Disaster Recovery and Business Continuity Essential Guide

Disaster recovery and business continuity
Your expert guide to Subtitle

In this e-guide
In this e-guide:
Disaster recovery: Risk

Investing in technologies and processes that can safeguard an enterprise
assessment and business and its operations in the face of downtime should be a must for any
impact analysis business, as end-users can be remarkably unforgiving when unable to
access the services they need during work and at play.
Disaster recovery training
and staffing strategies Not only can a solid business continuity strategy protect organisations
from reputational damage and lost trade, but for those operating in
Coming up with a new
regulated industries it can also prevent firms being hit with downtime-
configuration and change
management plan related enforcement action.
But even the most diligently prepared disaster recovery plan should be
Disaster recovery
awareness and testing subject to review from time-to-time to ensure it delivers the expected
require training, strategic results.
plans
In this guide, we take a look at the steps enterprise can and should take
Evaluating BC/DR program to ensure, should their infrastructure fail, they can continue to trade and
performance
operate, and why it pays to regularly test the robustness of their disaster
recovery processes.
Case study: Cloud
collaboration boosts
Cumbria County Council's
Caroline Donnelly, Datacentre Editor
disaster response abilities
Page 1 of 38
In this e-guide

assessment and business
impact analysis Paul Kirvan, Guest Contributor
Disaster recovery risk assessment and business impact analysis (BIA) are
crucial steps in the development of a disaster recovery plan. But, before we
and staffing strategies
look at them in detail, we need to locate disaster recovery risk assessment
and business impact assessment in the overall planning process.
To do that, let us remind ourselves of the overall goals of disaster recovery
management plan
planning, which are to provide strategies and procedures that can help
return IT operations to an acceptable level of performance as quickly as
Disaster recovery possible following a disruptive event. The speed at which IT assets can be
awareness and testing
returned to normal or near-normal performance will impact how quickly the
require training, strategic
organisation can return to business as usual or an acceptable interim state
plans
of operations.
Evaluating BC/DR program Having established our mission, and assuming we have management
performance
approval and funding for a disaster recovery initiative, we can establish a
project plan.
Case study: Cloud
collaboration boosts A disaster recovery project has a fairly consistent structure, which makes it
Cumbria County Council's easy to organise and conduct plan development activity.
Page 2 of 38
In this e-guide

impact analysis


management plan
Disaster recovery
Adapted with permission from the BCM Lifecycle developed by the Business Continuity Institute.
plans As you can see from The IT Disaster Recovery Lifecycle illustration, the IT
disaster recovery process has a standard process flow. In this, the BIA is
Evaluating BC/DR program typically conducted before risk assessment. The BIA identifies the most
performance important business functions and the IT systems and assets that support
them. Next, the risk assessment examines the internal and external threats
Case study: Cloud and vulnerabilities that could negatively impact IT assets.
Page 3 of 38
Following the BIA and risk assessment, the next steps are to define, build
In this e-guide and test detailed disaster recovery plans that can be invoked in case
s critical IT assets. Such plans
Disaster recovery: Risk provide a step-by-step process for responding to a disruptive event with
steps designed to provide an easy-to-use and repeatable process for
impact analysis
recovering damaged IT assets to normal operation as quickly as possible.
Disaster recovery training Detailed response planning and the other key parts of disaster recovery
and staffing strategies planning, such as plan maintenance, are, however, outside the scope of this
article so let us get back to looking at disaster recovery risk assessment and
Coming up with a new business impact assessment in detail.
management plan Disaster recovery risk assessment
In the IT disaster recovery world, we typically focus on one or more of the

Disaster recovery
following four risk scenarios, the loss of which would have a negative impact
plans
Loss of access to premises
Loss of data
Evaluating BC/DR program Loss of IT function
performance Loss of skills
Case study: Cloud Risk assessments focus on the risks that can lead to these outcomes.
collaboration boosts Peter Barnes, FBCI, managing director of London-based 2C Consulting said,
Cumbria County Council's the impact on
Page 4 of 38
the business if delivery of critical applications and services were to be

