Disaster recovery preparation is challenging because you don't know exactly what you're preparing for. Events like Hurricane Katrina also point to our inability to reliably predict the scale of damage and the inability of government at all levels to cope with the aftermath of an adverse event. The adverse event can range from extreme weather conditions or disturbances in the earth's geology to human-related events caused by errors, accidents or malice.
Regardless of the cause, adverse events become disasters when the event's negative consequences affect your company's ability to maintain operations. Even though IT planners cannot predict what event may threaten the continuity of IT operations, the basics of disaster recovery planning and recovery requirements change very little. To see how your company's disaster recovery efforts may measure up, consider using the following criteria to measure your
Grade F (Unprepared)
Grade D (Marginally Prepared)
Grade C (Prepared)
Grade B (Well Prepared)
Grade A (All Set)
The days of having your entire backup and recovery tapes and hardware in the same building should long be a thing of the past for any of today's publicly traded companies reliant on their data systems. The technology and communications options available allow placing replicas in geographically dispersed locations and communicating backup data in near real time. Should an organization not want to invest in the resources themselves, pooling with others or using third-party providers should be considered as alternatives. Management should know the company's disaster recovery profile and have an honest assessment of the time it would take to recover after an adverse event. The grading scale above should provide a starting point and help communicate the situation in easily understood terms to decision makers regarding the ability to recover. It should also help to demonstrate the funding and resources needed to prevent an event from becoming a disaster by moving up one or more grades.
About the author
Dennis C. Brewer is the author of Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access published by Wiley. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification, and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.
This was first published in July 2006