
Running head: BUSINESS CONTINUITY AND DISASTER RECOVERY

Investigation of Business Continuity and Disaster Recovery

Prepared by Aaron Dacey and Christine Bertie
IT 486: Critical Issues in Information Technology
Central Washington University
Prepared for: Terry Linkletter
May 31, 2013

Table of Contents

Abstract
Introduction
Business Need for BC/DR Plans
BC/DR Investigation with Input from CWU Students and Research Sources
    Risk Assessment
    Cost Assessment and Scalability
    Company Involvement
Conclusions
References
Appendix A
    Business Process Example
Appendix B
    Points of Failure Assessment Example


Abstract

This paper explores businesses' need for Business Continuity and Disaster Recovery (BC/DR) plans. These two concepts work together to provide businesses with solutions in the event of a disaster or a significant interruption of the business's operations. Disasters vary in nature and size, and BC/DR plans should be scaled both to the size of the disaster and of the business and to the financial capability of the firm. Information Technology (IT) departments should seek input from all levels of the firm to ensure the success of the BC/DR plan. The risks of not having a plan are discussed and explored. Alternative methods and strategies for developing effective BC/DR plans, such as Business Impact Analyses (BIA), were examined. Input from CWU students in the Information Technology and Administrative Management program about BC/DR practices, benefits and best practices was sought and incorporated into the paper. Additional research articles were used to better understand BC/DR and how it is crucial to the long-term success of a business.

Keywords: business continuity, disaster recovery, BC/DR

Investigation of Business Continuity and Disaster Recovery

Introduction

In today's high-stakes business world, the need to plan for a business's future and survival is imperative. This planning is typically part of a Business Continuity (BC) and Disaster Recovery (DR) plan. Together, each part of the plan helps to ensure the continuation of business activities after a disaster. The SANS Institute defines and compares Business Continuity and Disaster Recovery as follows: "Business Continuity refers to the activities required to keep [an] organization running during a period of displacement or [interruption] of normal operations. Whereas, Disaster Recovery is the process of rebuilding [the] operation or infrastructure after the disaster has passed." (SANS). The BC/DR concept, therefore, actually consists of two distinctly different yet integral concepts that work together in order to ensure the survival of a business. Neither, by itself, is sufficient to mitigate a disaster. Failure to have a BC/DR plan can result in complete business failure.

Business Need for BC/DR Plans

Another important point to be aware of, and one that should be included in any BC/DR plan, is the varying degree to which disasters can occur. Keep in mind that, for the sake of a business, a disaster includes any event that renders the business unable to function, in part or in whole. These events range from human error resulting in the loss of data; to a power outage causing a complete loss of access to data, point of sale systems, and other imperative business functions; to natural disasters and terrorist attacks. The list is never ending, making the planning process quite extensive; unforeseen disasters may have needs not yet considered. According to industry analysts from IDC and Gartner, approximately 30 to 40 percent of all IT shops either do not have a disaster recovery plan in place or do not know how to use it (Preimesberger, 2011). Even if a plan is in place, it may not address crucial system needs. This suggests that no company is safe without having a plan and testing and updating it as needed.

With so many potential disasters waiting to happen, companies need to be sure they develop a BC/DR plan that addresses both business and client needs. Not only is a plan imperative, but it must be well thought out and carefully designed. To see proof of this, one only needs to look at the numbers reported by FEMA and the SBA. According to a report written by Corina Mullen of Chamber101.com: "Forty percent of businesses do not reopen after a disaster and another 25 percent fail within one year according to the Federal Emergency Management Agency (FEMA). Similar statistics from the United States Small Business Administration indicate that over 90 percent of businesses fail within two years after being struck by a disaster." (Mullen) These numbers should terrify any business owner, especially those without a plan. If a company does not have a well-defined BC/DR plan, the company is risking the welfare of the business, employees, vendors, stakeholders, and suppliers (Snedaker, 2007). So the question is, "Why do so many businesses fail to react to such an enormous threat?" To learn more, we asked students to help find out. Twenty Central Washington University students, all in the Information Technology and Administrative Management baccalaureate program, gave insight and helped steer our research.