In this e-guide denied as a result of a fire or server failure, for example, and to assess the
risks
assessment and business A key aspect is to know what services run on which parts of the
impact analysis infrastructure, said Andrew Hiles, FBCI, managing director of Oxfordshire-
based Kingswell International
Disaster recovery training company had grown by acquisi

configuration and change One easy way to create a risk assessment is illustrated by this table.
management plan
Disaster recovery
plans
Evaluating BC/DR program

performance
Working with IT managers and members of your building facilities staff as
well as risk management staff if you have them, you can identify the events
Case study: Cloud that could potentially impact data centre operations.
Page 5 of 38
Based on experience and available statistics, you can estimate the likelihood
In this e-guide of specific events occurring on a scale of 0 to 1 (0.0 = will never occur, and
1.0 = will always occur). You can do the same with the impact of the event,
Disaster recovery: Risk using a 0 to 1 range (0.0 = no impact at all, and 1.0 = total loss of operations).
The final column lists the product of likelihood x impact, and this becomes
impact analysis
your risk factor. Those events with the highest risk factor are the ones your
disaster recovery plan should primarily aim to address.
and staffing strategies Another way to capture and display risk information is with a risk matrix.
Entries in each part of the above table can be plotted on a four-quadrant
Coming up with a new matrix, as shown here.
management plan
Disaster recovery
plans

A risk matrix, adapted with permission
performance
from "Principles and Practice of Business
Continuity: Tools and Techniques," by Jim
Burtles, copyright 2007 by Rothstein
Case study: Cloud Associates; ISBN 1-931332-39-8
Page 6 of 38
In terms of how we treat these risks, we can use the following

In this e-guide categorisation:
Disaster recovery: Risk Prevent: High-probability/high-impact events (actively work to

assessment and business mitigate these)
impact analysis Accept: Low-probability/low-impact events (maintain vigilance)
Contain: High-probability/low-impact events (minimize likelihood of
occurrence)
Plan: Low-probability/high-impact events (plan steps to take if this
occurs)
Coming up with a new Types of risks to consider

configuration and change In the previous section we described a basic disaster recovery risk
management plan assessment. But, there are many types of risk, so what are some of the key
ones that should be addressed from a UK IT perspective?
Disaster recovery
awareness and testing Supply chain disruptions present a key risk, said Susan Young, MBCI, a risk
require training, strategic management professional with a London-
plans an IT standpoint, reliance on outsourced providers not only presents a pure
IT risk but also a supply chain risk. For example, in the Lloyd's insurance
Evaluating BC/DR program market in London, all businesses depend on a firm called Xchanging to
performance provide premiums and claims processing. This is a huge dependency with
Case study: Cloud

collaboration boosts Hardware failure is another key danger to UK organisations. Kingswell
Cumbria County Council's report on UK email downtime
Page 7 of 38
showed hardware failure (server and SAN), connectivity loss and database
In this e-guide corruption (in that order) as the main causes of downtime. A 2010 SunGard
report said the most common cause of UK invocations was hardware,
Disaster recovery: Risk followed by power and
impact analysis Water damage is a key risk to organisations in the UK, and sometimes the

and staffing strategies area may be
when taps are left running in the toilets two floors above when everyone
management plan The BIA
A BIA attempts to relate specific risks to their potential impact on things

Disaster recovery
such as business operations, financial performance, reputation, employees
and supply chains. The table below depicts the relationship between specific
plans risks and business factors.

performance
Case study: Cloud

Page 8 of 38
Risks can affect the entire company or just small parts of it. Operational and
In this e-guide financial losses may be significant, and the impact of these events could

assessment and business BIAs are built on a series of questions that should be posed to key members
impact analysis of each operating unit in the company, including IT. Questions should
address the following issues, as a minimum:
and staffing strategies Understanding how each business unit operates
Identification of critical business unit processes that depend on IT
Financial value of critical business processes (for example, revenues
Coming up with a new generated per hour)
configuration and change Dependencies on internal organisations
management plan Dependencies on external organisations
Data requirements
Disaster recovery Minimum time needed to recover data to its previous state of use
awareness and testing System requirements
require training, strategic Minimum time needed to return to normal or near-normal operations
plans following an incident
Minimum number of staff needed to conduct business
Minimum technology needed to conduct business
performance BIA outputs should present a clear picture of the actual impacts on the
business, both in terms of potential problems and probable costs. The
Case study: Cloud results of the BIA should help determine which areas require which levels of
Page 9 of 38
protection, the amount to which the business can tolerate disruptions and
In this e-guide the minimum IT service levels needed by the business.
to define the
the tolerances to an outage for critical applications or infrastructure
impact analysis
and reduce the risk of service loss, such that you can provide service to the
Disaster recovery training business in an acceptable timeframe.
Coming up with a new Next article

