I have seen a number of security professionals with a lack of operational experience in disaster recover and business continunity planning address both DRP and BCP as if it was a templated, academic exercise. This is one of the worse possible approaches for DRP. So, let's make this quite simple.
The most important first step that must be done in any disaster recovery situation is to establish communications. In most cases this means that you need to establish communications between people within an organization and also external to the organization.
In Thailand, for example, I see many folks approaching DRP and BCP incorrectly. They promote and advocate an academic approach that is more confusing than useful, and in many instances, these approaches are a waste of time and precious resources. The reason is simple. If you focus on a solid communication recovery plan first you will solve the most critical part of any disaster recovery scenario.
For example, let's say you are the IT security person in charge of a major manufacturing company. A natural disaster occurs and destroys your main building and your data center. How does the CEO communicate with employees? How does the company communicate with their customers? How does the company communicate with the news media and analysts? Who will be responsible for communicating with whom? How will they do it? What happens if a disaster knocks out telecommunications (for example the mobile phone network), what is the plan?
In other words, in every disaster recovery planning situation the most important first step is to insure that you have a solid communications plan in effect and you are ready to execute than plan under various disaster scenarios. In addition, you need to distinguish between disasters that knock out national communications backbones and more specific corporate disasters, like a fire in a data center.
Sometimes I am surprised at how folks with little operational experience can be driven by academic studies, confusing standards and templated approaches to security, when all that is required is a bit of common sense and an understanding of what is important. These is nothing more important, in any disaster recovery situation, than establishing communcations.
More...