When disaster recovery's down to you

A look at what BS 25999 could do for your uptime issues

February 11, 2008 12:00 PM ET

Computerworld - When a discussion turns to disaster recovery and business continuity planning (BCP), the talk of IT staff quickly turns to ensuring that system and service availability is raised "to five nines" -- an allusion to 99.999% annual availability or about 5 minutes of downtime per year.

Ponder, then, the numbering of BS 25999, a revision of the British Standards Institution (BSI)'s Publicly Available Specification 56 (PAS 56:2003) "Guide to business continuity management." No, they couldn't have. Could they? Did they? Oh, my head hurts.

From joke to disaster

It's no joke, however, when the task of disaster recovery planning (DRP) is dropped in the laps of information security managers and IT staff. Justification comes from the last part of the security "C-I-A triad" -- "availability." Following this logic, DRP becomes a security problem, and it's often handed off to an organization's information security officer or IT director with little or no support. The result is usually either a skimpy collection of procedures without a solid foundation in risk assessment, or a long-winded tome that overreaches the high-level governance and compliance requirements that can be predicted by IT.

In this context, a disaster recovery plan might do more harm than good. Thinking that disaster recovery is assured by a novice's tape backup rotation plan and off-site storage in a cabinet down the hall could lead to overconfidence or false attestations during audits or contract negotiations, or even encourage risky data, network, and service management. Confusing a data recovery procedure with a full-blown plan, or cognitively inflating a data-focused plan into a management policy and standards, is dangerous stuff for the livelihood of a business.

Worse, there's the possibility that minimal action on the part of IT to protect information assets will cause senior management to cool its support for enterprise risk management, disaster recovery and business continuity. Organizations making the transition from small to medium size occasionally check disaster recovery off the list when they have information asset-preservation policies in hand, and neglect to scale up disaster response decisions and processes where they concern human safety. Therein lies real risk to real people.

A helping hand

What to do then, if an information security officer has DRP dumped on him or her, without requisite support? All is not lost; addressing DRP isn't a completely black art. There are trade magazines, countless books on the topic, and no shortage of consulting and service sales seminars from the likes of Sungard that offer a variation on the response themes promulgated by the Federal Emergency Management Agency (FEMA). And then there's BS 25999.

In a nutshell,



jon espenschied
