The State of the BCP and Network Disaster Recovery Industry: Where Are We and Why?
The events of September 11, 2001 resulted in Chief Information Officers
(CIOs) scrambling to implement business continuity and disaster recovery
planning. Such business continuity investments appear to have been
only a spike after that dreadful date. Unfortunately, business continuity
has continued to slide downward on the priority scale when CIOs and
senior management are forced to make tough business choices in today's
instant-on, ever-changing business environment. Gartner analyst Roberta
Witty estimated as late as July 2003 that even after the terrorist attacks on
the United States, less than 25% of large enterprises had comprehensive
business continuity plans [1].
We all know that disasters can result in large monetary losses, legal
ramifications, loss of customer confidence, and, in some extreme cases, the
end of the company's existence. Organizations therefore need to have plans to
recover their assets, which include people, facilities, business applications,
processes, and IT systems, so they’ll be able to return to normal business
operations as soon as possible. This requires sensible business continuity and
disaster recovery plans, and sensible management that takes the contingency
plans seriously. Disasters requiring these types of plans can be caused
by natural events such as floods, fires, and earthquakes, or by systems-related
causes, such as network problems and power or telecommunications
failures. Human and malicious causes, such as hackers, viruses, terrorism,
disaffected employees, and theft, also require planning and
preventative measures.
Historically, BCP has resided in the Information Technology (IT)
department of most organizations. For this reason, most companies have
some disaster recovery alternatives in place for their IT systems. The most
common disaster recovery alternative used is offsite data storage, in which
data is backed up on a regular basis onto a tape or disk and kept at a remote
location. Although several other technology alternatives for IT recovery are
available, such as hot and cold sites, electronic vaulting, shadowing, mirroring,
and disk-to-disk remote copy, all of which we will discuss later in this
book, they are not used by as many corporations as you might think. In this
tough economic environment, it is very tempting to cut resources for BCP.
Many enterprises mistakenly view BCP as an insurance policy for which
they will likely never have to place a claim.
However, we all know that disasters can happen at any time and any
place, and it is recommended that CIOs make contingency planning a high
priority in their organizations. CIOs should implement business continuity
plans, get buy-in from executive-level management, and require business
and IT managers to work together on the contingency planning process.
They should look into implementing limited business continuity plans. In
fact, although contingency planning is important for any business, it may
not be practical for any but the largest organizations to maintain fully
functioning plans in the event of a disaster. With the cooperation of executive
management, CIOs should allocate budget and time for contingency planning.
Until the early 1970s, most companies had no serious form of contingency
or continuity planning at all. Major disasters were rare, and
companies relied on insurance to protect them against asset losses. Business
complacency was shattered, however, by the OPEC oil embargo. This event
showed U.S. corporations they were vulnerable to external events beyond
their control. In addition, dealing with the rest of the world suddenly
became riskier with the emergence of terrorism and global cultural conflict.
At the same time, and closer to home, the U.S. financial sector realized they
were becoming more and more dependent upon new computer technology
and recognized the catastrophic impact that nonavailability might have on a
financial institution's ability to function. The regulators put considerable
pressure on the financial sector to develop contingency plans to protect
clients’ funds. The computer industry saw this as an opportunity to sell more
equipment. If the loss of a data center could put survival of the business at
risk, then surely it would be a good idea to duplicate it in a location that
could not be affected by the same disaster. Disaster recovery developed to
encompass the replacement of facilities and property lost due to fire, flood,
earthquake, or other disasters.
The emergence of business continuity planning was not about computer
disaster recovery. It was about a new way of managing a business, viewing
the continuation of business functionality in all circumstances as a key
responsibility. Recovery of computer systems was simply part of the technical
implementation of the overall business strategy. In general, disaster and
emergency plans are written on the basis of recovery after an event. Business
continuity is a process of anticipating that things are beginning to go wrong
and taking planned and rehearsed steps to protect the business and shareholder
interests. It is about coordinating and integrating all the planning
processes across all departments, and presenting a confident image to the
outside world. Business continuity planning has progressively developed to
a point where today it takes a holistic view of an organization. Examination
of the causes of most major disasters has found that several
incidents or circumstances, when combined, led to the eventual
disaster.
Business continuity planning is about prevention, not cure. It is about
being able to deal with incidents when they occur and taking actions that
mitigate loss (or greater loss) during such events. This process calls for the
identification of potential incidents that would affect the mission-critical
functions and processes of an organization. Assumptions are commonly
made about which areas an organization is totally dependent upon, but if
the test of mission criticality is applied to these areas, they may be found to
be of lesser importance than other areas that had been overlooked. Until
the critical areas have been identified, work cannot begin to establish the
degree of impact on an organization if such areas are lost or disrupted.
Should the level of impact be severe, an assessment must be made regarding
the risk of an occurrence that would cause the loss of the critical function
or area.
Business continuity planning requires that effective plans be established
to ensure an organization can respond to any incident. But the process does
not stop at the planning stage. Plans are worthless unless they are rehearsed.
The rehearsal of plans is essential. No plan ever created will work
correctly the first time; rehearsing ensures that disconnections and omissions
are fixed before the plan is used in real circumstances. The management
of business continuity planning is a continuum; plans must be kept
up-to-date as the organization changes. External environments and influences
are constantly in a state of flux, so the process, to be valid, must continue
throughout the life of the organization. Throughout this book, we
will show you how this process works and explain what is required to create
an effective plan for your organization. First, however, we need to cover
some fundamental concepts to ensure a solid foundation of security understanding
before we cover the elements of security necessary to adequately
protect business environments.
For those among us who are tasked with managing business, and for the
ever-shrinking number of information technology (IT) professionals who
are not directly involved in the daily struggles of coping with cybersecurity
issues, one might be tempted to ask “What is the big deal about cybersecurity,
really?”
How does it affect our company infrastructure?
How does it affect users in our organization?
Is it something our management team should worry about?