Wednesday, September 14, 2005

Considerations for Disaster Recovery Planning

Disaster Recovery Planning is currently a leading topic of discussion for business IT administrators and owners, just as issues relating to business and technology operation and continuity have become a central point of discussion for many organizations. The wrong time to determine whether your company is adequately protected is after the disaster occurs. Unfortunately, the moment you need your plan most is also the moment you find out whether or not you have things well in hand.

Hurricanes, floods and tornadoes have taught many companies some hard lessons ranging from the inability to locate or communicate with employees to the entire loss of the business and surrounding community infrastructure. Certainly, the current situation is a reflection of the worst-case scenario, but it also points out some fundamentally important considerations that a company must incorporate when creating a technology plan for disaster recovery and business continuity.

EMPLOYEES ARE PEOPLE

One of the first things to remember in any disaster is that your employees are people. They have families, homes, lives outside the office, and responsibilities. They have fears and concerns. In short, they are human beings. This is a reality that is frequently overlooked in a disaster plan.
Much consideration may be given to handling business issues such as customer or vendor communications, technology and systems continuity, etc. But in the event of a disaster where lives are at stake, can the company expect personnel to overlook the personal impacts they face, all in the name of keeping the company going? Probably not, unless perhaps they are in health care, law enforcement, or the military. Even in those cases, caring for family and loved ones may take precedence over job responsibilities. Businesses need to make certain that there are SYSTEMS in place to assist with continuity and recovery, as personnel may be hard to come by.

YOUR BUILDING IS NOT AN ISLAND

Businesses rely on facilities.
Facilities are created from infrastructure.
Infrastructure, more often than not, is not in your control.
Telephone service, connectivity, electrical power, street access to the building, access to the surrounding areas - these are infrastructure elements that you have little control over, if any at all. The loss of infrastructure, however, impacts you significantly. It does not matter how much backup power you have if you have no physical access to the building. And telephone service frequently becomes valueless if the power is out.

Redundancy can come in many forms, but creating fully redundant facilities means being redundant with the infrastructure. Opening offices in multiple locations, distributing personnel and resources to various locations - these all come with potentially tremendous cost impacts to the business. There are, however, affordable technologies and services available today which can help mitigate the impact of the loss of a location or facility, and whenever possible these services should be incorporated into your daily processes to ensure portability and a smooth transition of systems should the worst occur.

DEGREES OF PROTECTION

Developing an IT recovery and continuity plan is similar in nature to purchasing various types of insurance. The level and cost of protection must be evaluated based on the benefit to be derived, and weighted by the risk. For example, low-cost flood insurance is probably not worth the investment where there is no water. Obviously, there is cost associated with different levels and types of protection, and different situations warrant different types and levels of coverage.

In terms of IT continuity and recovery, the most frequently-implemented form of "insurance" is redundancy or the duplication of a resource. Every business, however, has requirements that extend beyond a reasonable ability to fully duplicate. A small flower shop, for example, cannot reasonably afford to implement "alternative business locations" or a remote office in the event of the loss of the primary facility. With this reality in mind, the business must focus on addressing those conditions that are within its reasonable ability to control, as well as those that it can mitigate to some degree.

Infrastructure & Facilities
Business locations - building and access
Telecommunications - telephone and voice communication services; transmission lines
IP Connectivity - internet and IP network services
Electricity - electrical power
Utilities - water and sewer, natural gas

IT Assets
PBX and voice systems - telephone systems, handsets, voicemail systems
Network servers - file and print; applications, database, messaging, web, etc.
Network communications equipment - routers, switches, hubs, cabling systems
Power - UPS, battery backups, generators
Workstation equipment - desktops, laptops, peripherals
Software - operating system, applications, tools and utilities

Key Processes - information technology
System building; placement and installation
System and user account management and administration; patch management
Data management; backups and archives; version controls
Security administration - anti-virus, adware/spyware, intrusion detection and prevention

Key Processes - general business
Sales and billing functions
Receipts and banking functions
Payments and settlement functions
Accounting and reporting functions
Production and operational functions
Support and service functions, including employee, customer and vendor communications