There's a saying I heard a long time ago, and it always stuck with me. The saying is "Plan for the worst, and hope for the best." Those are important words to live by when we are talking about the need to keep our information systems and business processes up and running. But what do they have to do with security? Well, think about the computer systems you use or manage. If you are in charge of system security, you have probably done the standard things you need to do -- installed a firewall, applied the latest patches, installed virus-protection software, backed up the data or protected your data using encryption. Those are all great things. But that isn't really planning for the worse.
Suppose something happens that brings your systems down, and it has nothing to do with a hacker attack. Perhaps it's a fire. An earthquake. A flood. Could your company survive such a disaster?
Remember the bombing of the New York World Trade Center in 1993? Did you know that of the 350 business that were affected by the blast, 150 eventually went out of business? Here are some other interesting statistics:
- Of the businesses that lost their records in a fire, 44% never reopened their doors after the event, and 30% of those that did reopen failed to survive beyond three years after the fire.
- Most businesses experience two hours of downtime per week.
- In a 3M study conducted in 1995, 30% of computer users spend one
- week per year reconstructing lost data.
- 72.2% of U.S. companies have had business operations interrupted because of power outages.
- 52.2% of U.S. companies have had business operations interrupted because of computer hardware problems.
- 43.1% of U.S. companies have had business operations interrupted because of software problems.
- 34.4% of U.S. companies have had business operations interrupted because of human error.
- 46% of U.S. companies have had business operations interrupted because of telecommunications failures.
What can you do to prevent that from happening to you? There are two plans you can develop to handle a disaster: a business-continuity plan (BCP) and a disaster-recovery plan (DRP).
Although you might hear those two terms used interchangeably, they actually address two different concerns. The business-continuity plan addresses the organization's ability to continue functioning when normal operations are disrupted. In essence, it addresses the continuity of the critical business functions. The BCP might include other plans, including disaster-recovery, end-user recovery, contingency, emergency-response and crisis-management plans.
The disaster-recovery plan, on the other hand, is used for the advanced preparation and planning necessary to minimize damage caused by a disaster. And it ensures that an organization's critical information systems are available.
In future columns I will discuss those two plans in detail, covering everything from what goes into each plan and the steps you need to take to start developing your own.About the author Mark Edmead has more than 22 years of experience in software development, product development and network systems security. He also co-wrote Windows NT: Performance Monitoring and Tuning and is working on a book focused on Windows 2000 security.
This was first published in September 2001