
5 Things you Need to know about IT Disaster Recovery

No one wants to experience an IT disaster – the loss of critical files, network outage, or hardware failure. However, these risks can be mitigated with appropriate preparation through Disaster Recovery (DR) planning. As IT is woven into every business, it’s crucial to include an IT portion in any DR plan. In this blog, we’ll discuss five important things you need to know about IT disaster recovery to keep your business running smoothly.

1. The purpose of an IT DR plan

The purpose of an IT DR plan is to help the company recover as quickly and effectively as possible from an unforeseen IT disaster or emergency that interrupts information systems and business operations. The plan should ensure that:

  • All employees fully understand their duties in implementing the DR plan. This means that the appropriate portions of the plan should be discussed with employees and tested.
  • Proposed contingency arrangements are cost-effective. This is where planning and preparation can really save you lots of money if you encounter an IT disaster.
  • Disaster recovery capabilities extend, as applicable, to key vendors and service providers. Your disaster recovery is only as good as those you rely on to provide equipment, services, etc.

2. Who should write the DR plan?

DR planning for IT requires preliminary study and thorough understanding of the company business model and IT infrastructure. Ideally, the IT DR planning would be done by your own IT department or an IT consultant who has done previous work for you. Having someone who is new to your environment write and test your IT DR plan may drive up your costs, or leave you with a DR plan that is disconnected from reality.

3. What should the DR plan include?

It is easy to get carried away and write a document so large that it will never be read by anyone (except the author). Needless to say, the size and content of DR documents for SMEs and large enterprises will differ, as the size and complexity of their IT infrastructure are also very different. Here is a brief list of the content sections that SMEs should include in their DR plan.

  • A policy statement that establishes the business requirements for the IT DR plan. Typically, a business would have a statement on IT DR requirements in its policies.
  • Key personnel and vendors contact information. This information will be priceless if an IT disaster is encountered.
  • A clearly defined DR team, with responsibilities outlined for each team member, as well as a calling tree so that each team member knows whom they are responsible for contacting and all team members and staff are notified of the incident.
  • An overview of the IT infrastructure, including a definition of the critical business process supported by IT, a list of systems and their functions, and network and system diagrams.
  • Backup office locations.
  • For each actual disaster event considered in the IT DR plan,
    • a description of the event;
    • risk-impact analysis, discussing the probability of a particular disaster event versus its potential business impact;
    • restoration requirements (these should be determined by upper-level management);
    • and restoration procedures.

It is easy to get carried away in defining and describing all possible IT disaster scenarios; this is why good communication with management is important in order to narrow down the scope of the DR planning to key events with highest business impact or highest probability.

4. What should the IT DR plan NOT include?

The DR plan for IT should not include portions that are covered by the main business disaster recovery plan, which covers all aspects of the business (including insurance, property and personnel management, etc.), not just the IT portion.

5. What parts of the plan should be tested?

It really depends on the budget you set aside for DR planning. Ideally, all parts of the plan would be tested, from complete loss of the office and emergency relocation, to virus infection, to loss of the phone system. Realistically, SMEs will not have the budget to test their entire DR plan; therefore, key events must be pinpointed and tested. Examples include loss of a server, loss of critical files, loss of internet access, and a call tree simulation.

To Conclude

Disaster Recovery Planning for IT is an essential part of any business today. While it may seem overwhelming at first, proper preparation and planning can make all the difference in the event of an IT disaster. Remember to establish a clear policy statement, define your DR team, and include key contact information, an overview of your IT infrastructure, and restoration procedures in your plan. Regularly testing and updating your plan as your business changes is also critical.

At BALANCED+, we can help you develop and implement a DR plan that fits your unique needs and budget. Contact us today to learn more about our IT Disaster Recovery Planning services.

Proper IT Governance starts with Proper IT Policies

IT governance and Information Technology policies are not generally hot topics for SMEs. However, planning business growth and development is impossible without a solid technology platform. Therefore, putting in place the proper IT policies and practices to ensure that your infrastructure (whether managed internally or outsourced) aligns with your business mission is essential.