management plan
Disaster recovery
plans

performance
Case study: Cloud

Page 10 of 38
In this e-guide

What are some steps companies can do to mitigate downtime resulting from
a lack of trained IT staff in the aftermath of a disaster? Obviously, one
answer is "Train additional IT staff members to perform IT tasks," but how
realistic is that? And what if those staffers are unable to respond following a
disaster as well?
management plan
Business continuity plans and disaster recovery training plans should
examine the staffing issue initially as part of the business impact analysis
Disaster recovery (BIA) and risk assessment (RA) phases. These initiatives should identify
staffing issues that need to be addressed. From a budget perspective,
adding staff may not be an option. If that's the case, cross-training of
plans
existing IT staff is highly recommended, as is rotating the alternate staff in
and out of production assignments, if possible, to ensure their skills are
current.
performance
If your organization has only one data center and your budget cannot
Case study: Cloud underwrite a second data center, consider one of the many hosted data
collaboration boosts center options currently available. These can be found under such headings
Page 11 of 38
as Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Data

In this e-guide Center as a Service (DCaaS). You can subscribe to as much (or as little)
resources as your budget can handle. You'll also be contracting with trained
Disaster recovery: Risk IT professionals, who should be able (with advance training, knowledge and
suitable documentation) to step in and support your production systems if
impact analysis
your existing staff is unavailable.
Disaster recovery training If your recovery time objectives (RTOs) are aggressive, it may be necessary
and staffing strategies to arrange for data backup and recovery services, in addition to other
managed IT services, to ensure that interruptions to your production
Coming up with a new systems will be minimal. Of course, if your organization has more than one
configuration and change data center, and if the data centers are sufficiently distant from each other
management plan (e.g., at least 20-30 miles), you could replicate data from one data center to
the other and mitigate the impact of a staffing loss by spreading your IT
Disaster recovery staff across sites and ensuring there is plenty of cross-training of all
awareness and testing employees.
plans
Next article
performance
Case study: Cloud

Page 12 of 38
In this e-guide

impact analysis Alex Barrett, Guest Contributor
In the context of information technology, the change management plan --

and its kissing cousin configuration management -- are usually thought of as
subsets of IT service management, or ITSM. They require configuration data
about an organization's IT infrastructure and the services running on it.
They say the only constant is change, and nowhere is that more true than in
management plan
the data center. Despite all our practice dealing with change, doing so
gracefully and efficiently is still one of the most challenging aspects of IT
Disaster recovery operations.
require training, strategic Change management helps IT operations professionals follow established
plans
procedures for making changes to an environment -- or discover the
changes that cause a service to go awry, said Rob England, an IT consultant
Evaluating BC/DR program and blogger known as The IT Skeptic based in Wellington, New Zealand.
performance
According to England, these tools and processes can help IT departments
Case study: Cloud can answer two central questions: "How fast and how accurately can you
collaboration boosts assess the impact [of a change] to your organization?" and "Does the cost
Cumbria County Council's of downtime exceed the cost of adding more processes and tools?"
Page 13 of 38
Indeed, no one does change management for the hell of it. IT organizations
In this e-guide follow established practices and procedures in the hopes of minimizing
outages and maximizing service levels (the metric by which many of them
Disaster recovery: Risk are judged). But while we all want more uptime and the better outcomes that
change management promises, the number of organizations that have
impact analysis
effective processes in place is small.
Disaster recovery training The CMDB letdown

Part of the change management problem is the industry's own making. Not
so long ago, IT management vendors and practitioners got it in their heads
configuration and change that the first step toward change and configuration management was to
management plan implement an IT Infrastructure Library (ITIL)-inspired configuration
management database (CMDB).
Disaster recovery
At its core, a CMDB is a simply a database that stores so-called
configuration items (CIs). CIs describe and track individual assets, how they
plans are configured, and their relationships to one another. That data is often
used in support of other IT management tools such as a service desk and
incident management.
performance
This sounds straightforward enough, but depending on whom you ask,
adoption of CMDBs has been somewhere between modest and downright
Case study: Cloud
disappointing. While CMDBs are commonplace in the Fortune 1,000, the
Page 14 of 38
number of implementations trails off for smaller organizations, said Ronni

In this e-guide Colville, an IT operations management analyst at Gartner.
Disaster recovery: Risk Among the problems that organizations have cited are high costs for
assessment and business software and consulting, difficulty in populating the database, intergroup
impact analysis politics, and inflated expectations about CMDB capabilities.

