Key Elements of a Disaster Recovery Plan Test

“Everyone’s got a plan until they get punched in the mouth.” I often think of that quote, from the boxer Mike Tyson (who ought to know), whenever I consider the current state of disaster-recovery planning in U.S. enterprises. Sure, most large organizations have disaster recovery plans in place. But many of these plans have a way of failing when an actual disaster strikes – when they get that punch in the mouth. So how do you make sure a disaster plan is meaningful and that it will work when needed? The answer is simple: disaster plans must be tested. Unfortunately, that’s something too many businesses fail to do until they’re flat on their backs with the ref standing above them, counting them out.

Practice Makes Perfect

Best practice calls for testing and adjusting disaster recovery plans at least once a year. Some organizations do it twice a year and a handful do it quarterly. Regardless of frequency, the goal of such a test is to make sure that following the plan leads to a working, production-ready recovery of designated systems and services. The test should also measure how long it takes to achieve the various recovery milestones included in the plan. These measurements often serve as the impetus for making changes to the plan so that it better meets the business’ needs. Key elements to measure and track during testing include:

Recovery Point Objective (RPO): The point in time in the past to which systems and services will recover, to begin moving forward.

Recovery Time Objective (RTO): The point in time in the future, following a disaster, after which the organization...

The Essentials of Business Continuity Are Found in the Cloud

Business continuity is a simple concept best understood as “a formal discipline of planning and preparation designed to ensure that an organization remains able to conduct business in the event of a serious outage, incident, or disaster.” The goal of business continuity planning is to ensure that your organization returns to an operational state within an acceptable period of time following the event. While the definition and goal are straightforward enough, there’s still a lot of work involved in the planning and preparation of business continuity. Getting it right will involve executives, managers, and other key stakeholders throughout the organization. Business continuity also requires testing to ensure that what is supposed to work in theory actually does work in practice.

Planning, Prep, and Execution in the Cloud

A typical business continuity plan requires the efforts of a two- or three-person team consisting of individuals with working knowledge of the business, its management, and its IT infrastructure. It will take several months to prepare the necessary documents, and to secure buy-in and funding from executives and stakeholders. While today’s cloud-based technologies cannot help with the planning and preparation part of business continuity, the “return to operation” (RTO) aspect is where cloud-based technology greatly enhances its implementation and execution. Before the cloud made it possible to mirror production servers and databases and, then, to restore operations at the click of a mouse, organizations had no choice but to engage in expensive and time-consuming DIY implementation efforts. This not only involved considerable capital expenditures to acquire the networking infrastructure and data center space necessary to restore the organization to operational status –...

Data Security: Adding Up the Costs of Compliance Failure

If your organization handles sensitive or confidential data, it’s vital to ensure you’re meeting all relevant compliance requirements. That’s indisputable wisdom, not only because it means staying on the right side of the law and regulations, but also because it vastly increases the likelihood of avoiding fines and other direct and indirect costs imposed when security breaches occur. According to the 2016 Ponemon Cost of Data Breach Study, the average cost of a data breach is $4 million. The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information was $158. Although regulations and potential civil liabilities vary by country, state, and industry, in general, breaches of any kind of data that personally identifies individuals (known as PII, for “personally identifiable information”), or that is legally or contractually recognized as sensitive, private, or confidential, can lead to fines and penalties.

Consider just one example from the financial industry. The Payment Card Industry Data Security Standard applies to every merchant who accepts credit or debit cards. A non-compliant merchant can face fines as high as $100,000 per month. Merchants can also face time-consuming and expensive audits, and must publicly disclose breaches, both to the public at large and to card holders who may have been affected. Other potential costs include those for making such notifications, for providing affected cardholders with identity theft insurance, and for paying legal settlements. That’s in addition to the potential loss of business and reputation damage that typically occur when breaches are announced.

HIPAA Compliance Can Be Deadly Serious

In the healthcare industry, failure to comply with...

