Since 9/11 many companies associate vivid memories with the term disaster. In addition to the devastating loss of life and the ripple effect on the families of the fallen, many businesses ceased operations due to their inability to execute a disaster recovery plan.
Arguably, that day has sparked renewed interest in disaster planning for many businesses. Companies are preparing for the next disaster by contracting traditional consulting companies to assess their recovery needs and develop a disaster recovery plan. These plans typically include the technical and operational plans to restore business systems and processes at off-site facilities.
Disaster recovery planning is only one step of a bigger process.
Companies often stop after completing a disaster recovery plan without addressing the ways in which disaster recovery planning fits into an organization's larger risk management, security, emergency preparedness and IT contingency planning programs.
By focusing on disaster, companies are often blinded to the need to construct networks capable of providing system and site availability when something less than a disaster strikes. What happens when a major system outage occurs due to a failed server, corrupt database, worm outbreak or a downed Internet connection?
In many cases, the above gap exists because most disaster recovery initiatives do not include security and technology experts, and many of the security initiatives do not include disaster recovery or technology experts.
By not soliciting input from all three groups, an organization is incapable of creating a layered approach to system and site availability that encompasses threats ranging from a worm outbreak to a full-scale disaster such as the loss of a building.
Companies must unite their security architects, business continuity planners and technologists to create a comprehensive system and site availability plan.
Quick Steps to Creating a Systems and Site Availability Strategy
We all know IT systems are vulnerable to a variety of disruptions, ranging from mild to severe. Risk management should identify threats and vulnerabilities so that appropriate controls can be put into place to either prevent incidents from happening or to limit the effects of an incident. In addition, risk management should identify residual risks for which contingency plans must be put in place. The contingency plan, therefore, is very closely tied to the results of the risk assessment and its mitigation process.
Many of the threats and vulnerabilities discovered during the risk management process can be minimized or eliminated through technology. During this phase the Security and Technology Architects take the findings from the risk management process and create a technology mapping. The end result is a blueprint for implementing technology in a cohesive fashion to mitigate the threats and vulnerabilities discovered during the risk management process.
People and Process
Technology mapping, combined with proper processes and trained employees, completes the mitigation of risk defined by the risk management process. An example of this would be the development of a Cyber Incident Response Plan, which is a process meant to mitigate the risk of a cyber attack on an organization. This plan incorporates people and process in a seamless fashion to identify, mitigate and recover from malicious activity.
Lastly, contingency planning is needed since it is virtually impossible to completely eliminate all risks. Contingency planning is designed to mitigate the risk of system and service unavailability by focusing on effective and efficient recovery solutions.
Because risks can vary over time and new risks may replace old ones as a system evolves, the risk management process must be ongoing and dynamic. The person responsible for IT contingency planning must be aware of risks to the system and recognize whether the current contingency plan is able to address residual risks completely and effectively. The shifting risk spectrum necessitates ongoing contingency plan maintenance and testing, in addition to periodic reviews.
The above process is a high-level road map. Risk management and contingency planning are comprehensive undertakings with many subcomponents not mentioned in this article.
Marc Malizia is Chief Technology Officer for RKON Technologies.