Create a Disaster Recovery Plan

Disaster recovery planning is the ongoing process of planning, developing, implementing, testing, and revising disaster recovery management procedures and processes to ensure the efficient and effective resumption of critical functions in the event of an unscheduled interruption of services.

The need for a disaster recovery plan is often identified as part of the risk management process. Disaster recovery plans need to include mitigation of potential negative impacts to mission critical systems as called for by risk analysis (RECON).

Use the Template

Use the planning template provided by Information Assurance (IA) to create your plan. Working through the template, you will identify the specific individuals, systems, and processes needed to restore service in the event of a disaster. You will identify and account for dependencies, including systems, data, and personnel required to meet the unit's specified objectives for timing and completeness of recovery.

The template will guide you through the process of creating a disaster recovery plan. After filling it in, you will have a functional plan for disaster recovery.

Keep Required Recovery Objectives in Mind

As you work on your plan, keep in mind the minimum amount of time that business processes, service levels, and data must be restored as specified in Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12). Your plan must document how you would recover systems and data to meet the specified disaster recovery performance objectives for recovery time and point:

  • Recovery Time Objective (RTO). The duration of time within which a business process must be restored and a stated service level achieved following a disruption in order to avoid unacceptable consequences associated with a break in service. This is the maximum amount of time following a disaster or disruption that the business can be without the service, without incurring significant risks or significant losses. It is the time you set for yourself in which to restore the service.
  • Recovery Point Objective (RPO). The maximum tolerable period in which recent data from before the disaster or disruption might be lost from an IT system or service due to a major incident. The RPO helps you determine how frequent your backups need to be; for example, if you can only lose four hours worth of data, you need backups every four hours.

Disaster Recovery Objectives by Service Tier Criticality Level

Service Tier Criticality Level RPO RTO
Platinum No data loss except data in transit 4 hours
Gold 0–24 hours 24–48 hours
Silver 1–7 days 7–30 days
Bronze One month or longer or risk of entire loss One month or longer or not recoverable

Service Tier Criticality Levels

  • Platinum. Services and systems that have the highest requirement for availability, the shortest required recovery time, and the fastest required incident response time.
  • Gold. Services and systems that have a high availability requirement, fast recovery time, and fast incident response time.
  • Silver. Services and systems that have a moderate availability requirement, can take some time to recover, and have a moderate incident response time.
  • Bronze. Services and systems that have the lowest availability requirement, can accept complete data loss, and have a very drawn out incident response time.