Steven J. Ross, CISA, CISSP, MBCP
IT leaders were among the first to recognize planning for response to disasters as a business concern, so that the term “disaster recovery planning (DRP)” is usually applied to the recovery of systems, applications and IT infrastructure. Sometime in the 1990s, many people realized that business interruptions happened for reasons other than disasters, and that they affected more than IT, so the term “business continuity management (BCM)” started to be used for the management of the recovery or continuation of business activities in the event of a business disruption.1 Finally, the term “crisis management planning (CMP)” has been used to refer to preparations for management oversight of the response to the external effects of disruptions to an organization’s business affairs.
There is lively debate about the relationship and relative importance of the three concepts. Broadly speaking, in the 1980s, DRP was the main focus; the 1990s was the time of BCM; and the decade just past saw CMP at the top of the pile.2 There is no need for me to enter into the discussion because I consider it irrelevant. Organizations should be prepared for unexpected disruptions; no more need be said. Nonetheless, the priority given to one or the other concept has swung like a triangulated pendulum for quite a few years. I see that pendulum swinging once more to the recovery of IT for a number of reasons that may be more substantive than semantic, offering a path to integrating DRP, BCM and CMP.
Not surprisingly to ISACA Journal readers, information systems have massively changed the way organizations conduct business and, thus, the unavailability of those systems would have a massive impact on them. An IT disaster is ipso facto a business continuity crisis. As a result, the emphasis in IT has moved in recent years from cure to prevention, i.e., from recovery to resilience. Of course, it was always preferable to prevent disruptions rather than to react to them. Today, the technical means to keep systems in operation despite disastrous events are more readily obtainable. The most important technology in this regard is the ability to replicate data from one location to another as they are being written, or at a reasonably short time thereafter.
The cost of data replication is very much an issue, limiting adoption to those organizations with the most money and, then, usually to their most critical information. The interconnectedness of information systems, greatly driven by integrated systems such as enterprise resource planning (ERP) and customer relationship management (CRM), has led to circumstances in which critical data are approaching the totality of organizations’ databases. Thus, to replicate just essential data is close to replicating all data.
The cost is justified for businesses with either a high volume of transactions (e.g., orders, trades, shipments) or very limited tolerance for loss of information (e.g., tax filings, research lab findings, medical records). In these instances, the loss of even a relatively small amount3 of data would have great enough consequences to justify the investment in duplicating data instantly in a remote location so that it would continue to exist if the primary database were destroyed.
Data replication is not a new technology, but the breadth of its acceptance is a recent development. What is important is more than just the underlying technology. The vital point from a security perspective is that continuity is being viewed as data-driven. For most of the time that DRP and BCM have been discussed, the primary concern has been the length of time that information systems would be unavailable. It is not that the length of outages is now less of an issue, but that data loss has been recognized as a more serious matter. Business functions are increasingly aware that they can absorb some degree of downtime as long as the information is current (or close) to the point of disruption when systems are recovered. A salutary consequence is that if the investment is made to minimize data loss, the incremental expense to keep application systems running is less of a constraint.
This is made possible to a large extent by virtualization. A few physical servers may be used for purposes other than recovery (e.g., testing, development), with production applications loaded but inactive until they are needed in an emergency, thereby significantly reducing capital expenditure. The greater cost, and very much a limiting factor, is that of an inter-data-center network to transport replicated data. To avoid that expense, most organizations continue to rely on physical and virtual tape backups for less-critical data and applications. The constraint is still the amount of time to restore destroyed data, but the ability to read data from the most advanced tape systems has greatly reduced the amount of downtime. With streaming LTO 5 (or Ultrium) technology, it is possible to transfer a terabyte of data in just over six hours from a single tape.4, 5 Assuming that multiple drives would be used, the possibility of having data available—if not current to the point of disruption6—has made shortened downtime possible. Use of virtual tape libraries (VTL) helps with management of the tapes, but capturing data remotely on tape incurs network cost.
The pendulum swing toward DRP has been pushed by advances in replication, tape, storage, network and even cloud technology. In what way does this drive the integration of DRP with BCM and CMP? If technology is in place to keep data available and to resume processing quickly, the business impact of an IT failure is reduced to the point that neither a business continuity plan nor a crisis management plan would need to be put into effect. In addition, the Internet and virtual private networks make working remotely a reality, even when there is no disruption.
It is fair to say that this applies only to information-based industries and business functions. People cannot make steel from home.7 But even steel companies are dependent on their information systems; to a great extent, the failure of centralized IT affects entire organizations more than a disruption at a single factory. In short, BCM and CMP can be dissociated from DRP, but data disruptions ripple through entire organizations.
1 British Standards Institute, BS 25999, Business continuity management—Part 1: Code of practice, UK, 2006, p. 1
2 It was inevitable that the subject would descend into TLAs (three-letter acronyms).
3 The definition of “relatively small” differs from organization to organization. In some cases, there is zero tolerance for data loss, which significantly raises the cost of replication and limits the location of secondary sites. If the loss of data created or altered in the previous few seconds can be accepted, costs and constraints go down markedly.
4 Sharwood, Simon; “LTO 5: Fast, vast but still in the past?”, TechStorage.com, 30 July 2009, http://searchstorage.techtarget.com.au/news/2240019182/LTO-5-Fast-vast-butstill-the-past
5 Individual vendors of tape systems quote different speeds, some faster, some slower. These should be checked for accuracy. See for instance, IBM (www-03.ibm.com/systems/storage/tape/ts2250/specifications.html) or HP (http://h10010.www1.hp.com/wwpc/us/en/sm/WF06a/12169-304612-3446236-3446236-3446236-4150338.html).
6 Thus, actual recovery time includes the time needed to reprocess lost transactions, which for some business functions may not be an issue. Those are the ones for which tape-based data recovery is the preferred alternative.
7 Originally attributed to Professor Michael Osterholm, University of Minnesota (USA)
Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at email@example.com.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.