BC/DR Investigation with Input from CWU Students and Research Sources

We asked CWU students what risks need to be addressed and how to address them. They pointed out that disasters come in all shapes and sizes. Also, disasters can happen at any point and are not restricted solely to natural catastrophes. They are correct: a disaster can be a large-scale event such as a category five hurricane like Hurricane Katrina, or a terrorist attack that takes out the world headquarters of multiple businesses, such as the attack on the World Trade Center in 2001. A disaster can also be a small, localized event such as a hacker attack, data theft,

or an accidental deletion of a project folder. It is important to understand that small, localized events can have just as dramatic an effect on a company as the big ones. The Huffington Post cites Cheri McGuire, vice president of global government affairs and cyber security policy at Symantec, as saying "One data breach can mean financial ruin for a small business" (Smith, 2011). In fact, the data breach orchestrated against Sony's PlayStation Network in 2011 cost the company a reported $171 million, as reported by Colin Moriarty of IGN (Moriarty, 2012). While security breaches may belong more properly to a discussion of network security, the problem is very relevant to business continuation. This sort of issue needs to be addressed in any BC/DR plan, as the CWU students surmised. The CWU students are correct: while Sony is a large company, any smaller business dealt the blow Sony was dealt would most assuredly suffer a worse fate than just a write-off. Had Sony included a contingency plan for this type of disaster, they likely would have felt less of the financial loss and of the undetermined amount of damage to their name. While the discussion of hacker attacks or data theft may be better left to network security, the effects of such attacks have the ability to wipe out businesses, making them an important addition to the BC/DR plan.

Risk Assessment

It seems apparent that the task of determining risk can be an insurmountable obstacle. CWU students helped us find where to begin. They identified that, in order to develop an effective BC/DR plan, the company needs to perform a Business Impact Analysis (BIA). An effective BIA is a tool that assesses risks and identifies critical services, functions, and personnel. As referenced in the appendices, an effective BIA requires assessment of critical points of failure and analysis of key business processes (Sikdar, 2011). IT should list the hidden benefits of performing a BIA when developing a BC/DR plan to promote buy-in from upper management. Examples of these hidden benefits were discussed in Sikdar (2011) and include:

• Identification of obsolete technology
• Communication of the plan to all employees
• The company being better able to recover
• Being able to assess where the company might fail
• Being aware of how vendors or suppliers might fail
• Having a better awareness of how customer needs might change during a disaster
• Knowledge of where business processes need to improve
• Establishment of record retention periods

However, creation of a BC/DR plan can be a costly process. As already described, simply identifying risks can be extremely time consuming and hence expensive. Providing the technology required to safeguard the company can be equally prohibitive. While BC/DR is crucial to a company's continuance, IT is under constant pressure to justify costs. Forrester Research has reported that BC/DR is typically only 6% of a company's budget. Given the risks involved in not having an adequate BC/DR plan (company failure, inability to regain company growth rates, bankruptcy), the cost of not having a plan far outweighs the expenditures involved.

Cost Assessment and Scalability

Even with a low cost of only six percent of the budget, many companies feel it is too much. That six percent can quite simply eat up profits and make the business less lucrative. However, a less lucrative business is better than no business at all. Since the bottom line is so important, companies that feel they cannot afford the expenditure need to be aware that the initial costs of creating and implementing the plan will be higher than the ongoing costs. This one-time sticker shock is unavoidable, but very scalable. When companies state that they cannot afford a BC/DR plan, the IT department needs to present a cohesive argument that supports creating a plan that will fit the company's budget. Scalability is the key. Many key points of the plan can include economical solutions that do not necessarily require a budgetary battle. In fact, making a plan scalable was the number one solution to combating cost offered by the CWU pool of students. With scalability in mind, companies will need to consider and answer two critical questions: first, what is required for the company to function, and second, what preventative measures can the company take?

As stated earlier, failure rates of companies after disasters are frightening. Paul Kirvan (2006) takes this frightening statistic even further; he suggests that as many as 90% of companies without a plan will be closed within 2 years of a disaster, and that companies that experience a computer outage lasting more than 10 days will never recover financially or will become bankrupt. This scenario makes BC/DR look much more appealing as an insurance policy. If IT can sell the plan as such, they should. The IT department should point out the detrimental cost of not having a BC/DR plan while remaining conscious of the cost controls within its power and aware of the cost concerns that interest management the most. This is in fact where scalability comes into play.

