|
Business Continuity Plan
When most companies hear “Information Technology (IT) disaster
recovery,” they think of data recovery and off-site data storage. And even while
most companies do not even have a sound data backup or off-site data storage,
having both is only the beginning of disaster recovery.
While it is critical to have a sound backup and off-site data
storage strategy, it takes a lot more to recover from a real disaster like
Hurricanes Katrina and Rita.
Recovering from a major disaster is like building a new company
from the ground up in an expectedly shorter period of time – short enough so
that the business still has a chance of keeping its customers. Detailing the
entire scope of a Business Continuity Plan would take up more time than we have,
so we are going to concentrate on the most vital aspects of major disaster
recovery as they relate to small- and medium-sized businesses.
A major disaster implies the destruction of all major
infrastructures of a business including but not limited to its IT
infrastructure.
According to Gartner Group, an industry consulting firm, two out of
five companies that experience a catastrophic event or prolonged outage end up
shutting down for good. And of those that do, one out of three goes out of
business within two years. That means a full 60 percent of all organizations
affected by a major disaster go out of business for various reasons, including
the cost of trying to resume operations and losing the goodwill of customers.
One of the most unfortunate realities is that most small- and
medium-sized businesses do not consider IT as a critical part of their business,
judging from how IT is being managed in most of them – always from a cost
standpoint. IT should really be viewed as a competitive advantage for any
business, specifically from a revenue standpoint. While IT in itself cannot
make the business, a well-run IT operation can and has delivered the difference
in any successful business operation.
The point here is to have a successful IT disaster recovery
strategy and involve IT planning from the very beginning of a business
operation, not as an afterthought. The real question one must ask is: what
would it cost the business if all IT-related operations ceased to exist one
day. The same is true with any IT design, operation and decision-making;
disaster recovery should be part of the life cycle of any sound IT operation.
IT disaster recovery certainly is not the entire Business Continuity Plan but,
without the IT aspect, most Business Continuity Plans would not be complete.
And increasingly speaking, for certain businesses, having a sound IT disaster
recovery plan alone may keep it running or at least provide enough operational
support to buy time for other aspects of the operation came back in line.
So what kind of disasters are we are talking about here?
Well, below is a list of the possible disasters published by
Agility, a disaster recovery firm. I have also added a few of my own. And as you
can see, not all of them are featured on the Weather Channel:
|
A/C Failure
Acid Leak
Asbestos
Bomb Threat
Bomb Blast
Brown Out
Burst Pipe
Cable Cut
Chemical Spill
Telco's CO Fire
Condensation
Construction
Coolant Leak
Cooling Tower Leak
Corrupted Data
Diesel Generator
Earthquake
Electrical Short
Epidemic
Evacuation
|
Explosion
Fire
Flood
Fraud
Frozen Pipes
Hacker
Hail Storm
Halon Discharge
Human Error
Humidity
Hurricane
HVAC Failure
Hardware Error
Ice Storm
Insects
Lightning
Logic Bomb
Lost Data
Low Voltage
Microwave Fade
Network Failure
|
PCB Contamination
Plane Crash
Power Outage
Power Spike
Power Surge
Programmer Error
Raw Sewage
Relocation Delay
Rodents
Roof Cave In
Sabotage
Shotgun Blast
Shredded Data
Sick building
Smoke Damage
Snow Storm
Software Error
Software Ransom
Sprinkler Discharge
Static Electricity
Strike Action
|
Sun Storm
Terrorism
Theft
Toilet Overflow
Tornado
Train Derailment
Transformer Fire
UPS Failure
Vandalism
Vehicle Crash
Virus
Water (Various)
Wind Storm
Volcano
|
So when do we begin to plan for any kind of disaster? Now and today
and every day! The Chinese have a saying: “If one does not have anything to
worry about today, one will have a lot to worry about tomorrow.”
