Y2K may be a distant memory, but there are plenty of other threats against corporate IT systems. In fact, today’s list of disaster threats includes more than just hurricanes and blackouts — chemical attacks and terrorist bombings have become a stark reality.
Although fires, floods and earthquakes are no more devastating now than they were five years ago, and terrorism is certainly nothing new, Steven Ross, a director in Deloitte & Touche LLP’s Enterprise Risk Services practice, told TechNewsWorld that “what has changed is the heightened perception of threats and the concentration of resources that are at risk should a disaster strike.”
Scott Ramsey, global practice director for the Information Security Solutions division of IT consulting firm CTG Luxembourg, agreed with Ross’ take.
Potential Is Greater
“The threats over the past five years have not increased in number as much as they have increased in potential for occurrence,” he said. “Global terrorism is the threat that has seen the greatest amount of visibility through the media. Just within the past several weeks, the suicide bombings in the London Underground provide the most recent example.”
David Pendergast, senior vice president of marketing for IT outsourcing firm Titan Technology Partners, told TechNewsWorld that business evolution toward true global operations places additional stresses on information systems. This reality makes disaster planning mandatory as 24/7 operations are now the norm rather than a luxury.
“The challenge is to meet the changing threats and opportunities with viable plans that can be acted upon,” Pendergast said. “The good news is technology has advanced to a point where disaster recovery isn’t a single choice, but a collection of choices which have to be evaluated with diligent planning and execution with the full knowledge of executive management to the ramification of their choices.”
How should a CIO or IT manager deal with 21st century threats? Preparing data and IT systems for potential disaster requires a combination of well-planned procedures and thoughtful policies.
Planning for the Worst
Analysts said that when IT was centralized, it was much easier to protect. In fact, it was typically the most secured area within organizations. In today’s world, however, technology and data are dispersed to all points of the compass. Laptop computers, smartphones, iPods and jump drives can all store and transport data, and the devices themselves are portable.
Ramsey said this is a catch-22: on one hand, it is difficult to control this environment, but on the other hand it is more difficult to take out an organization’s entire technology infrastructure and data.
“Contingency plans are incorporating greater use of home offices and triangulation,” Ramsey said. “Organizations are becoming more self-reliant to recover from disaster events.”
D&T’s Ross said policies and procedures are important, but from a CIO perspective they are less valuable than having alternative data centers from which to operate in the event of a disaster.
“Given the very tight timeframes for outage and data loss in transactional, health care and e-commerce applications — especially driven by the concentration of effect driven by ERP systems — the need for a backup site may entail synchronous or near synchronous replication of data to a remote site that has the capability to be activated nearly instantly,” Ross said.
Disaster Planning Tips
In a nutshell, CIOs looking to devise disaster recovery and contingency plans need to determine what their mission-critical operations are — whether they relate to service, sales, supply chain, etc. — and determine in each case the maximum amount of time the business unit can afford to be down.
“Once dependencies are analyzed, all options should be explored and developed,” Pendergast said. “Do we need hot or cold backup? Should we outsource the data centers? Should we put in place multiple data centers? What about a backup call center?”
Next, the options need to be costed. Analysts said it is crucial to run a cost-benefit analysis of each option in order to develop an effective preparedness plan that executives can understand, support and fund.
“Since the business issues change it is critical to evaluate the plan at least annually and also whenever significant changes in the business occur, such as mergers, increased sales over Web, and consolidating operations,” Pendergast said.
Disaster Planning Checklist
Ramsey said it is important to focus on the priority — and the business needs are the priority, not IT operations. “IT is a resource that is utilized to support business operations,” he said. “How much IT infrastructure is needed is dependent upon the needs of the business during a disaster.”
Ramsey said a structured process would include the following steps:
- Identification and classification of potential disasters.
- Options for either the reduction of probability or elimination of the threat.
- Identification of mission critical business operations that if not performed would cause significant impact to the organization.
- Identification of the resources (personnel, facilities, technology, communications, etc.) required to support mission critical business operations during a disaster mode of operation.
- Identification, evaluation and selection of recovery alternatives and strategies to support mission critical business operations.
- Development of action oriented recovery and restoration plans to support mission critical business operations and restore all business operations back to normalcy.
- Development of on-going maintenance and testing procedures for the contingency plan.
There is some disagreement as to software’s role in disaster planning. Business continuity software vendors tout solutions that reduce the recovery time for mission-critical applications to 30 minutes or less. But others point out that software is not a silver bullet that will provide organizations with a viable contingency plan.
“Organizations need to determine what their mission critical functions to be supported in a disaster are, what resources are required to support them during a disaster mode of operation and how long they can ‘survive’ until full restoration is required,” he said.
D&T’s Ross says in his experience software packages do not enter into the equation: “If a CIO wishes to have a plan generator or a plan repository, there are several products on the market, but they only deal with the documentation, not with the strategic approach to IT resilience that is called for in many instances today.”
This story was originally published on October 21, 2005, and is brought to you today as part of our Best of ECT News series.