COOP and DRP: What is the difference?

 

Disaster Recovery Plans (DRP) and Business Continuity Plans (BCP, more often referred to as a Continuity of Operations Plan, or COOP) are major issues in the world of business today. The terms are so often misused and intertwined that it is frequently necessary to explain the differences when they come up, both in general conversation and in important business decision meetings. Although these plans can be very costly, a business that neglects to invest in either of them can face serious consequences for the organization as a whole. It is often a crucial decision that can cost people their jobs.

First, the differences between Disaster Recovery and Business Continuity should be understood. The two are very similar in that they are (or should be) detailed plans that prepare an organization for events that cause internal systems failures, or that disrupt business systems to the point where they can no longer meet the requirements of day-to-day tasks. These situations almost always result in loss of revenue and, in some cases, loss of client base. Where the plans differ is in the main concept for which they prepare. Business Continuity Plans generally focus on the continuation of business services in the event of any type of interruption, whether it is IT based or not. Disaster Recovery Plans often refer to a company's strategy if something happens to crucial business data, and how to restore or recover that data (generally in the shortest amount of time possible). The two plans can also be seen as proactive and reactive: one prepares for continuity of service ahead of time; the other is the plan for what happens afterwards.

The role of a proper disaster recovery plan (and system) is often overlooked in many organizations. With previous clients, during initial strategy planning for deployment of services, disaster recovery has been a specific topic used to determine requirements for server availability, downtime scenarios, maintenance, etc. One specific client decided that the extra expense for servers, or for backup and recovery solutions, was not required. This was a security company which provides service to military and government facilities, with over six thousand security employees and a net of over twenty million a year. Before the proposed solution was considered, the company was running off hosted POP3 and a single internal server in workgroup mode, which ran all internal applications, print services, and file shares for the corporate office. Rather than accept a higher up-front expenditure for a solid DRP / BCP, they opted for the week (+/-) of downtime option. This decision eventually led to the dismissal of over 15 people involved in the planning of the infrastructure upgrades. The building the company resided in suffered massive power issues and a flood due to a faulty air conditioner line. This event left the company unable to pay over six thousand employees for about 2 weeks while the system was rebuilt from scratch and new hardware was purchased and shipped.

Solid plans can prepare a company for any manner of event, whether it is internal to a facility, national, power related, natural, or a nuclear bomb strike. They can determine whether a company loses millions or goes out of business, or whether it continues business almost as usual. There are five key factors or elements that contribute to having a strong plan in place. Preparedness determines how ready an organization is for a disaster event. Response determines what happens when a disaster event occurs. Recovery determines what happens once the environment is ready to move forward. Mitigation discovers what the causes of the issues were and whether they could have been avoided, and can often lead to updating a plan to account for any modifications required.

There are many ways to test a DRP and a BCP, and such tests are often required on production systems before a system can be classified as ready for use. CISSP recognizes five methods of testing a DRP: walkthroughs, simulations, checklists, parallel testing, and full interruptions. With the prevalence of virtual machines running infrastructures these days, my preferred method in personal testing has become a 'reality simulation,' in which systems are actually 'virtually' demolished to simulate an actual disaster, rather than the more common test simulations, which are often power tests or service tests. Those tests often do not take into account what can actually happen to a system in a real-life event. The benefits of virtual systems are SAN replication and snapshotting: an entire network can be destroyed and, 5 minutes later, restored to a snapshot. This can provide a more realistic idea of what can, and often will, happen when Murphy gets involved.

