Executive Briefing Topic 5
Info Assurance and Security
Business Continuity and Disaster Recovery For Information Technology
John Pardini
ISYM 540 SSII Current Topics in ISM
7/26/2009
Overview

Disaster recovery (DR) is the process of preparing for restoration or continuation of information technology infrastructure and critical data to an organization after a natural or man-made disaster. Disaster recovery planning (DRP) is a subset of an inclusive process called business continuity planning (BCP) and should include planning for restoration of applications, data, hardware and communications infrastructure. BCP includes preparation for non-information-technology business areas such as key personnel, facilities, disaster communication and data protection.

A DR event could be considerable, such as an earthquake or the terrorist attacks on the World Trade Center, or something small such as malfunctioning software caused by a worm or virus. Given the human tendency toward optimism in relation to technology, many business executives tend to ignore DR because disaster does not seem to be a likely event. (This student's Vice President of Information Technology often jocularly pronounces: "All disasters shall be scheduled to occur after my retirement.")

BCP suggests a comprehensive approach to ensuring an organization is able to function, not only after a natural or large-scale disaster but also in the event of minor disruptions, including illness or departure of key staffers, vendor issues or other challenges that businesses face (Lyons). Despite these distinctions, the two terms are often married under the acronym BC/DR because of their many common considerations for the business.

Interruption of service or data loss can have serious financial impact, whether directly or through loss of customer confidence; thus, DR has become an integral aspect of enterprise computing. As devices, systems and networks become ever more complex, the points of failure have increased exponentially and DR plans have become more complicated as a result.
Years ago, if there was a threat to systems from a fire, a DRP might consist of powering down those systems before the sprinkler system activated, disassembling components and subsequently drying circuit boards with a hair dryer (Toigo). Current enterprise systems tend to be too large and intricate for such hands-on (and preposterous) approaches. Appropriate plans vary from one enterprise to another, depending on variables such as the type of business, the processes involved and the level of security needed. DR plans may be developed within an organization or purchased as a software application or an external service.

It is not unusual for an enterprise to spend 25% of its Information Technology (IT) budget on DR (Doherty). Nevertheless, the consensus within the DR industry is that most enterprises are not prepared for a disaster. According to a survey conducted by Harris Interactive, "Despite the number of very public disasters since 9/11, still only about 50 percent of companies report having a disaster recovery plan. Of those that do, nearly half have never tested their plan, which is tantamount to not having one at all." Additionally, the same Harris poll indicated that more IT leaders than business executives understood that planning for DR should be a top priority and pursued at whatever investment is required. The survey also reveals that IT departments are not receiving the budgets required to achieve the recovery objectives desired by the business line leaders.
Business Considerations

All BC/DR plans need to encompass how employees will communicate, where they will go and how they will perform their jobs when a disaster strikes. The details can vary greatly, depending on the size and nature of an organization and its methods for doing business. IT may play a pivotal role, but the BC/DR plan should focus more on overall recovery for the entire organization. For example, the BC/DR plan at an energy company would restore critical mainframes with vital data at a backup site within two days of a disruptive event, obtain a call center management unit with several hundred telephones within two days, recover the company's computers in order of business need and set up a temporary call center for 50 agents at a nearby divisional facility. The critical point is that no elements can be ignored, and physical, IT and human resources plans cannot be developed independently (Humphrey).

Business leaders and IT management should work together to determine what kind of plan is necessary and which systems and business units are vital to the company after a disaster. They should decide which employees are responsible for declaring a disaster event and mitigating its effects. The BC/DR plan should also establish a process for locating and communicating with employees after a disaster event. In a catastrophic natural event, the plan will also need to take into account that many employees may have more pressing personal concerns than work and their employer's recovery efforts.

Due diligence for BC/DR planning should include a comprehensive business impact analysis (BIA). This exercise will identify the organization's essential systems and processes and the effect an outage would have on the organization. The greater the potential impact, the more expense that should be allocated to restore a system or process rapidly.
Another goal of the BIA should be to define objectives for the recovery of computing systems that run the applications to support the business processes. The Recovery Time Objective is the number of hours or days within which business leaders require a business process or a system to be returned to service. The Recovery Point Objective describes the age of the data to be restored in the event of a disaster.

