Learn how to a build a cloud-first strategyRegister Now


Lock Disaster Recovery Plan away or not?

Posted on 2005-04-09
Medium Priority
Last Modified: 2010-04-03
My organization has put together a Disaster Recovery Plan.  We are debating - should the DRP be locked away to prevent tampering or should it be stored in an unlocked area.  Any particular down sides to having one or the other?
Question by:bboy77
LVL 88

Accepted Solution

rindi earned 200 total points
ID: 13743996
A disaster recovery plan is not something no one should know about. On the contrary, everyone should know what to do in case of disaster. I suggest you hang it up in the server room as well as some other places where it may be needed. This shouldn't be akept a secret!
LVL 88

Expert Comment

ID: 13744005
What you would want to lock away and keep secret are passwords necessary.
LVL 13

Assisted Solution

gpriceee earned 100 total points
ID: 13744295
A didaster recovery plan should also include within it alternatives to administer the plan.  If you lock away the plan and cannot get to it, what value does it have?

In our plan, we have binders with not only the plan but recovery CDs to ceate servers--assuming the building gets hit by a tornado or something else while the majority of IT is in it.

The Senior VPs have binders that they have locked in their homes and not places that only can be accessed during specified hours.  If the business goes down, it needs to be brought up--no matter what time it goes down.

If the Senior VPs can't be trusted, then why are they Senior VPs?  They can be trusted with the plans.  Some IT folks have a hard time with that, but then again, why should the business trust only us for its future?
Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

LVL 25

Expert Comment

by:Ron Malmstead
ID: 13744749
It is recommended to keep your disaster recovery plan somewhere safe, with no access to those who aren't involved in the recovery or backup plan.  IT admins only.

If your backing up to tape drive for instance...only backup operators should have access to the tape drive and backup server.  A locked server room should be sufficient.  Your tapes should be rotated daily, and yesterday's tape should always be kept off-site in case of fire.  A fireproof safe should hold all of the other remaining tapes...I buy tapes ..one for every day of the month....labeled 1-30...makes finding your restore tape easier.

The fact that you have a backup/recovery plan should not be secret....It is conforting to users to know that their files are being backed up.  I would backup a user share and make a company policy that all user files be kept on that share "User Shared Folders"....instead of the habit of saving work to the My Documents folder.
LVL 88

Expert Comment

ID: 13744826
I think your mixing something up. The Disaster recovery plan isn't the servers or tapes themselves.

It is a file or can be some piece of paper on  which is written what has to be done in which eventuality, ie what needs to be done if there was a fire or a flood or a server crashed etc. This info has to be known.

Of course the server room needs to be locked, the tapes (at least certain tapes) should be kept off site etc etc. In fact this is part of the info which belongs into the file or on that piece of paper which is described by the Disaster Recovery Plan itself.

Assisted Solution

simonenticott earned 100 total points
ID: 13745440

We keep serveral copies offisite - me, my colleague, and a few of the technical managers and a director.  We also have a dedicated offsite recovery centre on standby (in case the building goes up in flames etc.), we have a copy there, there is also a copy in our fire safe, which all internal systems people have access to.  All of the binders have the paper plans/contacts etc. as well CDs of info (DNS, server configs, serials etc.), we also include server and backup exec CDs to get the process going).

I wouldn't leave it available to just anyone as there will be operational senstive info in there that a hacker could use, though if you lock it away you risk not being able to get it when you need it.  Ideally it there should be an offsite copy with each person than can invoke the plan a copy secured in yoru server room and one other copy secured at work in a different location.

Its also important that you test your plan at least annualy, my predecessor spent 6 months backing up blank space :)

LVL 88

Expert Comment

ID: 13746023
The recovery plan doesn't need any sensitive data inside, it just tells you how to do what in case of disaster. There should be mention where to look if you need serials or passwords etc, and those must be locked away, as well as the original CDs and their copies,

Of course the backup strategy should be included in the recovery plan, but a normal backup strategy of course includes regular restores to make sure you have backed up your blank space correctly (Alsways restore some of your blank space from your backup and compare it with the original blank space, if one of those balnk spaces is blanker than the other, the backup is a blank....)
LVL 93

Expert Comment

ID: 13746753
are you talking about an IT DRP or a general DRP?

that's totally different

Author Comment

ID: 13747579
Thanks for all the input thus far. Lots of good points on either side.   I'm talking about an IT DRP plan, the regular drp document is with the CEO andnot very detailed.  I have seen major institutions, like MIT post their IT DRP plan online available to anyone.  Our DRP plan does not have usernames or passwords of systems on it, but it does have an inventory of all critical applications and assets.  

I'm trying to view this from a security perspective and see if it makes sense to lock the DRP plan to prevent tampering or any other caveats I might not know about. After reading all the responses I'm thinking it should be available so that everyone in the organization is familiar with it, but I'm not sure if that becomes a security threat by exposing too much information.  
LVL 88

Expert Comment

ID: 13747832
You can create a plan in two or more stages. One displaying the general plan which would not have any critical info in it, but which would point the users in the correct direction for the rest of the info.

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting. This w…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses
Course of the Month20 days, 19 hours left to enroll

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question