Disaster Recovery and Business Continuity with E-Commerce Businesses
Eric Palmer
IS 8300 Disaster Recovery/Business Continuity Planning
Summer 2012

Abstract:
Disaster Recovery and Business Continuity Planning has been an important part of business survival ever since the mid-70s. The problem with e-commerce businesses is that plans are often insufficient for the demands of today. In this research paper, Disaster Recovery and Business Continuity with E-Commerce is examined by analyzing how top management helps with planning, the methods that are used in planning, and how to ensure business continuity. This research details that without planning for disasters or business continuity, a company might be permanently crippled and might not survive. E-commerce businesses must have disaster recovery and business continuity plans to comply with regulations, mandates, and laws, and to ensure that the company will continue to prosper.

Introduction:
Plan making is essential for every aspect of the world. Sun Tzu wrote The Art of War, and he describes Laying Plans as a matter of life and death, a road either to safety or to ruin, a subject that cannot be neglected. Just as Sun Tzu emphasized planning for war, businesses must plan as well. E-commerce businesses are becoming very popular, and plans are necessary for their survival. An e-commerce business must know how to run its business and also how to protect it. An e-commerce business needs to protect itself from a number of incidents and disasters ranging from hacks to natural disasters. E-commerce businesses must know what to do when these incidents happen. Businesses in Japan would not have been able to repair themselves as quickly if they didn't have a disaster recovery plan entailing what to do when a disaster occurred. Beyond knowing what to do if a disaster happens is knowing what should be done to resume normal business operations. This planning is known as Business Continuity Planning. This research paper will examine how important Disaster Recovery and Business Continuity Planning are to E-Commerce Businesses. It will discuss how plans came to be by covering their history, why top management is necessary, the seven tiers of disaster recovery, planning regulations, the threat of business discontinuity, how to ensure business continuity, the importance of a good team, and the cyclic approach to planning.

History of Disaster Recovery and Business Continuity:
The history of Disaster Recovery and Business Continuity started back in the mid-70s. It was a long road to where Disaster Recovery Planning and Business Continuity Planning are today. The history can be described in four phases: the emerging legislation phase, the emerging standards phase, the post-9/11 phase, and the internationalization phase. The emerging legislation phase was the time between the mid-70s and the mid-90s.
It was the time of legislation for the healthcare, government, and finance sectors of the economy. One of the pieces of legislation passed during this time was the US Foreign Corrupt Practices Act. The FCPA was enacted to prevent and prosecute bribery of foreign officials and required the protection of important company records from being destroyed (Herbane, 2010). This act dealt with interaction during a crisis arising from an error or an illegal act that could hurt the organization. The emerging standards phase was between the 1990s and It saw the development of COBIT 4.0. It was developed by the IT Governance Institute and the Information Systems Audit and Control Association, and was a standard of practices and guidelines to ensure continuous services to an organization. This was when Business Continuity Management was determined to be a solution (Herbane, 2010). The National Fire Protection Association's 1600 standard dealt with the management and business continuity for fires. It developed code standards, procedures, and training for international and U.S. organizations (Herbane, 2010). This phase had two characteristics: standards could be revised and modernized, and standards transformed into international standards through the development of the ISO/IEC (Herbane, 2010).
The post-9/11 phase was the time after the terrorist attacks on the World Trade Center on September It was one of the worst crises that governments, businesses, and organizations faced due to the casualties, denial of access to buildings, and not being able to communicate with information systems (Herbane, 2010). 9/11 impacted financial services, government agencies, utility providers, media, business services, and aviation (Herbane, 2010). In the aftermath, business continuity and disaster planning included preparedness for human losses, psychological impacts, and vulnerabilities from multi-function sites (Herbane, 2010). The years 2006 to 2010 marked the internationalization phase. It brought standards and guidelines that went beyond a single nation or industry to other countries. Standards and guidelines emerged in this phase to recognize that collaborations between organizations in a crisis are important in keeping up with the quality and standard practices that are required in an internationalized market (Herbane, 2010).

