Continuity and Business

Information Inventory for Disaster Recovery: Cases In Point

2010-03-08T15:35:00.001-06:00

By David Smith and Scott LamanIn an instant -- a fire, flood or hurricane can erase years of business operations. Most companies have thought about how they would manage in the event of a disaster; and some have even taken steps to prepare. But one disaster recovery priority companies often overlook is how fast they can restore critical digital content.
Digital and hard copy intellectual property like email, web pages, account files and HR documentation are the lifeblood of today’s enterprise. It is expensive and unrealistic to believe that an organization needs all of its documents and data restored minutes after a disaster. But businesses should take inventory of the information that is critical to run the business, prioritize what data needs to be restored as soon as possible, and what can wait for backups to be pulled.
Since most businesses don’t have the knowledge internally to plan for or prepare for a disaster, many turn to an experienced partner that can deploy innovative solutions based on an understanding of their specific risks and requirements. These disaster recovery partnerships help companies:• Reduce the costs associated with managing multiple vendor contracts and improve the capture, preservation and sharing of critical information.• Enhance enterprise accountability and transparency through improved access to, and preservation of content.And being proactive about disaster recovery has benefits beyond basic business restoration during a disaster. By making document and business processes more effective and efficient for a disaster recovery plan, organizations like Tulane University reduce costs, improve productivity and increase security and compliance.
Back to Business in the Aftermath
Tulane University is one of a variety of customers working to digitize and archive their digital content and protect against a serious interruption. In 2005, about two thirds of Tulane University’s main campus flooded when Hurricane Katrina hit. Aside from disruption to academic coursework and administration, the University experienced significant infrastructure damage. As one of the largest private employers in Louisiana, Tulane faced the challenge of getting its staff and facilities fully operational and resuming its momentum as an academic leader. The University’s Document Services Center was forced to entirely rebuild its operation, while being tasked with doing more with less to spur the recovery effort and future growth. Hurricane Katrina clearly outlined the business impact for Tulane. In 2008 the University decided to extend efforts to build a continuity program and optimize its document management and print technology and services to be prepared for the next disaster. The solution goals were simple – speed processes to improve service, control costs, identify continual improvements. The recommended solution was Xerox DocuShare. The content management platform was rolled out to three departments in a phased approach, resulting in wide acceptance of the changes, significant productivity gains and cost savings more than $80,000 to date.
Identifying Mission Critical Data
Similar to Tulane’s disaster recovery approach, companies need to look beyond IT systems and consider business processes and support functions as a part of the plan. An assessment of intellectual property can help determine what is essential to keep the company running. This formal review of content provides:
Risk analysis: evaluates how different types of events or disasters will affect business operations.
Business impact analysis (BIA): identifies the functions and processes that are essential for day-to-day operation by analyzing the impact of losing those critical functions and processes – to finances, productivity, etc. – while determining how quickly they must be restored to limit the business impact. During this analysis, a company assigns a Recovery Time Objective (RTO), the amount of time to recover a system from the moment of disaster to functional state and a Recovery Point Objective (RPO), the point in time when the information will be restored.
Business availability plan: outlines decisions and actions that should be performed to prevent or respond to a situation that disrupts normal business processes. ACS, a Xerox Company, assigns a level of recovery importance to documents, ranging from immediate recovery to waiting for a few days.
o Traditional Recovery is typical a tape backup solution that is shipped to an offsite recovery facility.
o Advanced Recovery is faster than Traditional Recovery and can include local disk mirroring that allows multiple backups to be executed daily and database shadowing that applies database logs to a remote copy of a standby database.
o High Availability is an immediate response to the disaster and it is unlikely anyone will notice the data was affected.
Continuity program: plans to develop and sustain business availability such as establishing a formal program office, complete with standards and governance policies and enterprise-wide business continuity plans.
Putting it into Practice
Companies like The Members Group, aren’t waiting until they are brought to a halt by a catastrophic event. The Members Group created a flexible, cost effective disaster recovery solution. The Des Moines-based financial services organization needed to maintain a maximum level of responsiveness should the business experience an unexpected interruption of normal operations. Working with ACS, The Members Group completely integrated disaster recovery across all of its critical business systems, along with integrated WAN network failover by relying on tape backup for servers and real time replication of its Windows environments. The solution was tested and operational in less than four hours, which ultimately met the RTO and RPOs outlined in the analysis phase. BIOsDavid Smith is vice president, general manager for Xerox DocuShare enterprise content management (ECM) software. He holds a master's degree in business administration from University of California at Berkeley, and a bachelor's degree from Kansas State. Scott M. Laman, director of Continuous Availability for ACS, A Xerox Company, has been involved with disaster recovery / business continuity program management for more than 20 years. Laman is a Certified Business Continuity Professional (CBCP) and a member of the North Texas Chapter of Association Contingency Planners.

The technology pro's greatest enemies-How to spot -- and take down -- the six most nefarious adversaries of IT

