A business continuity checklist

Christopher M. Burry and David Mancusi, Avanade   Today’s Top Stories    or  Other Disaster Recovery Stories  

Zero Data Loss- Disaster Recovery Live Webinar Data Protection and Disaster Recovery with iSCSI and VMware Disaster Recovery Simplified - iSCSI and VMware Site Recovery Manager Deliver Results IDC Report: Major Considerations for Deploying a Thinly Provisioned Storage Solution Case Study: Simplified DR Planning and Implementation Virtualized iSCSI SANs: Flexible, Scalable, Enterprise Storage for Virtual Infrastructures Computerworld Report: Virtual Reality Computerworld Report : Smart Storage Computerworld Report: Storage Gets Strategic Sign up to receive Security Resource Alerts

April 19, 2004 (Computerworld) -- It's spring -- time we turn the clocks ahead. For us, it's also a reminder that it's time for companies to plan for business continuity.

Why? One client whose IT environment comprised a mix of operating systems had not established a single time source. Systems ran just fine. But when a failure took place, the effects -- though apparent throughout the infrastructure -- couldn't be correlated, because the system clocks weren't synchronized.

As IT staffs continue to patch and modify heterogeneous operating systems, the variety and complexity of error conditions multiplies for business continuity. Disaster recovery -- restoring data and returning to a functional state -- is well understood. However, we've found that many companies may not completely understand the complexity of business continuity.

Before the alarm bell rings
The good news is that business continuity and disaster recovery share the same infrastructure. But many companies don't plan or execute effectively because they don't follow operational best practices. The IT Infrastructure Library offers a definitive approach to disaster recovery and business continuity. We frequently bring the following elements to our clients' attention:

1. Establish a service-level agreement.
All disaster recovery and continuity work begins with agreement on what matters most to the business. For example, if access to a trading-floor application is lost for 15 minutes, the financial effect can be tremendous. This agreement forms the basis for service-level agreements (SLA) about IT performance.

SLAs should be more than availability definitions. The familiar target measured in number of "9s" of availability is often chosen without thought for much more than uptime. In addition to performance and service outages, SLAs must include application updates, release-schedule guarantees, even patch management activity -- all of which factor into systems' continuous operation.

Don't oversimplify this aspect of planning. Consider that the components of the application infrastructure fit into the availability scheme: An application instance is supported by the presentation-layer, application-layer and data-layer servers.

In all practicality, an SLA of 100% -- though improbable -- won't mean that every component in the environment requires 100% uptime. Instead, a service-level objective should be defined for each component, relative to other components, so that overall environmental performance delivers the agreed-on service level. Start with the element most crucial to the SLA -- the database, for example -- and factor in other components' performance.

2. Identify potential problems with achieving the SLA.
Develop scenarios that outline exactly what could go wrong and what it would take to mitigate it. Then rank these scenarios for probability and cost. Next, prioritize them for executive sign-off. Agreement on projected losses gives a realistic idea of the resources required for continuity.

For organizations just beginning an implementation, the definition of failure scenarios is a chance to set options for creating an application environment to eliminate specific vulnerabilities. Buy-in from executive leadership will lead to a road map for deployment.

3. Perform data classification.
Many clients haven't evaluated what data an application requires and the sensitivity of that data. Data classification reflects data availability requirements and in turn determines storage infrastructure for business continuity. Skipping this detailed but crucial step makes it hard to define costs, easy to overengineer or overbuild application infrastructure -- and easy to overspend.

4. Understand the risk thresholds for different areas of the business.
This insight enables the services desk to make intelligent decisions when, for instance, a server has failed. If the recovery time objective is 30 minutes and it will take 15 minutes to identify a problem, it's important to know when your "go/no go" decision must be made.

5. Develop detailed procedures for each scenario approved.
The failure scenarios selected are the basis for disaster recovery and business continuity planning and need to be adequately communicated to all architects and developers to ensure consistency in approaches to application development and infrastructures. Failure scenarios shine a light on the risks so that all are engaged in mitigation.