Importance of Planning with Top Management and I.S. Managers:
Disasters occur all around the world, claiming lives, destroying homes, and crippling businesses. Hurricanes, floods, fires, and earthquakes are examples of disasters that a company might face. These disasters destroy company information systems, which has often resulted in the termination of business operations (Wong, 1994). Small to midsized companies are threatened by disasters, and a large percentage of these companies never resume operations in the event of a serious catastrophe (Wong, 1994). Larger companies can be weakened so badly that the damage results in permanent closure within a few years after an event. Companies need to realize that Disaster Recovery Planning is critical for their survival. Top Management and Information System Managers must actively participate in the development of a Disaster Recovery Plan.
When making a Disaster Recovery Plan, it is important that Top Management in a company is committed. Top Management is vital to the success of any disaster recovery plan (Wong, 1994). It is the role of IS managers to make sure that Top Management is committed from the start and to address the potential costs of going without a Disaster Recovery Plan (Wong, 1994). A Disaster Response Coordinator is chosen and is responsible for strategic development of recovery processes and plan testing. The Disaster Recovery Coordinator then must form a planning committee that represents the departments throughout the company (Wong, 1994). Each committee member is given the responsibility for developing emergency procedures within their department. Risk Assessment and Impact Analysis is the next step in developing a Disaster Recovery Plan. A planning committee will determine how long a company can operate without computer support (Wong, 1994). In the Assessment, all factors such as hardware, software, and human errors are taken into account along with natural disasters. The Impact Analysis is formed through interviews with management of each functional area of a company (Wong, 1994). This Analysis details what segments are prone to disaster, the costs to protect them, and the impact on each (Wong, 1994). The Coordinator must rank Information Systems applications by need for recovery if a disaster occurs. All applications should be classified into levels of tolerance such as Critical, Vital,
Sensitive, and Noncritical (Wong, 1994). After everything is prioritized, the type of Disaster Recovery Plan to use needs to be decided upon. The company needs to decide on the plan and what trade-off is necessary for the company, for example, balancing reducing risk against not spending an excessive amount on a Disaster Recovery Plan. Vendors need to be selected and contracts developed once the recovery plan is selected (Wong, 1994). A vendor needs to be chosen by considering which one has the best reputation, reliability, flexibility, and offering. A good vendor will be able to support current applications and allow for growth (Wong, 1994). Getting a good vendor is necessary so that processing can be taken over in the event of a disaster. Contracts need to be clear, stating the duration, termination conditions, testing issues, system procedures, service levels, costs, and other issues of the agreement (Wong, 1994). Top Management, the planning committee, vendors, and end users are then involved in developing and implementing the plan. Communication is extremely important in this phase and must be channeled efficiently through all departments of a company. After the Plan is completed it must be tested, or it is essentially of no value to the company (Wong, 1994). Testing procedures and review processes must be followed to correct any problems and add improvements. Last, the plan must be continually updated and tested to meet the demands of developing technology and current laws.

Seven Tiers of Disaster Recovery:
Disaster Recovery Planning can be a very costly process, and many companies strive to have the highest level of coverage at the lowest possible cost. In 1992, the SHARE user group and IBM defined the Disaster Recovery Tier Levels (Warrick, 2003). The purpose was to quantify different methodologies for successful Disaster Recovery Planning implementations.
The tier levels are extremely useful for describing Disaster Recovery capabilities and only need to be updated to meet specific Disaster Recovery technologies (Warrick, 2003). The Seven Tiers define the current service level, current risk, and the target service level and target environment (Warrick, 2003).

Tier 0 represents no off-site data. This Tier includes businesses that have no disaster recovery plan. In an e-commerce business at Tier 0, no information is saved, no documentation is saved, there is no backup hardware, and there is no contingency plan of any sort. It's almost impossible for an e-commerce business to be at Tier 0 because of various laws and regulations. In the event of a disaster, the recovery time is unknown and the business may not be able to recover (Warrick, 2003).

Tier 1 represents Data Backup with no Hot Site. Businesses in this tier have all their data backed up to an off-site location. The effectiveness of this Tier is determined by how often backups are made and the number of days of data the business can lose. This Tier has backups but no way to restore (Warrick, 2003).

Tier 2 represents Data Backup with a hot site. This Tier has regular backups on tape combined with an off-site location and infrastructure called a hot site. A hot site is where systems
can be restored from tapes in the event of a disaster. The recovery time in this Tier is less unpredictable, but recovery will still require several hours of recreating data (Warrick, 2003).

Tier 3 involves Electronic Vaulting. This Tier uses Tier 2 solutions and adds mission critical data that is electronically vaulted (Warrick, 2003). Electronically vaulted data is more current and results in less data recreation after a disaster (Warrick, 2003).

Tier 4 is Point-in-Time copies. This Tier is necessary for businesses that demand faster recovery and greater data currency. It incorporates disk based solutions instead of tape as in the lower Tiers. It's easier to make point-in-time copies with disk than with tape based solutions. Several hours of data reproduction still may be required (Warrick, 2003).

