Note: The following is a guest post from Jeff Norris, senior director of information security for LexisNexis Managed Technology Services, and Greg Inge, managing director of information security consulting firm CQR.
Most law firms have taken steps to assure business continuity and to recover from emergencies. The ABA Law Practice Division has gone to great lengths to assist by making available excellent resources that address various potential disaster scenarios.
However, most of the accumulated knowledge in the area of disaster recovery is associated with catastrophic business disruptions, such as the death of partners, a major fire or weather event, or perhaps a building security emergency.
For today’s law firm, the more likely business disruption is actually an IT disaster from which the firm must quickly recover, such as a data breach or a network outage. In working with law firms of various sizes all over the world, we’ve found there are five keys to effective IT disaster recovery:
1. Develop a clear strategy
Your strategy should provide all of the components necessary to perform a recovery. This should include hardware and operating systems, communications, applications, facilities and other critical functions to keep the IT infrastructure running. Quantify your processing requirements, and record what would be needed to replace each component in the event of a disaster, alternative methods of processing information, and contact information for all relevant vendors.
2. Assess against best practices
After the analysis of the recovery options and development of the strategy, the operational requirements should be assessed against best practices in the industry. What do your peers view as critical and what plans might they have in place for recovery from an IT disaster? Adjust and improve your strategy based on this reality check.
3. Create the recovery plan
Now it’s time to define the resources, actions, tasks and data required to manage the disaster recovery in the event of an incident that unexpectedly hits your firm. The plan should be designed to assist in restoring the IT infrastructure, systems and data networks within the clear strategic goals you established at the outset. This includes the specific procedures involved, assignment of responsible employees, notification requirements (internal and external), timeline for recovery and operational processes while the firm works in contingency mode.
4. Test the plan
It’s important to see how the recovery plan and procedures work in practice . . . before an actual IT disaster strikes. Testing the plan not only allows you to identify possible weaknesses and get accustomed to disaster recovery scenarios, but it also enables everyone to gain reasonable assurance that the plan will operate effectively in the event of an actual incident. Document testing data, evaluate the results and train your staff on how to improve based on those tests.
5. Maintain the plan
Finally, IT disaster recovery plans can have a shelf life of 6 to 12 months, depending on changes in company procedures, applications, systems and personnel. It’s important to put in place an effective maintenance program that requires your firm to revisit the disaster recovery plan on a regular basis, review changes in the firm and your IT infrastructure, and update your procedures based on these changes. Maintaining the plan will help ensure that everyone in your firm will be ready if a disaster occurs.
When developing your IT disaster recovery plan, resist the temptation to expect 100 percent success with every component. That’s the wrong approach to testing a disaster recovery plan because all it does is drive bad behavior for the professionals on your team who are developing and testing the plans. They start to skip steps or – far worse – are tempted to fake results to achieve success. Some just do “tabletop exercises” and don’t even attempt a recovery or simulate production in parallel.
* * *
IT disaster recovery planning may be time-consuming and non-revenue generating, but the whole point of it is that you actually want to find the problems so you can solve them. You don’t want to be doing that on the fly when your firm’s livelihood hangs in the balance. LexisNexis operates state-of-the-art data centers in nine cities (U.S., Europe and Asia) and is trusted by more than 25 percent of Am Law 100 law firms to manage their critical data.