggest risks to the top, and these are the risks that deserve more attention.
2.4 Determining the Effects of Disasters

Once the disaster risks have been assessed and the decision has been made to cover the most critical risks, the next step is to determine and list the likely effects of each of the disasters. These specific effects are what will need to be covered by the disaster recovery process. Simple “one cause multiple effects” diagrams (Figure 3) can be used as tools for specifying the effects of each of the disasters.

Figure 3. Disaster Effects Diagram

Note that multiple causes can produce the same effects, and in some cases the effects themselves may be the causes of some other effects.

2.4.1 List of Disaster Affected Entities

The intention of this exercise is to produce a list of entities affected by failure due to disasters, which need to be addressed by the disaster recovery plan. In Figure 3, the entities that fail due to the earthquake disaster are office facility, power system, operations staff, data systems, and telephone system. Table 2 provides a sample mapping of the cause, effects, and affected entities.

Table 2. Determination of Disaster Affected Entities

Columns: Risk (Disaster); Effect of Disaster -> Disaster Affected Entity

Earthquake
    Office space destroyed -> Office space
    Operators cannot report to work -> Office staff
    Power disruption -> Power
    Data systems destroyed -> Data systems
    Desktops destroyed -> Desktops and workstations
    Telecom failure -> Telephone instruments and network
Power supply cut
    Power disruption -> Power
    Data systems powered off -> Data systems
    Desktops powered off -> Desktops/workstations
    Data network down -> Network devices and links
    Telecom failure -> Telephone instruments and network

It may be noticed that two or more disasters may affect the same entities, and it can be determined which entities are affected most often. The entities with the most appearances in the table have a greater tendency of failure occurrence.

2.4.2 Downtime Tolerance Limits

Once the list of entities that possibly fail due to various types of disasters is prepared, the next step is to determine what is the downtime tolerance limit for each of the entities. This information becomes crucial for preparing the recovery sequence in the disaster recovery plan. The entities with less downtime tolerance limit should be assigned higher priorities for recovery. One metric for evaluating the downtime tolerance limit is the cost of downtime.

2.4.3 Cost of Downtime

The cost of downtime is the main key to calculate the investment needed in a disaster recovery plan. Downtime costs can be divided into tangible and intangible costs. Tangible costs are those costs that are a consequence of a business interruption, generating loss of revenue and productivity. Intangible costs include lost opportunities when customers would approach competitors, loss of reputation, and similar factors.

2.4.4 Interdependencies

How the disaster affected entities depend upon each other is crucial information for preparing the recovery sequence in the disaster recovery plan. For example, having the data systems restored has a dependency on the restoration of power.

2.5 Evaluation of Disaster Recovery Mechanisms

Once the list of affected entities is prepared and each entity’s business criticality and failure tendency is assessed, it is time to analyze various recovery methods available for each entity and determine the best suitable recovery method for each. This step defines the resources employed in recovery and the process of recovery.

Some of the typical entities are data systems, power, data network, and telephone systems. For each of these there are one or more recovery mechanisms in practice in the industry. In the case of data systems, for example, the recovery mechanism usually involves having the critical data systems replicated somewhere else in the network and putting them online with the latest backed up data available. For less critical data systems, there may be an option to have spare server hardware, and if required these servers could be configured with the required application. Depending on the data system, there may be options of autorecovery or manual recovery ...
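
Sections 2.4.1, 2.4.2 and 2.4.4 of the white paper together describe how a recovery sequence is derived; the following is an added example, not part of the white paper or of the question, that turns Table 2 into such a sequence. The downtime tolerance hours are constructed sample values, and every dependency other than "data systems need power" is an assumption.

```python
import heapq
from collections import Counter

# Table 2 of the white paper: disaster -> affected entities.
AFFECTED = {
    "Earthquake": ["Office space", "Office staff", "Power", "Data systems",
                   "Desktops and workstations", "Telephone instruments and network"],
    "Power supply cut": ["Power", "Data systems", "Desktops and workstations",
                         "Network devices and links", "Telephone instruments and network"],
}

# Constructed sample values, not from the paper: downtime tolerance in hours.
TOLERANCE_HOURS = {
    "Power": 4,
    "Telephone instruments and network": 8,
    "Network devices and links": 8,
    "Office staff": 10,
    "Data systems": 12,
    "Desktops and workstations": 48,
    "Office space": 72,
}

# Entity -> prerequisites. "Data systems" needing "Power" is the paper's
# example (section 2.4.4); every other edge is an assumption.
DEPENDS_ON = {
    "Data systems": ["Power", "Network devices and links"],
    "Network devices and links": ["Power"],
    "Telephone instruments and network": ["Power"],
    "Desktops and workstations": ["Power", "Office space"],
    "Office staff": ["Office space"],
}

def failure_counts(affected):
    """Section 2.4.1: how many disasters hit each entity."""
    return Counter(e for entities in affected.values() for e in entities)

def recovery_sequence(failed, tolerance, depends_on, counts):
    """Order failed entities: prerequisites first, tightest tolerance first."""
    failed = set(failed)
    # A prerequisite that is still up does not block a restore.
    blockers = {e: {d for d in depends_on.get(e, ()) if d in failed} for e in failed}
    # A prerequisite inherits the tightest tolerance of anything waiting on it.
    eff = {e: tolerance[e] for e in failed}
    for _ in failed:  # enough passes for the longest dependency chain
        for e, deps in blockers.items():
            for d in deps:
                eff[d] = min(eff[d], eff[e])
    dependents = {e: [] for e in failed}
    for e, deps in blockers.items():
        for d in deps:
            dependents[d].append(e)

    def key(e):  # lower tolerance, then more frequent failure, then name
        return (eff[e], -counts[e], e)

    ready = [key(e) for e in failed if not blockers[e]]
    heapq.heapify(ready)
    order = []
    while ready:
        e = heapq.heappop(ready)[2]
        order.append(e)
        for child in dependents[e]:
            blockers[child].discard(e)
            if not blockers[child]:
                heapq.heappush(ready, key(child))
    if len(order) != len(failed):  # nothing left that can start: a cycle
        raise ValueError("circular dependency: " + ", ".join(sorted(failed - set(order))))
    return order
```

With these sample values, office space has a 72-hour tolerance of its own but is restored third after an earthquake, because office staff (10 hours) cannot return until it is available.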

Tutor Answer

School: University of Virginia




Disaster Recovery
Student Name
Professor Name
Course Title

Disaster Recovery
Disasters within the organizational setting are inevitable, and it is necessary to make the
necessary preparations within the organization. The organization will have to assess possible
effects of disaster to ensure an efficient recovery process. Such a plan should be capable of
returning the organization to normalcy in case of disaster. It will also be necessary to provide
procedures for testing, improving the effectiveness of the disaster recovery system (Clarke &
Varma 1999). There is a need to identify the various threats or risks that may bring disasters, and
this includes the use of risk analysis strategies. It will include evaluating physical as well as
environmental security as well as control systems within the organizational setting. The process
of risk analysis involves identifying the various essential functions of the organization. It will
ensure that priorities are given in addressing the various risks within the organization.
Disaster Recovery in Organizations
The business functions should be prioritized by their importance in the normal business
operations. The scope of risk can be assessed by determining any possible damage that may
occur in the case of disaster. It will also be necessary to establish any external risks, and those
include those that are not directly under the control of the organization (Cook, 2015). Another
area of risk that will need to be a...

Thanks, good work