Security Technology Executive

NOV-DEC 2013

Issue link: https://securitytechnologyexecutive.epubxp.com/i/229956


BUSINESS CONTINUITY

By Nick Chandler, Burwood Group

If disaster strikes, how quickly can you recover?

The longer an organization takes to recover, the more costly it becomes

If a hurricane, fire, earthquake or even a high-impact human error were to render your business facilities unusable, how long could your organization operate without mission-critical IT systems? How long would it take you to restore operations — and to what extent could you repair the damage short- and long-term?

In the face of a natural or man-made disaster, companies can be crippled for days, weeks or even months, and many risk a permanent loss impacting customers, revenues and reputation. Given the extent to which most companies today are dependent on computerized business processes, a disaster-recovery plan is a necessity. The longer it takes to restore systems and data, the more difficult it will be to recover from the disruption.

Creating a disaster-recovery plan involves prioritizing current systems, pinpointing mission-critical applications and data, and establishing the most cost-effective backup and recovery strategies. Since implementation of the plan may involve significant capital investment in IT infrastructure, fully realizing a disaster-recovery plan may require several years of phased implementation.

Following are a series of questions that your disaster-recovery plan should answer:

• What are your business needs related to disaster recovery?
• Where are the gaps?
• How can you close the gaps?
• How long will it take to close the gaps?
• What are your disaster-recovery business needs?

Disaster-recovery planning should begin with a review of possible threats and impacts to your organization's processes and systems. Health care and higher education organizations, for example, may use hundreds of applications in many different departments — and near-constant uptime is more critical for some than for others.

Prioritization is essential, because establishing immediate recovery for every single system will require more investment than would be feasible for most organizations. The best way to separate mission-critical from "nice-to-have" applications is to interview end users, application owners and other stakeholders, and to quantify the business impact of potential system disruptions. What will impact human health and life safety? What scenarios might arise if an application or data set becomes unavailable? How long can a service be unavailable without causing irreparable harm? What is the true cost of system downtime?

Quantifying the business impact will enable the planning team to objectively separate the mission-critical from secondary systems. This "business impact analysis" (BIA) can be used to establish the "recovery point objective" (RPO) for data and a "recovery time objective" (RTO) for each critical system.