In large enterprises and organizations, matters of IT policy are within the competence of the Chief Information Officer (CIO). Such organizations will have quite large and verbose IT policies, often revised by a lawyer for legal purposes. But an IT policy does not need to be a large volume of legalese to be meaningful and valuable for corporate governance.

This article discusses the key aspects that SMEs need to consider when developing their IT policies, including defining scope and responsibility, IT infrastructure documentation, acceptable use of information technology, information security, IT services and standards, IT systems management and maintenance, IT incidents, and information systems.

Defining Scope and Responsibility

The scope of any IT policy should be clearly defined: what it enforces, who it applies to, who the Policy Owner is, etc. An important aspect to consider is the set of internal and external governing documents (provincial or federal legislation) that directly apply to IT practices in your industry. For example, institutions dealing with private health information fall under the Ontario Personal Health Information Protection Act (PHIPA).

There may also be certifications that influence IT policies and standards that must be considered. For example, ISO certification mandates certain IT practices to uphold certification.

Each policy should clearly indicate who is responsible for implementing/upholding it (executive, user, external consultant, etc.).

What are the essential IT policies relevant to SMEs?

IT Infrastructure Documentation

IT Documentation is critical for business continuity and knowledge retention about IT systems. The IT infrastructure documentation policy should establish a minimal list of documents to be created and maintained. Some examples of IT documents that are critical for any organisation:

  • IP address distribution table spreadsheet;
  • System and Network diagram;
  • Firewall access control list, or similar list of access rules;
  • Active Directory user audit spreadsheet, including security group membership;
  • etc.

Acceptable Use of Information Technology

The Acceptable Use policy determines what users can or cannot do with IT resources. It touches on things like who may use IT resources (authorisation), users' responsibility, and limitations on personal use.

Areas covered by the Acceptable Use policy include:

  • Telephones
  • Computers
  • Internet, including social media and cloud platforms
  • Email
  • Printers
  • etc.

Information Security

This is arguably one of the highest concerns for some enterprises, as everyone tries to protect against data leaks and security breaches due to high liability costs (as we discussed in our article on Cyber Liability). The policy should define and list the information (data) covered by it (confidential company-owned data, private data, databases, hard copies, etc.) and cover areas like:

  • Domain Access and Accounts;
  • User and administrator passwords;
  • Remote Domain and Computer Access, including access by Third Parties;
  • Network security: firewall, remote login and administration, network segregation, wireless networks, etc. (in larger organizations, there may be a separate policy on Network Security in addition to Information Security);
  • Antivirus protection;
  • External Storage Devices;
  • Email and Content filtering;
  • Portable computing and Mobile Devices.

IT Services & Standards

This policy should define what services the IT department provides and what standards should be followed. For example, shared network storage and access to it, printing, data retention and backup standards, etc.

IT Systems Management and Maintenance

This policy should deal with things like hardware replacement and rotation (how frequently), managing firmware and software updates, monitoring, day-to-day operations, etc.

IT Incidents

This policy should describe how IT incidents are handled at your company, i.e. who is responsible for reporting incidents and to whom, what the resolution times (SLAs) are, what the standard procedures for handling incidents are, etc.

IT incidents should be differentiated by severity. IT Disaster Events should be separately defined and a separate policy for Disaster Recovery should be written.

Information System

The Information System is an aggregation of all IT resources (hardware and software) that support key business processes. With respect to the mission of any company with a (moderately) complex value chain, it is important to understand how the information system serves the business process, and how well the two should align. Information system policies should define the standards for developing and auditing key business processes and information systems.

To Conclude

Having the proper IT policies and practices in place is essential for SMEs to ensure business continuity, data security, and compliance with relevant regulations. It can also help companies better manage their IT resources and align them with their business mission.

As an IT consulting company, BALANCED+ can help SMEs develop and implement effective IT policies and practices to improve their IT governance and support their business growth. Contact BALANCED+ today to learn more about our IT consulting services and how we can help your organization achieve its goals through effective IT governance.