Home > Security > Business Continuity

Computerworld - The following is excerpted from the book, Disaster Recovery Planning: Preparing for the Unthinkable, 3rd edition, by Jon William Toigo. It is posted with permission from publisher Prentice Hall PTR, copyright 2003, all rights reserved.

For a data recovery plan to be meaningful, it must ensure the "right" data -- data that is required by critical business processes and necessary for recovery -- is identified, safeguarded against loss, and made available in an acceptable recovery timeframe. This is a deceptively simple premise. Consider these facts:

• Depending on the analyst one reads, data is growing at a rate of between 70 to 100% per year in most corporations. Replicated data, "enhanced" data (e.g., document files with graphics, sound clips and other data objects embedded), and large program files account for some of this growth -- perhaps as much as 50%, according to some analysts. However, the balance is new data, including e-mail and transaction entries in databases, that is constantly being created and stored by end-users and automated systems.


• A significant percentage (some argue as much as 80%) of the data stored on hard disk drives is never referenced again. This applies to databases as well as files, fostering significant discussion of the possibility of shortening data recovery timeframes by "prestaging" static or nonchanging data at the recovery center.


• Databases measured in terabytes are becoming commonplace within Fortune 1000 firms. Even in medium-sized firms, it is not uncommon to find databases sized in the 400 to 700 GB range.


• In most companies, policies and standards do not exist for the classification of data by its importance to the organization. According to the 1998 Information Week/PricewaterhouseCoopers Global Information Security Survey, 43% of the 1600 companies surveyed worldwide indicated that they never classify data and 14% classify their records only on an annual basis. [2] Says George Symons, vice president of product management and development with Legato Systems, Inc., "Today CIOs are being forced to determine the relative importance of different applications. They cannot afford to invest in tools and people to protect all applications at the 24 x 7 level. Decisions need to be made as to which applications must be available 24 x 7, which are 19 x 5 and which are 12 x 5." [3]

Against this backdrop, clearly the DR coordinator may confront a major challenge at the outset of data recovery planning: learning where the data is stored in the organization. This task, according to vendors, can be facilitated through the use of software products that automatically "discover" volumes, databases, and files recorded on data storage devices throughout the IT infrastructure. Storage management software is being pressed into service to aid in ferreting out data, determining its usage characteristics, and using this information to plan capacity requirements for recovery in the wake of a disaster.

Discovering the locations and usage characteristics of electronic files stored on PCs, server-captive storage arrays, stand-alone arrays, network attached storage (NAS) devices, and storage area networks (SANs) does not, however, define the criticality of the data or its suitability to a backup strategy. According to Legato's Symons, companies are not going to cull through data sets to assess their importance and set policies for backup, policies will be set based on the application producing the data, and the priority given to that application.

To perform backups of distributed data effectively requires policy-driven management. Policy-driven backup and recovery [using an enterprise-wide data backup product like Legato NetWorker], helps reduce the staff requirements necessary to manager these complex environments. Policy-based systems automate key functions in order to provide consistent management of repetitive tasks.[4]

In addition to electronic or machine-readable data, data recovery planning must also concern itself with identifying business critical information stored on paper and with the interdependencies that may exist among paper or other documentation, electronic data, source documents, and worker knowledge that make all data usable. This, too, can be a laborious and time-consuming task. To the list of information storage repositories that must be examined by the DR coordinator an assortment of safes, file cabinets, microfiche and microfilm storage racks, and old-fashioned desk drawers must be added.