Tier 5 involves Transaction integrity. This Tier is necessary for businesses that need data consistency between production and recovery data centers. There is hardly any data loss in this tier (Warrick, 2003).

Tier 6 is when there is little or no data loss. This tier has the highest level of data currency and is used by businesses that have little tolerance for data loss and need to restore data frequently.

Tier 7 is highly automated, business integrated solutions. This Tier includes all the components of Tier 6 with the addition of automation. It automatically recovers applications, which allows restoration of systems to be much faster and more reliable (Warrick, 2003).

Regulating disaster recovery:
Disaster Recovery and Business Continuity Planning was once optional. Today new regulations and mandates have made not having a plan more costly (Dimartini, 1997). Most companies associate Disaster Recovery Planning with natural disasters, that is, operations being disrupted by acts of nature. Many auditors fail to realize that neglecting a good plan could be just as costly and as damaging as the damage from a storm itself.
Auditors are also often now aware of what might result from non-compliance with laws and regulations that govern disaster recovery planning. Companies might face lawsuits and fines for negligence if a solid plan was never put in place (Dimartini, 1997). Besides internal factors, there are external factors beyond the law. Disaster Recovery planning is important in doing business with others; many associations require contingency plans for accreditation, and a plan has become a common item that business partners look for. There are different requirements for Disaster Recovery depending on the industry that a business is in. An e-commerce business would have different laws and mandates from the banking or healthcare industries. However, because online transactions involve the information of customers and other business partners, there are some regulations. The Consumer Credit Protection Acts address electronic funds transfers and cover industries that use point of sale transfers, automated teller machines, and funds transferred by telephone (Dimartini, 1997). E-commerce would fall into this because it facilitates an electronic payment that results in a debit or credit to a consumer account. The regulation makes sure that e-commerce businesses use due diligence to mitigate the effects of a disaster on critical business operations (Dimartini, 1997).
Information Security is an important part of Disaster Recovery. Increased attention in European organizations follows the Code of Practice for Information Security Management. This serves to measure the practice of establishing a secure information environment (Dimartini, 1997). The other regulations affect the liability of executives for missed opportunities when dealing with business partners. The Foreign Corrupt Practices Act of 1977 makes sure shareholders are assured that company assets and records are properly maintained and protected (Dimartini, 1997). These record keeping requirements include information such as important records and intellectual capital that can affect market share and goodwill (Dimartini, 1997). Failure to comply with these regulations may result in prosecution due to any prolonged business interruption. Managers may face fines of up to $10,000, and corporations fines of up to $1,000,000. In some cases there is a maximum prison term of up to five years (Dimartini, 1997).

