Appendix 5: IT Disaster Recovery


Link to business continuity management

Information Technology disaster recovery is the process by which computer systems and associated infrastructure are recovered following a disruption to services. In some cases, IT disaster recovery plans may encompass other technical facilities such as telephony.

The recovery of IT systems should be based on the requirements of the entity that the systems support. However, the speed of recovery required will have a significant effect on the cost and complexity of the solution that is deployed.

The type of solution required to address IT disaster recovery needs is based on two main parameters:

  • recovery point objective, which is the point in time (before the business disruption) to which electronic data must be recovered after a business disruption event. For example, data must be recovered to the end of the previous day’s processing; and
  • recovery time objective, which is the target time set for recovery of an activity, product, service, or critical business process after a business disruption event, or recovery of an IT system or application after a business disruption event. Note: The recovery time objective must be less than the maximum tolerable period of disruption. If it is greater, manual processing must be developed for interim processing.

Entities may wish to explore the option of shared arrangements for IT recovery with other entities.

For an entity that requires a very fast recovery time objective and no data loss (zero recovery time objective), it may be necessary to duplicate the entire technology environment at an alternative site. Clearly, this is a very expensive and complex solution that would require the real-time update of data at both sites.

Conversely, for an entity that can accept a recovery time objective of 48 hours and also accepts the loss of data accumulated over the last 24 hours, a traditional lower-cost recovery from off-site tape-based data backups may be appropriate.

It is the requirements of the entity that are crucial and determine the level of sophistication required by the IT disaster recovery plan. Recovery time objective and recovery point objective for each software application are determined as part of the business impact analysis. The point in time of the business cycle can also affect the maximum tolerable period of disruption.

IT disaster recovery plans contain the tasks and processes that need to be undertaken to effect the recovery in line with the required recovery time objective and recovery point objective. In most cases, successful IT disaster recovery plans will need to identify a second site at which systems can be recovered. They may also identify how the infrastructure, hardware, specialist equipment, application software and associated data will be accessed and/or recovered.


 