6. Test, test, test.
While a "minor" change to the IT environment might not effect recovery, it could have ramifications for successful fail-over. Untested, minor changes have an unknown effect on site fail-overs.

A good time to test is with a new release of an application, especially one with business continuity requirements. Testing may reveal new options or the elimination of certain failure scenarios that should be factored into the final release.

The clock is ticking
In essence, disaster recovery and business continuity come down to planning and preparation. With proper planning, business continuity allows people to make smart decisions in compressed time frames, with little information. With adequate preparation, any event can be swiftly dealt with using tried and tested methods. Without either, your company stands to suffer losses that will extend far beyond the measured cost.

Christopher Burry is a technology infrastructure practice director and fellow at Avanade Inc., a Seattle-based integrator for Microsoft Corp. technology that's a joint venture between Accenture Ltd. and Microsoft. David Mancusi is technology infrastructure practice director of Avanade's Eastern Region. Comments or questions can be sent to Christopher.Burry@avanade.com.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"Debian, the popular Linux distribution has just been shown to have made an all-time stupid security goof-up. They managed to..." Read more... "Houston area overrun by ants -- no, not atomic mutants. Sorry. Maybe even worse. At least you could kill Them..." Read more... Read more Security posts or See all Blogs

HP confirms XP SP3 endless reboot snafu, promises patch Yahoo tells Icahn that its own board knows best Tools circulate that crack Debian, Ubuntu keys More top stories...

Former Microsoft manager offers free fix for XP SP3 'endless reboot' Can Icahn take on the Yahoo board and win? Elgan: Hyperconnectivity: Friend or foe?

Shuttle Columbia's hard drive data recovered from crash site Specialists have retrieved about 99% of the data on a disk drive on board the crashed space shuttle Columbia. Don't miss the photographs of the recovered drive. The top 15 vaporware products of all time These big ideas were supposed to revolutionize technology, but they never actually appeared. In a few cases, you'll be glad they didn't. Opinion: Malware vs. anti-malware, 20 years into the fray Nearly 20 years after the first Internet worm, Steven J. Vaughan-Nichols takes stock of the malware/anti-malware landscape and spotlights how the two sides are approaching the battle. Leopard at six months: Does it live up to the early hype? Though some thought it was released too soon, Mac OS X 10.5 has matured into a solid operating system, says reviewer Michael DeAgonia. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland SecurityAsk a Premier 100 IT LeaderBlackBerry Legal BattleData Security BreachesElectronic VotingFirefoxH-1B VisasHP's Boardroom ScandalHandheld DevicesHurricane Katrina AftermathMicrosoft Legal IssuesMicrosoft's VistaOpen SourceRFID TechnologySCO's Linux FightSarbanes-Oxley ActSpamVoice Over IPWi-FiWindows Meta File VulnerabilityWindows XP Service Pack 2 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class2006 Computerworld Horizon Awards2006 Premier 100 IT Leaders2006 Salary Survey2007 Best Places to Work in IT2007 IT Forecast2007 Premier 100 IT Leaders40 Years of ComputerworldASPs, Take TwoBest Places to Work in IT 2003Best Places to Work in IT 2004Best Places to Work in IT 2005Best Places to Work in IT 2006Business Intelligence Home RunsBusiness Intelligence: Smarter BIBusiness Intelligence: The Future of BICRM Goes VerticalCRM: Sober CRMCareer Planning Guide 2005Careers: IT Profession 2010Computerworld Horizon Awards 2005Data Management: Mining for GemsData Management: Taming Data ChaosDevelopment: Hard-Workin' Web SitesDevelopment: New Tools New ChoicesDevelopment: The New World of Application DevelopmentDevelopment: The Web Services TsunamiDevelopment: Web Services HurdlesDisaster Recovery: Preparing for the WorstE-commerce Grows UpE-mail/Groupware: Big DecisionsFaces of Mobile ITForecast 2006Global MobileHardware: Multiple Cores, Multiple ChallengesHardware: On-Demand Un-HypedHardware: The Shape of Things to ComeHorizon Awards: 10 Cool Cutting Edge TechnologiesIT Management: Guide to Managing VendorsIT Management: Navigating Global ITIT Management: Recovery AheadIT Management: The Future of ITIT Management: The Resourceful Project ManagerInnovative Technology Awards 2004Management: Reinventing ITMicrosoft in TransitionMobile/Wireless Leaders and LaggardsMobile/Wireless: The Untethered WorkerMobile/Wireless: Tiny Gadgets, Huge CostsNetwork Management: Taking ControlNetworking: Turbulence Ahead!Networking: VoIP Goes MainstreamOperating Systems: In the Slow LaneOperating Systems: Linux Goes GlobalOperating Systems: Should You Nix Unix?Outsourcing: Offshore Buyer's GuideOutsourcing: Outsourcing DangersPremier 100 IT Leaders 2004 Best in ClassPremier 100 IT Leaders 2005 Best in ClassROI: Do the Math!Salary Survey 2003Salary Survey 2004Salary Survey 2005Security Action PlanSecurity: Compliance HeadachesSecurity: Proactive SecuritySecurity: Risk and RewardSecurity: Tips From Security ProsSouped-up SecurityStorage: Battling ComplexityStorage: Cheap & Secure Data StoresStorage: Stretching Your Storage DollarsStorage: The Lean Storage MachineStorage: The New Rules of StorageStorage: The Ultimate Backup GuideSupply Chain: Missing LinksSupply Chain: RFID Reality CheckThe Business of SecurityWeb 2.0 SecurityWireless: Wireless At Work All Zones Application Performance Zone Enterprise-Class Security Zone Enterprise Solutions Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone The Data Center Management Zone See your link here

