Dealing with Disaster

By Stacey McDaniel

Before embarking on a continuity and recovery program, it is important to know that even though the terms "Disaster Recovery" and "Continuity of Operations" are often used interchangeably, there are some key differences:

• Disaster Recovery is the process of developing advance plans and procedures that enable an organization to respond to a disruptive event and restore the information technology infrastructure supporting critical business functions.
• Continuity of Operations Planning (COOP) is the process of creating procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. COOP is concerned with more than just IT -- it also includes the people, processes and technology necessary to maintain critical operations.

It is also important to take into account all of the things your agency depends upon to operate and identify what is most crucial.

• Recovery Requirements identify the tools needed to support the agency's essential functions in the event of a disaster.
• Recovery Time Objective is the amount of downtime an agency can sustain before irreparable harm is done.
• Recovery Point Objective identifies the amount of data that an agency can afford to lose.

Identify the risks at hand
For many agencies, finding ways to maintain continuity in an increasingly risky and costly IT environment is a continuing challenge. It helps to understand all of the unique operational and business risks that you face. Consider the following:

• Security Risk: Is your agency a popular target? Does it have significant amounts of valuable data? This increases the chances that you might be a target for computer crimes, IT breaches or cyberterrorism.
• Availability Risk: Does your IT undergo a lot of configuration changes? Does it lack redundancy in IT operations?
• Performance Risk: Does your agency experience seasonal peaks and valleys? For example, the IRS faces a peak around April and it should allot resources accordingly. One way to address your peaks and valleys is to employ resources usually reserved for backup in times of need.
• Scalability Risk: Have you experienced recent growth? Is your agency built upon siloed architectures?
• Recovery Risk: How do you address the constant possibility of hardware and/or software failure, external threats and natural disasters?
• Compliance Risk: What regulations and requirements are you subject to? Do you keep careful documentation and track policy compliance?

Addressing risk
After you have identified your agency's recovery objectives and areas of greatest risk, you can map out a plan to protect and recover your most mission-critical assets. When planning for disaster, there are three areas to focus on:

• Prevention: Enlist solutions that identify and then proactively block vulnerabilities, send early warnings and assure the availability of application, data and systems.
• Remediation: Find a solution that identifies systems that need to be patched, points of attack, application failures and data loss.
• Recovery: A system recovery solution will speed up the process and get you back on track faster. You will need to create detailed reports on attacks and outages and update security policies accordingly.

Stacey McDaniel has been writing about high-tech issues for more than six years.