2010-02-01T13:40:00.002-06:00

By Dan Tynan
Created 2010-02-01 03:00AM

Everybody keeps a list of the people who make their jobs and lives more difficult, even if they never write it down. It's a safe bet that IT pros' lists are longer than most.
You might think IT's greatest enemies are cyber criminals and malware authors. But far worse are those who make the lives of these evildoers that much easier. In fact, the greatest enemies of IT are members of the community IT serves: from clueless suits to annoying power users, from miserly managers to those friends and family members who are always hitting you up for free tech support. Any one of them can keep you from doing your best -- or getting anything done at all.
[ Find out which of our eight classic IT personality profiles [1] best suit your temperament. Learn about IT's dirtiest jobs [2], or have a laugh thanks to your network's weakest link in "Stupid user tricks 4: IT horror never ends [3]" ]
Making an "enemies" list is not just a cathartic exercise but also a useful one, says Mark Kadrich, CEO of The Security Consortium.
"Though they often curse the user community, most IT pros don't spend the time to identify good users from the bad ones," he says. "You ask most of them how many users have administrative access to their systems, and the answer is usually either 'I don't know' or 'all of them.' I think they need to take more time to classify their user communities."
Here are the classic enemies of IT, how to recognize them, and what you can do to keep them at bay.
Which tech enemies did we miss? Post your suggestions below [4].
IT enemy No. 1: The Ostrich [5]
IT enemy No. 1: The OstrichThe biggest enemy of many IT pros: bosses who bury their heads in the sand when it comes to technology [6], yet are still empowered to make critical IT decisions.
Businesspeople become the enemy when they refuse to acknowledge they have a role to play in how IT operates, says Daniel Teachey, senior director of marketing for data-quality specialists DataFlux. "Even if it's something as simple as defining what the term 'customer' means to their business," he says. "Data informs every action the business takes, and unless the business side takes some role in the management of data, IT will be left holding the bag and getting all the blame."
[7]
Even worse, upper management types that don't understand concepts like network security, yet override critical decisions of their network admins, says Randy Abrams, director of technical education for security vendor ESET [8].
"If you are in charge of network security but have no power to make decisions, then your job is to take the blame when things go wrong," he adds.
The classic example: email attachments.
"Several years ago IT managers had an incredibly hard time getting management to allow them to block executable attachments in email," says Abrams. "There was rarely a case when an executable file actually needed to be emailed, and the security advantages of blocking far outweighed the potential business costs of having these files blocked. Eventually the blocking of executables was built into Outlook, but it was a mindless battle of the clued vs. the powerful clueless for a long time."
Recognizing the enemy: That glazed-over look when confronted with technical questions, or the moment they open their mouths, says Abrams.
"They tend to say no first without ever understanding the problem or seeing the trade-offs -- even when the trade-offs are things that can ruin the business," he says.
Your best defense: Seek air support from high command.
"You need a data governance plan that spans the entire organization, which means getting a CXO type to step in and say, 'This is the way it's going to be,'" says DataFlux's Teachey. "They're the only ones with the will, the persuasiveness, and most importantly the budget to get it done."
But what if there's no one to give support from above?
"Then you're between a rock and a hard spot," notes ESET's Abrams. "The best you can do is hope to educate them. Figure out the best way to state your case so that it makes sense. Come up with a good analogy that's relevant to them. Knowledge can be power, but only if it's shared."
IT enemy No. 2: The Penny Pincher[9]
IT enemy No. 2: The Penny PincherWhether it's an enterprise-level CFO or a small-business owner, a penny-wise/pound-foolish manager can stand in the way of necessary IT investments -- making your job much harder.
Penny-pinching CFOs are among the biggest enemies of IT, says Nancee Melby, director of product marketing at Shavlik Technologies [10]. "Any CFO who thinks the free patching solutions from Microsoft are good enough needs to find a new job -- or get out of IT's business. Leaving your keys in the car and only locking the driver's door will keep out only the stupid criminals."
Granted, IT can be a bottomless pit, notes Peter Marsack, director of business development for Vision Computer Solutions, an IT services firm for SMBs. But that can often lead to an irrational fear of all spending.
"The beauty of technology is you can dump a virtually limitless amount of capital at it and still have problems in your technical infrastructure," he says. "Because of this, getting purchasing requests approved can be a tedious process even if the cause is just."
Marsack points to medical companies that refuse to become HIPAA-compliant -- despite the security benefits and the penalties noncompliance might incur -- simply because upgrading all their equipment cost too much.
"I have clients who refuse to replace their 7-year-old computers because 'they still work' even though their staff burns through 10 hours a week just waiting on slow machines," he adds. "Most people think they can just purchase computers, put a network in place, set it, and forget it. We have to explain to them these machines need to be maintained and supported."
Recognizing the enemy: Though you might garner clues from threadbare office furniture or those Windows 98 machines running in the reception area, the only way to know for sure is to ask pointed questions about how the organization allocates resources for technology, says Marsack.
"If they answer, 'We never do that,' or, 'We get things as we need them,' that's a red flag. If they say they devote X amount of dollars or allocate money on a regular schedule, they're more likely to invest the money required."
Your best defense: Gather intelligence. Find an incident where the organization's lack of IT investment hurt its bottom line -- say, a server that crashed or a backup that failed, leaving customers in the lurch -- and exploit it.
"These are the kinds of things that happen when you're not allocating appropriate resources to technology," Marsack says.
Still, he adds, defeating this enemy isn't easy.
"I've not met many people who enjoy writing a check for any amount budgeted for technology, even though their entire company runs on it," he says. "The person with the checkbook is the hardest person to please in the business."
IT enemy No. 3: The Power User[11]
IT enemy No. 3: The Power UserEvery IT pro has stories about plebes who suck the lifeblood from the help desk with questions about their PC's "any" key. But the real threat is posed by users who know just enough to be dangerous [12].
"For me the biggest enemy is not the clueless user, but the clued-in user who doesn't have the whole picture," says Kevin Thompson, information security manager for Minnesota State University at Mankato. "This is the guy that thinks he is helping by running pre-release software he downloaded from BitTorrent. This guy has all the passwords of the other users in his office and acts as the unappointed first line of technical support. Instead, he frequently breaks things."
Not only do Power Users cause support and management headaches, they can be walking, talking security nightmares, says The Security Consortium's Mark Kadrich.
"They're usually engineering types or Ph.D.s who firmly believe they know more about the computer and network than you do," he says. "They insist on having admin/root access so they can 'configure' their custom applications or memory, and believe firewalls are for the unwashed masses. They're 'savvy' and can outwit any hacker on the planet. Besides, they 'don't have anything that a hacker would want,' so why should they worry? Their naiveté borders on the criminal."
Recognizing the enemy: They might be wearing Armani or T-shirts and flip-flops, but they're carrying a jailbroken iPhone in one hand [13], a Palm Pre in the other, and two laptops in their bag. Also: Anyone with a "Dr." in his or her title.
Your best defense: PsychOps. The only way to get a Power User's attention is to scare the hell out of them, then gradually bring them over to your side, says Kadrich. The exact approach depends on the position they hold in the corporate ranks.
"Executives don't give a damn about security, but they do care about their brand," he says. "You tell them, 'What you just did caused a huge number of emails to go out proving how screwed up our brand is.' That generally gets their attention."
For lesser tribe members, Kadrich makes the threat personal. Thanks to the Power Users' meathead behavior, their personal financial information has been compromised; now they have to call their bank and cancel all their accounts.
The second prong of attack? Training and awareness. Low-key regular luncheon sessions talking about the latest security breaches is the most effective way to alter people's behavior, he adds.
"You want to make the people in your organization security ambassadors," he says. "Taking the enemies of IT and converting them into true believers is the best approach."
IT enemy No. 4: The Politico [14]
IT enemy No. 4: The PoliticoAs technology rises in importance across virtually every organization, office politicians will be looking to surf the IT wave into the executive suite -- even if they have to ride on your back to do it.
That's why CIOs who play politics are IT enemy No. 1, says Steven Levy, CEO of Lexician Consulting. "These CIOs don't understand the businesses they serve, and they'll say or do anything to get 'a seat at the table.'"
In the long run, says Levy, they end up undermining the value of IT to the enterprise.
"When they talk about reducing complexity, they mean cutting the number of applications IT has to support, not simplifying the life of the business customers they serve," he says. "They talk about IT being up to date and then can't figure out how to roll out a new version of Windows or Office until three years after it shipped. They hire bureaucrats that they think are technocrats, but the technologists in IT laugh at their skills. And they're terrified by the idea that departments and business teams might develop their own applications, seeing that as a threat to their fiefdoms rather than as a way to help the business support itself."
Recognizing the enemy: Look for managers who've mastered the art of talking out of both sides of their mouths at the same time, says Levy.
Your best defense: Dig a trench and try to outlast them. Effective CEOs are veterans at spotting those playing office politics, and the CIO honeymoon period may be short, notes Levy. Or make allies with high command to shield yourself from radioactive fallout when things implode.
"The best solution is to get the business leaders in the C-suite or with highly respected voices to laud your work and talk up your solutions, thus covering your back in a way that the CIO can't effectively undermine," says Levy.
Next: IT enemy No. 5: The Freeloader [15]
IT enemy No. 5: The FreeloaderIf you know anything about technology, you've surely encountered this time- and patience-sapping foe. A "simple" question about computers morphs into demands for free 24/7 tech help when you have actual paying customers to support.
"The absolute worst offenders are people who assume that they can pick up the phone and call you anytime they have even the most minor computer problems," says Dan Nainan, a comedian and "computer genius" whose acting credits include an "I'm a Mac" commercial [video] [16] (he's the guy in the bubble wrap). "Having been a senior engineer with Intel and a computer nerd for my entire adult life, I am beset on all sides by people who think they can just pick up the phone and call me anytime with a computer question. Haven't these people ever heard of Google?"
Clueless and greedy users are the No. 1 enemy, agrees Howard Sherman, founder of on-demand tech support site RoyalGeeks. "They don't have a clue, don't want a clue, and don't even know what a clue is, yet they expect you to answer each and every question they have at work, on the golf course, at a dinner party, the bar, or a bar mitzvah. They shamelessly suck the knowledge out of you, in addition to your will to live."
Recognizing the enemy: When they find out what you do for a living they immediately (a) ask for your card, (b) start flirting shamelessly, or (c) launch into a tale of technical woe.
Your best defense: If possible, retreat. "When you spot a user like this just start running down the hall screaming," suggests Sherman.
Unfortunately, since you're often related to these people, you will eventually run into them at weddings and funerals. Dan Nainan keeps a short list of those who deserve tier-one support -- like his agent or the superintendent of his NYC apartment building. The rest he sends to voice mail or redirects to actual tech support lines. "I find if you wait 24 hours the problem solves itself -- or they've found some other sucker to fix it for them," he says.
IT enemy No. 6: You/Me/Us [17]
IT enemy No. 6: You/Me/UsWe have met the enemy and he is us, to quote Pogo's Walt Kelly. When things go wrong with technology, IT people often have no one to blame but themselves [18].
"I'd say human nature is the primary 'enemy' of IT people," says Vladimir Chernavsky, president of DeviceLock, provider of data leak prevention software. "We as humans can be reckless beings who don't feel the need to follow protocols at all times. We can take things for granted, which will result in doing wrong or stupid things, creating havoc and annoyance for people working in IT."
Scott Dunlap, author of "The Dung Beetle Manager [19]," says IT people can be their own worst enemies [20], in part due to both an excess of optimism and overconfidence in their own abilities.
"IT people want to say yes and they want to impress," he says. "But what ends up happening is that, each time they try to circumvent normal procedures for deploying enterprise IT, they end up taking some shortcuts around some hard but necessary steps. Just like you can't make a baby in four months, you can't make IT work without following the right processes."
Recognizing the enemy: Look in the mirror, my friend.
Your best defense: Return to boot camp. Discipline and training help IT pros avoid succumbing to their weaker natures, says Chernavsky. However, no matter how well trained you and your IT colleagues may be, you'll still have to deal with users who aren't, he adds.
"Adopt a disciplined process and hold to it as much as the physics and politics of your systems will allow," advises Dunlap. "Anchor yourself to a good foundational systems-engineering and software-development process. That's the only insurance you have against a lot of stuff getting out of hand."

Cloud storage hype: Customers not buying it

2010-01-26T10:04:00.001-06:00

For all the hype around cloud computing, few business customers are actually storing data on Web-based platforms, according to a new study that casts doubt on the popularity of cloud storage.
Just 3% of companies have implemented cloud storage, and the vast majority of the customers have no plans to put data in the cloud, according to a survey of 1,272 IT decision-makers at enterprises and SMBs in North America and Europe.
FAQ: Cloud computing, demystified
Storage vendors and IT professionals both have spent much time discussing the cloud over the past year, because data storage needs are growing at least 30% per year while budgets stay flat, writes Forrester analyst Andrew Reichman in the report ?Business Users Are Not Ready For Cloud Storage.?
But so far, ?this is just talk,? Reichman states.
?Respondents in all geographies and of all company sizes appear to have little interest in moving their data to the cloud any time soon,? he writes. ?There is long-term potential for storage-as-a-service, but Forrester sees issues with guaranteed service levels, security, chain of custody, shared tenancy, and long-term pricing as significant barriers that still need to be addressed before it takes off in any meaningful way.?
The Forrester survey asked IT decision makers if they have any plans to adopt cloud storage services such as Amazon S3, EMC Atmos, Nirvanix, The Planet, or AT&T.
Forty-three percent of respondents said they are not interested in cloud storage, and another 43% said they are interested but have no plans to adopt. Three percent plan to implement a cloud storage platform in the next 12 months, and another 5% plan to do so one year from now or later.
While 3% of respondents have already implemented cloud storage, only 1% are expanding an existing implementation.
In general, enterprises are slightly more interested in cloud storage than small- and medium-sized businesses, and interest in cloud storage for backup is greater than interest in general purpose storage clouds, Reichman says. The market has numerous mature backup services such as Asigra, EMC?s Mozy, i365, IBM Business Continuity and Resilience Services and Iron Mountain, he writes.
?Why the greater interest and adoption of backup-as-a-service? First, it?s a complete service offering, not just CPU or storage capacity,? he writes. ?You get the backup software intelligence and storage capacity in a fully managed service. Second, it?s solving a very specific pain point ? the pain of bringing a costly and error-prone, but very necessary, IT function under control. This is in contrast to storage-as-a-service offerings where the user has to figure out how to put it all together.?
Overall, though, storage-as-a-service offerings still need time to develop, Reichman says. Before adopting, customers need to consider how cloud storage integrates with existing applications and processes, and analyze the total cost over at least a three-year period.
?The hype is strong around storage-as-a-service, but given the fact that your peers are adopting it very slowly, it makes sense to wait on this,? Reichman writes. ?It?s likely to be several years before offerings are mature, so don?t rush into anything here.?
Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin
Original story - www.networkworld.com/nwlookup.jsp?rid=198462

UK businesses not prepared for Olympics challenge | Business - InfoWorld

2010-01-18T16:35:00.001-06:00

UK businesses not prepared for Olympics challenge | Business - InfoWorld

Posted using ShareThis

Almost 60% of small firms admit their business suffered from last week's snow through lack of business continuity, shows GoToMyPC poll

2010-01-18T16:33:00.000-06:00

Almost 60% of UK small businesses admit their business suffered as a result of the winter weather last week, despite 78% saying they thought their company was prepared to cope with the snow chaos, according to a survey commissioned by Citrix GoToMyPC.
The YouGov poll of over 500 senior decision makers at small firms showed some firms did take measures to improve business continuity. The survey found that 25% of companies enabled more staff to work from home, and 10% held more online meetings. But small businesses could have done more to prepare, as only 42% said they have a business continuity plan in place.
A quarter of small firms said staff were late into work, while 26% reported that some staff couldn’t make it into the workplace at all. In addition, 21% found that key suppliers and contacts were not available, and 26% had to cancel or postpone business meetings.
As many as 74% of British workers were affected by last week’s winter conditions, with 8% forced to stay home due to school closures and 12% not able to work at all, according to a related GoToMyPC study of more than 2,000 adults.
Andrew Millard, director of eCommerce EMEA for Citrix Online’s GoToMyPC, said, “Many businesses thought they were sufficiently prepared to handle the snow, but the sheer scale of the disruption and a lack of planning from the government has taken its toll. With more snow on the way, now is the time to revisit or put in place business continuity plans."
Citrix GoToMyPC top five tips for businesses to stand them in good stead for handling the unexpected:
Communicate clearly in advance with your workers so that they know what they need to do if they can’t get into the office.
Equip employees with remote access and web conferencing technology.
Communicate with your customers – let them know of potential problems as early as possible and keep communication channels open.
Consider alternatives – for instance, conduct meetings online instead.
Put in place a business continuity leader responsible for coordinating efforts and informing all staff of the potential impacts and company policies.

