Every so often, I like to review a system that has been
proposed to classify disasters and potential responses. While nearly everyone
involved in disaster recovery (DR) planning has some idea of the types of
disasters that could strike, few have concrete ideas on how to apply those concepts
to DR planning itself. Later columns will deal with these levels and how to
address them in more detail. For now, this is my proposal for a more formal
classification plan for disasters, based loosely on a British military
classification system for threat levels in battle situations.

Level 1 – Threat of disaster without evidence

Essentially, this level encompasses everything that doesn’t
do damage to your data systems, and also doesn’t offer any proof of attack, but
could be a publicity or regulatory nightmare. Common examples are posted boasts
about incursions into your network on blogs and Web forums, or claims that
proprietary data was compromised even though no evidence is offered. The major
issue with these kinds of disasters is that you can’t prove or disprove them in
many cases. Even if you have advanced security measures in place, employee
collusion can easily overcome those measures without showing any weakness in
the digital security itself. Since this level of threat doesn’t have any
evidence associated with it, dealing with the bad publicity can be just as
devastating to your organization as data loss.

Level 2 – Actual attack without data loss

Once an attacker has breached your security digitally, and
has evidence of his or her attack, your IT staff will need to be able to show
what happened and how. In these cases, there is clear proof of the attack, but
not of the extent of the attack. How far did they get into your network, what did
they see, what did they take? The fact that they didn’t destroy anything doesn’t
mean you can call this anything but a disaster.

Level 3 – Minor data/system loss

This is the first level that most people consider a disaster: data systems
and data itself are lost to natural causes, attacks, or system
failures. Level 3 deals mostly with smaller-scale issues: the loss of
non-critical systems, or of a single critical system that can be restored quickly.
The key difference between this level and those that follow is that here we see
disasters that have a high priority, but not a high urgency. Your Recovery Time
Objective is probably at least one business day, giving you time to react and
correct.

Level 4 – Major data/system loss

At this level, larger-scale disasters strike. Here is where multiple
critical systems fail at the same time, possibly due to power loss or fire/flood
in the data center. While you can correct for these issues, it will require an
immediate response from your staff, moving quickly to get business-critical
systems back up and running. Systems that have a Recovery Time Objective of
less than one business day fall into this category when they fail.

Level 5 – Total loss

The highest level in the system, this classification is only
invoked in cases where there is a massive disruption in services due to
disaster. Hurricanes, large-scale floods and fires, and building loss are
usually found here,
with a twin disaster of loss of data systems and the physical plant to recover
to. Due to considerations such as loss of space, loss of life, and
psychological impact, recovery is an exceptionally difficult—though necessary—task.