Why have an Information Technology (IT) Disaster Recovery Plan?

Are you taking information communication technology seriously enough? 47% of UK organisations do not haveaplanintheeventofadisaster, according to a survey carried out in 2013 by the Chartered Management Institute, identifying that some of the most experienced causes of disruption during 2012 were loss of IT (40%) and loss of Telecommunications (27%) The need for planning is supported by The World Economic Forum (WEF) Global Risks Report 2015 which points towards a breakdown of critical information infrastructure and networks, due to improvements in efficiency and lowering of costs, various systems havebeen allowed to become hyper dependent on one another. Therefore, the failure of oneweak link – whether from natural disaster, human error or terrorism – cancreate ripple effects across multiple systems and over wide geographical areas.

What this means in real terms is that many organisations could unwittingly be sitting on a time bomb in the event of an unforeseen catastrophe, be that devastating natural disasters such as fire, gale, flood, or even man-made, warns Steve Yates, Director Resilience for Acertia Limited

Organizational Communications and Operational Continuity

In a networked world, network communications are the most critical element of your information Communication Technology (ICT), and the need for infrastructure resilience.  Communications have therefore become fundamental to operational continuity.

Have you considered how your organization would manage without telephones or internet access, or how critical email and supporting technology has become?

Furthermore, the way we actually use our communication devices, mobile and fixed, has become more critical than ever, in not only our personal, but also most significantly in our professional lives.

If disaster should strike, have you considered what would be the impact on your day-to-day operations if your communications’ network ceased to function?

Imagine there’s no communications network….

There are many quite feasible scenarios that could lead to a network outage.

For example, a digger could inadvertently cut through your telecommunications cables. Have you ever actually considered the tangible consequences of this, or of any other disaster occurring?

• What if key commercial data was interrupted, back-up delayed, or just when you need it unable to be read?
• What if intranet access, or internet, were no longer available?
• What if access to your organization’s external website was down?
• What if your contact center was unable to receive inbound, or make outbound, calls?
• What if your remote offices could no longer communicate, or connect with each other?

Serious food for thought, as any one of these could have potentially devastating consequences for your organization’s viability.

Communications networks have therefore become the backbone of our working lives, so take a moment to consider what would be the real impact on your  organization if it stopped functioning. At the very minimum this would be an inconvenience. More seriously, supply chains could collapse and customer management operations would then break down. You would be unable to take orders or even contact your customers – and more importantly, they would not be able to communicate with you. Public sector organizations in particular are charged with being openly accountable and are exposed to frequent media and public interest. Suddenly not being unable to communicate or respond would be deemed unacceptable.

The far-reaching consequence of network downtime therefore would be detrimental to the credibility of any organization, underlining the importance of Operational Continuity.

The chances of a disaster striking your organization may appear slim but then again, is it really worth the risk of doing nothing to prepare for it? Organizations and individuals take out insurance to cover loss, but that can only provide delayed financial recompense in the event of an incident.

So, what contingency plans can your organisation put in place to ensure Operational Continuity? How can you maintain communications with your end users to give the impression of ‘business as usual’? Should this plan cover all sites, or just your head office, or selected services/products?

The communications challenge

In order to make informed decisions, it is necessary for your organisation to define its overall service objectives, which will in turn identify key areas of risk with regard to voice, data and internet communications.

When considering Business Continuity, the 80/20 rule is a good way to start. For example, 20% of high risk and mission critical capability requires 80% of the available resources. Organizations must recognize which communications need 100% network availability and those where contingency plans or service level agreements will suffice.

Identifying areas of risk

To identify operational-critical communications it is necessary to carry out a business impact analysis (BIA) and audit. This audit will enable an organisation to define its Information Readiness for Business Continuity strategies (see ISO/IEC 27031).

The information derived from the BIA should make it possible to identify communications that are ‘critical’, through to those which constitute a ‘high risk’ if they are disrupted, and hence must be restored within a ‘business acceptable period of time’, thereby requiring a ‘contingency plan’. These preparations will assist in the development of plans to deliver ICT resilience and manage service disruptions.

