Being prepared means planning for the worst and expecting the best. While CU*Answers has invested steadily over the past decade developing and implementing High Availability strategies to prepare us to continue operations through likely disruptive scenarios, we would fall short on our commitment if we did not plan for those unexpected, large-scale disasters, outside of the scope and reach of high-availability controls.
In the event of a disruption where failing over to redundant hosts at the secondary datacenter is not an option, recovery teams will follow the necessary recovery procedures to restore the production system from backup media at a surviving site. To ensure our recovery teams are fully trained and capable and that procedures are validated and confirmed, bare-metal recovery exercises are performed on systems in a sandbox test environment.
For applications and systems that are not categorized as “core-processing” and are not included in the High Availability strategy, IT Contingency and Recovery Plans are maintained and tested regularly. Where feasible, redundant components are installed on systems and hardware to mitigate the risk of component failure, and expedited warranty service is maintained (most with 4-hour support or less).
Results from each disaster recovery test are published in a report and available for download. In-network credit unions are encouraged to review each report and to include them in their board packet documentation.
The Recovery Planning Process
Having a test-validated recovery plan that clearly articulates which systems must be recovered and in what order is crucial if an organization is to resume normal operations within an acceptable timeframe. A test-validated Disaster Recovery Plan should answer the following questions:
- What happens when disaster strikes?
- Will what we have planned support our business?
- How do we resume ‘normal’ business procedures?
The information obtained from current Business Impact Analysis (BIA) and Risk Assessment (RA) reports will identify the amount of downtime tolerable before the organization is significantly impacted, and provide a prioritized list of systems that are required to restore critical business functions. A recovery plan should include all of the steps required to bring systems back on-line and re-establish functionality for system end-users. The systems to restore include main and branch office facilities, hardware, software, data, and communications networks.
Components required for a successful recovery include:
- Test-validated documentation for restoring systems
- Skilled personnel
- Access to vital records (data), and
- Alternate recovery resources
For the Credit Union
Whether an on-line or in-house credit union, having a test-validated recovery plan for all resources required to perform critical business functions is the baseline. To be effective, your recovery plan must provide a roadmap for restoring minimum service levels within a timeframe that is acceptable to the organization (within the parameters of RTO/RPO as identified in the BIA).
Business Impact Analysis (BIA) – “is the Process of identifying the potential impact of uncontrolled, non-specific events on an organization’s business processes.”
Recovery Time Objectives (RTO) – “represent the maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g., the point in time that a process can no longer be inoperable).”
Recovery Point Objectives (RPO) – “represent the amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).”
For more information, see the “Resilient Credit Union.”
Next Steps
CU*Answers offers professional and managed services to help you meet and exceed your recovery objectives. Contact a CU*Answers Continuity Consultant today to discover in-network solutions that best meet your business objectives.
Professional Services available include:
- Business Continuity Planning and Resilience Testing
- Information Security Risk Assessment
- Comprehensive Information Security Program (CISP)
- Staff Security Training
- IT Examination and Audit Preparation
- IT Strategy Consulting
Managed Services available include:
- Network Management and Monitoring
- Continuous Data Protection (CDP) including off-site data storage
- Virtual Branch / Virtual Office