There are a range of imperatives in our lives. We do some things because we have to, as laws and regulations require us to take certain actions. There are things we really ought to do for purposes of prudence, like buying life insurance or checking tires. There are things we should do for good practice, like taking out the garbage or changing the oil. Creating an effective
In the United States, information controls for business continuity are generally not written into law. In those cases where there are legal and regulatory requirements, they are organized by industry verticals. These are lightly stated for pharmaceuticals (21 CFR 11), more explicitly for health care (HIPAA compliance) and in significant detail for banking (FFIEC compliance).
All of these controls deal with information. The requirements for protecting data files from disastrous destruction are clear. To a lesser extent, the continuity of a business is included, at least by reference. Managing crises beyond impact to the business is not addressed, except implicitly through the other concerns. Emergency response, the actions taken to protect people and property, are the domain of other laws such as the Occupational Safety and Health Act, or OSHA. So much for the gottas. In affected industry verticals, requirements receive a lot of attention and result in larger staffs with larger budgets than in other industries. The rest of U.S. industry does what it can with the oughtas and shoulds.
In dealing with executives from industries without specific recoverability laws, I often hear, "We're not a bank. We can't afford all this fancy disaster recovery stuff." True enough: Without the goad of the gottas, manufacturers, retailers, distributors or publishers do not have a specific list of disaster recovery requirements. But they do have one overarching one: Organizations owe it to their shareholders to stay in business and, while in business, to exercise such due diligence that they can continue indefinitely. To achieve this end, executives need to explicitly accept a certain level of risk and provide protective measures to eliminate or mitigate the effects of the rest. They are not required to live by the gottas; they operate somewhere between the oughtas and the shoulds.
What, then, are the minimum actions an organization should take to ensure that it can withstand a major disruption to its business operations? There are boundaries to the question -- very small organizations, the proverbial "Mom and Pop stores," need to do less. Massive companies in nonregulated industries do more because their risks are greater, approaching those of a financial institution. Even Mom and Pop need insurance on their business to limit the effects of catastrophes. The majority of businesses need to do merely the minimum for business continuity that is consistent with their risks and their budgets.
A culture of business continuity
All businesses should make arrangements to continue their operations under adverse circumstances. Where feasible, they should not concentrate business functions in one location. They should avoid dependence on key personnel, which is often a difficult problem in organizations where a small cadre of executives is effectively irreplaceable. More than anything, these businesses should think about business continuity. What can they withstand? What they are willing to invest to blunt the worst of improbable disruptions? What will they do if the worst happens, anyway?
Those familiar with detailed disaster recovery plans might make light of informal, generalized preparations for response in the face of disasters or other sources of disruption. A culture of business continuity may well be more effective in the throes of an actual disruption than a richly detailed set of procedures that are ignored when printed and forgotten when needed. Many companies have a culture of business continuity. Broadway show staffs know that "the show must go on" and always have understudies and cast members who know all the parts. This ethos applies to other industries as well. The terms may differ: the show does not go on, but the customer is always served. Production lines must roll. The shipment has to get there.
There are numerous examples of companies with disaster recovery plans that have rallied in the face of disasters and not only survived, but also thrived. They had embedded a sense of loyalty and ingenuity into their workforces that were the basis for their recovery. And every one of them that I have met has said that they wanted to have a formal disaster recovery plan before the next disruption, in case the right people were not there the next time.
IT disaster recovery
Any organization with enough information to need computer systems to manage it also has sufficient reason to protect it all. Access controls are a basic requirement, at least sufficient to keep outsiders out of sensitive data. For disaster recovery purposes, equally fundamental are steps to back up data files and then to store them somewhere other than the original site.
These are the inescapable basics. This disaster recovery baseline does not address, however, how much and how often data should be backed up, nor how reliable the off-site storage should be.
The solution, not surprisingly, is a business impact analysis (BIA). This sort of BIA need not be a drawn-out affair, replete with forms and software. An executive simply needs to ask how long the company might survive if it could not function for a period of days. How much harm would be done by losing a fair amount of data? Pure gut feel, no science involved. The executive will sacrifice precision for accuracy, let us say to a level of 80% confidence. Thus, if the conclusion is that an outage of five days is sustainable, the supposed executive must realize that that means anywhere from four to six days. If it would take longer than that to find a replacement site for the computers and to restore the data, then alternate arrangements must be made in advance of any disruption.
Crises occur every day; it is management's job to sort them out. Some crises are routine in the course of business. Others are extreme enough to require the concerted attention of a group of senior managers. The key preparatory step is to identify the core group of managers who should be involved in the resolution of all major crises, which include but are certainly not limited to disaster recovery.
Instantaneous communications among them are essential. Given the vast majority of executives toting smartphones around with them, this is readily achievable. That's provided, of course, that the server is not in the same location as the computer systems whose unavailability might be the cause of a crisis.
In most U.S. cities, fire evacuation routes must be clearly posted and fire drills run periodically. To some extent, emergency management is a mandated requirement. What is not spelled out (but every company should consider) is who
has the authority to declare that an emergency is under way and that employees should evacuate. Waiting too long could cost lives; jumping the gun will cost money.
Common sense would dictate that employees should know where to assemble once they leave company premises, not so much so that they can continue working elsewhere but so that all persons might be accounted for. Moreover, when an emergency that caused them to evacuate is over or found to be a false alarm, employees will be in a place where an authorized individual can instruct them to return. Conversely, someone must have the authority to tell everyone outside the building to disperse.
Again, little investment is required. All that is needed is forethought, but many managers are so focused on their day-to-day activities that they cannot foresee a serious disruption. Achieving the should of disaster recovery, to say nothing of the oughtas and the gottas, is a serious business best not left to the time of an incident. Just as vision and dedication are required to manage a business to success, so they are needed to deal with major disruptions along the way.
Steven Ross, CISSP/MP, MBCP, CISA, is a contributing writer based in New York. Let us know what you think about the story; email firstname.lastname@example.org. Follow @ITCompliance for compliance news throughout the week.
This was first published in March 2010