"A CMDB sounds like a good idea in theory. In practice, if you try and
and staffing strategies implement every little nuance, it's like driving pins in your eyes," said Brian de
Haaff, Citrix Systems' senior product line director for GoToAssist, the
company's IT service management offering.
Indeed, in the early days of CMDBs, many organizations undertook initiatives
management plan
without properly analyzing the work involved or the business justification,
said Gartner's Colville. As a result, she said, "there were a lot of false
Disaster recovery
t doesn't solve world hunger. It's not making
dinner. What the heck?'"
plans
England calls shops that need a CMDB "The 5% Club."
Evaluating BC/DR program "There are 5% of organizations that are so complex that they need a CMDB
performance -- and have the resources to actually do it," he said. But for the remaining
95%, implementing such a project is rarely worth the cost, time or effort,
Case study: Cloud England said.
Page 15 of 38
"The main reason you would do a CMDB project is for impact assessment,"
In this e-guide England noted. "If people can answer questions about the impact of a
change fast enough, then you don't need to invest in a CMDB."
assessment and business For that 5% of shops that have paid their dues implementing a CMDB,
impact analysis however, it can be a beautiful thing.

In part two of this article, see how a large packaged foods corporation is
and staffing strategies using CMDB to pinpoint problems to keep production flowing in its
warehouses.
Next article
management plan
Disaster recovery
plans

performance
Case study: Cloud

Page 16 of 38
In this e-guide

Once you have drawn up a detailed disaster recovery plan, the next stages
in the project are twofold: to prepare and deliver disaster recovery
awareness and training programmes so all employees are prepared to
respond as required by the plan in an emergency, and to to carry out
disaster recovery testing to ensure the plan works properly and that DR
management plan teams know their roles and responsibilities.
Disaster recovery
awareness and testing ISO/IEC 27031:2010, Information technology Security techniques
require training, strategic Guidelines for information and communication technology readiness
plans for business continuity
Evaluating BC/DR program This is the global standard for IT disaster recovery as it applies to end users.
performance Another ISO standard, ISO/IEC 24762, addresses Information and
communications technology disaster recovery from a service provider
Case study: Cloud
perspective. Both these standards can help you develop and implement ICT
collaboration boosts disaster recovery programmes.
Page 17 of 38
Disaster recovery awareness and training strategies

In this e-guide
Disaster recovery: Risk implemented to ensure that processes are in place to regularly promote ICT
assessment and business DR awareness in general, as well as assess and enhance competency of all
impact analysis relevant personnel key to the successful implementation of ICT DR

and staffing strategies Perhaps the most important strategy in raising disaster recovery awareness
is to secure senior management support and funding for DR programmes.
Visible and frequently occurring endorsements from senior management will
configuration and change help raise awareness of and increase participation in the programme.
management plan
The next key strategy is to engage your human resources (HR) organisation
in the process. They have the expertise to help you organise and conduct
Disaster recovery
awareness activities, such as department briefings and messages on
employee bulletin boards. You can also encourage HR to incorporate
plans briefings on DR as well as business continuity into new employee induction
programmes.
Another important strategy is to leverage the Internet. If your organisation
performance
has an intranet, launch a DR page that describes what your programmes
does; answers FAQs; and provides links to forms and services, schedules,
Case study: Cloud
and other relevant materials.
Page 18 of 38
Be sure that any awareness activities are approved by management and HR,
In this e-guide as well as your own IT management. Your messages should be informative
Disaster recovery: Risk activities.

impact analysis Building an awareness and training plan

Here are additional activities for successful disaster recovery awareness
and staffing strategies and training programmes:
Conduct an awareness and training needs analysis.

