This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
What happens when the worst happens? As an important city policy that should not be neglected, a disaster recovery and business continuity policy outlines how to recover electronic data after a catastrophe. Because cities cannot predict when a disaster such as a fire, flooding, or tornado will occur, it’s essential that a disaster recovery plan is in place.
So what do you need to cover in your policy? Here are five essential elements to help get you started.
Risk Assessment
Each city’s data volume and priorities may be different. It helps your policy if you outline risks specific to your city such as:
- Data loss: What happens if you permanently lose city data? Some city departments may be able to take a greater hit more than others, but some data is mission critical. Just imagine losing utility customer billing records, information about cemetery plots, police video records associated with an active case currently under investigation, or emails about city business subject to an active open records request.
- Downtime: Even if you back up your electronic data, some data needs to be up and running much sooner than other data. For each type of data, ask yourself how long you can be down? For example, you will likely want to restore public safety data before you restore your cultural events data.
- Costs: After a disaster, another way to look at risks involves examining costs. You may look at the costs (such as fines or lawsuits) related to losing critical data subject to open records requests or police video records needed as evidence in active cases or trials. Or, you may look at painful, indirect costs related to losing customer payment data related to taxes or utilities.
2. Planning
This is probably the most important aspect of your disaster recovery and business continuity policy. What exactly will you do when a disaster strikes? You will want to outline:
- How you will get your technology up and running—from your most basic operating systems to your most critical applications.
- Which data you will restore, in what order. This gives your IT staff or vendor a sequence of data to restore that they will follow to make sure your most critical systems get recovered first.
- Contingency plans while data is inaccessible. While your city doesn’t have access to data, what will you do? Depending on the type of data, you may need to manually capture data for a period of time until systems are back up. Then, you may need to input that data into your systems once they are back online in order to make sure you are up-to-date.
3. Responsibilities
In other words, who will do what? You have multiple people who need to be clear about their roles. Focusing on people, processes, documentation, and a plan helps everyone become aware of their roles. And you must prepare for the worst because, sadly, not everyone may make it through a disaster event.
- Business decision makers: City managers, city clerks, police chiefs, department heads, and elected officials may all make important decisions about restoring and accessing data in the wake of a disaster.
- IT staff and/or vendors. Clarifying ahead of time what your hired IT professionals will do after a disaster will help them jump into action immediately. They need empowerment and a clear plan in order to best help. Staff and vendors also need to know how they will coordinate together.
- Non-technical roles: This includes any non-technical stakeholders with a critical role in helping recover, restore, access, and operate systems during and after a disaster.
4. Storage
Any sound disaster recovery plan needs onsite and offsite storage capabilities.
- Onsite data storage: For small disasters like a server failure, something like frequent backups with an onsite data backup service will help cities recover data quickly.
- Offsite data storage: Most important after a serious disaster that takes out buildings housing your onsite data, your offsite storage is the way you recover that data. Offsite data backup doesn’t mean storing that data down the block or even within your county. Your policy should include a requirement that your data is stored far from your geographical location.
5. Testing and Monitoring
Don’t be the city that sets up a wonderful data backup and disaster recovery solution—and then never test it. How do you know it will work? Your policy should include regular testing. Quarterly is ideal, but annual should be an absolute minimum. IT professionals should also regularly monitor your data backups to look for problems, errors, and data corruption.
Many cities find that reviewing these elements helps them realize they need to upgrade and modernize their data backup and disaster recovery solution. Common weak areas usually include no offsite data backup, manual (instead of automated) data backups, and a lack of IT professionals overseeing data backup. While creating a policy, you want to make sure you can carry out the most important aspects of effective disaster recovery and business continuity.