Disaster recovery plans have become crucial for nearly every industry that relies on connectivity and uptime for business survival. According to the Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, two of the top business drivers for creating an IT disaster recovery plan are increased reliance on technology (48 percent) and increased reliance on third parties (33 percent).
Some CIOs may not see the case for budgeting for a disaster recovery plan, but disaster recovery, as a subset of business continuity planning, can keep a business from shutting down completely after an unpredictable event; the health of its IT systems is vital to keeping the business running.
When you look to a third-party disaster recovery provider, what questions should you ask to ensure your critical data and applications are safe? Read on for tips on what to look for in a disaster recovery as a service (DRaaS) offering from your hosting provider.
1. Do you have the following data center certifications: SSAE 16, SOC 1, 2 and 3?
Strictly speaking, these are attestation reports issued by an independent auditor rather than certifications, so ask for the report itself, with its date and scope, rather than a logo. The reports should be current, backed by the auditor's opinion, and cover the security-related controls you care about. Here is a brief summary of what each one covers:
The Statement on Standards for Attestation Engagements (SSAE) No. 16 replaced SAS 70 in June 2011. If your current disaster recovery provider only has a SAS 70 report, keep looking: SSAE 16 made SAS 70 obsolete. (SSAE 16 has since been superseded in turn by SSAE 18, effective for reports dated on or after May 2017, so a provider you evaluate today should be able to produce an SSAE 18-based report.)
An SSAE 16 audit measures the design and operating effectiveness of a service organization's controls as they relate to its customers' financial reporting. Note that it does not provide assurance over the security or availability controls of a data center or disaster recovery provider, so on its own it cannot tell you whether your data is protected.
SOC 1 is the first of three Service Organization Control reports developed by the AICPA, and it measures the controls of a data center as relevant to financial reporting. SOC 1 is essentially an SSAE 16 report under a different name; its purpose is to meet the financial reporting needs of companies that use data hosting services, including disaster recovery.
SOC 2 measures controls specifically relevant to IT and data center service providers, unlike SOC 1 or SSAE 16. It is organized around five Trust Services Principles (now called Trust Services Criteria): security, availability, processing integrity (system accuracy, completeness and authorization), confidentiality and privacy. A SOC 2 report need not cover all five, so check which principles were in scope (availability is the one that matters most for disaster recovery), and ask for a Type II report, which tests whether the controls operated effectively over a period of months rather than merely describing their design at a point in time.
SOC 3 delivers the auditor's opinion on the same Trust Services Principles as SOC 2, but as a general-use report the provider may publish freely along with a seal showing it has been audited. A SOC 3 report is far less detailed and technical than a SOC 2 report, which is restricted to the provider's customers and their auditors; treat SOC 3 as the public summary and insist on the SOC 2 for due diligence.
2. What is your recovery time objective and recovery point objective SLA?
Recovery Time Objective (RTO): the maximum length of time a system may be down after a failure or disaster before the downtime causes unacceptable harm to the business.
Recovery Point Objective (RPO): the maximum amount of data, measured in time, that the business can afford to lose, in other words how far back in time the most recent recoverable copy may be. The RPO therefore sets the minimum frequency at which backups or replication must run, anywhere from every hour to every 5 minutes.
Clarifying both objectives with your disaster recovery provider, and confirming that they are written into the SLA rather than stated as aspirational targets, helps your organization plan for the worst and know what to expect, and when.
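To make the two objectives concrete, here is an added example (not code from the original post or from any provider) that measures the RPO and RTO a provider actually achieved from two constructed log extracts: a replication snapshot log and the event log of one declared DR test. The log format, the SLA figures and every timestamp are assumptions made for illustration. It shows a check that the SLA numbers alone will not: a single failed hourly snapshot silently doubles the real data-loss window, and the achieved RTO is measured from the moment the disaster is declared, not from the start of failover.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real provider): completion log of
# replication snapshots, and the event log of one declared DR test, both UTC.
SNAPSHOT_LOG = """\
2012-03-01T00:00:00Z snapshot ok
2012-03-01T01:00:00Z snapshot ok
2012-03-01T02:00:00Z snapshot ok
2012-03-01T03:05:00Z snapshot failed
2012-03-01T04:00:00Z snapshot ok
2012-03-01T05:00:00Z snapshot ok
"""

DR_TEST_LOG = """\
2012-03-01T05:30:00Z disaster declared
2012-03-01T05:45:00Z failover started
2012-03-01T08:50:00Z service restored
"""

# Hypothetical SLA figures to check against (assumed for this example; the
# post itself cites 4 h RTO / 24 h RPO for a cloud offering).
RPO_SLA = timedelta(hours=1)
RTO_SLA = timedelta(hours=4)


def parse_log(text):
    """Yield (timestamp, message) for each 'ISO-8601Z message' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, _, message = line.partition(" ")
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), message


def good_snapshots(snapshot_log):
    """Timestamps of snapshots that completed; a failed run is not a recovery point."""
    return [t for t, msg in parse_log(snapshot_log) if msg == "snapshot ok"]


def achieved_rpo(snapshot_log):
    """Worst-case data-loss window: the longest gap between consecutive
    successful snapshots. One failed run on an hourly schedule doubles it."""
    good = good_snapshots(snapshot_log)
    if len(good) < 2:
        raise ValueError("need at least two successful snapshots")
    return max(b - a for a, b in zip(good, good[1:]))


def achieved_rto(dr_test_log):
    """Elapsed time from the disaster declaration to 'service restored'."""
    events = {msg: t for t, msg in parse_log(dr_test_log)}
    return events["service restored"] - events["disaster declared"]


def data_lost_at_declaration(snapshot_log, dr_test_log):
    """Data actually unrecoverable in this test: time elapsed since the last
    successful snapshot taken before the declaration."""
    declared = {msg: t for t, msg in parse_log(dr_test_log)}["disaster declared"]
    before = [t for t in good_snapshots(snapshot_log) if t <= declared]
    if not before:
        raise ValueError("no successful snapshot before the declaration")
    return declared - max(before)


def sla_report(snapshot_log=SNAPSHOT_LOG, dr_test_log=DR_TEST_LOG,
               rpo_sla=RPO_SLA, rto_sla=RTO_SLA):
    """Compare what the logs show against the contracted objectives."""
    rpo, rto = achieved_rpo(snapshot_log), achieved_rto(dr_test_log)
    return {
        "achieved_rpo_s": rpo.total_seconds(),
        "rpo_met": rpo <= rpo_sla,
        "achieved_rto_s": rto.total_seconds(),
        "rto_met": rto <= rto_sla,
        "data_lost_s": data_lost_at_declaration(snapshot_log, dr_test_log).total_seconds(),
    }


if __name__ == "__main__":
    for key, value in sla_report().items():
        print(f"{key}: {value}")
```

On the constructed sample the hourly schedule looks compliant until the failed 03:05 run is excluded, at which point the worst-case window is two hours and the one-hour RPO is missed, while the 3 h 20 min recovery does meet the four-hour RTO. Ask your provider for exactly these two logs from their last test rather than the headline figures.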
3. Where are your disaster recovery data centers located?
Natural disasters can happen at any time, almost anywhere, but you can lower the odds by partnering with a disaster recovery provider whose facilities sit in a region with a low incidence of major disasters; the Midwest is one such region. The DR site should also be far enough from your primary site that a single regional event (storm, flood, grid failure) cannot take out both. Read more in High Density of Data Centers Correlate with Disaster Zones; Michigan Provides Safe Haven.
4. Do you offer cloud-based disaster recovery?
As VMware.com states, “traditional disaster recovery solutions are complex to set up. They require a secondary site, dedicated infrastructure, and hardware-based replication to move data to the secondary site.”
With cloud-based disaster recovery, a 4 hour RTO and 24 hour RPO are achievable; the exact figures depend on the offering and should appear in the SLA. Cloud-based disaster recovery replicates the entire hosted environment (servers, software, network and security configuration) to an offsite data center, allowing far faster recovery than traditional disaster recovery solutions can offer.
5. How often do you test your disaster recovery systems?
Disaster recovery providers should test at least annually, so that systems are ready to respond whenever a disaster is declared. Testing is also a valuable learning experience: if anything goes wrong, staff can investigate and remediate before a real disaster occurs, and it gives the personnel who will manage the event a rehearsal. Ask whether you can take part in tests of your own workloads and whether you receive the measured RTO and RPO from each test, not just a statement that it passed.
Read more about disaster recovery:
PCI Compliant Disaster Recovery: Within PCI DSS (Payment Card Industry Data Security Standard) there is a requirement dedicated to having the merchant create an incident response plan in order to act quickly and surely in the event of a breach.
Risks on the Rise: Making a Case for IT Disaster Recovery: the top increasing risks cited by IT planning and purchasing decision-makers in the Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey from 2011 Q4.
Disaster Recovery for HIPAA Applications – It's All About Availability of PHI: HIPAA (the Health Insurance Portability and Accountability Act) focuses on three key criteria for handling Protected Health Information (PHI): availability, confidentiality and integrity; this post focuses on availability as it applies to HIPAA applications and HIPAA data.