Long Tail Supplier Collaboration - What's In It For You? Long Tail Supplier Collaboration - What's In It For You? Download this webcast, free, compliments of Sterling Commerce Go to the webcast  Developing FIPS 140-validated Solutions for the Federal Government Using RSA BSAFE Software Get this white paper! (Source: RSA) The U.S. House of Representatives' Committee on Government Reform recently released the 2005 edition of its Federal Information Security Management Act (FISMA) report card. Unfortunately, the news was not good. The 25 major government agencies reported 15% of the IT systems remained uncertified/unaccredited while 6 agencies lacked effective corrective action plans, illustrating little improvement in the level of information security for government agencies compared to previous reports. Government agencies at all levels are entrusted with sensitive information about citizens, military personnel and others. As is the case with private industry, breaches of that information can create a public relations debacle and end up costing dearly-not just monetarily, but in public trust. Defense, security and diplomatic agencies are entrusted with even more sensitive information, which, in the wrong hands, could threaten national and international security. Download this white paper  Computerworld Report: Virtual Reality Download this Computerworld Report, free for a limited time, compliments of HP. (Source: Computerworld) The data center is real, but storage is turning virtual at many organizations that need to manage exploding storage needs. Learn how virtualizing your enterprise will save you money in this Computerworld Report, a $49.95 value, available free for a limited time, compliments of HP. Download this executive briefing  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. Six Support Issues That Keep Execs Awake at Night Spam Spikes: A Real Risk to Your Business The New Foundation of Storage: Xiotech's Intelligent Storage Element View more whitepapers

• HP confirms XP SP3 endless reboot snafu, promises patch
• Yahoo tells Icahn that its own board knows best
• Tools circulate that crack Debian, Ubuntu keys
• More top stories 

Security Management Zone Security management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones



Try Fluke Networks' EtherScope Analyzer on your network FREE Quickly solve the wide range of problems you encounter - 10, 100 and Gigabit, twisted pair and optical fiber, LAN or wireless LAN. The EtherScope Analyzer combines the essential tools you need to monitor network traffic and switch interfaces, discover devices, networks, VLANs, access points, mobile clients and more. See the power of this portable network analyzer on your network. Request free trial now *Terms and conditions: Evaluation units are available only for a limited time and will be scheduled on a first-come first-served basis. Not available in all geographies. Limited quantities available; customers requesting evaluation units may be waitlisted for the next available unit. It will be at the discretion of Fluke Networks to accept or decline requests for this free evaluation.