Disaster Recovery Plan: Lessons Learned from the Michigan Department of Technology, Management and Budget
Think your Disaster Recovery Plan (DRP) is up to a good challenge? You’ve read all the information out there. Heck, you may have even attended a conference or a webinar on the subject. Nothing about a DRP is new or exciting. We get it. “Check out my Disaster Recovery Plan” is hardly stimulating dinner conversation.
Take it from the Michigan Department of Technology, Management, and Budget, though; what you don’t know may hurt you. The following “lessons learned” came from an audit of the MDTMB; after they failed in several categories, there were enough helpful tips to go around to help your small to medium-sized business create the perfect Disaster Recovery Plan.
Keep in mind that having a DRP is a requirement for government networks and many other businesses that host certain types of data. You might as well make your plan a good one.
Don’t Store Your Disaster Recovery Plan on the Same Network as You Store Your Data
There’s a reason the president and the vice-president never travel in the same vehicle; they even take separate flights to the same event.
The reason is obvious: if something were to happen to the Commander-In-Chief’s vehicle, the Vice President may need to step in and fill the role of President. If they were both in the same vehicle, the risk is very high that an incident would decapacitate both at the same time.
Common sense, right?
The audit of MDTMB revealed that the agency was storing its data and its DRP on the same network. Using our powers of deduction, its easy to see that if something happened to that network both the DRP and the data it is supposed to restore would be inaccessible.
In today’s world of tech, we forget the ABC’s: in this case, the most reliable place to store your Business Continuity Plan is in a physical location, such as in binders in a locked filing cabinet. For redundancy, store electronic files containing the DRP on a separate network; even better, find storage for the plan offsite.
Update Your Disaster Recovery Plan…and Test it Routinely
One of the biggest failures of the Michigan Department of Technology, Management, and Budget was its outdated tech. How outdated? The audit was performed in 2018, but the agency’s last update was 2011. During those seven years, the plan was not revisited. One of the most glaring pieces of the disaster recovery plan that was missing was the ability to restore the intranet. Without the intranet, employees can’t function or complete basic tasks.
Annual revisions can sound like a lot of work, but it’s worth it when you consider all the technological improvements and upgrades you have made in your business just within the past twelve months. If you don’t incorporate these upgrades in your Disaster Recovery Plan, you will end up in the same situation as the MDTB.
It’s not enough to include these upgrades in your DRP, though; you need to test your DRP routinely to make sure it’s ready to deploy the moment it’s needed. If the MDTMB had tested their disaster recovery plan, they would have noticed that they had no planned path to restore the internet.
Prepare for the “End of The World”
While the government agency had sufficient plans in place for restoring the LAN (local area network), they neglected any contingency plans for a scenario that kept employees away from the office. That means that MDTB’s lofty hope of a 24-hour recovery timeframe wasn’t achievable.
Make plans, such as cloud backups and software, that ensure your employees can connect if they can’t use the LAN. Remember that if you’re implementing your Disaster Recovery Plan, it’s because you need it. This isn’t the time to request employees report to work during a flood or fire because they can’t connect with the intranet remotely.
Wrapping Up Lessons Learned
This wasn’t the first failed audit for Michigan’s Department of Technology, Management, and Budget. They had an alarming audit in 2017 as well, citing infractions for the some of the same points they failed in 2018. The agency, ironically, had several cybersecurity issues uncovered as well. They have since been working on achieving compliancy with the rules, regulations, and auditors, but had they “practiced what they preached,” they would have sailed through the audits.
Not feeling quite as confident about your Disaster Recovery Plan? We don’t blame you. There’s a lot to consider.
Iconic IT can give you a free audit and evaluation of your DRP and make sure you are ready for an audit and the “end of the world.”
Your DRP is more than just a pesky legal requirement. It’s the insurance plan that will keep you in business when disaster strikes. Our professionals know the importance of combining both academic and real-world resources to make your plan airtight when either auditors or blizzards strike. Message us today about bringing that expertise to your business.