Incident Response Plans vs Disaster Recovery Plans
Are they really all that different?
A solid incident response plan and disaster recovery plan are required by multiple regulatory frameworks and pieces of legislation (PIPA, PIPEDA and PCI-DSS all require them). These plans form the basis for how organizations deal with the situation when things go rather badly wrong. It’s important to have them in place because when disaster strikes the last thing you need is to try to figure out what you’re supposed to do.
There are plenty of different things that can go wrong and cause problems, so these plans aren’t there to cover everything. However, they should cover most of the more likely incidents, so let’s get down to the meat of it and start with the purpose of each plan and the differences between them.
Disaster Recovery (DR) Plan
A DR plan is where you put your plans for dealing with specific situations, like how to respond to a fire, flood, earthquake, or other natural disaster. These are all events that can have major impacts on your organization and for which you should be prepared. Your DR plan is where you detail how to handle major events that could cause massive disruption and are reasonably possible.
What exactly gets put into your DR plan will vary depending on the nature of your organization. For example, many businesses include vehicles or even fleets of them among their various assets. Since vehicles are a high-value asset, it would make sense for a portion of such a company’s DR plan to be dedicated to dealing with lost or stolen vehicles. It’s a situation where a lot of money is involved (vehicles are pricey) and doing the right thing, like notifying the proper authorities (insurance, police, etc.), is important.
Incident Response (IR) Plan
While a DR plan is where you keep your specific plans, your IR plan is where you keep your generic plans. The idea behind your incident response plan is just that an “incident” has occurred, but you don’t know exactly what that incident may be or how bad it is. That’s when you use what’s been laid out in your IR plan to investigate the situation.
For example, your IR plan should include steps for dealing with cybersecurity incidents. Such a section should lay out how you approach and investigate problems with your computers. You need to lay out the processes and responsibilities for finding and gathering the appropriate information. Along the way you may discover the situation has progressed to a disaster, in which case you stop using the generic ideas of your IR plan and activate your DR plan. For example, a computer starts glitching out so you activate your IR plan, during the execution of which you discover the glitch was the start of a ransomware infection. Now it’s time to jump into full-on disaster mode. Similarly, a generic portion of your IR plan may detail how to investigate a missing vehicle, then activate the relevant section of your DR plan when it becomes clear it was stolen and not just signed out without a signature.
So, to summarize, the IR plan is where you detail investigating different types of situations to find out what’s going on and take appropriate action, while your DR plan is where you detail how to handle specific disasters. Both plans need to detail specific responsibilities for the various personnel involved, as well as contact information for any important individuals and external organizations. The more details you can reasonably work out ahead of time, the easier it will be to manage a real situation.
Another aspect of these plans that is often woefully ignored is that they need to be practiced. If something goes wrong but no one knows how to execute the processes you’ve put in place, someone’s likely going to make a mistake and possibly make the situation even worse. IR and DR plans need to be practiced, regularly and repeatedly.
If you’d like help drafting your IR and DR plans and setting or executing rehearsal schedules, contact a TRINUS cyber security expert today.
This week’s quote from Shakespeare can be found in Measure for Measure: “Our doubts are traitors, and make us lose the good we oft might win, by fearing to attempt.”
Courtesy your friendly neighbourhood cyber-man.