Risk of Business Discontinuity:
Most people think of computer breakdowns, terrorist attacks, or natural disasters when they think of Disaster Recovery or Business Continuity. Those only scratch the surface, and many don't think about what will happen if normal business operations are discontinued. In 2005, Hurricane Katrina crippled businesses and universities in New Orleans, Louisiana. Most of the problems came from the fact that many had poor disaster recovery plans (Omar, 2011). A number of businesses lost important records and information from years of being in business. New Disaster Recovery plans needed to be developed along with business continuity planning to make sure that if a disaster of the magnitude of Hurricane Katrina occurred, businesses would still be able to operate (Omar, 2011). Small businesses made up most of the economy in New Orleans, and with local stores destroyed, many started up their own e-commerce solutions.
E-commerce was one of the main kinds of business that survived the disaster, but it still had a hard time staying in business (Kwun, 2010). There is strategic value in e-commerce. The value of e-commerce after the disaster showed a number of potential benefits, which include an increase in customers, better service, and an increase in profits (Kwun, 2010). The benefit of an e-commerce business is that it is driven by four factors: transaction efficiency, complementarities, lock-in, and novelty (Kwun, 2010). E-commerce in New Orleans was a solution for disaster recovery, but the issue was now Business Continuity, and that required an entirely different set of planning (Kwun, 2010). Business continuity has developed a lot since the days when contingency planning was focused on recovery of computer systems. Business continuity planning grew out of the recognition that Disaster Recovery Planning would be ineffective without it (Kubitscheck, 2001). Business continuity is important for a company to cope with specific incidents and ensure the company's survival. However, Business Continuity Management falls short of considering risks that impact the status of a business (Kubitscheck, 2001). Most professionals and regulators believe that the traditional approach to business continuity is not good enough to adequately protect a business. All plans, despite having a good framework,
need to be updated and maintained on a regular basis. Complex business structures and risks from different business practices have led businesses to consider buying Business Continuity Services (Kubitscheck, 2001). Some of the reasons that companies buy Business Continuity Services are dependence on e-business, failure of data backups, risk of software or hardware failure, data security, and virus attacks (Kubitscheck, 2001). In the 21st century, the scale and speed at which risks can materialize have changed. For example, an e-commerce site can get a virus which compromises a customer database, resulting in failure to deliver products. Information is the main part of any e-commerce business. Information includes intellectual data, patents, designs, and the systems on which the company assets run (Kubitscheck, 2001). Protecting core assets is a given, but many organizations neglected security due to incompetence or new business prospects. With e-commerce, Cyber Crime is just one of the many threats a company must face. Organizations also run the risk of losing important information when employees leave a company. In the past an employee would have to smuggle out a copy of sensitive information; now, with the web, important information can be spread much more easily over the internet. New controls for monitoring information transfer on the internet are required along with other controls such as contractual agreements (Kubitscheck, 2001). The 21st century has seen a rise in outsourcing relating to the IT industry. Payment systems and other specialized areas are popular activities to outsource (Kubitscheck, 2001). According to Business Continuity Systems Consultants, the most common cause of business disruption is from contracts. Few organizations require contractors to have safety procedures. Outsourcing needs to be thought through carefully and included in Business Continuity Planning. Good news spreads fast, but bad news spreads much faster.
It is important to have a BCP to ensure the business is operational and that there is no downtime. The goal is to make sure no one outside of the company notices any issues that the company may have faced. Reputation risk is high on the agenda of traditional business continuity management (Kubitscheck, 2001). Businesses must keep a close eye on the temperament of their key stakeholders to maintain continuity of the business (Kubitscheck, 2001). If stakeholder confidence is lost, a company might be on a path to great financial losses. External risks must be determined, and a company must be able to continue operations after managing major incidents on short notice. Vulnerabilities need to be assessed and tested for to ensure a quick recovery.

Business Continuity Planning Keeps You In Business:
The global market has created new forms of business operations, and organizations are starting to recognize and address their vulnerabilities. Business Continuity should not be confused with disaster response planning; they sound similar but they are greatly different. Disaster Response planning is a response to a specific event, for example an earthquake. This type of plan is considered Tactical (Morganti, 2002). Disaster Planning and Emergency Response Planning are also very similar. Disaster Planning is usually the preparation for incidents such as storms, earthquakes, and floods. Emergency Response Planning often deals with specific incidents such as fires, explosions, or power outages (Morganti, 2002). The Tactical Disaster
Response Plans and Emergency Response Plans are very different from the Strategic Business Continuity Plans. Business Continuity Plans are plans to keep a business up and running after it has been damaged (Morganti, 2002). The entire point of Business Continuity is to prepare for the worst case scenario in e-commerce, which is damage to the site itself. Damage could come from small errors in the system, human mistakes, or natural hazards (Morganti, 2002). A halt of operations from such a scenario, even a brief one, might cripple an e-commerce business. The physical damage is not the main issue; the halt of product flow is. This is why a good plan must be in place to ensure a quick recovery. The first step of a Business Continuity Plan is the Planning phase. This phase is the most time consuming and difficult and involves a number of steps. An organization needs to have realistic goals and objectives, and the best place to start is by asking the Chief Information Officer or the Chief Financial Officer what their tolerance is for loss in dollars and for allowable downtime (Morganti, 2002). The leader of a Business Continuity Plan will serve as a facilitator in the plan but must assign responsibilities for all key functions of an e-commerce site. All plans need to be reviewed frequently and backup plans developed. Risks and threats are assessed using information available through a firm's property insurance carrier, a risk management service company, or loss prevention engineering products (Morganti, 2002). Key functions in an e-commerce site need to be identified to better focus the Business Continuity Plan. A Business Impact Analysis needs to be conducted; it is difficult and time consuming, but important. A Business Impact Analysis can be done through a company's property insurance carrier or risk management firm (Morganti, 2002).
The last parts of the planning phase are to determine budget requirements, create the plans, and determine the training, testing, and auditing schedules (Morganti, 2002). The phase after determining risks and threats is the prevention and control phase. This phase serves to make sure that the possibility of threats is reduced through prevention, control, and mitigation (Morganti, 2002). This phase is often not given as much attention as needed; a Business Continuity Plan needs to identify hazards to operations and rank the severity and probability of each such incident happening. In the Preparation Phase, the response teams, command centers, and aid agreements are established. This is also when Hot Sites, the places where computer data and programs are transferred and run when a company has lost its own computers, are tested and audited to ensure their effectiveness. The last part is to make sure that the BCP is always kept current; one of the most serious problems is that organizations will spend too much money on developing a BCP and then allow it to become outdated, making it essentially useless. In the event that an incident occurs, go directly to the response phase. Make sure that someone has the authority to initiate the Business Continuity Phase, so that time is not wasted determining who has to get permission to go forward. Communication is important, and a succession plan needs to be established in case key managers happen not to be present during an incident. Many organizations manage their response activities through an Incident Command System (Morganti,
2002). This system helps allocate and coordinate resources effectively, with monitoring by a single incident command official (Morganti, 2002). The final stage is the Restoration Phase; it looks at continuing operations, rebuilding, labor requirements, and other issues.