Don’t Waste Your Money on Too Much Owned IT Infrastructure

When companies tally up their assets, they’ll typically account for everything from their office furniture to employee laptops to their servers and other IT infrastructure. And while that might make sense from a financial reporting standpoint, the truth is that viewing technology infrastructure as an asset is more of a losing proposition today than ever. Let me explain. We quoted Nicholas Carr in a previous post about the total cost of infrastructure ownership, but the argument holds here as well: if owning technology, specifically infrastructure, provides no competitive advantage, then continuing to “invest” in that technology makes no sense. Today, except for rare cases like high-frequency trading where nanoseconds matter, companies gain no competitive advantage from owning infrastructure. It is simply plumbing. Would any sane company invest in building an electric plant to power its operations today? Of course not. And yet most companies today still find themselves in the position of owning, operating, and investing in what amounts to plumbing.

Why do they do it? Sure, it’s true that the depreciating value of owned infrastructure can be written off as a business expense. But given that the useful life of any given piece of IT equipment is fairly short – three to five years is a common figure for a server, for example – by the time its cost has been taken off the books, it’s time to buy upgraded equipment to meet the needs of a growing business. Then there are the front-loaded costs of infrastructure. With the average mid-sized data center costing about $100 million to build, it’s no wonder that companies have moved in...

Understanding the Business Continuity Management Process

A well-tuned, always-on IT infrastructure is no longer a nice-to-have; today’s businesses require one just to survive. But any organization can fall prey to disaster – be it from natural causes like fire, flood or hurricane, man-made problems like a denial of service or malware attack, or an accident such as a mass file deletion. You might think that most businesses would be prepared – especially given the increasing number of high-profile cyber-attacks, major weather events, and other business disruptions that have made the news lately. But you’d be mistaken. In fact, though many organizations have some kind of business continuity plan, only 27 percent of companies surveyed by the Disaster Recovery Preparedness Council scored a passing grade when it comes to disaster readiness. That means nearly three out of four businesses are not ready. And because the costs of system downtime can be extreme, the effectiveness of your response can determine whether your organization keeps going, meets regulatory requirements, or fails completely. Consider that more than a third of businesses reported that they had already experienced at least one outage to a critical business application or a loss of vital data files in the previous year – and that nearly 20 percent of those who’d experienced such a disruption reported losing at least $50,000, with some reporting losses of more than $5 million.

Ensuring ongoing operations when a disaster or outage occurs is where business continuity management comes into play. Traditional business continuity management involves three separate phases:

Conducting a business impact analysis (BIA): Essentially, a BIA lays the foundation for the organization’s business continuity and disaster recovery plans. It...

Security Audits: Five Tips So You Can Sleep At Night

It’s the rare IT professional who rates a security audit as among his or her favorite tasks. But while conducting an audit is nobody’s idea of a great time, best practices dictate that audits be carried out at least annually. It’s necessary to take stock of security as it pertains to assets, risks, and information, especially in the context of how current security policy is implemented. In fact, a good security audit is an exhaustive inspection and analysis of how security is actually implemented compared to stated policy. That’s why establishing and maintaining a formal security policy is the first and most important tip for conducting an accurate and effective audit. Your security policy is a set of guidelines and principles for how security is to be applied in practice. It spells out everything from acceptable use policies, to penalties and consequences for failure to observe or maintain security, to rules that govern roles, access controls, confidentiality, physical and technical security, and a great deal more. With your policy in hand, try these other tips for effective security audits.

Take inventory of all information assets and assess the risk of each. Unless your organization knows what it needs to protect, it can’t formulate or implement good security policies. And unless your organization understands what its assets are worth, it can’t know how far to go – and how much to spend – to protect those assets. Conducting a thorough, up-to-date asset inventory, estimating asset value, and then understanding the risks to those assets and the business are all essential to establishing and maintaining proper security. This is as...