Snow puts business continuity plans to the test - 07/01/2010 - Computer Weekly

2010-01-11T13:26:00.000-06:00

Snow puts business continuity plans to the test - 07/01/2010 - Computer Weekly

UK government needs to do more to raise awareness of business continuity: BIBA

2010-01-05T13:59:00.000-06:00

The British Insurance Brokers’ Association (BIBA) is calling on the government to help raise awareness of business continuity after independent research commissioned by BIBA revealed that 45 percent of businesses have no, or at very best, rough plans business continuity plans.
Steve Foulsham, BIBA technical services manager, commented: “There have been slight improvements since our previous research in 2006 but we still have concerns that businesses are still not adequately protected. Every business needs to be properly prepared for a major incident. I urge every small business to urgently speak to their broker to ensure they are properly covered.”
Steve Foulsham added: “It is vital to raise and maintain awareness of the need for businesses to prepare for the potential impacts of a natural disaster or terrorist attack. The Buncefield Oil Depot fire, 7/7 bombings and continued incidents of flooding illustrate the need for all to plan for the unexpected.
“BIBA will call for the support of the government in campaigning for all businesses to set continuity plans in place.”
Key findings from the BIBA survey included:
* Businesses are most likely to plan for the loss of physical equipment; loss of IT, premises, telecommunications and plant are the risks most likely to be covered by business continuity plans.
* BCPs are least likely to address negative publicity and the loss of overdraft and loan facilities.
* Only 37 per cent of businesses have credit insurance protection in terms of their suppliers and / or customers.
* The number of businesses saying a disaster or serious disruption on their premises would ‘significantly impact’ their company within an hour has increased slightly, from 19 percent in 2006 to 24 percent in 2009. However, the number saying the impact would occur after an hour but within the day has decreased by a corresponding number – from 31 percent to 27 percent.
* Businesses are now more pessimistic about their ability to operate without their office than they were in 2006. The number saying that if a disaster left their office unable to operate they could recover in less than a week has dropped from 39 percent in 2006 to 28 percent in 2009.
* The numbers who claim it would take more than six months for their business to recover has nearly trebled – from 4 percent in 2006, to 11 percent in 2009.
* Few (15 percent) of the directors interviewed were aware of BS 25999.
* There has been a slight rise in the number of businesses with comprehensive business interruption cover; from 84 percent in 2006, to 88 percent in 2009.
* Of the businesses who have rough or no business continuity plans, 66 percent felt that they could cope without a written plan, 34 percent felt that a putting a formal plan together would be too time consuming and 26 percent had never thought about it or would not know where to start.
* 43 percent of businesses have no protection against denial of access to their business premises. This is available as an extension to business interruption insurance.
* Of the businesses who were affected by the 2007 floods, 60 percent were affected by loss of plant or equipment, 30 percent were affected by loss of premises and 30 percent were affected by sudden significant decrease in trade or demand.
* 61 percent of businesses felt that the financial security rating of their insurance company was important.
biba.org.uk

Lack of Telework Preparedness Puts Business Continuity in Danger?

2009-12-15T10:13:00.001-06:00

Research from Telework Exchange finds organizations expect employees to work from home in a pandemic, yet don't provide adequate resources

By Joan Goodchild, Senior Editor December 10, 2009 — CSO —

A study released this week claims many organizations have an inflated sense of confidence about just how seamless it will be to allow staff to telecommute if the need should arise.
The study, conducted by Telework Exchange, a public-private partnership focused on expanding telework adoption, surveyed 301 public-and private-sector IT decision makers about their business continuity and mobile IT infrastructure. The research, titled "Mobilizing Against Pandemic," reveals that 81 percent of government and business IT decision makers have written business continuity plans, but both sectors report implementation challenges and lack assurance that employees could work remotely during an emergency. The report finds 44 percent of government agencies and 22 percent of businesses do not provide remote network access to all employees.
Why aren't more businesses prepared to give remote access to staff? According to respondents, nearly one in three organizations experience management challenges while testing their business continuity plans. Encouraging managers to telework and implementing performance-based management processes can help engage management to accept a more mobile workforce, research authors suggested.
The research also recommends IT departments do a full evaluation of the security features of remote equipment assess current mobile equipment inventory to meet emergency requirements. Survey respondents admitted one in seven laptops in their organization lacks built-in security. Organizations must select laptops with integrated security features, including encryption, according to the study's authors.

Disaster Recovery Is All About Imagination

2009-12-03T14:26:00.000-06:00

Within our IT-centric world, we tend to forget that disaster recovery is more – much more – than getting mission-critical data restored. In fact, getting the data back might be the easiest part of the process. Tougher is knowing what is going to happen with that data after it is restored.

Take a large disaster, for example. How will your employees gain access to that data? What about your customers? What happens if your key users are no longer available to use the data? (After all, you have just experienced a disaster.) Many of our basic assumptions are probably not correct.

And what about the smaller, more common disasters? What happens if you lose a single mission-critical system? Have you thought about how you would exist without that system for some period of time? It is these kinds of disasters that surprisingly require the most thought.

Disaster recovery is about imagination. A simple exercise involving key business and IT folks sitting around a conference table and imagining what disaster could happen -- and what might happen afterward -- can set a business on the right course. If you give thought to something before it happens, the chances of a better reaction are higher.

For this exercise to be most effective, it is essential that you involve as many people outside of IT as possible. If this is an IT-only exercise, it will be much less effective. Use your other stakeholders. Their impressions are probably different from yours; different, but equally as valuable.

The steps below will guide you in your imagination process.

1. Imagine the most likely events that will cause disruption within your data center.

For most of us there are perhaps two or three events that will wreck our ability to conduct our business. Some are geographical: hurricanes in the southeastern Unites States, earthquakes in California or tornados in the Midwest. Other problems like water main breaks, fires, etc., do not have a geographic component and can affect any of us.

Part of your exercise is to think about which of these could happen and to assess what the impact might be. Impacts include the inability to access your data center or your entire site or the unavailability of key personnel who cannot reach your site, etc.

Some events are smaller than others. For instance, an event could be as simple as losing the telephone lines into your site. This is probably more likely than the hurricane and will cause as much disruption. Focus on these. They are much more likely to occur. Much of our disaster recovery planning involves worrying about things that will not happen while ignoring those that are much more probable. Granted, the Black Swan event, the highly unlikely event, will be devastating, but do not become too focused on it. The smaller disasters will hurt just as much and are more likely to happen.

Think of as many of these events as you can, contemplate each and rank them according to how likely they are.

A good template for the discussion might be “What would we do if…” Let your imagination run wild. The more of these you think of now, the more likely you are to recover from them when they happen.

2. Determine the business impact of these events.

Again, some events have a greater impact than others. It may be that the relatively small event, like losing Internet access, has a higher impact on your business than a hurricane, especially since it is more likely to occur. In some cases, a catastrophe like the hurricane will make it impossible to conduct business afterward.

Many events will be localized. You may lose your e-mail database. The rest of the data center is up and running but your mission-critical communications application is down. What is the impact of this?

Business impact has two components: the criticality of the application and how long it will be inaccessible. List both of these components during your exercise.

Good questions are, “How much will it hurt if it is down for an hour? How much if it is down for a day?”

3. Rate the business impact from high to low.

There are lots of applications in most of our environments. Some are much more critical than others. Many of the things that can happen are simple annoyances while some can be devastating fairly quickly. Rate the impacts to your business.

Dollar impacts can often be elusive, but getting to this critical metric will be helpful in the later stages of the exercise. If you know how much one of these will cost, you will find it easier to gain funds to mitigate them. There may be a relatively inexpensive way to avoid the problem.

4. Develop a comprehensive plan to recover from each event, starting with the high impact events.

Pick the event that will have the most impact on your business. Imagine how you would maneuver around it.

Using e-mail as an example, it may be possible to use an alternative communications path. Perhaps most of your key employees have external e-mail accounts. Knowing their addresses and having a plan to switch communications to that path might be adequate to mitigate your e-mail outage.

The plan must be complete. Trying to plug the holes in your plan while in the middle of the outage does not work. The additional stress of knowing many are counting on you will not help your performance.

5. Develop the “Exist Without” process.

The outage will persist. What will you do while you cannot use that application? Will business come to a grinding halt?

It is essential to have a variety of plans in place based on the expected length of the outage. If the outage is short enough, perhaps you simply hunker down and wait it out. For longer outages, though, the business impact starts to be a problem. It is here that you need a well thought out Plan B.

Since this is an imagination exercise, you might as well think of many “exist without” scenarios. Some make more sense than others. Some are easier or harder to implement. Determine the best one to use and go with it.

6. Getting back to “Business as Usual.”

Once the application is back online, you must transition back to your normal business plan. Again, having a developed plan is important. Unwind what you’ve done and move on.

Application outages and disasters, both big and small, are part of our IT fabric. It is what we do about them that matters. If we simply spend an hour or two imagining what we would do, we will be ahead of the curve when the the disaster happens. Better yet, imagine how much better prepared you could be if you put a formal plan in place.

Time to let your imagination go wild.

Virtualized Disaster Recovery: Obvious Benefits, Hidden Obstacles

2009-12-02T16:13:00.001-06:00

Introduction
Virtualization has been widely used to speed application deployment, improve IT utilization rates, and reduce costs. Today’s “doing more with less” virtualized data centers require a closer management eye since problems on dense consolidated infrastructure impact more people – employees, partners and customers – then in more distributed, less utilized, and less stressed systems.

Just like their non-virtualized counterparts, virtualized infrastructures require a plan for when a business disruption or disaster strikes. Also like their non-virtualized counterparts, local redundancy while enhanced due to virtualization-enabled high availability and pooling of resources, only goes so far. It can never be a substitute for a second geographically segregated disaster recovery site. While the same disaster recovery tenets apply, the relative newness and consolidated nature of virtualized machines make individual components more critical and thus mandate a more deliberate and comprehensive approach using unique technology components to ensure a successful outcome.