The Business Continuity Team:
Employees are an asset, and the Business Continuity Team is very important in carrying out a Business Continuity Plan. There are six steps in building a team: identify stakeholders, form the team, clarify and agree on objectives, define roles and responsibilities with a work plan, identify engagement processes, and update the business continuity policy (Lam, 2002). An e-commerce team is made up of five key groups of stakeholders. Executives are stakeholders who must know why e-commerce is important in order to provide key resources such as money and employees. Marketing stakeholders deal with organization branding and B2B e-commerce marketing (Lam, 2002). Sales is the stakeholder group that ensures that the site accurately reflects sales arrangements offered to customers. IT stakeholders are important because they play a role in making sure e-commerce systems integrate properly with ERP and back-end systems (Lam, 2002). The last important stakeholder is Operations. Operations makes sure that an e-commerce business will be efficient and watches out for obstacles (Lam, 2002). Once the key stakeholders have been identified in an e-commerce business, the Business Continuity Team needs to be developed. The Team must be ready to manage an incident and to commence any business continuity plan that is in place (Lam, 2002). There are several roles that are common in a team, and they should be filled by individuals who have held existing roles of responsibility so that they are familiar with the business and Information Technology practices (Lam, 2002).
The business continuity manager is the first contact who manages an incident, initiates a business continuity plan, gets the team mobilized, and confers with business owners. All key decisions about how to handle the incident are made by the business owner. The technical service manager manages issues with infrastructure, initiates continuity arrangements, and talks to business continuity providers (Lam, 2002). An estate manager manages incidents related to the environment that surrounds the e-commerce business, such as offices and buildings (Lam, 2002). The business operations and customer services manager deals with business operations and customer services, keeps customers informed if there is a noticeable impact they should know of, and also arranges with business continuity service providers (Lam, 2002). The last role is the recovery manager, and this role involves guiding the business from the recovery state to normal business operations (Lam, 2002).

Cyclic Approach to Implementing a Business Continuity Planning:
In a traditional plan, a company must consider all planning phases whether the company is large or small (Botha, 2004). There are seven phases that an e-commerce company must complete. The Project Planning phase incorporates all activities that will make sure a Business Continuity Plan project is planned properly (Botha, 2004). The Business Impact Analysis phase determines important business processes, which are then analyzed to determine the impact that various disasters may
have (Botha, 2004). The Business Continuity Strategies phase identifies the strategies that focus on business continuity and recovery. The Continuity Strategies Implementation phase is when each strategy is defined and functional plans corresponding to different scenarios are detailed (Botha, 2004). The last three phases are the Continuity Training, Testing, and Maintenance phases. The phases that are part of the seven-phase continuity planning methodology can be partially or entirely implemented. Many small to medium sized companies have a hard time affording the time and money that go into these phases, so there is a different implementation methodology that can be used, called the Cyclic Approach. This approach is good to use when a project is large but there is limited workforce and funding (Botha, 2004). By dividing the work into four different cycles, a company is able to implement a BCP. The Cyclic Approach is made up of four cycles: the backup cycle, the disaster recovery cycle, the contingency planning cycle, and the business continuity planning cycle. Each stage is separated from the next (Botha, 2004). The backup cycle lays the foundation for recovery for an e-commerce business. It is often almost impossible to recover if an organization has lost access to its data after a disaster (Botha, 2004). All project planning activities need to be carried out, given that this is the first cycle. BIA activities follow the project planning. All analysis activities must be performed during the backup cycle to ensure that critical data is identified and is continually available (Botha, 2004). Data is kept continually available through regular backups and off-site storage (Botha, 2004). Teams must be determined, and then training and testing must be carried out. The Disaster Recovery Cycle's main objective is to make sure that IT can recover efficiently after a disaster.
Project Planning activities are included in the cycle, and it is important that management commitment is obtained (Botha, 2004). Employees and people working on the plan need to be made aware of the disaster recovery cycle concepts, schedules, and milestones. The BIA must be conducted again for this cycle, making sure all processes and supporting resources are identified and prioritized (Botha, 2004). Recovery strategies and recovery time frames are identified along with emergency response procedures. The last part of the cycle is training, testing, and maintenance. The Contingency Planning cycle concentrates on the continuity of each business process. Many steps here are the same as in the Disaster Recovery Cycle; it starts with planning. Management must support decisions and hold meetings to establish which parts of the cycle project participants must take part in (Botha, 2004). The BIA review is done again in this cycle along with strategy implementation, process continuity procedures, and team identification. Training, Testing, and Maintenance are done last. The final cycle is the business continuity planning cycle. At this point the Business Continuity Plan should be almost completed, and the cycle concentrates on recovery and business process continuation as a whole (Botha, 2004). Planning is completed once again, and management is required to commit to decisions. A final orientation meeting is required to discuss cycle prospects and schedules (Botha, 2004). Activities such as insurance coverage review, public relations preparation, and emergency resource identification need to be completed. The remaining teams for these activities need to be identified, followed last by training, testing, and maintenance (Botha, 2004).

