Security must be made a routine part of the day. A good way to handle DAPR is to have delegates, such as members of a Business Implementation Team (BIT) or their designees, participate in the creation, maintenance, and evolution of your policies and plans in this area, and in the testing of the deliverables necessary for continuity of business. Further, this team should deliver a regular report to senior management on the organization’s security posture against evolving circumstances of risk.
Denying this need is extremely risky, because the destination is always moving further out: as you accrue new systems, exposures, and risks – and as the world turns. External challenges to the organization mount. You continue to drive toward the evolving destination, fulfilling the best state of preparedness you can – regardless of limits. Prevention is possible only through exposure and mitigation of risk. Recovery is possible only for having prepared for a recovery.
If and when your organization has a robust DAPR plan, still realize that there is always room for improvement, and that meeting essential DAPR requirements is a moving target. If your organization has no DAPR plan, or has one that is outdated, incomplete, or merely represents a “feel good” placeholder, then Business and IT need to begin addressing the problem immediately. Getting a basic plan in place is akin to acquiring your “wind” in order to compete in the race.
DAPR: Policy and Plan
Now that we’ve established an understanding of awareness, preparedness (which includes prevention), and recovery, let’s discuss policy and plan in further detail. It is policy that will help the organization at large adopt and adhere to the appropriate level of awareness. It is the plan that will translate the organization’s awareness into achievement of proper preparedness. Let’s look at policy first:
Policy: Your policy defines and sets the mission. Your DAPR policy has to acknowledge some realities. If money were no object, all organizations, and each of us as individuals, would maintain a comprehensive “mirror” of our computing platforms, content, and systems. It’s been said that Lehman Brothers were back ‘online,’ conducting full business, 20 minutes after losing their primary business site in New York on 9/11. They maintained a staffed, duplicate, physical site across the river – essentially a comprehensive ‘backup’ of all content, platform, business systems, people, and real-time transactions as they went along. From a pure business perspective: Loss of their primary site simply meant a few technical changes to throw the alternate site online, as the new primary. Of course, Lehman Brothers later had problems of another sort.
It may seem a cruel example to discuss the continuity of business in the face of catastrophic human loss, such as that which occurred on 9/11 in America. But what we can realize here is that if we’re able to make business recovery as rote and as painless as possible, we’re then able to focus that much more on helping people. The need for a job, a solid place of employment, and the sustaining of an economy are not going to melt away in the face of disaster. Taking care of survivors, and surviving family members, does not go away. Indeed, meeting those needs will be of extreme importance to the organization. Therefore we can think of it as a manifest duty to secure the relatively “mundane” continuity of business in the face of human disaster – to have the path cleared of competition for attention of our bruised minds, as it were, so as not to blur or obscure our focus for taking care of people.
Setting Priorities, Apportioning Resources: The Lehman Brothers example is one of extremes: extreme disaster, and extremely good recovery (fast, comprehensive, and according to plan). Understand too that their recovery from disaster presented a “prevention” face to the world: they prevented the loss of their ability to conduct business, in the face of an extreme impact. Certainly, if you’re part of an organization that has the resources to mount a security and recovery posture such as Lehman Brothers’, all to the good. The larger challenge is for the majority of organizations that have limited resources. It can be difficult to know how to apportion critical resources for DAPR vis-à-vis the daily concerns. It can also be difficult to know how to apportion resources within DAPR.
There is competition for all resources in sustaining the overwhelming normalcy of conditions: the daily business grind. It is a challenge just to meet those requirements in keeping up, and remaining functional and competitive. Even if you feel you have no real competition (perhaps you’re a non-profit with a unique set of products and services) you must still remain functional in an ever-changing world. Within the demands of the real-world day-to-day, and in planning the future of the day-to-day, how do we responsibly apportion and balance critical resources for something that might happen, and which “probably won’t?”
Rank and Document Key Business Areas: A logical start is for a DAPR team to identify, list, and rank key business areas. This way, the policy will guide Business’ application of resources. As we’ve said before, your BIT team can begin DAPR planning, or DAPR may be delegated to a subset of this group – whatever is efficient and effective. As with all projects engaged by BIT, the DAPR planning team will further assign responsibilities as necessary. This team will also bring other people onto the team where appropriate, or invite them into specific discussions as the planning goes along.
Assembly of coherent business documentation for each of these areas is crucial. We don’t need to provide a generic list of functional areas here: each organization should have a good start on this documentation. You can also find sample lists and ideas on the web for areas to include in your own list, if your concern is that you’re overlooking something. With simple diligence, this ranking will not be difficult to do – particularly if you survey your department heads for their ideas on DAPR.
Remember too that your organization has likely already identified and described key business areas, and their associated values, standards, and practices. Where this documentation exists, it can be repurposed for DAPR (here is where content management and simple Business Intelligence [BI] can assist and streamline the process) – no need to reinvent the wheel. Even if you are not yet maintaining critical business documentation, you may still find surprising information in this regard: you can dig for important detail on business processes, and their associated values and standards, in such things as job descriptions, RFPs, and sales and marketing literature. Consider other areas too; these often have comprehensive descriptions of business process and associated needs. Collect, repurpose, create, and build the documentation as necessary.
Once you have identified the major business areas, your team can begin to rank them in order of importance to the organization. Your list should include a description of each business process and its relation to other processes (its dependencies on, and its support of, other processes). Also document whatever other dependencies exist: internal systems and resources, external systems and resources, and personnel, for example. The list will reveal important interdependencies, many of which have never been known, formally recognized, or documented.
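As an added illustration of the dependency register this step describes (example code, not part of the original text), the following Python script takes a constructed register of processes, systems and people, lists the indirect dependencies that a process’s own entry never mentions, and ranks every item by how many processes ultimately rely on it:

```python
# Added example: a small business-process dependency register of the kind the
# text describes. All process and system names below are constructed.
from collections import defaultdict

# Constructed sample register: item -> the items it directly depends on.
# Dependencies may be other processes, internal/external systems, or staff.
REGISTER = {
    "Order Entry":                {"CRM", "Payment Gateway (external)", "Sales Staff"},
    "Payment Gateway (external)": set(),
    "CRM":                        {"Identity Provider", "Database Cluster"},
    "Fulfilment":                 {"Order Entry", "Warehouse System"},
    "Warehouse System":           {"Database Cluster"},
    "Identity Provider":          {"Database Cluster"},
    "Database Cluster":           {"Data Centre Power"},
    "Data Centre Power":          set(),
    "Sales Staff":                set(),
    "Invoicing":                  {"CRM", "Finance Staff"},
    "Finance Staff":              set(),
}

def transitive_deps(register, name):
    """Everything `name` ultimately depends on, directly or indirectly.
    The `seen` set also keeps the walk finite if the register has a cycle."""
    seen, stack = set(), [name]
    while stack:
        for dep in register.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def hidden_deps(register, name):
    """Indirect dependencies that `name`'s own register entry does not list."""
    return transitive_deps(register, name) - register.get(name, set())

def rank_by_impact(register):
    """Rank each item by the number of processes that ultimately rely on it;
    the items at the top are those whose loss cascades furthest."""
    dependants = defaultdict(set)
    for proc in register:
        for dep in transitive_deps(register, proc):
            dependants[dep].add(proc)
    return sorted(((len(v), k) for k, v in dependants.items()), reverse=True)

if __name__ == "__main__":
    print("Hidden dependencies of Fulfilment:", sorted(hidden_deps(REGISTER, "Fulfilment")))
    for count, item in rank_by_impact(REGISTER)[:4]:
        print(f"{count:2d} processes rely on {item}")
```

Run against a real register, the ranking is a starting point for the importance ordering the text calls for, and the hidden-dependency list is where the previously unrecognized interdependencies show up.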
Next: Leveraging Documentation.