Business Continuity Planning


Yesterday I attended the SIM lunch in Salt Lake. Michael Croy, from Forsythe, was the speaker and the topic was disaster recovery and business continuity planning. This is one of the topics that every CIO knows they need to do something about, but no one really wants to discuss. When I was CIO for Utah, I tried to bring up the topic many times with business and IT folks alike and mostly got a cold shoulder. I even wrote a white paper tying it to Homeland Defense after 9/11. Still no interest. The common response was "oh, we did something like that for Y2K." As if dealing with the topic once were enough. You cannot begin to imagine the impact it would have on your life if a major disaster crippled the State's IT infrastructure. In any event, Michael made several points yesterday that caught my attention:

The primary question a CIO should ask is "How is the business mission sustained in the event of a disaster or security breach?" There are some specific issues to worry about:

  • What regulatory requirements do you have to protect data and to disclose gaps in your business continuity planning?
  • Can you recover all of your information? How long will it take to restore it from backup?
  • After a crisis, can you validate the integrity of your data? Will you know if it's been corrupted?
  • Can you confirm, through audits, logs (physical as well as online), etc., who has had access to the data during the crisis? What are your plans for security and control in the midst of the crisis?

In the end, of course, it's all about risk and what you're willing to do. There are only three things you can do with risk:

  • You can accept it. That is, just say "we'll live with it." This is the de facto position that not making any decision at all leads to.
  • You can assign it. That is, you can make it someone else's problem. Insurance is one way to do this. Outsourcing is another way of assigning risk.
  • You can mitigate it. This is what you're doing by creating a plan and developing a business continuation strategy.

Which of these is the right strategy for you depends on the risk you face. The only way to know that is to identify and document vulnerabilities and let the business side drive the analysis to prioritize the tasks and make the decisions.

As you perform this analysis, it's important to appropriately assign priorities and importance. Most data and the systems that support it become slightly less valuable over time, moving from "business critical" to "essential" to "consequential" to "non-critical." Once data has reached the "non-critical" state, it quietly becomes "inconsequential" and is disposable. The amount of money you have to spend to protect this data should be proportional to its value according to the following SLA discontinuity classification:

  • Continuous availability - always available, no recovery ever necessary
  • High availability - recovery takes minutes
  • Transaction protection - recovery takes hours
  • Traditional recovery - recovery could take days
  • Best efforts - no guarantees

Obviously, the further up this classification you are, the more expensive your IT investment will be.

The other day, I heard a story on NPR about the GAP taking the unprecedented step of releasing their internal audits of their off-shore factories. More and more, companies are required to be transparent. How many publicly traded companies do you think there are that have material deficiencies in their business continuity and disaster recovery plans? If you know anything about IT, your answer is probably most of them. Yet, disclosure still revolves primarily around the financials. I'd bet that we see that change over the coming years and IT takes a more and more prominent role in the enterprise.