Coming up with a new Assess existing staff competencies regarding roles in DR plans.
configuration and change Establish an ongoing awareness and training programme.
management plan Establish record-keeping of staff training and awareness activities.
Establish competency levels for IT staff and how they should be
Disaster recovery maintained.
awareness and testing Conduct staff performance assessments post-disaster and re-
require training, strategic evaluate training.
plans
As part of these activities, you should develop and conduct training on:
Evaluating BC/DR program Technical recovery activities

performance Emergency response activities, for example, situation assessment
and evacuation
Case study: Cloud Specialised recovery, such as recovering to hot sites or cold sites or
collaboration boosts third-party managed DR services
Cumbria County Council's Return-to-normal activities
Page 19 of 38
Restoration of business systems and processes

In this e-guide
Since you will be working with a variety of vendors and specialised service
Disaster recovery: Risk providers, examine their training programmes to see if they can be
assessment and business leveraged into your internally developed training activities.
impact analysis
Disaster recovery testing strategies
The most important strategy in disaster recovery testing is simply to test,
test and test again. Your organisation depends on the availability of IT

operational but that they can survive an unplanned outage. Disaster
recovery testing will ensure that all your efforts to provide recovery and
management plan
resilience will indeed protect critical IT assets.
Disaster recovery
awareness and testing instances, the whole set of IRBC [ICT readiness for business continuity]
elements and processes, including ICT recovery, cannot be proven in one
plans
that continually addresses the entire spectrum of operational and

administrative activities that an ICT organisation faces.
performance
Based on the size and complexity of your IT infrastructure, disaster recovery
Case study: Cloud testing activities should address recovery of hardware, software, data and
collaboration boosts databases, network services, data centre facilities, people (for example,
Page 20 of 38
relocation of staff to an alternate site), and the business. For each of these
In this e-guide factors, critical information will be identified in the business impact analysis,
or BIA.
assessment and business Types of tests
impact analysis
ISO 27031 makes some key points with regard to disaster recovery testing:
should not expose the organisation to an unacceptable level of risk. The test
and exercise programme should define how the risk of individual exercise is
addressed. Top-management sign-off on the programme should be obtained
and a clear explanation of the ass
management plan
Disaster recovery wider business continuity management scope and objectives and
awareness and testing complementary to the organisation's broader exercise programme. Each
test and exercise should have both business objectives (even where there is
plans
no business involvement) and defined technical objectives to test or validate

performance Since there are many aspects of an IT environment to be tested, there are
different kinds of tests to be initiated. This figure shows the three basic IT
Case study: Cloud DR tests.
Page 21 of 38
In this e-guide

impact analysis
Types of IT disaster recovery tests
Basic disaster recovery testing begins with a desktop walk-through activity,
in which DR team members review DR plans step by step to see if they make
sense and to fully understand their roles and responsibilities in a disaster.
The next kind of test, a simulated recovery, impacts specific systems and
management plan
infrastructure elements. Specifically, tests such as failover and failback of
critical servers are among the most frequently conducted. These tests not
Disaster recovery
only verify the recoverability of primary and backup servers but also the
network infrastructure that supports the failover/failback and the
plans
specialised applications that effect failover and failback.
Operational exercises extend the simulated recovery test to a wider scale,

Evaluating BC/DR program typically testing end-to-end recovery of multiple systems, both internal and
performance
external, the associated network infrastructures that support connectivity of
those assets, and the facilities that house primary and backup systems.
Case study: Cloud These tests are highly complex, and provide a higher level of risk compared
to other tests, as multiple systems will be affected. Loss of one or more
Page 22 of 38
critical systems from this kind of test could result in a serious disruption to
In this e-guide the organisation.
Disaster recovery: Risk Tests have several key goals, as stated in ISO 27031:
impact analysis Build confidence throughout the organisation that resilience and
recovery strategies will satisfy the business requirements.
Demonstrate that critical ICT services can be maintained and
Disaster recovery training recovered within agreed service levels or recovery objectives
and staffing strategies regardless of the incident.
Demonstrate that critical ICT services can be restored to pre-test
Coming up with a new state in the event of an incident at the recovery location.
configuration and change Provide staff members with an opportunity to familiarise themselves
management plan with the recovery process.
Train staff and ensure they have adequate knowledge of ICT DR
plans and procedures.
Disaster recovery Verify that ICT DR plans are synchronised with the ICT infrastructures
awareness and testing and business environment.
require training, strategic Identify opportunities for improving ICT DR strategies or recovery
plans processes.
Provide audit evidence and demonstrate the organisation's ICT
Evaluating BC/DR program service competence.
performance
Developing disaster recovery testing plans
IT disaster recovery testing plans provide a step-by-step process for:
Case study: Cloud
Setting the stage of the exercise by defining the test scope
Page 23 of 38
Defining test objectives

