2012 IT DISASTER RECOVERY SURVEY
Certitude TECHNOLOGY RISK SERVICES
Organisations operating in Australia
12 of the 19 ANZSIC Industries
Representation of all employee sizes
All annual IT spend, except for $0.5m to $1m
DEMOGRAPHICS
Certitude
DR Budget (% of IT)
Outages vs DR Spend
Most outages reported by those who spent 1% of their IT budget on DR
Respondents who spent > 10% incurred 12% of all outages reported
Those with IT budgets <= $100k spent nearly nothing on DR
BUDGET
Respondents spend around 3% of their IT budget on disaster recovery. However, money doesn’t necessarily buy fewer IT outages.
Location
Recovery Site Location
Most respondents (55.88%) recover to the same city
Size & geographical presence have a significant influence on recovery location
Respondents who have a regional presence are taking full advantage of their geographical diversity
RECOVERY LOCATION
Small and/or geographically non-dispersed organisations have difficulty finding suitable recovery locations.
MATURITY
Maturity
Outages vs Maturity
Higher levels of disaster recovery maturity can reduce system disruption.
Most describe their DR maturity as ‘repeatable, but intuitive’, or ‘defined’
Size does not influence maturity.
The higher the maturity, the lower the number of outages and harm (e.g. average and longest duration)
STANDARDS & REGULATIONS
Standards / Guidelines
Disaster recovery standards and guides do not significantly influence most organisations’ disaster recovery.
Regulation / Legislation
Standards have no significant influence on disaster recovery
Broader standards have greater influence than DR specific ones
There are changes to APRA’s Practice Standards that affect DR
PROCESS INTEGRATION
Where DR is Embedded
Disaster recovery is poorly embedded into project and service level management, as well as service desk processes.
Most have DR embedded into IT Service Continuity, ICT Infrastructure, Availability, Change, Incident, Security & Financial Management
Few have DR embedded into Release, Management, Service Desk and Service Level Management!
THREATS
Where DR Threats are Identified
Trends learned from incident & problem management are not often used to identify DR threats & opportunities to prevent future system disruption.
Most use various forms of risk assessment to identify threats
Few (<30%) use information recorded by incident and problem management processes to identify threats
KEY CONTROLS
The management of service levels and 3rd-party service providers is being missed to control disaster recovery risk.
[Chart: key controls. Categories: Manage Changes; Manage Performance & Capacity; Manage Problems; Define & Manage Service Levels; Manage Third-Party Providers; Manage Physical Environment. Legend: Not Identifi…; Identified, but …; Identified and …]
Few evaluate important DR controls such as managing performance, capacity and problems
Even fewer recognise the importance of managing service levels, and third-party providers.
Nearly half experienced unplanned outages in the past 2 years
Direct correlation between maturity, and outage frequency and duration
DISRUPTIONS
Average (hrs)
Longest (hrs)
Outages
DISRUPTIONS
Root Causes
Many system disruptions are essentially self-inflicted.
Many causes of disruption can be controlled: the processes that affect outages are in the direct control of the organisation
Processes that help manage 3rd-parties are neglected even though many outages are caused by third-parties
RECOVERY REQUIREMENTS
RTO Considerations
Users are involved in determining disaster recovery requirements.
RPO Considerations
Work-arounds, and system dependencies are well considered
The re-entry and processing of lost data, and the clearing of any work backlog is not well considered
EXPECTATIONS & IMPACT
Expectation Management
The most difficult area of harm to quantify, reputation, is of the greatest concern.
Areas of Harm
Users are involved but expectations are not well managed
Reputational damage was of high concern, and is the most difficult to actually measure, and quantify
Operational and financial impacts also ranked highly
DESIGN & TECHNOLOGY
Use of DR Architecture
Use of Production Technologies
Only 75% of respondents make good use of the DR architecture
12% have no DR architecture at all
Most make good use of existing technologies in their production environment
Cloud-based services not popular
Technologies in production are well utilised for recovery capability. However, use of DR architecture is not widespread.
DOCUMENTATION
Documentation Tools
Documentation Status
38% review or update their documentation at least once every year.
94% use generic word processing tools to document their disaster recovery plans
Supporting documentation is often neglected
Plans are often out of date, and supporting documentation is often unidentified or unavailable.
TRAINING
Training Frequency
Many respondents use disaster recovery testing as the primary method of training.
Training Methods
47% have never conducted disaster recovery training
Some considered regular disaster recovery testing to be the best form of training
TESTING
Testing Frequency
Few (34%) of respondents have their recovery test independently evaluated and reported.
Testing Methods
Most test at least once every year (note APRA)
8% do no testing at all
A wide range of testing methods are used, with failover to DR site the most popular
2012 IT Disaster Recovery Survey
@ www.certitude.au.com