Protect Your IT Infrastructure a Server Disaster Recovery Plan Template
Cyberattacks. Natural disasters. Human error. Any of these could take down your IT systems and grind your operations to a halt, without warning. If you’re not prepared, the business may never recover. In our Server Disaster Recovery Plan Template below, we’ve outlined the critical steps for approaching a real-world disaster scenario and getting your systems back up and running—before it’s too late.
You’ll be able to use the template as a basic framework for identifying:
- What disaster recovery procedures to include as part of your business continuity planning
- Who is on your recovery teams and what roles they’ll play
- How to perform a risk assessment to determine which disasters pose a threat to your servers and operations
- What weaknesses currently exist that require urgent action
- How often to update your own recovery plan and who will do it
No recovery plan? Game over.
When your business-critical servers go down, it can devastate the business. Every minute of downtime translates into losses in productivity and profits. Idle workers alone can be extremely costly.
Consider a threat like ransomware, which encrypts the data on your servers and demands ransom money in exchange for the key to restore your files. By targeting vulnerable businesses, government agencies and healthcare facilities, ransomware is already extorting over a $1 billion a year from its victims.
But that’s not the whole picture.
Experts say the downtime after such an attack is where costs really start to rack up. They estimate that each hour of inactivity costs small businesses an average of $8,581 per hour in lost productivity and expenses. These costs can be crippling for many companies, which is why some businesses ultimately decide to pay the ransomware attackers, rather than risk a painfully slow recovery.
But other types of disasters, like a fire or flooding in your server, don’t come with such an easy out. If your IT infrastructure is destroyed, and you don’t have a backup plan, it’s game over.
40 percent of businesses never reopen after a disaster, according to Federal Emergency Management Agency (FEMA). Without a sound recovery plan in place, your company could become another statistic.
Let’s look at the fundamental sections you need to include in your continuity planning documents.
Server Disaster Recovery Plan Template
- Plan Objectives
Regardless of whether your document is specific to server continuity, or part of your larger business continuity plan, you should open with a statement of intent. This provides key stakeholders and other recovery team personnel with a clear purpose for the plan, why it’s important and what objectives it should achieve.
If you’re creating your own server disaster recovery plan template from scratch, the “Plan Objectives” also serves as a useful guide for what the plan needs to accomplish.
Example objectives could include:
- Develop a company-wide plan to adequately prepare for an unforeseen disaster
- Help ensure the company can recover rapidly after a disaster that has impacted information systems, thus minimizing impact on business-critical operations
- Provide instructions, procedures and emergency contact information for recovery personnel to use in a disaster situation
- Identify processes and technologies for restoring server data and networking configurations after a critical event
- Identify current risks and recommend action steps for preventing and resolving a network failure
- Points of Communication
This section identifies key personnel, such as stakeholders, executives and department managers, along with emergency contact information for each, which should include:
- Phone(s): (Work, Home and Alternate)
- Email(s): (Work and Home)
You will also want to include an additional section that lists the personnel on your recovery team. These are the individuals who will be tasked with updating the plan, activating it during a disaster and ultimately overseeing the recovery. In addition to their contact information, consider adding their specific roles and responsibilities on the team.
Examples within a server-specific recovery plan could include:
- Inspects physical on-site servers and infrastructure for abnormalities or damage
- Initiates data recovery processes; determines the appropriate recovery point from backups, checks backups for integrity
Some businesses should also include a calling tree in this section. A calling tree is a flowchart that identifies who should contact whom in an emergency incident. This tree is essential for maintaining effective communications after a major event. It ensures that all personnel are notified of the incident and know what to do.
III. Plan Management
Here, you will specify who is responsible for periodically reviewing and updating your disaster recovery plan, and how often. This will likely include a primary plan manager, in addition to others on your recovery team who will need to make sure that various elements of the plan are up to date and fully tested. Also, identify where and how the plan is stored, so that there’s never any confusion on where the documents can be found.