The following is an executive level overview of Virtual Disaster Recovery (VDR) benefits and planning considerations
Virtual Disaster Recovery – Benefits

The benefits of VDR are very apparent for those who have virtualized their production environments. Besides reaping the same cost and flexibility attributes that virtualization brought to the production environment, a second remote DR location tuned for virtualization can greatly benefit from the enhanced reliability and speed with which virtualized applications can be recovered on separate hardware platforms in a different location. This is critically important when time is of the essence - when a production data center becomes unavailable.

Going a little deeper, one of the core capabilities of virtualization is physical hardware abstraction. This enables utilizing different hardware, brands or versions, so long as the x86/x64 chip set is consistent i.e., Dell to HP not AMD to Intel or HPUX to AIX. Virtualization greatly mitigates problems stemming from recovering a physical server on two disparate hardware brands, such as a Dell 2950 on an HP DL380 or even an HP DL380 to a DL580. Virtualization allows companies to mix and match their production and DR assets. Besides eliminating the need to buy two of everything and having to rigorously maintain all the system levels in lock step, organizations now can opportunistically provision their DR locations, even as “hand me downs,” from production or development. Further cost savings can be realized through provisioning with less robust equipment still capable of maintaining production in a limited capacity or for limited time until reinforcements can arrive.

Even further cost savings are possible if the DR site and strategy are architected where many resources are mapped to fewer. This “many to one” ratio, as it is sometimes called, allows companies to get the most out of a lesser number of servers compared to the production site. This may be a reasonable approach for organizations that are unlikely to lose their entire production capability; or if they do, can operate in a degraded performance mode until the production site is available again.

Virtual Disaster Recovery – Organizational Planning Considerations
It is expected that organizations running virtualized production should recover in a like manner - virtual to virtual. But what about organizations that have a mix of both virtualized and traditionally hosted applications? As in most areas, complexity compounds as more methods of recovery are deployed.

The truth of the matter is that most organizations have important applications deployed both virtually and in native physical operating environments, some of which may never be virtualized. A disaster recovery plan must address both operating environments and establish recover point objectives (RPO) and recover time objectives (RTO) for the applications as well as interdependencies and recovery order. For example, an individual email server may have a low RTO and RPO for a particular business unit, but that server may play a vital part in a higher priority business process (such as order management).

An application’s RPO and RTO primarily drive the DR solution plan. While the DR solution components and method are influenced if production is hosted on a virtual machine (VM) or in a native operating environment, at the end of the day, the solution must account for these hosting factors and deliver the required RPO and RTO.

Ideally, a disaster recovery plan should leverage a single DR solution to recover an organization’s virtual machines and native hosted applications. In some cases this might be possible, but in most cases, the differences in operating environments, information criticality and information availability needs may make a tiered solution approach more practical.

That being said, however, it makes sense to leverage common DR solutions whenever possible. Look for common operational system environments, similar RPOs and RTOs, compatible application hosting capacity, and performance levels. An example would be leveraging one off-site back up and recovery solution that uses the same backup sets for physical and virtual protection versus a best-of-breed back up just for virtual. In a recovery, more steps differing process for restoration create more opportunities for human error or system/process failure.

Taking the example a step further, if one can find a common solution that can protect both virtualized and native applications having the above parameters, all the better. This solution could be described as hybrid solution offering both V to V, P to P or P to V recovery.

We touched on the high level DR planning aspect that an organization with virtualized applications should consider. It can be paraphrased as this: be sure to build a virtualized DR solution that integrates with your organization’s overall DR plan and leverages common solutions whenever possible.

Virtual Disaster Recovery Solutions
Before we further discuss disaster recovery solution, here’s a small piece of advice. Take advantage of the tools offered by leading virtualization vendors such VMware and Microsoft to help promote intra-site high availability. This should always be your primary recovery option -- cost, access to a second site and skills permitting -- as it is always faster to first failover locally whenever you are able.

Now that we have a context for a VDR solution, let’s consider some specific challenges for Virtual Disaster Recovery. Disaster recovery comes into play when the local failover capability is not an option, i.e., all of the servers are effected or the failover capability, well, fails. These unplanned events can be caused by natural disasters, such as hurricanes and floods, but are more often caused by incidents due to human error.

Without having power, or not enough reliable power (think rolling power outages prevalent in California); the best option is to utilize an available second site in an alternate geography which will not be impacted by regional power outages or adverse weather conditions.

True disaster recovery mandates that a “copy” of an organization’s information resides offsite and suitable IT recovery platforms are quickly available for use. This “copy” can range from daily tape back-ups, periodic vaulting across the Internet, or real-time data replication across robust network connections – with these options providing (in order) decreasing RPOs and RTOs and increasing cost and complexity profiles.

As many organizations deploy virtualization to increase application agility and availability, consider real-time data replication as it best mirrors these objectives. Solutions such as VMware’s VMotion, and HA and DRS products and capabilities do a great job of managing and moving VMs and their data within a common data center location. However, they cannot by themselves replicate the data to a remote location that serves as a disaster recovery site. Therefore, a remote data replication solution must be integrated with the organization’s hypervisor (VMware ESX or Microsoft’s Hyper-V, for example) to get the data offsite. There are a wide variety of data replication solutions, with varying degrees of integration that can augment the example hyper-visor products, but most fall in to one of two categories: server/host based or storage/array based. VMware has integrated its Site Recovery Manager with leading storage/array based replication solutions.

As one might expect, each of these vary in cost/performance levels and extent of support for various operating environments. At one extreme, server-based replication solutions are the most affordable, cater to Windows and Linux environments and are best suited for small to mid-size workloads. For mid-range performance and pricing, appliance-based replication solutions are very flexible since they may have multi-vendor storage support, diverse operating systems and offer scalable performance. The appliance-based solutions generally require the client to use SAN storage, rather than internal or directly attached server storage.

Storage or array based replication are at the other extreme and offer the highest performance and price tag. Storage-based replication is usually specific to a given storage vendor’s architecture – and offers no support for heterogeneous storage environments. However, only storage replication solutions can span the complete operating environment spectrum, from small windows servers to the largest mainframes. The catch is that all these operating environments need to be serviced by the same SAN architecture.

Remote data replication solutions are reliable and well-established. Third party providers now offer the “replication engine” and second target site as hosted solutions. A hosted second site tuned for both the replication method and virtualization can take the complexity and capital expenders out while helping to meet application RPOs and RTOs

Virtual Disaster Recovery Conclusions
So how does one arrive at a DR solution for their specific virtualized machine environment?
Find a second site to act as your DR site. Disaster recovery mandates a secure and suitably remote second site.
Quantify your application RPOs, RTOs, and operating environment and performance requirements.
Consider the degree of integration and support between your deployed hyper-visor and the available data replication solutions.
Examine your VM application’s workload requirements and how powerful of a remote data replication engine is required. In addition to your VMs, if you have non-Windows or non-Linux native applications, note that server-based replication is very limited for those environments.
If you are using SAN technology for your VM production – then you have plenty of remote replication choices. If not, then you are limited to the server-based data replication solutions for your VMs.
Ideally, one would like the same data replication solution to work equally well for both VMs and native applications. Most data replications solutions do support both application environments however the extent and degree of VM support varies.
If you are running into challenges meeting any of these, consider a service provider that can supplement skills, provide a geographically separate second, and minimize capital expenditure.

There are plenty of considerations and trade-offs to be made when selecting the best disaster recovery solution for your physical and virtual environments and disaster recovery plan objectives. The good news is there are many options that can effectively meet your objectives, as well as providers which offer pre-integrated solutions combining virtualization and remote data replication technologies to make virtual disaster recovery feasible and practical for organizations.

HBOS power failure highlights importance of business continuity planning

2009-12-01T15:20:00.001-06:00

Neil Stephenson, CEO of Onyx Group, discusses the recent HBOS crisis and explains why disaster recovery will remain a business bugbear if not managed properly.

In November HBOS suffered a datacentre power failure which meant all Halifax and Bank of Scotland branches were unable to provide services - including cash machine, over the counter and online facilities - to customers for nearly a full working day.

The power cut, which was caused by severe weather conditions, questioned the quality of datacentres organisations are using to store critical data. It also highlighted an issue that is often brought to the fore following incidents like this - how disaster planning continues to catch businesses out time and time again, greatly impacting on a business' operations.

The HBOS incident has put a question mark over how safe data of large public organisations, which hold sensitive information and deliver essential customer services, actually is.

It is of utmost importance that the datacentres used provide a secure and resilient environment for data storage. Purpose built datacentres where environments are carefully selected, with features uniquely chosen to meet specific business needs are a much better option than facilities who use has simply been converted.

The power failure that affected HBOS could have been avoided if its contracted supplier had provided not only back-up power generation, but also insured that secondary or tertiary sites at which to store back-ups of data were made available. It is also vital to put in place a contingency plan to cater for loss of connectivity in case any of the many provider routes falter. The ability to re-route in the event of a problem on a network will avoid any unnecessary downtime.

The loss of service by the bank ultimately highlighted a failure in business continuity. Organisations must understand that it's not enough to simply have a disaster recovery plan in place - they need to ensure that it works in an event of a crisis.

As HBOS unfortunately realised last week, a fundamental part of any business continuity plan is regular, ongoing assessments and rehearsals of it to ensure it works when disaster strikes. Recent research, however, shows that while many companies have business continuity systems in place, only a staggering 26 per cent regularly test their plans.

Incidents like HBOS will continue to happen, disrupting business service if organisations don't ensure the very basics are covered when it comes to crisis preparation.