While CWU students identified network and data backups as the primary concern for a BC/DR plan, they also identified them as one of the most scalable. Backups can be a very expensive undertaking, requiring hardware, media, personnel, and even third-party vendors to provide proper and redundant backups. A prime solution for backups would include onsite tape backups, with archived backups stored offsite, and would involve a third party that also creates a backup that can


BUSINESS CONTINUITY AND DISASTER RECOVERY

9

be utilized in the event of a major disaster. While the backup alone will insure against lost data, off-premises backups ensure the data will always be retrievable. This can be costly. To address the cost, CWU students repeatedly referred to "the cloud" as a solution. In fact, with the evolution of the internet to the cloud, backup solutions may indeed have become more cost effective. Companies like Barracuda are fighting a bidding war to get businesses to use them. Their solution provides a plug-and-play local backup which is incorporated into a cloud backup that can be restored to local and remote servers quickly (Barracuda Networks). Their solution, which can be merely a local backup or one implemented at a hot or cold site, is a perfect example of a scalable solution. The business can pay for just the local backup, or it can be more secure with the ability to restore from the cloud. To take it further, at presumably higher cost, the business can also choose to have offsite restorations available. The point behind scalability is that it allows a company to spend what it can afford to accommodate what it expects its risks could be. While the prime option is preferable, the simple onsite solution is best when faced with the cost associated with protecting future business.

With cost being such a huge concern and scalability being the presumed answer, backups are not the only part of a plan that is scalable. Alternative sites for the business to continue at were also a leading concern amongst CWU students. The ability to continue at a new site should a business location become unusable must be fully addressed in a BC/DR plan. With this in mind, businesses have several options, whether it is an office in the garage of the CEO or a fully functional site (hot site) ready to take over operations in the event of a major disaster, as AT&T has done. While AT&T chooses to and can afford a fully functional hot site, many businesses cannot. The use of hot or cold sites is another perfect example of a necessity that does not need to break the bank. As mentioned, a location in the CEO's, or any manager's, home would be quite


BUSINESS CONTINUITY AND DISASTER RECOVERY

10

suitable, though perhaps not preferable, in the event of an emergency. But the site needs to be planned and prepared; this is the purpose of the BC/DR plan. It is easy to set up a few computers and have data accessible to them if the forethought is taken to make that happen. If this is merely an afterthought, it will likely not be successful. Furthermore, if the planning strategy does not encompass the entire company, the chance of the BC/DR plan failing will be high.

Company Involvement

The IT department is not the only department that matters when it comes to BC/DR. The entire business needs to be aware and involved. Successful planning strategies have involved incorporating BC/DR plans into every part of the company's business objectives. If input is continually sought from all levels of the company and included at every planning stage, it is much more likely that employees will have a better idea of how the BC/DR plan works and that the plan will be continually updated. This reduces risk to the company by producing a plan that keeps the company's infrastructure up to date and better able to recover during a disaster. Companies (especially small ones) that may not have the upfront money to implement an extensive BC/DR plan can use simple guidelines to create a plan that will allow them to continue business in the event of a disaster or even human error. Other key considerations are having a good understanding of how suppliers or vendors who fail, or logistical problems, could adversely affect the business. Guidelines for these types of businesses will include the proactive creation of documentation of what the key systems are, creation of organizational charts that clearly identify key personnel and their duties, clearly defined data backup and retrieval plans, images or snapshots of critical systems, the ability to mirror or replicate servers at new locations or in the cloud, and will always include an action plan to test the plan on an annual basis at minimum.

Conclusions

In order to have a good understanding of how BC/DR plans benefit a business and the community, it is necessary to understand how BC and DR work together and to analyze prior plans, disasters, and solutions. BC/DR is a critical component of a company's future. Research that combines knowledge of existing problems, such as Hurricane Katrina or Japan's failed nuclear reactor, with advances in technology (the cloud) will help companies improve their BC/DR capabilities. Companies need to assess their needs for BC/DR and be aware of the risks involved in not having an adequate BC/DR plan. As companies assess their BC/DR plans, perform BIAs, and continually update and communicate their procedures, the likelihood of the company being able to continue in spite of a disaster is dramatically increased.


References

Arduini, F., & Morabito, V. (2010). Business continuity and the banking industry. Communications of the ACM, 53(3), 121-125.

Barbee, T. (2011). Disaster recovery on a budget. CIO, 24(10), 48.

Barracuda Networks. (2013). Don't let data loss get you down. Retrieved from https://www.barracuda.com/products/backupservice?&a=google-na_BackupServiceGeneral_CloudBackup&kw=cloud%20backups&gclid=CLqkpOyRuLcCFYU5QgoddRwAFQ

Base salary plus incentive pay for disaster recovery administrators. (2011). Computer Economics Report, 24(6), 20.

