A lot of IT professionals implement a data center disaster recovery plan to prepare for events, like earthquakes, tornadoes or floods. But according to Burton Group vice president and disaster recovery expert Richard Jones, natural disasters should be third on the list of reasons to do disaster recovery.
Ahead of natural disasters are data security and regulatory compliance.
"The risk independent of global location is accidental deletion or virus attacks," Jones said, who gave a talk titled "Disaster Recovery: Are you prepared?" at Burton Group's Catalyst conference this week. "This is one of the No. 1 things they should address."
A wide variety of things can happen to cause security breaches, including how well your hardware and software can prevent virus attacks, how difficult it is for hackers to penetrate firewalls, how sophisticated your disk backup and data protection software is, or how competent your IT staff is about protecting files or preventing laptops from being stolen.
Regulatory compliance fuels disaster recovery thinking
Next is regulatory compliance. Meeting government requirements, such as the SarbanesOxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and in European locations, Basel, requires the proper retention of certain sensitive documents, as well as their proper destruction when they're no longer needed. Failing to have a plan to deal with those regulations can cripple a business.
But Jones said that many companies are actually overly zealous and end up saving documents they don't need. He gave the example of SOX, which only applies to those officials who have responsibility for finances in a company. Most other employees don't fall under the act.
"But because they don't understand the intricacies, they just apply Sarbanes Oxley to everyone in the organization," he said. "That's a lot of overkill and a lot of extra money spent."
Planning for natural disasters
Finally, location is a factor. Jones said that a lot of companies crafted a disaster recovery plan in response to the terrorist attacks on the World Trade Center in New York on Sept. 11, 2001. But then Hurricane Katrina came along, and companies realized that they weren't prepared for that type of natural disaster event. Businesses in other areas of the country, meanwhile, should be ready to deal with earthquakes and tornadoes.
Jones said that some companies still do not understand where to build a disaster recovery site. A lot of them, he said, had their disaster recovery sites across the Hudson River in New Jersey while their main site was in Manhattan. He even spoke to one company that had its main data center in lower Manhattan and its recovery site in upper Manhattan. That's a no-no.
Even if your data center is immune from natural disasters, you still need to be aware of where your distributors are located. If they're at risk and you don't have a backup option, then you're at risk.
Creating a data center disaster recovery plan
So how do you create a data center disaster recovery plan? Jones said that absorbing all of the information and trying to craft a perfect, complete plan is unrealistic. According to him, planning is everything. He suggests conducting a business impact analysis to determine which systems and applications are most critical to the operation of your business.
You can then work on developing a disaster recovery plan for those applications, whether it's by building a separate site or renting out data center space in a collocation facility. Jones said that you need to determine at what point you start to suffer business loss or a threat to people from not having a particular business process in place. You may find that you don't have any real revenue impact for two days; in that case, your recovery time objective (RTO) should be two days.
Aside from protecting applications, a company needs to have a logistics plan in place in the event of a natural disaster or other event that is disruptive to the physical business. Jones said that all employees need to have a way to contact the company in this situation, where to go for emergency operations and what will be expected of them. In addition, the company's suppliers and distributors must know how to contact the business in case of emergency.
Disaster recovery is "starting to come to the forefront," Jones said. "People are starting to learn and understand disaster recovery. Not everyone is on the same page -- it's a very broad range as to how far along businesses are in understanding how to build a good business continuity or DR plan."
Let us know what you think about the story; e-mail: Mark Fontecchio, News Writer.