
Cybersecurity Spotlight – Disaster Recovery Plan (DRP)

What it is

Disaster recovery plans (DRPs) seek to quickly redirect available resources into restoring data and information systems following a disaster. A disaster can be classified as a sudden event, including an accident or natural disaster, that creates wide-ranging, detrimental damage. In information management, DRPs are considered a critical subset of an entity's larger business continuity plan (BCP), which seeks to prepare for, prevent, and recover from potential threats affecting an organization. While BCPs address all facets of an organization, DRPs specifically focus on technology. DRPs provide instructions to follow when responding to various disasters, including both cyber and environment-related events. DRPs differ from incident response plans, which focus on information gathering and coordinated decision-making to understand and address a specific event.

Why does it matter

When DRPs are properly designed and executed, they enable the efficient recovery of critical systems and help an organization avoid further damage to mission-critical operations. Benefits include minimizing recovery time and possible delays, preventing potential legal liability, improving security, and avoiding potentially damaging last-minute decision-making during a disaster.

Apart from their specific focus on technology, DRPs and the process for developing them are no different than the range of emergency response protocols and backup plans that election officials have already developed to address potential issues or disruptions. The lessons learned from those exercises are often valuable to DRP development. Election officials develop these plans due to the potential risk impacts during key operational periods, such as the last day for voter registration or candidate filing, and election day. For example, if all voting machines were damaged during a flood while in storage just before an election, having an effective DRP could minimize the impact and reduce recovery time.

What you can do

Election offices should have a comprehensive DRP in place and regularly exercise it to ensure effectiveness. The U.S. Election Assistance Commission published helpful tips for contingency and disaster recovery planning that election offices can leverage during this process. In order to create an effective DRP, the EI-ISAC recommends:

  • including relevant stakeholders from the various business units that may be impacted in the planning process
  • conducting a business impact analysis (BIA) to identify and prioritize critical systems
  • exercising the DRP to test its efficacy
  • conducting after action reviews to identify what went right, what went wrong, and annotate improvements
  • regularly reviewing the DRP to ensure contacts are up to date and procedures are still effective and relevant

Election offices should also consider personnel training in the specifics of disaster recovery planning or leverage third-party resources for the planning and recovery process. The MS-ISAC Business Resiliency Workgroup has resources available upon request to assist election officials in creating, testing, and improving their DRPs, including a BIA guide and template, suggested items to include in a go-bag, exercise scenarios, and an After Action Report template.

---

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact elections@cisecurity.org.