Fri Apr 8 06:47:17 PDT 2016
Redundancy: Business continuity and disaster recovery: What information resources are where?
Option 1: No business continuity or disaster plan should be in place.
Option 2: Backup copies of critical data should be kept in a media safe.
Option 3: Off-site copies of backups should be kept and a tested process for getting things going again should be in place.
Option 4: A pre-arranged set of computer and human resources should be available for use in a short time frame.
Option 5: Multiple sites with redundant operational capabilities should be used.
No business continuity or disaster plan should be in place.
For businesses in which IT has low impact, an IT business
continuity and disaster recovery plan is purely optional. Most such
businesses could simply operate without IT or replace the small amount
of IT in place with a few new pieces of computer hardware and
off-the-shelf software. If IT has a low impact that means that things
like customer lists are not critical, accounts payable and receivable
are not done in computers, and so forth.
Backup copies of critical data should be kept in a media safe.
The justification for a disaster recovery plan is that disasters
happen all the time. Without a proper plan, a business may be unable
to continue after the disaster. Insurance usually covers the physical
losses to a business, but not the information losses or lost operating
time, business, reputation, people, customers, and cash flow. Because
information lends itself to being duplicated, it is a fairly easy
matter to make usable backup copies of information and store them in
locations that are unlikely to be affected by a disaster at the data's
normal location. Similarly, most computer hardware can be replaced
readily and on reasonably short notice if its replacement is planned
in advance. More rapid recovery of information technology and are
advised if significant challenges or expenses would result from the
loss of all IT capabilities and records. This is strictly a small
investment in exchange for slightly reduced cost and increased
convenience in case of a disaster.
Off-site copies of backups should be kept and a tested process for getting things going again should be in place.
For businesses in which there is a medium impact of information
technology on operations, some sort of disaster recovery plan is
strongly advised. If timeliness is important, for example, if product
support requires computer access in order to answer questions that are
asked 24x7 from customers in immediate need of help, outages can only
be allowed to cause delays on rare occasions and for relatively short
time periods. This means that, in a disaster, a rapid recovery process
is needed, but it does not call for a secondary real-time backup site
if the business impact of an IT failure isn't large enough to be worth
the extra expense of a full-time redundant site. Business services
will be down for hours to a day on rare occasions. In cases with less
of a timeliness requirement, businesses can afford to be less prepared
and spend less time, effort, and money on disaster recovery planning
A pre-arranged set of computer and human resources should be available for use in a short time frame.
For businesses in which IT is high impact, the loss of IT
capabilities is very expensive, perhaps life threatening, and could
lead to business collapse. In these cases, disaster recovery must be
done within required time frames, so higher surety and higher cost
options are called for. If the IT is critical but time is not very
important, the key is having a good set of backups that are well
protected. This means that off-site copies of backups and a tested
process for getting things going again in the required time frame for
business continuity are necessary. In cases where only days to a week
are available for recovery to normal operation, it may become
questionable as to whether a proper set of hardware can be located and
put in place at a reasonable cost in the necessary time. For that
reason, depending on the hardware requirements, availability, and
time, a pre-arranged set of computer resources may have to be
available for use in a short time frame. For example, this is common
in substantial insurance businesses, where instant availability is not
critical, but confidence will be lost in a few days if service cannot
be restored, and where systems typically in use are not available at
any local office supply store.
Multiple sites with redundant operational capabilities should be used.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved
In cases when time is of the essence, this is a necessary
approach. For example, banks cannot sustain outages of some systems
for time frames on the order of hours without risking enormous
losses. If a bank cannot clear transactions with the Federal Reserve
system by the start of the next business day, they can lose enormous
sums of money in interest alone.