Survey: Most Companies' Employees Cannot Work Remotely During a Crisis

2009-11-23T14:22:00.000-06:00

By Matthew Harwood
11/23/2009 -
The majority of employees at approximately three out of four organizations could not work remotely if they had to, according to a new survey.
The survey commissioned by Cisco and conducted by InsightExpress validates concerns that U.S. organizations, both public and private, could not continue operating if major business interruptions occurred, such severe weather, mass illness, major road closings, or public transit strikes. The survey was taken by 502 IT professionals from organizations large and small spanning five industries: healthcare, finance, retail, education, and government.
Only about one in four IT professionals said that 50 percent of their workforce could currently work remotely. When companies do provide remote access they generally do so through company-owned laptops, followed by smart phones. The survey also discovered that the healthcare and finance sectors were more likely to give workers the ability to work remotely than the retail, education, and government sectors.
Most of the IT professionals whose workforces do not have the ability to work remotely said that "business requirements do not necessitate it." Other reasons included budget constraints and security fears.
According to the survey slides shared with Security Management, Cisco, which offers remote access solutions, argues that businesses that do not implement remote access solutions because of budget constraints have their cost/benefit analysis all wrong.
"In most cases, cost to implement remote access across an entire workforce is a fraction of what the loss of business would be if employees could not work remotely during a crisis," the slide says.
According to Fred Kost, director of security solutions marketing for Cisco, remote access solutions don't have to be expensive, with simpler solutions costing only tens of dollars per employee.
More interesting, says Kost is that business continuity and resilience was not the main driver for implementing remote access for workers. Only 15 percent of respondents listed "pandemic or other disaster preparedness" as their top business driver.
Rather most respondents highlighted remote access' ability to create a better work environment with 71 percent saying it "increased employee productivity" and 55 percent saying it "enables efficient and competitive business operations."
While Cisco was surprised by these results, Kost says it makes sense. While remote access can certainly allow workers to do their jobs when a business interruption occurs, it has many other pros: a better work/life balance for employees, decreased overhead costs for businesses, and reduced carbon emissions due to less employee commuting for society as a whole.
Nevertheless, a recent event near Cisco's San Jose headquarters showed the utility of remote access when things do go wrong, according to Kost. At the end of October, two rods and a crossbar of the Bay Bridge came crashing down into the evening's rush-hour traffic. The bridge, which connects Oakland and San Francisco, was closed for six days resulting in a commuter nightmare. At times like these, he says, telecommuting can be a savior.
It was a sentiment echoed online.
"I suppose I may telecommute a bit more than usual during the Bay Bridge mess, and encourage our staff to do the same," blogged Marina Park, the CEO of the Girl Scouts, at SFGate.com.
"IT departments should take note: Secure remote access and business continuity go hand-in-hand," Kost says. "Technology that lets workers outside the office securely connect to the corporate network is a win for employees and employers."

Few US firms ready for workforce disruption: survey

2009-11-23T14:19:00.001-06:00

WASHINGTON — A survey published Monday of information technology managers at over 500 US-based companies has found that only about one in four has enabled more than half their workforce to work remotely.
Only 27 percent of those surveyed on behalf of Cisco, a major US provider of networking solutions, has equipped more than half their workers with the laptops, smartphones and private networks to allow them to work remotely in case of a major disruption of daily worklife.
Fifty-three percent said less than half their employees were set up to work remotely and 21 percent said none of their employees could do so.
Company-owned laptops (63 percent) and smartphones (46 percent) were the leading devices supplied by companies to provide remote access to employees, the survey found.
Thirty-eight percent said business requirements did not necessitate equipping more of their employees with the technology that would allow them to work outside the office.
Twenty percent listed budget constraints while 15 percent cited security concerns as a deterrent to providing more remote access for their workers.
Twenty-two percent of those surveyed said their current remote-access solutions have positioned their companies for business continuity in the event of workforce disruptions such as transit failures or natural disasters.
Fifteen percent listed "pandemic or other disaster preparedness" as a top business driver for providing remote access to employees.
Seventy-one percent said employee productivity is a key business driver for providing remote access and 62 percent of those who have adopted mobility and remote-access technology said it has resulted in increased productivity.
"Secure remote access and business continuity go hand-in-hand," said Fred Kost, Cisco's director of security solutions marketing.
"Companies that have made secure remote access broadly available have realized improved efficiency and continuity of operations."
The survey of 502 IT decision-makers from US-based companies working in the health care, retail, finance, government and education sectors was conducted by InsightExpress for Cisco between September 30 and October 6.
The companies surveyed ranged from fewer than 20 employees to more than 10,000 employees with about 33 percent employing more than 1,000 workers.

Consumer Business organizations should refocus security efforts to better respond to threats

2009-11-18T10:00:00.002-06:00

The FINANCIAL -- Many consumer business organizations are not focusing on the right areas to best respond to threats, according to the inaugural Deloitte Touche Tohmatsu (DTT) 2009 global Consumer Business security study, "Security can’t be discounted", released on November 17.

Infrastructure, security governance, insider threats, and budgets are among the areas that need to be re-examined in light of the current information security threat environment, the study reveals.

The DTT Consumer Business study is based on discussions with information technology executives and information officers of global consumer business organizations, and includes perspectives and commentary from Deloitte member firm subject matter experts.

“Consumer business organizations are the ‘front lines’ when it comes to customer information because of the amount of personal and financial data with which they are entrusted,” says Adel Melek, DTT Global Security, Privacy & Resiliency Leader. “Our study found that the industry needs to re-focus its information security efforts to best respond to increasingly sophisticated and innovative threats.”

The DTT study reveals that, in many areas, consumer business organizations are simply not focusing on the right areas to best respond to the threats that face them:

Many organizations still consider information security primarily a technology infrastructure issue. Fifty one percent of respondents identify their top security initiative for 2009 as security infrastructure improvement.
Respondents are placing a less prominent focus on security governance – 53 percent of organizations are operating without an approved security governance structure, despite the fact that security governance helps to ensure that proper security controls are in place.
Managing insider threats receives a low ranking among top security initiatives for 2009 – only 10 percent of organizations interviewed identify it as their top priority, despite respondents acknowledging that people, including third parties, are their organizations’ weakest link.
Additional findings include:
Business continuity and disaster recovery have been neglected in the past but are getting more attention. Only 9 percent of responding organizations have an enterprise-wide business continuity plan that has been documented and approved for all critical functions. But this is not a state that respondents are satisfied with, since disaster recovery is the second most-mentioned security initiative for 2009.
Consumer business organizations have a “last one to adopt” approach when it comes to security technology. When asked which category best describes their organization’s adoption of security technology, 52 percent of respondents state that they are “late majority”, meaning that they are content to use technology that is “proven”. However, old hardware and out-of-date technology may put customer data at risk.

Consumer Business organizations should refocus security efforts to better respond to threats

2009-11-18T10:00:00.001-06:00

The FINANCIAL -- Many consumer business organizations are not focusing on the right areas to best respond to threats, according to the inaugural Deloitte Touche Tohmatsu (DTT) 2009 global Consumer Business security study, "Security can’t be discounted", released on November 17.
Infrastructure, security governance, insider threats, and budgets are among the areas that need to be re-examined in light of the current information security threat environment, the study reveals.

The DTT Consumer Business study is based on discussions with information technology executives and information officers of global consumer business organizations, and includes perspectives and commentary from Deloitte member firm subject matter experts.

“Consumer business organizations are the ‘front lines’ when it comes to customer information because of the amount of personal and financial data with which they are entrusted,” says Adel Melek, DTT Global Security, Privacy & Resiliency Leader. “Our study found that the industry needs to re-focus its information security efforts to best respond to increasingly sophisticated and innovative threats.”

The DTT study reveals that, in many areas, consumer business organizations are simply not focusing on the right areas to best respond to the threats that face them:

Many organizations still consider information security primarily a technology infrastructure issue. Fifty one percent of respondents identify their top security initiative for 2009 as security infrastructure improvement.
Respondents are placing a less prominent focus on security governance – 53 percent of organizations are operating without an approved security governance structure, despite the fact that security governance helps to ensure that proper security controls are in place.
Managing insider threats receives a low ranking among top security initiatives for 2009 – only 10 percent of organizations interviewed identify it as their top priority, despite respondents acknowledging that people, including third parties, are their organizations’ weakest link.
Additional findings include:
Business continuity and disaster recovery have been neglected in the past but are getting more attention. Only 9 percent of responding organizations have an enterprise-wide business continuity plan that has been documented and approved for all critical functions. But this is not a state that respondents are satisfied with, since disaster recovery is the second most-mentioned security initiative for 2009.
Consumer business organizations have a “last one to adopt” approach when it comes to security technology. When asked which category best describes their organization’s adoption of security technology, 52 percent of respondents state that they are “late majority”, meaning that they are content to use technology that is “proven”. However, old hardware and out-of-date technology may put customer data at risk.

Call of Duty: The New Demand for Business Continuity Professionals

2009-11-17T16:18:00.000-06:00

Once Seen as "Insurance," BC/DR Pros Now Valued for Information AssuranceNovember 12, 2009 - Upasana Gupta, Contributing Editor

When Anne Marie Staley first became a business continuity/disaster recovery (BC/DR) professional, many organizations minimized the role.
"Until recently, most organizations treated business continuity like health insurance," says Staley, Senior Manager of Business Continuity Planning and Disaster Recovery for North America at the New York Stock Exchange. "[They focused on] getting the cheapest coverage, hoping nothing ever happens, reluctantly paying the premium each month and praying that when the inevitable happens, they have enough coverage."
Times clearly have changed. In this post-9/11 world, BC/DR functions have emerged to play critical roles in protecting organizations from natural, man-made and pandemic disasters. "We are now seeing a wonderful convergence and subsequent maturity in the form of a new paradigm of business continuity management which involves more formal risk management practices integrated with information security," Staley says.
With the emergence of BC/DR comes a greater emphasis on hiring professionals with the right skills and credentials.
The Right StuffRisk assessment skills have become significant in business continuity, says Stephanie Balaouras, Principal Analyst at Forrester Research. In the past; organizations often focused their BC/DR efforts on natural disasters and overlooked mundane events that actually cause most disruptions -- power outages, IT failures and human error. But leaders have come to realize that they must take the time to conduct a more comprehensive risk assessment to identify all probable risks to safeguard company reputation and meet the expectations of customers, external parties and internal auditors.
"Executives are forced to pay close attention to the areas where businesses are struggling: testing more thoroughly and frequently, involving business owners in the process from start to finish, and ensuring the business continuity readiness of strategic partners," Balaouras says.
Also, the emergence of increased threats such as pandemic outbreak, recession, power outages, terrorism and cyber fraud pushes the need for qualified business continuity professionals. "All of these events are uncomfortably recent, and as we've learned, any of them can bring a country or community -- let alone a single firm -- to a standstill," says Steve Ross, Executive Principal, Risk Masters, Inc., a New York-based business continuity and crisis management consulting firm.
The key questions: Who are the right people, and what role do they play within an organization?
"The right fit for business continuity function is professionals coming from a risk management background with exceptional risk monitoring, measuring and mitigating skills," says Cheyene Haase, President of BC Management, Inc. an executive search firm that places business continuity, disaster recovery, information security and emergency management professionals internationally. Key Credentials
Among the business continuity credentials most demanded by employers, Haase says:
Certifications: Professionals holding industry certifications such as CBCP, CISSP, CEM, PMP are largely preferred, as they show individuals will stay current with the industry through continuing education.
Academic qualification: A college degree is very often a requirement for BC/DR positions. "Furthermore, to achieve a leadership position, holding a master's degree puts a candidate in a more favorable position compared to competitors," says Hasse.
Business and technology focus: Strong understanding of business and technology issues in contingency planning, emergency response, crisis management and communications, risk management, organizational resiliency, IT continuity, testing, implementation, and regulatory issues is essential.
Prior business continuity planning experience: Previous experience developing contingency and business continuity programs globally is often an experience highly sought after by potential employers.
'Soft skills' a must in leadership roles: Individuals with well-rounded backgrounds in business and technology understanding are largely preferred for leadership roles. They also must possess the abilities to build business cases and to communicate with peers, as to senior management.
Industry associations: Professionals need to be associated with specific industry associations dedicated to business continuity, as well as related disciplines including: Association of Contingency Planners (ACP), Disaster Recovery Institute (DRI), Business Continuity Planners Association ( BCPA).
In addition to their primary roles of business continuity planning, business impact analysis and understanding of key risks and vulnerabilities to the organization, business continuity professionals also must: Seek Input - from executive management on risk tolerance, areas of concern and unknowns. Discussions on risk perception, business strategy and trends should become key aspects of moving beyond the traditional focus on natural disasters, fires and data corruption. "It's important to plan for these threats," says Ross, "but also to get input from executive management team about other financial and operational risks that may not be receiving focused attention." Get Engaged - move beyond executing methodology and begin learning the business, break down organizational barriers that get in the way of understanding all aspects of business continuity risk, and get involved by building teams to address business continuity risk and lead them toward a solution.
The recessionary impact is that organizations are selective in hiring, continuing to try and "do more with less." Which means employees often need to wear several hats in performing their role as BC professionals. A good background in related skills such as information security, risk management, incident response and business is hot in the job market. The career growth in business continuity is tremendous, says Ross, and individuals can branch into risk management, crises management, incident response, physical security, strategic planning and policy roles as well as get into upper management positions such as chief risk officer and chief strategic advisor.
Beyond insurance, BC/DR now is valued for the level of assurance the role brings to an organization, Staley says. "A key strength of successful business continuity professionals is their ability to facilitate a group of people toward a solution to mitigate risk to an acceptable level."