In this e-guide Defining success criteria
Defining the ICT assets to be tested
Defining the roles and responsibilities of test participants
Defining exercise steps in a logical sequence, plus unannounced
injects that challenge the delegates in how they respond to
impact analysis
unanticipated changes
Conducting a post-test review of what worked, what did not and
Disaster recovery training lessons learned
and staffing strategies Revising the DR plans based on test results
If possible, retesting the plan to ensure the changes work as intended
The following list provides a suggested table of contents for an IT DR test.
management plan
completed, such as researching the systems to be tested, researching
existing recovery procedures, identifying test scripts (if any), creating and
Disaster recovery
awareness and testing approving test scripts, coordinating with other IT departments and business
require training, strategic units in the company, and coordinating with external vendors and service
plans providers.

performance
Case study: Cloud

Page 24 of 38
In this e-guide

impact analysis


management plan
Disaster recovery
plans

performance
Case study: Cloud

Page 25 of 38
Next activities
In this e-guide
Once your DR plans have been tested and your awareness and training
Disaster recovery: Risk plans have been initiated, the next steps are to initiate a maintenance
assessment and business programme and initiate an audit and review programme. The first ensures all
impact analysis the previous DR activities we have been discussing are scheduled for annual
or semiannual review, testing and updating. The second ensures that all DR
Disaster recovery training programme activities are aligned with established policies and operational
and staffing strategies controls. Another part of the audit process is to establish a process of
continuous improvement. This ensures that DR programmes remain aligned
Coming up with a new to the business as well as international standards and good DR practice.
management plan
Next article
Disaster recovery
plans

performance
Case study: Cloud

Page 26 of 38
In this e-guide

Paul Kirvan, Guest Contributor
impact analysis How do you know your business continuity and disaster recovery (BC/DR)
programs and associated activities are performing up to expectations?
Disaster recovery training Setting metrics and expectations gives you the opportunity to check your
and staffing strategies program's performance against your goals. For example, performance
metrics addressing the frequency of BC plan exercises and business impact
Coming up with a new analysis (BIA) updates will help ensure proper plan performance. Be sure to
configuration and change involve your quality assurance (QA) and internal audit (IA) departments in
management plan
performance evaluations.
Disaster recovery In Section 9, Performance Evaluation, of the global business continuity

awareness and testing standard ISO 22301:2012, Business Continuity Management Systems --
require training, strategic Requirements, the following three subsections address performance
plans evaluation in detail:
Evaluating BC/DR program 9.1 -- Monitoring, Measurement, Analysis and Evaluation

performance 9.2 -- Internal Audit
9.3 -- Management Review
Case study: Cloud
It is important to examine what happens when something out of the ordinary
occurs, such as a minor operational disruption, system or technology
Page 27 of 38
outage, or supply chain interruption, and use those lessons learned to

In this e-guide improve your ability to anticipate potential disruptions. It is also helpful to
study real-world examples of disaster response in organizations similar to
Disaster recovery: Risk your own. The information that you gather will allow you to recommend
modifications to existing operational, strategic, planning, financial, legal,
impact analysis
technological, structural, physical, intellectual and human-based activities so
as to increase their reliability, resilience and recoverability from disruptive
Disaster recovery training incidents -- minimizing the impact to business operations.
Here's how this works:
management plan
Disaster recovery
plans

performance
Case study: Cloud

Page 28 of 38
In both cases, the business continuity staff examined key operations within
In this e-guide the company in detail. A business impact analysis (BIA) is typically used to
gather information. Data from a BIA and risk assessment (RA) should
Disaster recovery: Risk identify what could happen if there was a disruption to the supply chain,
technology or other important business function. Analysis of other
impact analysis
companies' experiences can shed light on possible outcomes of a supply
chain and/or technology failure and will also identify strategies to prevent
Disaster recovery training these disasters from occurring.
By analyzing all elements in a supply chain, for example, and asking pointed
Coming up with a new questions regarding the impact of a supply chain disruption, business
configuration and change continuity analysts can pinpoint areas of greatest risk to a supply chain and
management plan thereby also identify strategies to prevent disruptions and mitigate the
severity of disruptions that may occur. The same can be true of critical
Disaster recovery technology operations.
require training, strategic Performance evaluation of BC/DR programs should be an ongoing activity.
plans An organization's BC staff should regularly examine all aspects of company
business operations, identify internal/external risks to those operations and
Evaluating BC/DR program then identify potential solutions to address those risks. Outcomes may come
performance in the form of modifications to BC plan procedures, updates to BC policies,
revisions to IT infrastructure operations, changes to training programs and
Case study: Cloud revisions to plan exercises.
Page 29 of 38
It's been said time and again that business continuity and disaster recovery
In this e-guide plans are living documents. They reflect current business operations and
requirements, and as such must be fluid enough to adapt quickly and
Disaster recovery: Risk dynamically reflect changes in those operational attributes. A key part of the
performance evaluation process is that it is an ongoing activity. It's not
impact analysis
something that occurs annually or on an ad hoc basis.
Disaster recovery training Summary