CIO. Business continuity and disaster recovery planning definition and solution. Retrieved from http://www.cio.com/article/40287/Business_Continuity_and_Disaster_Recovery_Planning_Definition_and_Solutions

Disaster recovery outsourcing recovers from fall. (2013). Computer Economics Report, 35(2), 18.

Ganapati, N. (2013). Downsides of social capital for women during disaster recovery: Toward a more critical approach. Administration & Society, 45(1), 72-96. doi:10.1177/0095399712471491

Gold, S. (2011). IT disaster recovery: Lessons learned from surviving a data center fire. Firsthand recounting of a facilities manager discussing an IT data center disaster at a large university. SJG Consultants. Retrieved from http://www.youtube.com/watch?v=FxAavD5R8rE

Introduction to Business Continuity. (2002). SANS Institute. Retrieved from http://www.sans.org/reading_room/whitepapers/recovery/introduction-businesscontinuity-planning_559

Kirvan, P. (2006). New ways to justify BCP to management. Prevalent LLC. Retrieved from http://www.slidefinder.net/p/prevalent_justify_bcp_mgmt_9_12_06/prevalent_justify_bcp_mgmt_91206/1083115

Leatherby, D. (2007). IT disaster recovery and business continuity tool-kit: Planning for the next disaster. NASCIO Publications. Retrieved from http://www.nascio.org/publications/documents/nascio-drtoolkit.pdf

Mearian, L. (2012). Disaster recovery gets new urgency. Computerworld, 46(13), 6.

Moriarty, C. (2012). One year later: Reflecting on the great PSN outage. IGN. Retrieved from http://www.ign.com/articles/2012/04/21/one-year-later-reflecting-on-the-greatpsn-outage

Mullen, C. (2013). Business planning for disaster survival. Chamber101.com. Retrieved from http://www.chamber101.com/2programs_committee/natural_disasters/disasterpreparedness/Forty.htm

Overby, S. (2011). Disaster recovery goes virtual. CIO, 25(3), 22.

Pratt, M. K. (2013). Disaster recovery: Don't forget mobile. Computerworld, 47(1), 28-29.

Preimesberger, C. (2011). Why disaster recovery isn't optional anymore. eWeek, 28(12), 12.

Rinehardt, C. (2010). Business continuity: Mitigating and responding to ensure continuous customer support. Transfusion, 50(7), 1604-1607. doi:10.1111/j.1537-2995.2010.02736.x

Scheier, R. L. (2012). Disaster recovery on double duty. Computerworld, 46(6), 20-26.

Service benefits drive growth in disaster recovery outsourcing. (2011). Computer Economics Report, 24(2), 9-19.

Sikdar, P. (2011). Alternate approaches to business impact analysis. Information Security Journal: A Global Perspective, 20, 128-134.

Smith, G. (2011). Small businesses a growing target for hackers. The Huffington Post. Retrieved from http://www.huffingtonpost.com/2011/10/24/small-businesshackers_n_1028781.html

Snedaker, S. (2007). Business continuity and disaster recovery for IT professionals. Burlington, MA: Syngress.

Technical Response Planning. (2011). Prepare for the unexpected: AT&T business continuity & disaster recovery. Retrieved from http://www.emergency-responseplanning.com/news/bid/38839/Video-AT-T-Business-Continuity-Disaster-Recovery

Wai, L., & Wongsurawat, W. (2013). Crisis management: Western Digital's 46-day recovery from the 2011 flood disaster in Thailand. Strategy & Leadership, 41(1), 34-38. doi:10.1108/10878571311290061


Appendix A

Business Process Example

Table 1, from Sikdar's (2011) discussion of alternate methods of BIA, is a sample business process model. It shows a possible format in which business processes may be listed, their criticality levels determined, and possible recovery strategies suggested.

TABLE 1
Possible Format for Business Processes

Business process    Criticality level    Recovery time objective    Possible strategy
Ex. Investments     Level 1              2 hrs                      Data replication
Underwriting        Level 2              24–30 hrs                  Data shadowing

Appendix B

Points of Failure Assessment Example

Sikdar's (2011) Table 2 lists internal and external single points of failure so that management may commit to rectification or remedial measures for them. The row-by-row pairing of business units with their points of failure was not preserved in the extracted copy; the three columns are reproduced here as listed.

TABLE 2
Points of Failure

Business units: Printing of policies for customers; Underwriting department; Research analyst; Legal documents

Internal single points of failure: Single point of concentration; Single person in charge; Stored hard copies at one place

External single point of failure: Vendor X (monopoly vendor)