Cyber Security Institute

Monday, September 11, 2006

Six sensible steps to keep disaster recovery real

Unless we’re living under skies of brimstone and hellfire, most companies shouldn’t have to replicate every piece of data to protect their business from the next cataclysmic event.  Nor should they necessarily have to cough up millions for a mirror site that traces every network transaction.  And let’s face it, unless you’re cyber-cynical, catastrophes are extremely rare.  Be that as it may, enterprises are increasingly being held accountable for their data and prudence points to being prepared.  They asked three experts what the most commonly overlooked elements are in today’s disaster recovery plans.

Ultimately IT is there to serve business, and disaster recovery planning should be no different.  Well, most IT shops still don’t get it, according to EMC Canada consultant Iain Anderson.  People are still making technology decisions, and not business decisions.

According to Paul Saxton, lead consultant in business resiliency at IBM Canada Ltd., recovery capabilities have to be matched to the business requirements.  “Understand that disaster recovery and business continuity are part of overall risk management,” he says.

“One of the challenges I see all the time is that business continuity and disaster recovery fall back to the responsibility of IT, and IT’s normal response is to throw technology at it,” says Anderson, client director at EMC Corp. of Canada.  Anderson says IT has a responsibility to understand how business workflow ties in to business applications, and how those applications in turn are supported by infrastructure.  “We tend not to spend enough time communicating out there with the business units and understanding what their business problems are,” he says.

As a type of insurance policy, it’s helpful to know what threats and vulnerabilities you’re likely to come up against.  Unless you’re in a tornado area, on a fault line or flood plain, you probably won’t be building a mirror site of your entire IT infrastructure.  But going through that vulnerability and risk assessment can be a heated debate, says George Kerns, president and CEO of Fusepoint Managed Services Inc.

The budget for a recovery plan is large compared to the operating budget, and if the chance of a disaster occurring isn’t high, how do you avoid spending too much?  “I think this has to come down to a rational conversation between the CIO and the CEO,” says Kerns.  He says most business units believe their IT systems can be back up within hours, while IT will estimate a couple of days and an actual assessment of the technology will reveal a further gap.

“This is a big area where more testing needs to be done, with a more rigorous, more integrated approach and a stronger level of governance around it,” he says.  And don’t test to pass; you have to test to fail, says Anderson.