May 20, 2002
(Computerworld)
Chicago
Companies are broadening their business continuity plans in response to business trends and to the events of Sept. 11, said analysts at a Gartner Inc. information security conference last week.
On the business front, the trend toward zero-latency networks, through which corporations can access and act on real-time business data, presents new risks to companies from a business continuity and disaster recovery standpoint.
The risks include those posed by insecure external service providers, data links to third parties, software vulnerabilities and human error.
Problems in any of these areas could seriously disrupt a network that needs to be on all the time and therefore have to be factored into disaster recovery and business continuity plans, said Roberta Witty, an analyst at Stamford, Conn.-based Gartner.
Know Thyself
Companies must understand their external links, the consequences of failure of any of these links and the contingencies to deal with such failures. In terms of architecture, it might mean looking at what kind of load-balancing and high-availability technologies are in place at a corporation, Witty said.
"This is not just about having [an application] that you bring up in recovery mode.... You are talking about having a production environment up and running all the time, whether it is in one location or more," she said.
Meanwhile, formerly asset-centric business continuity plans are broadening to include people, processes and work spaces, especially after Sept. 11, Witty added. New planning scenarios include loss of life, key decision-makers and communications capabilities, she said.
For instance, Aetna Inc. in Hartford, Conn., has broadened the scope of its disaster planning since Sept. 11 to include people and processes, said Kurt Bahrs, a disaster recovery specialist at Aetna.
Although the insurance company has two data centers in the Hartford area, it centralized most operations in one of the facilities about five years ago. Now Aetna is again dispersing staff between the facilities as a business continuity measure.
On the technology front, Aetna has already taken steps to ensure business continuity. All third parties linking into the company's Hartford network, for instance, must have fully redundant connections. In some cases, the Hartford network provides the redundancy at cost to the third party to ensure disaster tolerance, said Bahrs.
New York-based Cadwalader, Wickersham & Taft, whose offices had to be evacuated following the Sept. 11 attacks, has also expanded its disaster plans.
The law firm recently installed a laser-based communicator for replicating data between two of its facilities. Now instead of having to restart tape backups at a service provider location, the company is able to do so much more quickly from its own facility.
"It took us about a day to recover [from tape]. That's not good enough any longer," said Greta Ostrovitz, director of IT at the firm.
Cadwalader, Wickersham & Taft is also looking at building similar disaster tolerance into other aspects of its business, she said. For example, the company has direct electronic links with several of its clients around which it plans to build greater redundancy.
Recovery Advice
What to focus on when business continuity plans are limited.
CRISIS MANAGEMENT PLAN
for ensuring safety of employees, continuity of decision-making and view from outside world
ASSET LIST
and key supplier contact information
SECURE, off-site backup storage
SPENDING
on most critical business processes
WORK-AT-HOME PROGRAMS
for work space recovery
Source: Gartner Inc. Stamford, Conn.