The meaning of resilience

Unless your organisation is prepared to separate and duplicate all network service and technology elements, both internally and externally5 across multiple sites, then inevitably there will be a service outage at some time.

Resilience is therefore required to prevent your voice and data networks from becoming compromised.

Building operational resilience: The seven Rs

One approach for building operational resilience for communications involves following ‘the seven Rs’ methodology:

1. 1.Responsibility

Identify who is responsible for delivering network resilience and establish a Resilience Programme Team that includes internal staff and vendor representatives. Secure agreement on resilience life cycle elements, including change management.

1. 2.Review

Identify risks to communication networks. Using the Resilience Programme Team, audit the network by deploying schematics of network

routing/cabling and system connectivity. Agree    provision, maintenance and service level agreements. Develop change management, contingency

and emergency procedures.

1. 3.Risk

Determine an acceptable level of risk by conducting a risk analysis of physical and logical network components, especially internal and external, high risk and mission critical systems.

1. 4.Redundancy

Highlight which critical communication elements need full redundancy by

conducting a business impact (‘what if...?’) analysis, reviewing both internal and external information regarding network design, the network service provider and the network and system- level resources needed for redundancy.

1. 5.Resiliency

Determine what resilient means and its value to the organisation, determine the cost for a truly resilient solution and perform a business case analysis.

1. 6.Recoverability

Identify how quickly mission critical infrastructure elements must be recovered. Do the same for non-critical communications assets and develop contingency plans for those assets where no resiliency can be provided.

Once recovery time frames have been identified, establish service level agreements with equipment and network service providers. Then, establish command and control procedures to manage recovery.

1. 7.Restoration

Establish the amount of time needed to restore full network operations. Activate contingency plans to restore services within acceptable time frames as required and ensure that management is aware of - and have agreed on - the proposed restoration time frames.

Not to be ignored – data back-up

Although resilience is widely acknowledged to be the most critical factor in keeping your communications network fully operational, it is also important to bear in mind other areas of your organization that are at risk, in order to prevent prolonged communications downtime. These include cyber security and data storage, both of which should also be incorporated into your readiness strategies.

With the former, privacy is a key element - ensuring that outsiders cannot access your data. Private lines ensure the clear separacy      of data over a dedicated medium with shared mediums, providing logical separation of customer data. Ensuring that data is encrypted adds a further layer of security for traffic on WANs (Wide Area Networks), as does the deployment of advanced firewalls. Data storage is also a key factor in Operational Continuity - information needs to be backed up on a regular basis and stored off-site so your organisation can continue business as usual.

Meeting the challenge of Resilience

Operational Resilience is far too often seen as a cost centre rather than a critical part of modern strategy. The prevalence of this attitude potentially exposes organizations to seriously reduced productivity, or, in the case of the public sector, a failure to meet its service objectives, and in the longer term, potential loss of credibility in the event of a disaster.

Any organisation seeking to protect its mission critical communication elements from such events must be prepared to invest time and resource into Resilience.

Resiliency is crucial to meeting the challenge of maintaining communications network connectivity in the event of a disaster, and fundamental to this is the establishment of an effective partnership with a trusted network service provider. With the assistance of your partner agencies, you can conduct careful mission critical analysis of your organisation’s operations to identify key risk areas. From this you can then formulate effective contingency plans which should ensure that you can successfully overcome any eventuality and guarantee your organisation’s ongoing continuity.

About the author

Steve Yates FBCI, FICPEM, MEPS is the Resilience Director for Acertia Limited. He is a founding Fellow of the Business Continuity Institute (FBCI), Fellow of the Institute of Civil Defence & Disaster Studies (FICDDS) and Member of the Emergency Planning Society (MEPS). Steve is also Chair of the Business And National Government (BANG) Forum.

Attend a 5-Day workshop with Steve Yates:

Certificate in IT Disaster Recovery Planning

For more information, contact PLUS Specialty Training

+971 (0) 4 556 7171      [email protected]      www.meirc.com/plus