By constantly looking for ways to improve business operations and reduce
the likelihood of emergencies, BC/DR professionals can ensure that their
configuration and change efforts will keep the organization, its supply chain, its technology
management plan infrastructure and its employees performing in the most resilient ways
possible.
Disaster recovery
Next article
plans

performance
Case study: Cloud

Page 30 of 38
In this e-guide

impact analysis
Caroline Donnelly, Datacentre Editor

and staffing strategies The unsanctioned use of cloud services by employees is a common problem
within many organisations, and one that Cumbria County Council found itself
Coming up with a new facing up to in early 2014.
management plan The use of consumer-grade cloud file-sharing services was pervasive within
the council at this time, as employees sought ways to side-step file size
Disaster recovery
restrictions of their email accounts to pass on documents to colleagues and
awareness and testing external stakeholders.
plans In light of the sensitive nature of some of the information being shared, the
council knew it had to act, but issuing a blanket ban on using these services
was out of the question. At least, says Kevin Maxwell, service support
performance manager at Cumbria County Council, until a suitable and appropriate
alternative could be procured.
Case study: Cloud

certain cloud services using the internal network, but we knew if we just did
Page 31 of 38
that without offering an alternative it would have created resentment

In this e-guide atmosphere and people
Disaster recovery: Risk Give and take

impact analysis After assessing a range of enterprise-ready products and services, the
public sector-
focused cloud-based collaboration system for regulatory compliance and
and staffing strategies ease of use reasons.
-based public body, so we have to conform to PSN requirements

and other governmental security legislation, and we were specifically looking
for a solutio
management plan
says.
Disaster recovery -sharing solutions people were finding for themselves were
awareness and testing hosted all over the world with no guarantee about the security measures in
plans
Any file-sharing platform the council decided to use would need to let
Evaluating BC/DR program employees share documents with external third-parties without them
performance requiring an account, he adds.
Case study: Cloud

collaboration boosts want to go through the overhead of setting people up with accounts on the
Page 32 of 38
network for a one-

In this e-guide Maxwell says.
Disaster recovery: Risk For example, Maxwell

assessment and business regularly receives from members of the public conducting genealogical
impact analysis research.

and staffing strategies birth certificates, for example, which do not always fit in the limits of a

while the information
management plan
Disaster recovery
awareness and testing Objective Connect, with the service allowing team members to share
important documents, often at short notice, for use in court cases.
plans
hour to share
th
Evaluating BC/DR program sensitive and important case material with a barrister who might be going to
performance court that afternoon. So it is essential for them to set up access for external
Case study: Cloud

Page 33 of 38
Storm clouds gather

In this e-guide
The importance of being able to share huge files containing critical
Disaster recovery: Risk information with external parties was reinforced in December 2015 when an
assessment and business extratropical cyclone, dubbed Storm Desmond, hit Cumbria, leaving a trail of
impact analysis destruction.

