Be Prepared: Continuity in the Face of Disaster
eSecurityPlanet Columnist Penny Klein takes a look at working out a continuity plan to keep your business running despite disaster.
Unfortunately, these issues happen not only in our personal lives, but in businesses, as well.
Foresight is a virtue, to be sure. We all have heard our mothers telling us to ''wear clean underwear without holes in case you are in an accident.'' The Boy and Girl Scouts have preached to always ''be prepared''.
And yet, many times we just aren't prepared.
Because it takes a conscience effort, as well as time, to plan in advance for these type of events. In business, they are known as continuity plans or disaster plans. Both federal agencies, as well as industry, have identified methods and guidelines to prepare for unforeseen events. For example, there is the National Response Plan (NRP) and the National Incident Management System (NIMS). The NIMS encompasses the principles of the Incident Command System (ICS), a nationally recognized incident management system. There also is the Disaster Recovery Institute International (DRII), which provides continuity and disaster recovery concepts and principals.
Even with these regulations and guidance, Continutiy of Operations Plans (COOP) are still not being viewed with great importance-- although they need to be.
For example, the terrorist attack on Sept. 11, 2001 proved that there is significant oversight in contingency planning. Backup IT plans are not disaster recovery plans. Getting employees quickly back to work and performing enterprise functions after a disaster can mean the difference between enterprise survival or failure.
''Two out of five businesses that are struck by a disaster will cease operations within five years,'' according to industry analyst firm Gartner Inc., of Stamford, Conn.
So, how do you manage a disaster or a disruption?
In today's uncertain environment, one of the ways to protect your critical enterprise functions and information is through development and maintenance of an enterprise continuity plan. No longer can we assume that if IT has a back up plan, we are secure and safe.
One misconception is that the IT systems are the business functions. This is a false, and often fatale, conception. IT systems support the enterprise functions. Enterprise functions depend on IT systems to complete the tasks associated with the function or mission of the business. Therefore, enterprises require a continuity plan. An Enterprise Continuity Plan (ECP) encompasses more than the information technology (IT) -- it includes the enterprise functions, processes, people and assets.
Continuity of Operations Planning (COOP) processes and documents have been developed for many years, focusing solely on the IT level and failing to recognize the importance of the functionality level of an enterprise. A good COOP process should provide an enterprise infrastructure with reasonable methods to prevent, respond, resume, recover, and restore services at the enterprise functionality level should events occur which prevent or disrupt normal operations.
A basic COOP should include a business impact analysis, a concise plan that identifies backup and recovery strategies, an implementation plan to ensure the backup data site is operational, the personnel site has been identified and the appropriate agreements are in place. The COOP also needs to be tested at least yearly. And, no, testing does not include those actual events when a COOP goes into effect.
In addition, COOP exercises and maintenance also should be addressed in the overall plan. Testing and exercising the plan can be accomplished through various methods. A desktop exercise is where personnel review the plan and identify any weaknesses. Another method is a walkthrough, whereby a panel gets together and ''walks through'' the plan to identify weaknesses.
The most complete method is the simulation, though it requires resources. A simulation tests the COOP completely. Simply put, a disaster is simulated and the plan is put to the test. Only the minimum number of people should know that a simulation will take place, otherwise the results will be false.
The plan is a living document, meaning that it should be updated regularly to meet its objectives. There are many issues which would cause a COOP to require an update. Any results or lessons learned from testing will require an update to the COOP. New systems or business processes will need to be added to the COOP.
Only by keeping the COOP up to date, can it be effective.
This type of approach provides an overall plan that will mitigate risk by providing the ability to continue critical enterprise operations in the event of a contingency and cultivates a risk management culture focusing on continuance, not just recovery.
Contingency plans are important to us all -- not only in our private lives, but in our professional lives. Without a plan, chaos will become the only thing you have going when disaster strikes. Wouldn't you rather know where you want to be and how to get there than leave it up to chance?
The only way to accomplish that is to have a solid and tested COOP. And, of course, wearing clean underwear.