Technology, personnel and facilities are in a constant state of flux at any company. IT and business leaders should train additional employees to perform emergency tasks. The primary employees counted on to lead in an emergency may not always be available (or worse, may be involved in the disaster themselves in a way that precludes their involvement in the recovery). The BC/DR plan should establish an offsite meeting location and a disaster communication plan for all employees (including executives).

Recovery plans should be practiced with employees and recovery teams to determine the integrity of the plan as well as to prepare people in advance of a disaster. Companies should schedule regular tests of their BC/DR plans to reveal and accommodate changes and work toward constant improvement. Organizations should invest in an alternate means of communication in case the phone networks are disrupted. (This student persuaded his firm to purchase satellite phones for deployment to the company's critical locations for disaster situations.) Leadership should make BC/DR exercises realistic enough to tap into employees' emotions to gauge reactions when the situation becomes stressful (Collett). The BC/DR planning team should strive to create partnerships with local emergency response groups to establish a closer rapport.
Failure to bring business leaders into planning and testing of the organization's recovery efforts, and insufficient support from senior-level managers, could lead to calamity during and after the disaster. BC/DR teams should review the organization's performance during each BC/DR test exercise to reveal weaknesses in the plan that can be remedied before an actual disaster occurs. "There are so many interdependencies today. It's not just a physical recovery issue, it's not just a technology issue, it's not just a line of business issue, and it's not just a corporate issue. Until you've actually gone through the exercise, you don't see how it might unfold. The more times you do it, the better prepared you'll be" (Collett).

Conclusion

As recognition increases about the key role a well-developed, maintained and exercised BC/DR plan plays in the make-up of an organization, it is critical to recognize that the role of upper management should evolve beyond buy-in. The buy-in level of support implies a willingness to fund the enterprise, hire the appropriate staff and delegate responsibility. The overall success of a BC/DR plan and the ability of an enterprise to remain resilient in challenging situations will become increasingly dependent on the integrated involvement of the corporate leadership throughout the process.

While essential roles are played during all phases of BCP, one of the most obvious being the role played by emergency personnel during the immediate response to an incident, much of the ability to respond successfully is determined in some of the earliest phases of the business continuity plan development lifecycle. It is in these early phases that corporate leadership must play an integrated and comprehensive role in the process. The decision about how much loss the organization can accept must be made by executive management based on a full understanding of the organization's interdependencies and all the potential impacts of a loss (Sharon).
The ideal end state for a business continuity plan is one that permits on-going functionality at an acceptable level, even when impeded by challenging circumstances and unscheduled disasters.
Sources

Collett, Stacey. Disaster Drill: Practice Makes Perfect. CSO. June 15, 2005. <http://www.csoonline.com/article/217660>
Croy, Michael. Landing On Your Feet Being Prepared in the 21st Century. Disaster Recovery Journal. March 7, 2005. <http://www.drj.com/articles/win05/1801-01.html>
Doherty, Patrick. Calling IT to Action for DRP. ZDNet. July 8, 2009. <http://news.zdnet.com/2100-9595_22-318844.html>
Harris Interactive. State of DR Planning 2009. Sungard DDA. May 3, 2009. <http://www.sungard.com>
Hoffman, Paul. Disaster Avoidance and Recovery Planning. Focus. July 10, 2009. <http://www.focus.com/ugr/research/information-technology/disaster-avoidance-andrecovery-planning/>
Humphrey, Anne. Beyond Buy-In: The Case for Executive Level Involvement in Developing a Business Continuity Plan. SANS Institute. 2006. <http://www.sans.org>
Lyons, Barry L. Determining Which Functions Should Be Up First Disaster Recovery Considerations. SANS Institute. 2006. <http://www.sans.org>
Sharon, Bill. Risk and Disaster Management. Continuity Central. June 1, 2009. <http://www.continuitycentral.com/feature0230.htm>
Toigo, Jon. Disaster Recovery Planning. Toigo International. Wiley. New York: 2006.
Wheatley, Malcolm. Disaster Recovery: Write People into the Plot. CSO Online. June 5, 2006. <http://www.csoonline.com/article/220446/disaster_recovery_Write_People_into_the_Plot>