Technology is not a Plan. Technology enables a Plan. A Plan coordinates the people and processes that are then enabled by the technology. A replication package only “copies” (I realize it does more than copy, but for simplification purposes that’s what we will call it) bits from one location to another one. How do you decide what to replicate? How do you decide whether there is corruption? How do you handle a hardware failure on one or both of the arrays which are involved in the replication during a disaster? Who declares disaster? Who makes the decision to purchase an array, if necessary? How do you communicate between team members if cell phones and land lines are down? Where do you go to connect if the normal location is inaccessible (blocked off by police, etc.)?
These are the things that a Plan addresses. Apologies for stating the obvious for some. As you can tell, one of my pet peeves is the belief by IT that technology IS the Plan. The same is true for the business assuming that because they think it is “backed up” it is instantly available and synchronized.
IT must NEVER assume that they know what applications / systems are mission critical. Unless you know the business inside and out and can explain where the revenue and risks reside to continue doing business, IT has only a clue. I say this not out of spite but out of experience. I have been in IT for many years and grew in the industry initially believing that I knew what was important only to be proven wrong time and again during disasters when the business wants something different or in a different priority that I originally thought.
A Plan balances the technology with what people and process to perform as well as the cost of doing such. If money were no object, we could protect everything; however, that points out a very good thing. Protect only the critical applications and the others are covered by business process.
Lets address whether there is a higher level Business Plan (Business Continuity Plan – BCP) that serves to incorporate all of the business units and divisions communication, procurement, and administration. At this level, IT is simply a business unit. I recently consulted at a large outsourcing firm. 99% of the contracts that they win are with customers that do not have an adequate Disaster Recovery Plan, if they have one at all. Secondarily, 75% of those think that “backup” (Operational Recovery as I like to refer to it) IS their Disaster Recovery Plan. Of those, 90% never re-evaluate risks, vulnerabilities, application criticality, or asset inventories. Inevitably, there is a failure of some sort and a customer “made an assumption” that it was covered under the contract. When the customer was transitioned to this outsourcer, the questions were asked:
- Please provide your most recent Business Impact Analysis (BIA)
- Please provide a copy of your most recent Business Continuity Plan (BCP)
- Please provide a copy of your most recent Disaster Recovery Plan (DRP)
- If you cannot provide any of these, please provide an accurate existing application matrix that maps applications to systems as well as up and down line dependencies
Of all of these requests, it is rare that any are provided. In fact, an accurate asset inventory is generally stretching it.
It is absolutely necessary and criminal in some countries not to have a Business Continuity Plan or Disaster Recovery Plan due to laws enacted such as Basel, Sarbanes-Oxley, and so forth. These laws state that it is the fiduciary responsibility of the board of directors and executives to adequately address the risks of doing business and in so doing they must have a plan to address them in the event of a Disaster to protect the individual investors, stakeholders, and financial industry under due diligence. I would say that it is simply criminal for any organization to not have these plans to address risk to the business.