Best practices in information security

2009-11-17T16:11:00.000-06:00

Fortify Software and Cigital have announced the release of the ‘Building Security In Maturity Model for Europe’ or ‘BSIMM Europe’, a guidance document written from the results of a large benchmarking project. BSIMM Europe illuminates the software security practices of some of the most advanced organizations in Europe, including Nokia, SWIFT, Standard Life, Telecom Italia, and Thomson Reuters, and four companies that chose to remain anonymous.
Released in March 2009, the original BSIMM study was based on in-depth interviews with leading enterprises including Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC). BSIMM Europe describes a set of activities practiced by nine European firms chosen from among the 56 most successful software security initiatives in the world. Unlike some industry standards, BSIMM is a structured set of practices based on real-world data rather than philosophy and ideas. BSIMM provides insight on what successful organizations actually do to build security into their software and mitigate the business risk associated with insecure applications.
“We are very grateful to the European participants in the BSIMM Europe study, and for the chance to compare and contrast large-scale software security initiatives in different geographies,” said Dr. Gary McGraw, CTO of Cigital and author of the best-selling book ‘Software Security’. “Using BSIMM, an organization can determine where its software security initiative stands, figure out how to evolve its initiative strategically, or even get a brand new initiative off the ground. BSIMM is a tool for identifying realistic business goals and implementing those technical software security activities that make the most sense for an organization.”
The authors collected data on each European firm’s software security activities for strategy and metrics, training, standards and requirements, security testing, code review, etc., and uncovered a number of common themes among each of the successful initiatives, including:
- In general, European approaches to software security have many activities in common with US initiatives. European software security approaches place more emphasis on process than do their US counterparts, and also emphasize privacy to a greater extent.
- Eleven activities were observed that all European firms practice, including publishing a process, identifying gates, creating secure coding standards, and identifying PII obligations.
- There are fifteen BSIMM activities (of 110) not observed in Europe at all.
‘Building Security In Maturity Model for Europe’ can be obtained free of charge from http://bsi-mm.com

Pandemic planning key for business future

2009-09-28T13:05:00.000-05:00

Business owners jaded by endless fear-mongering over such health threats as the West Nile virus and the bird flu shouldn't ignore the dangers of being unprepared for the H1N1 virus, according to industry experts.

The second wave of the illness, officially declared as a pandemic by the World Health Organization, is due to hit by mid-to-late October as the return to school is expected to proliferate the virus.

Even if the virus doesn't mutate beyond its current form, it's expected to create a rise in extended absenteeism, disrupting workflow and further threatening businesses already weakened as a result of the recession.

"It really is important for companies to have a plan in place," says Valerie Whalley, consultant with the Industrial Accident Prevention Association (IAPA).

"Waiting until something happens before you plan is sort of like waiting for the hurricane to get here before you hurry out and put the plywood on the windows. You don't have time to make decisions ... and some of your decision-makers may even be off ill, so being prepared really is crucial."

As the overall health impact of the next H1N1 wave is likely to be quite mild, Whalley acknowledges the "balancing act" of not using overly fearful language. Still, companies may suddenly find themselves without key staff members as they fall ill or stay home to care for loved ones.

Despite ample warnings for this and other illnesses seen in recent years, few businesses have instituted any plan to protect chain of command and general business continuity, she says.

"There is a great deal of complacency, and I haven't come across a lot of companies that are doing a great job," says Whalley, who warns that most businesses which close during a crisis rarely re-open.

This impression is confirmed by a recent study commissioned by the BMO Bank of Montreal, which indicates 82 per cent of Canadian small businesses have not developed a health-related continuity plan.

What's more, only one in 10 small businesses have either developed or reviewed a health-related continuity plan as a result of the H1N1 virus.

Although few businesses seem to be acting on it, the interest in learning how to cope with it has been on the rise. Whereas the IAPA typically hosts two such workshops every year, there are expected to be at least 12 that will be held by the end of October.

The solutions are simple, says Whalley, who insists any business' response must involve taking a team approach, with all sides coming together to identify critical areas and who will handle which responsibilities.

Frank Berdan, Northern Ontario regional vice-president with BMO Bank of Montreal, agrees with the broad approach.

"Everyone needs to identify scenarios of potential impact and how it will affect employees, and then list out the activities that will need to be undertaken," he says.

To ensure communication remains strong and that everyone is well aware of their role, specific plans need to be laid out and explained clearly to all corners of the organization. As an example, Berdan says a call tree has been developed within BMO, which is then tested every 30 to 60 days.

Such measures are important to put into place, but even more important to be updated and maintained on a regular basis, he adds.

Developing business continuity measures and developing a forward-thinking mindset will not only serve companies well for H1N1, but for any contingency.

Berdan says, "what we try to share with businesses is that this isn't a 'may happen,' there will be one day a major pandemic or a major power outage, or a web breakdown. Businesses that are best prepared for it are the ones that seem to manage their business better in general."

Human Swine Influenza Investigation

2009-04-26T18:42:00.000-05:00

Human Swine Influenza Investigation

April 26, 2009 12:45 ET

Human cases of swine influenza A (H1N1) virus infection have been identified in the United States. Human cases of swine influenza A (H1N1) virus infection also have been identified internationally. The current U.S. case count is provided below.

U.S. Human Cases of Swine Flu Infection
State	# of laboratory confirmed cases
California	7 cases
Kansas	2 cases
New York City	8 cases
Ohio	1 case
Texas	2 cases
TOTAL COUNT	20 cases
International Human Cases of Swine Flu Infection See: World Health Organization
As of April 26, 2009 9:00 AM ET

Investigations are ongoing to determine the source of the infection and whether additional people have been infected with swine influenza viruses.

CDC is working very closely with officials in states where human cases of swine influenza A (H1N1) have been identified, as well as with health officials in Mexico, Canada and the World Health Organization. This includes deploying staff domestically and internationally to provide guidance and technical support. CDC has activated its Emergency Operations Center to coordinate this investigation.

Laboratory testing has found the swine influenza A (H1N1) virus susceptible to the prescription antiviral drugs oseltamivir and zanamivir and has issued interim guidance for the use of these drugs to treat and prevent infection with swine influenza viruses. CDC also has prepared interim guidance on how to care for people who are sick and interim guidance on the use of face masks in a community setting where spread of this swine flu virus has been detected. This is a rapidly evolving situation and CDC will provide new information as it becomes available.

There are everyday actions people can take to stay healthy.

Cover your nose and mouth with a tissue when you cough or sneeze. Throw the tissue in the trash after you use it.
Wash your hands often with soap and water, especially after you cough or sneeze. Alcohol-based hands cleaners are also effective.
Avoid touching your eyes, nose or mouth. Germs spread that way.

Try to avoid close contact with sick people.

Influenza is thought to spread mainly person-to-person through coughing or sneezing of infected people.
If you get sick, CDC recommends that you stay home from work or school and limit contact with others to keep from infecting them.

Are Private-Sector Organizations Responsible for Failing to Plan for Natural Disasters? (Part 1 of 3)

2009-03-17T10:56:00.001-05:00

By Leo Wrobel,Sharon Wrobel

Date: Mar 16, 2009

In this three-part series, Leo A. Wrobel and Sharon M. Wrobel address an interesting question: If you're the company's disaster-recovery planner, and you're caught unprepared for a natural disaster (hurricane, earthquake, wildfire, etc.), are you at fault?

It's no secret that commercial and/or private-sector organizations can be held accountable for all kinds of negligence. This is the fundamental reason that organizations have disaster recovery plans. Most of the readers of this series know this to be true and are probably actively involved in the recovery-planning efforts for a critical computer center, call center, or other business function within their own organizations. Indeed, the hazards to any organization are myriad, including fire, flood, sabotage, computer viruses, disgruntled employees, and so on. We have covered quite a lot of them over the years in this venue. We now pose a totally new question: Is it time for the serious contingency planner to add active and proactive planning efforts geared toward dealing with natural disasters? We believe it is, and we present our rationale in this three-part series.

A Not-So-Rhetorical Question

Can contingency planners in commercial and private-sector organizations be held accountable for failing to plan for natural disasters? As a speaker at a recent Homeland Security Summit, I posed this question to an audience. While it's not by any means a scientific methodology, noting the instant responses and reactions of such a group (comprising security and disaster-recovery professionals) to such a question can be considered a barometer of things to come.

