About a decade ago, I personally witnessed the handover of the simplest, cheapest, and most effective disaster recover plan ever.
Let me first give you a little background….
I worked for a great IT director, who moved to another company, much bigger, and brought me with him.
In the new company, he again was responsible for all IT, and he brought me along to manage security and disaster recovery.
If I named this company, at least 25% of you would recognize it, even those of you around the world–true story, too.
I was in my boss’ office with my boss and the outgoing IT director for a meeting. We were going to be briefed on the company disaster recovery plan.
The meeting began with me being introduced to the outgoing IT director. He then reached into his briefcase a pulled out a 1-inch binder.
He handed the binder to my boss and said, “Here’s the recovery plan. I hope it works for you as well as it did for me.”
My boss opened the binder and found only one printed page in it.
“You’ve got to be kidding, Sid,” my boss exclaimed (that’s a family version of his words).
“Hey, it worked for me,” the outgoing director said, as he walked toward the door. “Good luck.”
As the door closed, I turned to my boss. “What does it say?”
He shook his head and mentioned a few other non-family phrases.
Finally, he cleared his throat, and said, “Disaster Recovery Plan – Hand this binder to your successor before a disaster occurs.”
I kid you not.
ITauditSecurity 
Hahahaha…
I wonder how that 20% known company passed its audits…
LikeLike
This was before the days of SOX and such. And even after SOX was implemented at this company, DRP was out of scope. Always thought that was strange, but E&Y went along with that.
LikeLike
Very true. I remember that Barings Bank went bankrupt 20 years ago when I was still a business school student. It was the first time I knew a concept called cooperation governance, which I hadn’t read about in any business books.
LikeLike
Pingback: The Simplest, Cheapest, and Most Effective Disaster Recovery Plan Ever – sec.uno
I think there is a growing realisation that disaster recovery plans aren’t worth the paper they are written on. A good friend of mine was talked me through a disaster recovery simulation day she attended many years ago. There came a crunch point where the scenario became so unreal (hell and damnation raining down), that self preservation and her own personal welfare took priority over the organisation’s continuity. In her current role she is sceptical that employees would bother coming into work in the event of a major incident.
LikeLike
Good to see you again, Monkey. I miss sparing with you!
I agree. Even after I put a DR program together for this company, we always had trouble executing it. The problem is, it’s hard, no one knows all the dependencies, companies don’t want to spend the money on the hardware, software, or testing to even get close. Anyone who tells you differently is lying or is one of the few companies that was willing to spend millions of dollars on it.
Those systems that are critical should have active failover configurations. The rest you have to cobble together as you can.
That’s the main reason I no longer do DR. Too hard to do well.So I got out as soon as I could.
For all the Fortune 500’s and better I’ve worked for, none of them were confident of their DR plans…
LikeLike