Tag Archives: DRP

How Much Does Disaster Recovery Cost?


To view this article in its original location, please click here.

Good disaster recovery may be what saves an enterprise from extinction. But disaster recovery planning and preparation has a cost in terms of time, effort and money. Senior management knows that a company will need to make an investment in order to build the robustness to survive an IT catastrophe. Now it wants to know how much that investment will be; not just to understand impacts on profitability, but also to be able to plan it appropriately to gain optimal protection with expenditure that can be controlled or phased over time.

There are two main ways to set about budgeting for a given expense. The first is use the last set of budget calculations and then factor in changes such as new or discontinued items and inflation. The second is to do the complete budget from the ground up (zero-based budgeting). Each method has its pros and cons. Whichever solution you choose, a good way to start is often to map out the major expenses including IT systems maintenance, specific DR items such as cloud storage or purpose-designed recovery solutions, utilities/power, and staff salaries. Additional expenses might then be rent, travel and third party assistance. Industry benchmarks where available can help to judge the realism of a budget, as can information about industry DR trends.

Next comes the question of who will pay for disaster recovery. The company as a whole pays for its own DR of course. However, the cost may be divided up among different departments according to their current use of IT resources and their DR needs (not everybody needs split-second data recovery). If your company is already running its IT department as a profit centre by billing groups according to usage, it may well make sense to finance DR in the same way. However, it is also important to maintain an overall perspective on DR expenditure to make sure that opportunities to leverage DR over several groups can be taken, thus lowering total costs and individual departmental contributions.

Where are the Likely Holes in Your Disaster Recovery Planning?


To view this article in its original location, please click here.

No disaster recovery plan is perfect. However, there is a big difference between knowing about and managing limitations; and being caught wrong-footed by a problem you never thought about. Some items seem to consistently make the ‘hit parade’ of omissions and absences in DR plans. Before spilling the beans, here’s a hint to help you guess what they might be. They each involve a lack of vision beyond the limited point of view of IT servers and applications in a data centre.

  • Getting the workforce back to work. Disaster recovery applies to IT systems in particular. But people need to know they can get back to work again after an IT outage has been resolved. Workers don’t always automatically resume operations. So make sure your disaster recovery also triggers productivity recovery by telling people it’s time to start work again.
  • Recovery for remote locations. The corporate IT centre may be vital to survival, but that’s no reason to forget about branch offices or distant sites. Your organisation may have a policy that separate business entities should look after their own resources. Make sure this does not lead to blinkered thinking or silo management. As a minimum, check that a workable solution has been defined and prepared for all parts of the business.
  • Supply chain end-to-end operations. High performance supply chain operations are finely balanced with many moving parts. If one part such as a particular software application fails, it can throw other parts out of kilter too. Damage may extend beyond a local IT outage and need thorough checking and subsequent ‘knock-on’ problem resolution in other parts of the supply chain.

To guard against such shortcomings, remember to start your planning process by clearly understanding the business objectives for your organisation. Check that your disaster recovery plan covers all entities making critical contributions to reaching those objectives and all inter-dependencies between those entities. If you find gaps, revise your plan until you have filled them.

Have You Completely Understood Your Data Recovery Needs?


To view this article in its original location, please click here.

The whole is greater than the sum of the parts. Although you may have planned for individual components of data recovery after an incident, the overall impact must also be assessed. An example is the need to recover operations that have been successfully transferred to a disaster recovery backup site, in order to have them running once again on the primary site. In some cases, this final step can be even more complicated than the initial move out to the secondary site. Or you may have forgotten to include computing systems that live outside the perimeter of ‘official’ enterprise backup. A combined top-down and bottom-up approach can help to cover all the bases.

The top-down part of your understanding is driven by knowledge of the organisation’s overall objectives and critical sub-objectives. When you know which the mission-critical activities are, you can establish which data must be safeguarded and recoverable at all times for those activities. You can map out the systems they run on, the people who use those systems and the ‘go-to’ person for the security of any given system. With this portfolio of goals and systems in mind, you will be able to define any necessary priorities and take precautions to make sure that data recovery is done as fast as possible, but without overwhelming any individual application.

The bottom-up part requires observation of what is in fact being used by different employees or departments. Bring Your Own Device (BYOD) computing may mean data being stored on mobile computing devices that have not yet been included in systematic data safeguards. Strategically important spreadsheets may be held on local systems that are isolated from your data centre servers. All these devices need a suitable path defined back upwards to bring them into the data recovery plan. When you can track every top-level goal down to its constituent systems and data, and every IT resource back up to a business activity and objective, your understanding of your data recovery needs will be measurably improved.

Building Reality into Your Disaster Recovery Plan


To view this article in its original location, please click here.

Do you have a written disaster recovery plan for your organisation? Putting disaster recovery procedures on paper or into a file to read on your computer or smartphone is a key part of good disaster recovery planning. But just by itself, it’s not a guarantee of DR success. For one thing, the outside world moves on whereas your plan does not (unless you make the effort to revise it). But adjusting for the reality of a changing environment is just one way that your disaster recovery plan needs to be kept real.

Ensure that your disaster recovery plan makes sense for your enterprise. Your plan must bring operations back to normal as quickly as required and in the correct order of priority. That means correctly identifying the core business of your enterprise. This may not be as easy as you think. In many organisations, even senior managers are unable to state clearly or consistently what the organisation’s objectives are. But if you’re in charge of disaster recovery planning, you must know. And if you don’t know, you must find out.

