[ISN] From Good To Great (Maybe)

InfoSec News isn at c4i.org
Tue Jan 4 06:32:46 EST 2005


By Martin J. Garvey
Jan. 3, 2005 

Business-continuity plans are good, but not good enough. Almost 80% of
300 respondents to InformationWeek Research's Outlook for 2005 survey,
part of our quarterly Priorities series, say business-continuity plans
are in good enough shape to ensure operations continue even in the
event of a terrorist attack, but nearly 70% also cite
business-continuity planning or disaster preparedness as a key
priority this year.

"There's always this dichotomy because companies include operational
recovery and disaster recovery under business continuity," says David
Hill, an analyst at IT market-research firm Mesabi Group. "Disaster
recovery is in place, but few companies have covered all operational
needs." They may have smart processes and technology to deal with
extreme emergencies but not, say, for recovering data after a virus

Other areas for business-continuity improvement may center on
performance issues. Companies are protected with backups on tape but
likely would prefer a faster medium when they need to recover data.  
"With tape storage, recovery could take hours, and even days," Hill

MidAmerica Bank, a wholly owned subsidiary of financial holding
company MAF Bancorp Inc., has set up mirroring and recovery between
sites on hard-disk storage--using a combination of Symmetrix Remote
Data Facility and MirrorView software from EMC Corp., the bank moves
information from headquarters to a hot-standby data center. That's the
highest form of availability, with the company able to assure business
units of data recovery within four hours, but the bank still wants to
finesse its continuity efforts.

That's because not all applications need to be recovered within four
hours. So in 2005, Paul Stonchus, first VP and data-center manager at
MidAmerica Bank, plans to create a multitiered recovery
infrastructure. Under that plan, only five applications require
recovery within a four-hour period. No hot-standby server will need to
be at the recovery site for lower-ranked apps, so the bank could
redeploy those servers as needed. If a case can be made to add other
apps to the fast-recovery list, they will be added. "Our business
units review their business-continuity processes, and we tie
contingencies to our disaster-recovery plan," Stonchus says. "Our IT
perspective is to always make data available to our users."

There's always room for improvement in planning because companies
learn from experience. Doug Smith, IT disaster-recovery manager at
Southern Co., a utility-holding company, says Hurricane Ivan tested
plans last year. "We already have much-improved
communications-infrastructure views, but we're finding out what went
wrong with our handling of Ivan," Smith says. "Our plan in 2005 is to
combine the right combination of IT and operations so we have the
right resources for support."

But not everyone puts business-continuity plans into practice--and
that's a problem. "Most business-continuity plans sit on a shelf, and
they're never tested," says Peter Gerr, an analyst at IT
market-research firm the Enterprise Strategy Group. "One out of five
recovery efforts fails."

More information about the ISN mailing list