IT Disaster Planning & Business Continuity
nihil
November 17th, 2007, 09:04 AM
Hi,
This is a new forum to discuss what I consider to be a rather ignored aspect of IT security.
Ask yourself: "what would happen if we lost our computing facility?"
You know, a hurricane, typhoon, flood, fire, and so on. It doesn't really matter what sector you are in: school/college, .gov, .mil, .com, .net................
As I have always seen things there are two facets to this:
1. Recovering from an IT specific disaster.
2. Business (organisational) continuity in the face of a more global disaster.
So, I thought I would post a poll to see what sort of level of penetration and awareness these concepts have.
What I am interested in is basically:
1. Do you have an IT disaster recovery plan?
2. Do you have a global Business Continuity plan?
3. Are they formally documented and disseminated?
4. How often do you test it?
5. Does it involve all areas/departments of your organisation?
6. Has everyone been trained, and do they know what to do?
7. Does it have a budget and contingency reserve fund?
This is a new discussion forum, where I hope that we can share ideas and experiences; so please be patient (and contributive :D ) whilst it takes shape.
Thanks,
Johnno
EDIT: Multiple choices are allowed in the above poll
Please note, I have voted for two options because I have multiple clients, some of whom cannot have a global policy........ if your hotel or shop burns down, you cannot expect to have alternative facilities on tap? ;)
foxyloxley
November 18th, 2007, 11:53 AM
I work as an IT contractor, and my previous client was an international business, with the full cold and hot rooms set up and ready around the planet. And the war rooms were used monthly to keep the policy fresh in everyone's mind .........
Right now, I'm with the UK NHS, and their disaster recovery plans appear to be a lot less in scale, restricted to continual backups, with off site storage.
So, yeah, it does matter who you are, and what the implications of loss would mean, that determines just how much you need to spend to ensure continuity ...............
It also explains why I haven't put a vote up, as I do not actually work for them on a permanent basis
nihil
November 18th, 2007, 04:01 PM
Hi Foxy~,
Yes, daily backup and offsite storage is pretty popular with my lot as well, especially the professionals (accountants, lawyers) who tend to have more than one office reasonably close.
For the pubs, restaurants, hotels and guest houses this is really all they can do as a disaster would generally mean a total loss of their business.
Also, for these small outfits their hardware can be replaced within hours.
:)
sec_ware
November 20th, 2007, 05:19 PM
Hi
Some of our clients do have implementations of BCM
standards, in particular PAS56/BS 25999, in accordance with
ISO/IEC 17799 (ISO/IEC 27002 in the new 27000 series).
Main motivation of these clients certainly is compliance with SOX
and/or Basel II.
These BCM standards exactly try to minimize risks of disruptions caused
by minor incidents or major disasters, like hurricanes, earthquakes, etc.
Part 1 of BS 25999 _is_ a code of practice and thus applicable even by SMBs.
Nevertheless, I am wondering which SMBs really had a look at this code
of practice, let alone tried to implement it. Internally, we haven't, we
do have a DRM and BCM though.
I haven't said much substantial yet, but I think the effort done
by good people should not be ignored - there is no need to re-invent
the wheel :)
As per your 7 questions, I personally think, and it is my experience,
that the points mostly ignored are 4 and 6:
4 - Externals usually audit that the implementation is compliant
with the standard/documentation. Whether it works at all in the specific
case is rarely tested!
6 - It all comes down to the people. Right before and shortly after
the audit, usually they have an idea of what to do. Period...
Would be nice to have catch participating in this discussion :)
Cheers
nihil
November 20th, 2007, 05:55 PM
Hi sec_ware,
Thanks for your contribution. The additional concept that you have added I would look at as being sort of the "interface with regulatory compliance, industry standards" and possibly even insurance provider requirements.
I too have a certain cynicism regarding these "Standards"............. it is the same with BS, ISO and ASA.............. like I have processes that are BS9000 compliant................ all it says is that I have something documented and implemented.
It could be the most foolish and inefficient on Earth, but I would still get my certificate.
:D
MURACU
November 23rd, 2007, 05:02 PM
I agree it is all well and good to have ISO compliant procedures but they need to be tested once in a while and most definitely updated at least once a year.
sec_ware
November 28th, 2007, 09:02 AM
Hi
Nihil, I was hoping that my cynicism was not so obvious :) I really do
appreciate the work of a few smart people who write together formal
considerations, sometimes even with reasonably applicable code of practices.
However, in the end, it is as you say: you have to document something,
which you do implement (it is not always like that of course, but take
ISO 9001 as an illustrative example).
I just came across another issue in a BCM-"concept". Standards provide a lot
of helpful considerations and help to reduce forgetting obvious elements.
Without them, it happens that external dependencies simply get forgotten:
Thought has been given to every process within a company - except external
providers, such as the email-provider (for god's sake). So if the
email-provider does not have a reasonable DR and BCM, your BCM is flawed...
this happens...
Cheers
yatot
February 11th, 2010, 07:04 AM
Hi, I am interested in this disaster recovery planning and I want to know the basics of it and how to document this planning. I wanted to propose this kind of planning but I don't have any idea where to start. Can anyone point me in the right direction?
morganlefay
February 11th, 2010, 03:21 PM
As stated ..depending on the business you are recovering ...will determine your strategy to recover it.
Also the strategy will greatly depend on the type of "disaster".
Off site storage of data is required by most insurance companies here in Canada....again depending on the business..I work mostly for manufacturers and retail stores....and am responsible for the recovery of data and systems.
A few years ago we had a flood where the retail stores lost a huge amount of inventory and there was water damage interior of the stores....the recovery of that was based on insurance and government funding.
Google is your friend...
Find a business model similar to yours....and go from there
MLF
ByTeWrangler
February 11th, 2010, 06:56 PM
Where do I click if the CISO of the company sends me a mail with (http://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot) and asks me if Symantec is protecting us from the SpyEye bot?
PS: I kid you not, he actually did that today.
nihil
February 11th, 2010, 09:09 PM
ByTe,
The answer is "yes, but only if it is a version that they know about and can detect"
There are a few considerations to the OP's question. There are different levels or aspects:
1. Computing facility destroyed by fire, earthquake, flood, terrorism etc. For this kind of eventuality you would probably go for an offsite backup facility.
2. Minor problems such as power or a localised fire or flood just affecting IT. Here you might look at portable buildings and equipment brought onto site.........not so easy in a city centre?
3. Business continuity. This is just being able to run the business in the event of a problem. You need to include all the departments in this one, as the people need somewhere to work, to produce, to distribute etc. Here you might look at subsidiaries and different branches/sites.
With business continuity you need to look at just how critical your applications and access really are.
Don't forget UPS and emergency generator facilities with this one. ;)
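The thread keeps coming back to the "daily backup plus offsite copy" pattern and to question 4 of the opening post (how often is the plan actually tested, as opposed to audited). The following is an added example, not code posted by anyone in this thread: a small restore drill that builds a constructed backup set, unpacks it into a scratch directory, checks every file against a SHA-256 manifest, and compares the backup's age with a recovery point objective. The file names, the sample data, the 24-hour RPO target and the manifest layout are all assumptions made for the example.

```python
# Added example (not from the thread): a minimal restore drill for a
# "daily backup + offsite copy" setup. It turns "do you test it?" into
# something measurable: does the archive unpack, does every file come back
# with the hash recorded at backup time, and is the copy recent enough?
# Sample files, archive name, manifest layout and the RPO target are constructed.
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    """The manifest sits beside the archive (assumed layout for this example)."""
    return archive.with_suffix(".manifest.json")


def make_backup(source: Path, archive: Path, created=None) -> dict:
    """Write a tar.gz of every file under `source` plus a JSON manifest of hashes.
    The manifest is what lets a later drill prove the restore is complete."""
    manifest = {"created": time.time() if created is None else created, "files": {}}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest["files"][rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest))
    return manifest


def _safe_members(tar: tarfile.TarFile):
    """Refuse entries that could write outside the scratch directory
    (absolute paths, '..' components) or that are not plain files."""
    for member in tar.getmembers():
        name = Path(member.name)
        if name.is_absolute() or ".." in name.parts or not member.isfile():
            raise ValueError(f"refusing unsafe archive member: {member.name}")
        yield member


def restore_test(archive: Path, rpo_hours: float, now=None) -> dict:
    """Run the drill: unpack into a throwaway directory, compare every restored
    file with the manifest, and check the backup's age against the RPO target."""
    manifest = json.loads(manifest_path(archive).read_text())
    now = time.time() if now is None else now
    age_hours = (now - manifest["created"]) / 3600.0
    result = {"restored": 0, "missing": [], "corrupt": [], "error": None,
              "age_hours": age_hours, "within_rpo": age_hours <= rpo_hours}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, members=_safe_members(tar))
        except Exception as exc:  # any failure to unpack is a failed drill; keep the reason
            result["error"] = f"{type(exc).__name__}: {exc}"
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_file(restored) != expected:
                result["corrupt"].append(rel)
            else:
                result["restored"] += 1
    result["passed"] = (result["error"] is None and not result["missing"]
                        and not result["corrupt"] and result["within_rpo"])
    return result


def run_drill_demo() -> dict:
    """Build a constructed backup set and drill it three ways: a healthy copy,
    a copy older than the RPO target, and an offsite copy damaged in transit."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "source"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "2007-11.csv").write_text("date,amount\n2007-11-17,120.00\n")
        (source / "clients.txt").write_text("hotel, restaurant, guest house\n")
        archive = work / "nightly.tar.gz"
        manifest = make_backup(source, archive)
        healthy = restore_test(archive, rpo_hours=24)
        stale = restore_test(archive, rpo_hours=24, now=manifest["created"] + 72 * 3600)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # simulate a truncated offsite copy
        damaged = restore_test(archive, rpo_hours=24)
    return {"healthy": healthy, "stale": stale, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_drill_demo(), indent=2))
```

The point of the `stale` and `damaged` runs is that a backup job reporting success is not the same as a restorable copy: the drill fails if the archive cannot be unpacked, if any file is missing or altered, or if the copy is older than the recovery point the business has agreed to, which is the kind of check an external audit of the documentation alone will not perform.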
ByTeWrangler
February 12th, 2010, 06:46 AM
I have the best DR plan.. It's called a RESUME :D