Make sure too that other people understand and can act on your disaster recovery plan. An untrained person (untrained in disaster recovery planning) must be able to use your plan to successfully manage disaster recovery, if you are not there. As a first test, try re-reading your own DR plan a week or so after you wrote it to see if you still understand it. Get an untrained person to read it. Consider blank looks and knitted eyebrows to be signs that you could improve the clarity and applicability of your plan! Likewise, in your regular testing of your disaster recovery plan, find different people to apply the plan to check that you’re continuing to write it in a way that makes sense to all.

Where Should Business Continuity Management Live?

Where in your company orgchart should you put BCM? The quick answer is ‘in the business continuity department’. However, unlike marketing, sales, production and so on, business continuity doesn’t always benefit from being a department in its own right. You could tackle the question by putting business continuity management in the department where it first started. You could put it in an area that reflects the way that BCM has grown from a technology-centric consideration to an enterprise-wide concern. You could even make it a direct responsibility of your organisation’s CEO or at least a C-level function like the CFO, CIO and so on. But which of these possibilities makes the most sense?

Business continuity management started some time ago in the IT department. Disaster recovery management that was initially centred on the data centre gave rise to new ideas. These were not just about reacting to disasters, but also preventing them from happening in the first place. The scope of continuity grew as well as organisations came to realise that interruptions could potentially happen anywhere, and not just in IT. As a result, some CIOs have seen how board-level interest in BCM has risen and have been pushing for BCM to remain within the IT remit.

In other cases, BCM has been integrated into the risk management function of the organisation. The advantage is to broaden the application of BCM to make sure that the whole enterprise benefits. However the greatest visibility for this essential function may come from having a CBCO (Chief Business Continuity Officer) at a peer level to the CIO. How many organisations are willing to take this step remains to be seen. What they should avoid however is simply positioning BCM as ‘everyone’s responsibility’ without a clearly designated manager or director to coordinate and drive BCM across the business. So choose the home for BCM that makes most sense for your situation – and is therefore not homeless.

What the World Needs Now is… More Good-Quality Cyber-Security Training


To view this article in its original location, please click here.

Love, sweet love, is a great idea for the world. Hal David and Burt Bacharach made a great song out of suggesting that we could use more of it. However, there also are a few more things that could be added to the list. One of them is cyber-security training. A recent study by Unisys indicates that almost 70 percent of critical infrastructure providers had at least one significant security breach within the preceding year. In a ‘cause and effect’ follow-on, the same study showed that employees lacked training cyber-security. In fact, only about one in 16 organisations (6 percent) did anything about it. So what’s the problem – complacency or lack of solutions?

Many enterprises are coming to the conclusion that security breaches will happen at some time. They realise that a zero-breach objective may be unrealistic. However, their best hopes lie in pushing such breaches out as far as possible, and in limiting their potential for damage. Complacency is not the problem: it’s fatalism. The Unisys report reveals that 78 percent of people responsible for security thought a successful attack on their industrial control and supervisory systems (ICS and SCADA) was likely within the next two years.

While security vulnerabilities will continue in vendors’ products, organisations can still do a lot to improve their situation by correctly educating their workforce. This includes training specialist IT staff to maintain applications and network software at latest vendor release level. It also means inculcating good information security practices in staff in general. The basics of proper password management, and strict ‘need to know’ and employee identification policies can go a long way to help protect both a business and its personnel. It takes time, effort and patience for all concerned. But in the end, tough love like this is what it takes to keep enterprises healthy and wealthy. So in that sense, Hal and Burt’s song still has a message for organisations today too.

5 Things that Can Go Wrong with a Disaster Recovery Plan


To view this article in its original location, please click here.

The biggest problem with a disaster recovery plan is when there isn’t one. If nothing has been prepared, planned or backed-up, then that’s what you can expect to salvage in the case of a serious incident – nothing. But even when the plan exists, too many organisations leave gaping holes. If you’re starting in a new position as disaster recovery manager, you have the advantage of bringing a fresh pair of eyes and seeing things that your colleagues have missed or dismissed as unimportant. Here’s a checklist to help you spot what might need to be fixed, and underlying causes of the problems.

  1. The disaster recovery plan is non-existent. If there is no plan, it’s possible that senior management is unaware or doesn’t care. You’ll have to use your DR management expertise to convince all concerned that DR planning is both vital and positive for the company.
  2. It’s incomplete. Disaster recovery goes beyond daily data backups. Backup sites for high priority operations like sales, home-working and communication plans for employees, and appropriate insurance policies are all part of the deal too.
  3. It’s too long. Often DR plans become bloated because the focus is on trying to provide a solution for every possible cause, instead of focusing on possible outcomes and what to do about them. You need to know what to do if your application servers are out, rather than how to react if a meteorite strikes your systems room.
  4. It hasn’t been tested. That means more than meeting-room ‘thought experiments’. You have to try restoring an entire server with all its applications and data and check it all really works, for instance. And you have to test regularly thereafter too.
  5. No backup for the DR plan actors. If key members of your organisation become unavailable in a disaster, your plan must define the backup contacts who will act in their place. Otherwise your recovery will stall for lack of decisive action.

You may discover other shortcomings too. Remember – it’s often the thing you didn’t check that breaks down on you just when you need it!