Just think for a moment about what would happen if the office you
are in right now is no longer available tomorrow. Will you still be able to
operate your business the way you are today?
For most companies, the answer is a resounding, “No.” Then, the
next question is do you care? If the answer is, “Yes,” then read on.
Almost all companies need certain tools, data, communication means,
employees and facilities they need to function as an organization and carry out
their mission. Last but not least, a business requires a well-defined and
communicated emergency procedure that everyone within the organization fully
understands and is capable of carrying out.
Having backup data is not going to do the company much good if
there is not a server to restore it to and a place to store the server and an IT
engineer who knows how to restore the data and bring the server back in line.
Business Continuity Plan Key Elements
Matrix
|
Key Elements
|
Examples |
|
Facilities
|
Data center, call center,
work area, warehouse, office, etc. |
|
Communication Means
|
Phone lines, T1/PRI circuits,
DSL lines, satellite links, wireless Connections, including cell phone
connections, etc.
|
|
Tools
|
Computers of all kinds,
printers, copiers, laptops, fax machines, PBX, phones, etc.
|
|
Data & Information
|
Customer database, financial
database, payroll information, HR information, etc. |
|
People
|
People of all skill levels
that are needed to keep the organization functioning. People within the
organization know how to use the communication means available to reach
each other.
|
|
Procedures
|
A well-defined and
communicated procedure and playbook for the organization to follow in
the event of disaster.
|
Below, is the same Digital Information Protection Matrix we’ve
published with our white paper titled
Digital Information Security. It shows how certain levels of disaster
recovery plans are possible for an organization to recover from a major
disaster.
Digital Information Protection Matrix
|
|
Security
|
Backup |
Remark |
|
Digital |
ü |
û |
Firewall, Authentication,
Encryption & Ongoing Audit |
|
Physical |
ü |
û |
Human Resources Screening,
Physical Access Protection & Ongoing Audit |
|
Local (Hot)
|
û |
ü |
Local Hot Backup Resource For
Immediate Recovery |
|
Local (Worm)
|
û |
ü |
Local Worm Backup Resource
For Quick Recovery |
|
Local (Cold)
|
û |
ü |
Local Cold Backup Resource
For Recovery |
|
Remote (Hot)
|
û |
ü |
Remote Hot Backup Resource
For Immediate Recovery |
|
Remote (Worm)
|
û |
ü |
Remote Worm Backup Resource
For Quick Recovery |
|
Remote (Hot)
|
û |
ü |
Remote Cold Backup Resource
For Recovery |
|
Hard Copy (Local & Remote) |
û |
ü |
Local & Remote Hard Copy
Resource For Recovery |
In the Information Technology business, we must always be prepared
for the worst. And our Information Technology infrastructure, design and
procedures should reflect a similar value, while keeping in mind our day-to-day
needs, regulatory compliance, disaster recovery abilities and resources. There
is no perfect Business Continuity plan, nor is there perfect digital information
protection. But we should give ourselves the best chance we have of surviving
small- and large-scale disasters, manmade or natural.
The question is no longer whether it will happen but when it will
happen. And the answer is: when we’re least prepared.
Just ask the Federal Emergency Management Agency (FEMA). FEMA
predicted that three types of disasters would hit the United States: (1) A
terrorist attack in a major US city, (2) A Category 4 or 5 hurricane hitting New
Orleans, and (3) A major earthquake hitting California. FEMA even ran
simulations on some of the scenarios, including the hurricane in New Orleans.
So far, two of the scenarios have proven true, and we have all seen the same
results. We’ve all heard the reports of lives lost and properties destroyed.
But what is less visible and underreported is all of the digital information
lost during Hurricane Katrina.
Now, consider a major terrorist attack on the Internet or another
technical breakdown in the Internet infrastructure. This may be more likely to
occur at some point than other disasters.
So, are we ready?
By
Benson Yeung, Senior Partner
Back to Top 
Information Request Form
|
|
