Information Technology Disaster Planning By Linda Hooks

Information Technology Disasters come in many different forms:

- Fire
- Flooding
- Viruses
- Hacking
- Sabotage

Flooding is perhaps the greatest threat to a data center since most enterprise data centers have been located on the bottom or basement floor of main buildings.

Augusta, Georgia flooded on September 10 and 11, 1888.

The city flooded again in 1990, not from the Savannah River but from heavy rainfall from two hurricanes.

Disasters have changed in recent years. The most common disasters today involve things like internet fraud, identity theft, viruses, spam attacks, phishing, hacking, piracy, and sabotage.

Viruses from Wikipedia for 2008

All organizations need to develop and maintain a disaster recovery plan in the event of a disaster that mandates the following:

• Alternate location for doing business
• How to communicate to employees the new location and work procedures
• How to inform customers of how to do business with the organization after the disaster

The following are four basic steps to creating an IT Disaster Recovery Plan:

STEP 1

• Determine disaster recovery service levels for all applications.

• The IT staff works with the system owners to establish the DR service level.

• After considering the real costs involved, the system owners may consider a lower DR service level for an application.

Example of service level classifications used by a major financial services corporation

STEP 2

Backup and recovery plans for each application need to be chosen, along with a hardware replacement plan. The method chosen for a database depends on the kind of data being backed up and how fast the data needs to be recovered.

Solutions available to enable businesses to protect and recover their data in a timely manner are:

• Full Backup
• Differential Backup
• Transactional Log Backup

Full Backup

• Backs up the entire database, including transaction logs
• Recovers to the point in time of the backup
• Uses heavy resources to perform, and users will see system degradation
• Needs to run when as few users as possible are on the system
• Files created are large

Differential Backup

• Backup of changes to the database since the last full backup
• Recovers to the point in time of the backup
• Quicker than a full backup and uses fewer resources
• Used for very large databases since it is quicker than a full backup
• Files created are smaller than full backup files

Transactional Log Backup

• Backup uses a transaction log to track all of the modifications performed within a database.

• Recovers to the point in time of the last committed transaction to the database

• Uses fewer resources than a full or differential database backup

• Can run during high user usage of the system
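How the three backup types combine at restore time, as an added example that is not part of the original slides: it picks the restore sequence for a target time and reports the recovery point actually reached. The names `Backup`, `plan_restore`, `at` and `CATALOG` are hypothetical, and the model assumes each differential is based on the most recent full backup and that the log chain is unbroken.

```python
from datetime import datetime
from typing import NamedTuple

class Backup(NamedTuple):
    kind: str         # "full", "diff" or "log"
    taken: datetime   # time the backup completed

def plan_restore(catalog, target):
    """Return (ordered backups to restore, recovery point actually reached)."""
    fulls = [b for b in catalog if b.kind == "full" and b.taken <= target]
    if not fulls:
        raise ValueError("no full backup at or before the target time")
    chain = [max(fulls, key=lambda b: b.taken)]
    # Assumption: a differential is based on the most recent full before it.
    diffs = [b for b in catalog
             if b.kind == "diff" and chain[0].taken < b.taken <= target]
    if diffs:
        chain.append(max(diffs, key=lambda b: b.taken))
    start = chain[-1].taken
    # Logs replay in order; the first one completed at or after the target
    # contains the target moment, so replay stops inside it.
    logs = sorted((b for b in catalog if b.kind == "log" and b.taken > start),
                  key=lambda b: b.taken)
    for log in logs:
        chain.append(log)
        if log.taken >= target:
            break
    # Without a covering log, recovery ends at the last backup in the chain.
    return chain, min(chain[-1].taken, target)

def at(day, hour, minute=0):
    """Helper for the constructed sample timestamps below."""
    return datetime(2024, 3, day, hour, minute)

# Constructed sample catalog: one full, nightly differentials, periodic logs.
CATALOG = [
    Backup("full", at(3, 1)),
    Backup("diff", at(4, 1)), Backup("diff", at(5, 1)),
    Backup("log", at(4, 12)), Backup("log", at(5, 4)),
    Backup("log", at(5, 8)), Backup("log", at(5, 12)),
]

if __name__ == "__main__":
    chain, reached = plan_restore(CATALOG, at(5, 10, 30))
    for b in chain:
        print(b.kind, b.taken)
    print("recovered to", reached)
```

With only full and differential backups in the catalog, the same target is recovered only to the time of the last differential, which is the gap that transaction log backups close.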

STEP 3

All personnel involved in the disaster recovery plan must be trained in the execution of the disaster recovery plan.

You need to cross-train personnel in the event that the key personnel are unavailable at the time of the disruption.

STEP 4

• The disaster recovery plan must be validated and tested.

• The disaster recovery plan needs to be tested at least annually.

• This involves many groups: operating systems support, database administrators, middleware support, application support, personnel who monitor the batch cycle and support the scheduling system, and personnel who support the backup system.

• Continuously testing the disaster plan allows the personnel to find and resolve problems in the plan and also to become more familiar with the plan.

• This will improve the response time and help eliminate any errors if and when the disaster recovery plan is executed.

Now more than ever, it is becoming almost mandatory to have a disaster recovery plan to open your doors for business.

• For businesses, ISO 17799 requires appropriate business continuity management and planning.

• For publicly traded businesses, the Sarbanes-Oxley Act does not mandate how, but you must document the policies and procedures you put in place to safeguard your data and make sure it's available for reporting on an annual basis.

• For healthcare, current HIPAA security standards require that hospitals “protect against any reasonably anticipated threats or hazards to the security or integrity of” electronic protected health information.

• HIPAA also requires contingency plans “for responding to an emergency or other occurrence that damages systems that contain electronic protected health information” (2007).

• Joint Commission on Accreditation of Healthcare Organizations (JCAHO) data security requirements for hospitals include planning for communications equipment in an emergency, transporting sensitive data to a recovery site, established physical recovery site security procedures, and extensive disaster recovery testing (2007).

• For all companies regulated by the Federal Deposit Insurance Corp. (FDIC), Federal Financial Institutions Examination Council (FFIEC) Handbook, 2003-2004 (Chapter 10) specifies that directors and managers are accountable for organization-wide contingency planning and for "timely resumption of operations in the event of a disaster."

• For all utilities, Governmental Accounting Standards Board (GASB) Statement No. 34, June 1999 requires a Business Contingency Plan to ensure that agency mission continues in time of crisis.

So in conclusion, if you come in to work and see this, you better have a Disaster Recovery Plan!