February 4, 2020
Risk Impact Assessment in Disaster Recovery: Where to Start
Assessing risks is one of the first steps required in finding a way of reducing them and therefore keeping your infrastructure safe. Creating an effective disaster recovery plan starts with searching for potential threats and vulnerabilities of your infrastructure elements, as well as the ways to respond to them. Risk assessment is not a one-time process. You should regularly update your risk assessment policies, especially if you are running a constantly changing infrastructure. Our article aims to explain the importance of risk impact assessment in disaster recovery planning and provide basic information on how risk assessment is performed.
NAKIVO Backup & Replication is a full-fledged solution for protecting data in physical, virtual, and cloud environments. Find more details below and don’t hesitate to download the Free Trial to see our software in action.
Risk Impact Assessment: Related Concepts
Assessment of risks is an important element in both disaster recovery (DR) and business continuity (BC) planning. Although explaining DR and BC in detail would take two separate blog posts, below is a brief outline of the two practices:
- A disaster recovery plan is a document that contains a well-defined algorithm of actions to be taken if an incident occurs. Its purpose is to simplify recovery from the negative effects the incident has brought. Instructions outlined in a DR plan are meant to help your company maintain or quickly resume critical operations, thus keeping downtime at a minimum.
- A business continuity plan refers to a set of actions aimed at preventing potential threats and recovering from incidents your company faces. The key idea is to make sure that your company’s employees and assets are protected and able to resume operations if a disaster occurs. A BC plan is broader than a DR plan: it is meant to ensure that the business continues to operate after a disaster, while a DR plan is designed to quickly mitigate negative effects of the latter.
The assessment of risks and all the potential vulnerabilities your business may be prone to is performed before implementing a DR plan. A good practice is to start it right after you conduct a business impact analysis (BIA), another important element of a DR strategy, aiming at identifying potential consequences if any of your business functions or processes is interrupted.
A disaster recovery risk assessment is a document that contains a description of potential risks to the functioning of an organization. It covers both natural and man-made disasters and estimates the probability of each scenario occurring. The results of the estimation are then multiplied by the consequences of an incident. The value you receive defines your organization’s level of protection against a given threat. Some of the basic topics the document is supposed to highlight are the following:
- Potential damage the incident may cause;
- Amount of time and effort required to mitigate the effects of the incident & associated costs;
- Preventative measures to reduce disaster risks;
- Instructions to reduce the severity of an incident.
Evaluation of risks is a time-consuming process that requires both skills and attention to detail. When preparing this document, it is better to follow the guidelines, pay attention to risk assessment tools, and download a disaster recovery risk assessment example for a better understanding.
How to Perform Risk Impact Assessment
Usually, the process of conducting a disaster recovery risk assessment involves the steps outlined below. Depending on your organization’s needs, you can include additional steps or skip some of those that are listed.
- List the assets
Defining the assets that are the most valuable to your organization is the first step in protecting them. Assets are quite a broad term that may include servers, websites and applications, customer base information, databases, paper or electronic documents, etc., and even key team members.
To cope with this task, consider creating a questionnaire. It is important to receive feedback not only from the key managers and department heads, but from all of the company’s employees. This can help you become aware of things that might have been overlooked. Start documenting specific risks and threats within each department.
- Identify the risks
Specifically, you should define what exactly may affect each of your assets and in what way. This includes software, hardware, data, and employees. Make sure you are following an integrated approach that addresses as wide a range of disaster forms and shapes as possible. These are:
- Natural disasters. Even if your infrastructure is located in an area that is unlikely to suffer from hurricanes or earthquakes, you cannot ignore the possibility of fires and water pipe breaks. Take this into account when deciding where to place your servers.
- System failure. The probability of failure depends on the quality of your computer equipment and the maintenance effort on your part. There is always a risk that a machine may shut off and stop functioning without any warnings or error messages. Additionally, system failure may result from severe software issues, such as a bad line of code.
- Accidental error. Training your employees, allowing enough time for rest, implementing safety protocols, and other preventative measures do not fully eliminate human error risks. Some of your employees may unintentionally delete an important file, click on a malware link, or accidentally damage a piece of equipment.
- Malicious activities. This group of risks comes in a variety of forms, from traditional hacker attacks targeting your data to insider threats such as credential abuse and intentional altering or damaging of data.
- Find the vulnerabilities
It is important to identify weaknesses that can be exploited to obtain or harm your company’s assets. To perform an unauthorized action, an attacker needs an attack vector (i.e. method) that can be applied in an attempt to exploit a system’s weakness. The sum of these attack vectors in your IT infrastructure is known as the attack surface. The key idea is to reduce the attack surface to a minimum.
Make sure to assess the likelihood of vulnerability exploitation. This is the first step in prioritizing the security flaws and allocating resources to eliminate them. According to the statistics based on the Common Vulnerability Scoring System (CVSS), an industry standard for assessing the severity of vulnerabilities, high-severity flaws are exploited in most cases. However, this isn’t a rule without exceptions.
- Assess potential consequences
Perform a risk impact analysis to determine the financial losses your company may face if any of your assets are damaged. In addition to lost revenues, potential consequences may include data loss, damage to your IT environment as a result of downtime, reputational damage, and legal issues. Be aware that surface-level losses may only be the beginning. An incident may result in hidden costs associated with PR and investigations, as well as insurance premium hikes and legal fees.
- Prioritize the risks
Define the level of risk for each pair of threat and vulnerability. Base your assessment on a combination of two factors: the likelihood of exploitation of the vulnerability and the potential consequences this incident may bear. Try to estimate how much revenue your company may lose as a result of the risk event.
The prioritization should be based on the correlation between the impact level and the likelihood of a given incident occurring. If the incident may result in severe negative impacts and is highly likely to happen, the matter should be given the highest priority. Each of the threats should be assigned a respective value, from “very high” (high risk likelihood in combination with significant monetary losses) to “very low” (low likelihood and insignificant damage).
- Document the results
The final step in performing a risk impact assessment is to prepare a report or document that covers all the above-mentioned estimations. Later on, this document can help you with budgetary planning, resource allocation, implementation of safety policies, and so on. The document is supposed to describe the vulnerabilities, potential impact, and likelihood of occurrence for each threat. For better understanding, see an example below:
| Overheating in server room (system failure) – High | Air-conditioning system is old and poorly maintained – High | Servers – Critical | Services, websites, applications, etc. will be unavailable for a few hours – Critical | Temperature in server rooms is 40 °C – High | Substantial financial losses per each hour of downtime – High | Purchase a new air conditioner & ensure better maintenance |
Right after you start, you will gain a better understanding of your organization’s operations and processes, as well as the ways in which they can be optimized. Based on the risk impact assessment, create a policy regulating the scope of actions that your company is supposed to take every month, every quarter, or annually. Try to work out how each of the threats should be addressed and mitigated, and when to carry out the subsequent risk assessment.
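The scoring and ranking described under "Prioritize the risks" and "Document the results" can be sketched as a small risk register. This is an added example, not code from the original article or from NAKIVO's software; the 1-5 scale, the band thresholds, the tie-break rule, the field names and the sample entries are all assumptions.

```python
from dataclasses import dataclass

# Level names follow the article ("very low" .. "very high"); the 1-5 numeric
# scale and the band thresholds are assumptions made for this example.
BANDS = [(20, "very high"), (12, "high"), (6, "medium"), (3, "low"), (0, "very low")]

@dataclass
class Risk:
    threat: str
    vulnerability: str
    asset: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (critical)
    mitigation: str = ""

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # probability x consequences

    @property
    def level(self) -> str:
        return next(label for floor, label in BANDS if self.score >= floor)

def prioritize(risks):
    """Highest score first; ties go to the entry with the larger impact."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)

def unmitigated(risks, at_least="high"):
    """Risks at or above a level that have no documented mitigation."""
    floor = next(f for f, label in BANDS if label == at_least)
    return [r for r in risks if r.score >= floor and not r.mitigation.strip()]

# Constructed sample register; the first entry paraphrases the article's example row.
REGISTER = [
    Risk("Overheating in server room", "Old, poorly maintained air conditioning",
         "Servers", 4, 5, "Purchase a new air conditioner; improve maintenance"),
    Risk("Accidental file deletion", "No offsite backup copy", "File shares", 4, 3),
    Risk("Water pipe break", "Server room below plumbing", "Servers", 1, 5),
    Risk("Credential abuse by insider", "Shared admin accounts", "Databases", 3, 4),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:>2} {r.level:<9} | {r.threat} | {r.vulnerability} | {r.asset}")
```

The water pipe entry shows a limit of plain multiplication: a rare but critical event lands in the "low" band, so entries with the maximum impact deserve a manual look regardless of score.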
Get Prepared in Advance
Ignoring the importance of preparing a comprehensive risk assessment report is one of the most common disaster recovery risks. This report is a proven helper in reducing the likelihood of an incident, mitigating its negative effects, and keeping downtime at a minimum.
As an example, taking regular backups and storing backup copies offsite is a wise practice that ensures the recoverability of your data in a wide range of scenarios, from accidental deletion to the total destruction of a server room. Also, with a valid replica in place, you can recover from a disaster in just a few clicks.
NAKIVO Backup & Replication offers a wide range of tools and features to help you back up and replicate your workloads. Find a short overview of our functionality below:
- Back up virtual, physical, and cloud workloads.
- Instantly recover files, folders, and application objects right from compressed and deduplicated backups. You can recover data back to the source or to a custom location. The feature works in both LAN and WAN, with all the file permissions being restored.
- Send copies of your backups offsite to make sure they never get lost as a result of accidental deletion, corruption, disk failure, cyberattack, or any other unpredicted event.
- Create identical copies, AKA replicas, of VMware, Hyper-V, and AWS EC2-based VMs.
- Resume your business-critical operations nearly instantly by failing over to a VM replica. Put differently, you can recover a VM affected by software or hardware failure in just a few clicks.
- Perform replication from backups to offload your production environment and save time, which is especially important in large IT infrastructures.
To ensure minimal data loss and reduce downtime, get prepared in advance. Together, NAKIVO Backup & Replication and an adequate risk impact assessment report can help you protect your environment from a wide range of unexpected scenarios.