In 24 hours, 341.4mm of rain fell on Cumbria, flooding around 6,500 homes
and staffing strategies and leaving 45,000 without power. Key roads and bridges within the region
were also severely damaged, prompting the local police to classify the freak
The strength and security of around 600 roads, bridges and other pieces of
management plan
key infrastructure within the area needed to be assessed afterwards to work
out how best to repair and restore them.
Disaster recovery
economy and highways team, responsible for overseeing this on-going
plans
process, which involves compiling huge reports to detail the damage
inflicted.
performance
time, and most of those files were 20MB to 30MB apiece, with photos in
Case study: Cloud them as well. It quickly became a huge beast of data we were moving
Page 34 of 38
In this e-guide
the asset and the cost, requiring input from external contractors and civil
Disaster recovery: Risk engineers.
impact analysis
what resources and when, because you get updates when the other party
that information onto design so they can come up with solutions, and that
management plan
Meanwhile, the list of assets his team needs to keep a watchful eye on
continues to grow, as a result of subsequent weather events causing fresh
Disaster recovery
damage.
-survey some of the bridges because of high
plans

performance around 5m to 6m of resurfacing work we need to get up and running on
the higher-level roads before the temperature starts dropping as we move
Case study: Cloud into autumn, because the work
Cumbria County Council's Assessing the options
Page 35 of 38
Maxwell says setting up a Sharepoint site for Sheard and his team would
In this e-guide have bee
Disaster recovery: Risk chaos as a result of Storm Desmond too.

impact analysis
Disaster recovery training Maxwell.

to work because their homes had been flooded.

supporting staff around
management plan
Disaster recovery
awareness and testing Onwards and upwards
plans While Objective Connect has proved a sound investment, Maxwell admits
the council has taken a tentative approach to adopting cloud technologies,
Evaluating BC/DR program because of concerns about the maturity and reliability of off-premise
performance technologies.
Case study: Cloud

collaboration boosts the direction of travel is that we will start to go to the cloud more and more
Page 36 of 38
-premise
In this e-guide
felt the cloud market is mat
impact analysis Next article


management plan
Disaster recovery
plans

performance
Case study: Cloud

Page 37 of 38
In this e-guide

As a CW+ entire portfolio of 120+
impact analysis
websites. CW+
members-
of having to track such premium content down on your own, ultimately helping
you to solve your toughest IT challenges more effectively and faster than
ever before.

management plan
Take full advantage of your membership by visiting
www.computerweekly.com/eproducts
Disaster recovery Images; Fotalia
require training, strategic 2016 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means
without written permission from the publisher.
plans

performance
Case study: Cloud

Page 38 of 38

Disaster Recovery and Business Continuity Essential Guide

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Disaster Recovery and Business Continuity Essential Guide

Hochgeladen von

Copyright:

Verfügbare Formate

Disaster recovery and business continuity

Your expert guide to Subtitle

Disaster recovery: Risk

Disaster recovery: Risk

Disaster recovery: Risk

Disaster recovery training

Coming up with a new

In the IT disaster recovery world, we typically focus on one or more of the

the business if delivery of critical applications and services were to be

Coming up with a new

Evaluating BC/DR program

Evaluating BC/DR program

In terms of how we treat these risks, we can use the following

Disaster recovery: Risk Prevent: High-probability/high-impact events (actively work to

Coming up with a new Types of risks to consider

Case study: Cloud

Disaster recovery training

A BIA attempts to relate specific risks to their potential impact on things

Evaluating BC/DR program

Case study: Cloud

Disaster recovery: Risk

Coming up with a new Next article

Evaluating BC/DR program

Case study: Cloud

Disaster recovery: Risk

as Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Data

Case study: Cloud

Disaster recovery: Risk

In the context of information technology, the change management plan --

Disaster recovery training The CMDB letdown

number of implementations trails off for smaller organizations, said Ronni

Disaster recovery training

Disaster recovery training

Evaluating BC/DR program

Case study: Cloud

Disaster recovery: Risk

Disaster recovery awareness and training strategies

Disaster recovery training

Disaster recovery: Risk activities.

Disaster recovery training

Conduct an awareness and training needs analysis.

Evaluating BC/DR program Technical recovery activities

Restoration of business systems and processes

Coming up with a new

that continually addresses the entire spectrum of operational and

Evaluating BC/DR program

Disaster recovery: Risk

Operational exercises extend the simulated recovery test to a wider scale,

Defining test objectives

Evaluating BC/DR program

Case study: Cloud

Disaster recovery: Risk

Disaster recovery training

Coming up with a new

Evaluating BC/DR program

Case study: Cloud

Evaluating BC/DR program

Case study: Cloud

Disaster recovery: Risk

Disaster recovery In Section 9, Performance Evaluation, of the global business continuity

Evaluating BC/DR program 9.1 -- Monitoring, Measurement, Analysis and Evaluation

outage, or supply chain interruption, and use those lessons learned to

Evaluating BC/DR program

Case study: Cloud