To spur some discussion, I offered several choices to the audience as suggested responses:

No. That's why I pay taxes as a business owner. It's someone else's responsibility.
No. What can I do as a businessperson to prevent a tsunami or steer away a typhoon?
Yes. Sources exist for predicting the possibility of damage caused by natural disaster: hurricane risk, geophysical data, elevational information, infrastructure vulnerability. These sources should be considered by commercial planners when deciding such matters as where to locate production facilities, and when crafting recovery plans.

Much to my surprise, the audience in this non-scientific straw poll vacillated between blank stares (no opinion, or never really considered this question previously) and the strong opinion that planners are responsible, at least in part, for planning against natural disasters. No one expressed a strong opinion that planners are not responsible.

This unexpected response resulted in some additional discussion about the history of contingency planning in general. Stated briefly, the focus of the contingency planner changes over time. Technology and business processes change. Whether someone adds a mainframe, begins to use a call center, adopts just-in-time delivery, or introduces something entirely new to the business process, such changes alter the planning paradigm and introduce new complexity to the recovery plan.

Technology Changes Your Job, and Vice Versa

Later in this series, we'll discuss some of these topics in more detail, but first we'll briefly summarize the basic principle at work: Any change in business processes and/or technology leads to a common series of events. For example:

Changes in technology almost invariably outpace the ability to back up that technology.
Recovery resources and technology eventually catch up; as a result, new standards and practices are adopted for dealing with the new technology.
Commercial enterprises generally adopt these standards and practices as they become widely available and affordable.
The new standards and practices then become the responsibility of the corporate or private-sector contingency planner.

Let's consider how this system works in practice:

Consider "first alert" systems circa 1979 in use by the United States military. These systems utilized multimillion-dollar AUTOVON switches, satellite communications, and various types of radio backup systems such as tropospheric scatter systems.

Since the purpose of these systems was to detect missile attacks and other threats against the United States, they were mission-critical to the lives and livelihoods of hundreds of millions of Americans and their allies. Therefore, they were funded by the government, but certainly not required by commercial organizations—the cost was simply out of reach. The switches were superb for maintaining what the military calls "4Ci" (command, control, communications, computers, and intelligence). They could get word to policymakers in seconds in any situation, whether it was a possible missile launch or a call from the President. The switches also contained features whereby high-priority calls could preempt low-priority calls to ensure that the most important instructions always got through. But they were extraordinarily expensive to deploy—well into the tens of millions of dollars.

Now fast-forward to the present. Today, the capabilities of what used to be a $50 million AUTOVON switch fit in a $1,000 server. Moreover, things like satellite communications are available commercially, affordably, and practically anywhere. Even the public switched telephone network (PSTN) is extraordinarily diverse, compared with the networks of 30 years ago. Services that were prohibitively expensive in days past are available everywhere today, in the form of wireless networks, Voice over IP (VoIP) services, and other technologies. Even the multi-level preemption feature enjoyed by the military 30 years ago is available (after a fashion) under IP Version 6 or alternatively under programs like the Government Emergency Telecommunications Service (GETS) for landlines and Wireless Priority Service (WPS) for mobile phones. These government priority services allow for priority in a disaster, and while such government-sponsored priority schemes must be arranged in advance, they're certainly affordable.

When a technology becomes more affordable, there's less reason not to adopt and use it. For the planner who opts not to use such technology even after the reduction in cost, the exposure for possible negligence increases. Stated another way, a planner could not be found negligent for failure to acquire and use a switch costing $50 million. But saying no to a $1,000 server that could have averted disaster? That's a different story.

Overview of Past Paradigm Shifts in Disaster Recovery

As a preface for the next two articles in this series, consider the history discussed in Table 1, in which business processes advanced, new technologies were introduced, and recovery standards for backing up that technology changed. After you have an understanding of this evolution, we'll postulate our arguments in the second article of this series. Part 2 will expound on why we believe that the paradigm has shifted, and why today's serious recovery planners should be taking an active role in planning for natural disasters. Assuming that we get you to buy into our arguments, part 3 provides some affordable tips and resources for improving your planning to include addressing natural disasters.

Table 1 High-Level Evolution of Private-Sector Disaster Recovery in the U.S.: Motivations, Causes, and Effects

Date(s)	Event(s)
1948–1968	Military development of the concept of command, control, and communications (C3).
1968–1978	Continued refinement of C3, but the Cold War standoff demands that decisions be made more quickly than humans can achieve. This calls for the addition of computers to the concept of C3, resulting in the concept of 4Ci.
1978–1981	First commercial computer (mainframe) recovery centers, as the private sector begins to demand backup, restoration, and recovery technologies.
1981–1986	First best practices (a.k.a. operating and security standards) for mainframe computers used in the private sector.
1981–1991	First intensive and widespread use of commercial telecommunications to link mission-critical mainframe applications. Initially, these were private-line circuits; later came packet technologies such as frame relay and switched multi-megabit data services (SMDS).
1990	Publication of Disaster Recovery Planning for Telecommunications by Leo A. Wrobel (Artech), which was one of the first books to document disaster-recovery standards for telecoms, applicable to the non-military private sector.
1993–1998	Intensive and widespread use of client/server topology to link mission-critical applications. Auditors go mad as mission-critical applications leave the relative security of the mainframe computer and spread directly to end-user desktops and servers.
1993	Publication of Writing Disaster Recovery Plans for Telecommunications Networks and LANs by Leo A. Wrobel (Artech), which documents disaster-recovery standards for local area networks (LANs).
1996–2001	U.S. Telecom Reform Act of 1996 gives users the opportunity to buy piece parts of telecom services such as dark fiber. Price of telecom services drops dramatically. "Native LAN" speed circuits (10–100 Mbs) replace T1/T3 in U.S., E1/E3 in Europe. Technology such as online televaulting becomes cost-effective, first utilized in the financial services sector. Publication of Understanding Emerging Network Services, Pricing, and Regulation by Leo A. Wrobel and Eddie M. Pope (Artech), which discusses these concepts.
September 11, 2001	World Trade Center attacks. Largest mass activation of computer recovery centers in history. Not everyone makes it into a recovery center; some businesses never recover. New legislation results in the establishment of numerous new agencies, such as the U.S. Department of Homeland Security and the Transportation Security Administration.
2001 to date	Continued focus on terrorism but also natural disasters. Rising awareness of global warming issues. Hurricanes Rita, Katrina, Gustav, Ike. Indian Ocean tsunami causes unprecedented destruction. Earthquakes in Chile, China, and elsewhere. Private sector realizes the need for a military level of 4Ci to activate complex recovery plans when the unthinkable happens. Prices for enabling technology (from VoIP to server hardware to telecommunications services) drop. Wireless access capability proliferates. Local number portability comes into being, with the potential capability to relocate entire area codes. Satellite communications become portable and affordable. Commercial companies specializing in 4Ci come into being for both command and control communications as well as backing up complex call centers and other operations.
2009	Disaster Recovery Planning for Communications and Critical Infrastructure to be published by Artech House Books, the first operating and security standards and best practices for 4Ci. This book first suggests that the private sector bears some responsibility for natural disaster prevention.

Reputational risks around security

2009-03-09T11:23:00.000-05:00

Sunday, March 08, 2009
Who would trade places with a banker these days? Even before the economic crisis gathered momentum last year, they were in the spotlight for security breaches such as the laptops stolen from Bank of Ireland containing information about more than 30,000 customer accounts.

IT security industry sources believe laptop thefts are the rule, not the exception.

‘‘It’s a case of ‘hands up the first person who hasn’t lost something’,” said Michael Conway, managing director of Renaissance, which supplies IT security systems to financial services firms. ‘‘I would say there are vast numbers of PCs, memory sticks and mobile devices that are lost, but which people just don’t report.”

More than the loss of an asset, it’s the potential exposure of valuable or confidential information that matters. All of a sudden, organisations are placing greater value on their data and starting to take appropriate measures to protect it better. However, it’s not always a straightforward task. ‘‘The challenge for the financial services sector is where the data is stored,” said Conway. ‘‘It’s on devices that you do not manage and own - it’s potentially on smart phones, home PCs or netbooks.”

There are several different technologies in the market to prevent data leaks, ranging from tools to encrypt data on computers to monitoring and management systems which can track where data is being accessed and being copied. However, technology is only one part of the equation. ‘‘Data leakage is something that can be addressed by a product, but it must be addressed by education and practice,” Conway said. ‘‘You’ve really got to impress on people that data is an asset of the organisation. People need to be aware that they could expose the company’s data by accident.”

Smaller financial services providers are leaving themselves open to the greatest risks, according to Conway. ‘‘There’s less of a buy-in to issues of IT security,” he said. ‘‘A lot of those organizations would see IT security as a cost and a pain.”

Renaissance recently worked with some insurance brokers on IT security projects. ‘‘The two typical threats from a broker’s point of view are reputational and commercial,” Conway said. ‘‘The reputational risk is that some information gets out about any of their clients. We’re seeing the implementation of data leakage prevention products because the companies want to stop files being transferred, or to ‘shadow’ what is being taken in and out.

‘‘From a commercial standpoint, everyone’s looking to cut costs. If someone walks out with information about your customer base, you need device control.”

Device control is only one of the preventative measures needed, as this would not protect against files being sent from, say, a Gmail account. The concern over keeping data safe also extends to a company’s disaster recovery processes. There are new services which can help banks and financial providers to be compliant without incurring massive costs.

Traditionally, disaster recovery involved replicating a bank’s data and some of its key systems in an offsite location, so that it could continue functioning if normal service was disrupted.

‘‘For smaller financial services companies, it was expensive to do that,” said Susan Dixon, sales and marketing director of Savant Solutions. ‘‘They would have to buy the same equipment and replicate the data.”

Disaster recovery is not a discretionary part of security but is often required for regulatory compliance reasons.

‘‘A lot of financial services companies here would be subsidiaries of US or European parent companies and would be mandated to have some form of disaster recovery,” said Dixon.

Savenet has launched a hosted disaster recovery offering, said to be the first of its kind. It is aimed at small to medium-sized companies in the financial sector such as fund management firms or reinsurance providers.

‘‘It’s a cost-effective alternative to other forms of disaster recovery,” said Dixon. The cost for the service is calculated on the amount of data to be replicated, rather than the traditional per-seat pricing model.

‘‘It’s a la carte pricing: you can pick and choose, which is very flexible for the client,” Dixon said. ‘‘We would rebuild a virtual environment within our data centre and the customer logs on. Within a few hours of a disaster they can be back up and running. They can send staff to work from home, or if they have access from the building they can use that.” Online backup has also become more widely adopted in Ireland recently now that higher capacity broadband makes it more practical to save data remotely over the internet.