- Backup Strategy
Include a high-level overview of the backup strategies for various company operations. Here’s a small sample of what this list could look like, specifically for a server disaster recovery plan:
|IT Infrastructure||Mirrored recovery site (identify location)|
|Email data||Daily backup, cloud|
|Customer data||Hourly backup, on-site and cloud|
|Tech support||Fully mirrored recovery site|
Following this high-level overview, you’ll want to include more information on each of the backup strategies identified. For example, if there is a backup location for the business, specify where it is and who has access. For data backups, specify how those backups occur and with what systems. If you’re using third-party services or managed services providers, include that information along with points of contact.
- Risk Assessment
Now, it’s time to identify all the “what ifs” that pose risks for the company. In this section, you’ll include various types of disaster scenarios and their impact on the business.
Chances are your business is more at risk of certain incidents than others, so you’ll want to assess the probability of each. For example, if the company is located right on the coast, it could be more at risk of flooding, rather than a tornado. If you store sensitive and valuable data, your risks may be greater for a cyberattack.
Consider using a numerical rating system to identify both the probability and impact on the business, such as:
- Probability: 5=Very likely, 1=not likely
- Business impact: 5=Major disruption, 1=Minor disruption
Let’s consider a single event for illustrative purposes:
|Event||Probability||Impact||Consequences and/or Response|
Up to 12 hours loss of business-critical data; restore most recent backups from cloud
Here, you will define what a ransomware attack is and what it would look like. While events like “fire” and “flooding” would be obvious to personnel, a specific form of cyberattack may not always be so clear. Describing what such an attack looks like is important for both your recovery teams and training of personnel.
Include the level of severity that would warrant activating the recovery plan. In a fire, for example, you need to determine specifically what needs to happen before the emergency protocols should be followed. (How big of a fire? Where?)
Elaborate on the specific procedures that should be used to resolve the incident. For example:
- Upon detection of ransomware, notify IT manager
- Define and communicate immediate actions to appropriate teams
- Isolate infected machines; remove from network and/or power-off
- Rollback to healthy data recovery point, ideally no more than 12 hours previous
Be as specific as possible. Remember to include steps for contacting the appropriate authorities. In a natural disaster, for example, your protocols will likely include dozens of steps, identifying locations for employee safety, evacuation procedures, assembly points and so on.
Preventative & Recommended Guidance
Identify the systems, technologies and other tools that are already in place to help mitigate the risks of the event or resolve it. This is where you will include more details on your data backup and recovery systems, anti-malware software, training programs or even things like server-room fire suppression systems.
You should also include any recommended action steps for resolving weaknesses that you’ve discovered during planning. Update the plan again once those systems have been implemented.
- External Communication
In a major event, your teams may need to contact a wide range of external parties, such as:
- Third-party recovery providers
- Insurance agencies
- Financial firms
This section should identify the primary points of contact for each of those parties and the scenarios or rules for communicating with them. For media communication, some companies include pre-written press release drafts (with blank areas for the specifics) in their business continuity plans. This helps save precious time after a disaster and also ensures the communication is pre-approved and consistent with company policies.
VII. Asset Management
Depending on the scope of your plan (company-wide or IT-specific), you’ll also want to include a list of physical assets. This will probably be similar to versions that you’ve already provided to your insurance company. The list can include everything from the components of your IT infrastructure to your office furniture and valuable paper files.
Ready to create your own? Before you simply copy and paste…
Keep in mind: no two recovery plans are exactly the same. While this server disaster recovery plan template provides the basic structure for creating your own plan, we strongly suggest customizing your plan according to your business’s specific needs.
Use the template above only as a starting point for identifying your unique risks, emergency protocols and technology solutions. You may find that the nature of your business, and the threats unique to your industry, require a different approach. As long as you’re carefully considering your disaster scenarios and creating the appropriate response plans, you can significantly reduce the risks of a prolonged server outage.