Conclusion:
E-commerce is the form of business that will replace the traditional mom and pop retail stores of the past. E-commerce may be easier to set up than a traditional store or business, but it must be protected by in-depth planning. Planning for disasters and for how to keep a business running must be done, or business failure is imminent. It's not a question of whether a disaster will happen; it's a matter of when it will happen, and a good plan will mean the difference between survival and death. This paper discussed how current planning came to be from various developments starting back in the 70s. The tiers of disaster recovery section discussed the different tiers a business falls under, determined by its level of protection and planning. New laws and mandates mean that although planning might have been optional in the past, there are now requirements that every e-commerce business must follow. The section on operations discontinuity talked about how businesses may be permanently damaged depending on how long operations cease, and oftentimes never recover. Cooperation with Top Management is necessary in the planning process to make sure everything runs smoothly. The development of a good team for developing and acting on plans is an extremely important and necessary part of Disaster Recovery and Business Continuity. The cyclic approach to planning section discussed that there are other, more efficient ways of planning that may be a better option for smaller businesses. This research paper's goal was to discuss why e-commerce is important and how planning is necessary. Just as in the sayings of Sun Tzu, e-commerce businesses must know that there is nothing more valuable than a well-made plan.
Resources:

Botha, J., & Rossouw, V. S. (2004). A cyclic approach to business continuity planning. Information Management & Computer Security, 12(4), Retrieved from

Dimartini, W., & McNally, P. (1997). Regulating disaster recovery. The Internal Auditor, 54(6), Retrieved from

Herbane, Brahim. "The Evolution Of Business Continuity Management: A Historical Review of Practices And Drivers." Business History 52.6 (2010): Business Source Complete. Web. 10 July

Kubitscheck, V. (2001). Business discontinuity--a risk too far. Balance Sheet, 9(3), Retrieved from

Savage, M. (2002). Business continuity planning. Work Study, 51(4), Retrieved from

Kwun, O., Nickels, D., Alijani, G. S., & Omar, A. (2010). The perceived strategic value of E-commerce in the face of natural disaster: E-commerce adoption by small businesses in post-Katrina New Orleans. International Journal of Entrepreneurship, 14, Retrieved from

Lam, W. (2002). Ensuring business continuity. IT Professional Magazine, 4(3), doi: /mitp

Morganti, M. (2002). A business continuity plan keeps you in business. Professional Safety, 47(1), 19-19,56+. Retrieved from

Omar, A., Alijani, D., & Mason, R. (2011). Information technology disaster recovery plan: Case study. Academy of Strategic Management Journal, 10(2), Retrieved from

Warrick, Cathy. "Seven Tiers of Disaster Recovery." IBM Redbooks. N.p., 16 Dec Web. 10 July <

Wong, B. K., Monaco, J. A., & Sellaro, C. L. (1994). Disaster recovery planning: Suggestions to top management and information systems managers. Journal of Systems Management, 45(5), Retrieved from