Ultimately, banks are under more pressure than ever to get the balance right when it comes to security. While some financial services providers have implemented management systems to safeguard their data in a holistic way, others are still looking at the issue, Conway said. ‘‘They’re probably stronger in terms of policy than anyone, whereas a lot of other organisations - state, semi-state and commercial companies - weren’t so good around policies, but would buy products. Banks are mature around the thought processes, less so about the technology,” he said.

Don't ignore disaster recovery testing

2009-03-09T11:19:00.001-05:00

Companies facing IT budgetary pressures should not overlook testing their disaster recovery plans, especially those with virtualized environments, warned Glasshouse Technologies.

Jim Spooner, UK strategy services manager at the consultancy, which specializes in transforming a company's IT infrastructure, was speaking at last month's Data Center World exhibition in London.

He said that while most companies had some element of disaster recovery (DR) in play in case of acts such as terrorism, internal mistakes, staff sabotage, power blackouts and geographic issues (such as flooding), a lot of companies are not properly testing their DR plans, especially in times where IT budgets are increasingly being constrained or trimmed.

"Testing DR is often overlooked, but it is a key issue," said Spooner. "If you have invested £2 million ($2.7 million) in your DR environment, it makes no sense not to spend £50,000 ($69,500) testing your plan. Labs can be rented for DR testing purposes, and this should take place at the weekends in order to ensure minimal disruption to existing systems."

"It is also worth remembering that often it is the non technical issue that can be a show stopper," he continued. "For example, the primary site loses power but it will get power back online. When and who decides if that is a disaster?"

And when IT staff are suddenly confronted with a system collapse, "people can run around like headless chickens, deciding which is the best backup to use," he said.

Spooner advised that companies should set recovery tiers. This means that companies must prioritize their most important assets and assign appropriate recovery times. "Not everything needs to be recovered in four hours," he said. "So decide what applications and systems can take longer to recover."

"Classify what data is important, he added. "Some datasets don't require the highest level of recoverability. You must understand different classes of service and how to manage those configurations."

Spooner also warned against what he calls ‘rolling disasters', where a company is replicating data off site, as can be found in a typical virtualized or cloud-based infrastructure.

"What happens if the recovery data itself is corrupted?" he asked. "It is a vital these issues are considered," he said.

"In large organizations, not having data in sync is often worse than not having any data at all," said Spooner. "For example, an invoice has been generated and the amount has been paid, but what department was it for?"

He also questioned how a company goes about protecting itself and its data when it is actually in disaster recovery mode. "How do they protect their new data that is being generated, as it can often take three weeks or more to get back to normal operations," he said.

Spooner urged IT to get management support (or buy-in) for their DR plans. "DR is a business issue, not an IT issue," he said.

Organizations must understand their business drivers and they must realise that technology is a secondary issue, he advised. He also urged companies to test the DR plan, benchmark their SLAs against reality; and get outside help from experts. And perhaps most important of all, he advised firms to ‘stay flexible' - "your plan and tactics will change over time."

Survey: Continuity is top reason why companies virtualize

2009-03-05T10:23:00.002-06:00

By Melissa Chua , CIO Asia , 03/04/2009

The fear of business disruption is the number one reason enterprises choose to virtualise their data centres, according to a survey conducted by virtualisation vendor VMware.

The Web-based survey, which polled 1,038 VMware customers from North America, Europe and the Asia Pacific (Australia, India, China and Japan) found 45 per cent of respondents citing business continuity as the main driver for deploying virtualisation. Server consolidation, which leads to cost savings for the company, proved to be the second most popular reason, garnering 40 per cent of the responses.

Thirty per cent of the VMware customers polled also cited improved manageability as a driver for implementing virtualisation, while 25 per cent indicated the intent to increase the number of virtualised business-critical applications within the enterprise.

The uptake of virtualisation also appears to be on the rise, with 42 per cent of respondents indicating that they require all new server workloads to be virtualised, up from 25 per cent a year ago.

Related Content

Common applications

A variety of applications, both Windows and Linux-based, are being virtualised by companies today, according to the survey. Microsoft applications such as Dynamics GP, Exchange, SharePoint and SQL server are among the most commonly virtualised applications, along with customised NET-based applications.

Other popular choices include SAP, Lotus Notes and Oracle products such as PeopleSoft, custom WebLogic-based applications and Oracle database systems.

Desktop virtualisation

Survey respondents familiar with the concept of desktop virtualisation cited remote access as the most common reason for implementing desktop virtualisation. Centralised desktop deployment, which allows employees to access personalised desktops from most PCs or mobile devices, was the second most common response.

Protect your vital business assets

2009-03-02T13:34:00.000-06:00

What are the most important assets in your organization? Your people? Your premises? Your intellectual property?
What about your reputation?
Particularly in a challenging market place, reputation has to be right up there at the top of your agenda. After all, this is the main reason why many people do business with you.
"Reputation is all about trust and belief in your organization," says Ken McEwen of Ken McEwen Public Relations. "It is the result of a huge investment in terms of time and effort and it has been carefully nurtured, often over a period of many years. Yet, businesses that invest in the best possible financial and legal advice, often fail to give similar priority to professional support for their reputation."
This, despite the fact that corporate reputations are notoriously fragile.
Ken cites a classic example of how a reputation can be destroyed in an instant. He refers to Gerald Ratner’s infamous speech at an IoD event in April 1991. Referring to the low price of a silver-plated tray he explained it was “total crap” and added that Ratners also sold earrings that were “cheaper than an M&S prawn sandwich, but probably wouldn’t last as long”.
Almost overnight, £500 million was wiped off the value of the business.
"Then there are the reputation risks involved in handling crises," says the Aberdeen-based PR consultant. "Following the Lockerbie disaster, Pan Am, by all accounts, put up the corporate shutters. Three years later, the world-famous airline was history."
Tragically, Ken recalls how just weeks after Lockerbie, a British Midland flight crashed next to the M1. Immediately, chairman Michael Bishop headed to the crash location and conducted media interviews.
Amazingly, British Midland’s share price increased.
"It may be difficult to imagine your business facing a dramatic crisis of this type. But, crises come in many forms," Ken McEwen points out.
"It could be a negative campaign by a competitor, a disgruntled employee or a pressure group. It could be a failure in your regulatory systems, or a pollution incident. It could be a financial crisis, or a business continuity issue, such as a fire or data loss.
"What makes these particularly risky times for corporate issues and crises is the shift of communications power. These days your reputation is often in the hands of an increasingly intrusive and often campaigning media, pressure groups and empowered members of the public.
These groups and individuals have direct access to hugely powerful mass communication through websites, blogs and online services such as ‘YouTube’, ‘Facebook’ and ‘Twitter’. All can be used to enormous and, sometimes, devastating effect.
For example, in 2006 Oxfam’s ‘YouTube’ video targeting Starbucks, because of its stance against Ethiopia’s plans to trade mark coffee beans, attracted 50,000 viewers.
More recently, armed with nothing more than a mobile phone, two citizen reporters broke the news of the US Airways crash on the Hudson River in New York. The first text report on Twitter was 15 minutes before news broke on the conventional media and the first photo came from one of the passengers on a ferry, before the news helicopters even reached the scene.
With communication power like that in so many hands, it is now more important than ever to develop and protect one of your most important assets through reputation management. What are the most important assets in your organization? Your people? Your premises? Your intellectual property?

What about your reputation?

Particularly in a challenging market place, reputation has to be right up there at the top of your agenda. After all, this is the main reason why many people do business with you.

Reputation is all about trust and belief in your organization. It is the result of a huge investment in terms of time and effort and it has been carefully nurtured, often over a period of many years. Yet, businesses that invest in the best possible financial and legal advice, often fail to give similar priority to professional support for their reputation.

This, despite the fact that corporate reputations are notoriously fragile.

A reputation can be destroyed in an instant. Remember Gerald Ratner’s infamous speech at an IoD event in April 1991? Referring to the low price of a silver-plated tray he explained it was “total crap” and added that Ratners also sold earrings that were “cheaper than an M&S prawn sandwich, but probably wouldn’t last as long”.

Almost overnight, £500 million was wiped off the value of the business.

Then there are the reputation risks involved in handling crises. Following the Lockerbie disaster, Pan Am, by all accounts, put up the corporate shutters. Three years later, the world-famous airline was history.

Tragically, just weeks after Lockerbie, a British Midland flight crashed next to the M1. Immediately, chairman Michael Bishop headed to the crash location and conducted media interviews.

Amazingly, British Midland’s share price increased.

It may be difficult to imagine your business facing a dramatic crisis of this type. But, crises come in many forms.

It could be a negative campaign by a competitor, a disgruntled employee or a pressure group. It could be a failure in your regulatory systems, or a pollution incident. It could be a financial crisis, or a business continuity issue, such as a fire or data loss.

What makes these particularly risky times for corporate issues and crises is the shift of communications power. These days your reputation is often in the hands of an increasingly intrusive and often campaigning media, pressure groups and empowered members of the public.

These groups and individuals have direct access to hugely powerful mass communication through websites, blogs and online services such as ‘YouTube’, ‘Facebook’ and ‘Twitter’. All can be used to enormous and, sometimes, devastating effect.

For example, in 2006 Oxfam’s ‘YouTube’ video targeting Starbucks, because of its stance against Ethiopia’s plans to trade mark coffee beans, attracted 50,000 viewers.

More recently, armed with nothing more than a mobile phone, two citizen reporters broke the news of the US Airways crash on the Hudson River in New York. The first text report on Twitter was 15 minutes before news broke on the conventional media and the first photo came from one of the passengers on a ferry, before the news helicopters even reached the scene.

With communication power like that in so many hands, it is now more important than ever to develop and protect one of your most important assets through reputation management.

New standard launched for IT business continuity

2009-02-25T10:22:00.000-06:00

Companies will be able to prove their disaster resilience with official BSI code of practice

Written by Tom Young

Computing, 18 Feb 2009

The British Standards Institute (BSI) has launched an official code of practice to allow companies to show they are prepared for an IT disaster.

The standard will show that a company has an effective strategy to deal with the loss of internet, email or company information, providing reassurance to business partners.

The code of practice was created after advice taken from industry and government experts, according to Mike Low, director of business standards at the BSI.

"BSI’s latest standard in the area of continuity management focuses on the specific area of IT continuity that will help an organisation survive a crisis, " he said.

"We have brought together a wide range of expertise to produce a robust best practice guidance document which should help organisations regardless of size, complexity or sector."

A 2007 BSI survey of the FTSE 250 firms found that only 67 per cent of companies consider themselves "very well prepared for" catastrophic IT failure.

The standard will be known as BS 25777.