Wajih Halawa looks at what it takes to protect your critical business processes from nasty surprises.
A company's operations can be interrupted by the most untimely events these days: inclement weather like hurricanes, floods and sandstorms; power outages; fire; war and acts of terror; and many more. Of course, you've heard these lines before: don't forget to back up your data. Make an extra copy of your important documents. Don't leave your work unprotected. This is relatively easy to do at home, but when it comes to the corporate world, the number of users and workstations involved can become mind-boggling, and it is not enough to rely on people alone for securing data.
Every IT environment needs to make sure its data and operations are ready to face unexpected events like natural disasters, hacking, and corporate espionage. Company e-mail, for example, is often stored far into the future for legal purposes. Very often, correcting mistakes requires a coordinated response involving days, weeks, and sometimes even months of research into what happened at different points in time.A company needs a proper strategy to address the challenges of data backup and recovery, and there is a methodology behind setting up a system that allows for backing up and recovering data that is stored on corporate servers. The problem goes beyond the process of conducting a backup to the frequency of backups needed. The massive volume of transactions that take place in today's business world means that backups need to be conducted as often as every day or even every hour, depending on the nature of the data involved.
That being the case, it is not practical to make hundreds or thousands of backups and keep them all, nor is it possible to conduct so many backups that any change or loss of data can be corrected. This is where hierarchy comes in. Knowing that the probability of needing certain data declines with time, it can be subjected to "aging" or "grandfathering" in stages. When a new backup is made, the previous backup is maintained as a "father." It then moves to the "grandfather" hierarchy when the next backup is made, so that several generations of backups can be archived for use according to how far back a snapshot is needed.
Generally, backups follow three main types: full, differential, and incremental. A full backup involves all data in selected folders and files. This means that a full backup results in the most complete recovery of data, but also requires the most space and time. A differential backup contains everything that has changed since the last full backup, which is generally fast and convenient, but can only be performed a few times before another full backup is needed to avoid the size of the differential file exceeding the full backup itself.
An incremental backup, on the other hand, simply takes every additional change to the full and differential backups in increments. Therefore, each individual incremental backup is quite small, but a large number of incremental backups can take time to restore. Most organizations use a different combination of the three backup types according to their data needs in order to achieve the ideal situation.
But it's not enough to simply conduct backups of important data. Storing backup media at your premises is a recipe for disaster if a catastrophe strikes. Instead, there needs to be a procedure for off-site, secure storage of your backup data, with authorization in place for accessing this data when needed. Moreover, conventional media like magnetic tape are no longer the only means of backing up data. Increasingly, DVD-ROM discs are becoming popular because of their fast access and long shelf life. Online, Web-based backup solutions are a new means for backup storage, as well. Recent practices even call for separate Storage Area Networks (SANs) to allow for redundancy and ease of recovery.
Now, recovering critical data goes beyond backing up files. In terms of the big picture, data backup and restore procedures fall in the realm of disaster recovery planning (DRP), which is an extremely detailed process that involves fully studying critical business processes, and outlining what needs to be done to get the organization back on its feet. In the event of a disaster, important company secrets and plans can be lost, and operations involving customers can be disrupted, putting the long-term survival of the company at risk.
The starting point for the DRP team is to make a list of important documents that need to be on hand in case of business interruption. These include organizational charts showing names and positions, staff emergency contact information, supplier contacts, maps and floor plans, procedures for operations and administrative tasks, full inventories of information and communication assets, copies of maintenance and service level agreements, and off-site storage procedures, as well as insurance information.Once this is done, it is important to rank the major business areas in the organization in order of importance to critical business processes. Senior management should simultaneously authorize the development of the disaster recovery plan through a formal risk assessment. What possible disasters could take place? What needs to be done to mitigate the effects? What roles need to be filled during this time? The plan should be updated regularly, with a proactive communication strategy that involves all stakeholders in the disaster recovery process.
In conducting an impact and risk assessment, potential events include environmental disasters, organized or deliberate disruption (terrorism, sabotage, war, theft, arson, labor disputes), loss of utilities and services (electricity, water, gas, communications), equipment or system failure (cooling systems, production line, other equipment failure), information security incidents (cyber crime, loss of data, disclosure of sensitive information, IT system failure), or other emergency situations like workplace violence, local hazards, health and safety issues, employee morale, mergers and acquisitions, and negative publicity.
This is where backup and recovery enter the picture. Backup and recovery go beyond mere data and IT systems, and include actual business processes, customer service, administration, operations, and documentation. The cost can be extensive, but is all worth the while if the unexpected happens. Businesses that had DRP in place when the 9/11 attacks on New York and Washington, D.C. occurred were back up and running within just days, at new locations. Many companies which had no plans ready did not survive the event. At the end of the day, a company's disaster recovery plan is a blueprint for the business to revive itself in the event of an unforeseen disruption to its normal operations. The extent of the detail and expense involved in such an undertaking depends entirely on the buy-in of the company's senior management, the extent of employee involvement in the business continuity process, the complexity of the systems employed by the organization, and the level of business operations needed to sustain the life of the organization itself.
© Jordan Business 2006
