Posted by: David Scott
1 year plan
When we talk about Disaster Awareness, Preparedness, and Recovery, we stand a better chance for securing business in the real world.
The leverage to understanding and compliance is essential - DAPR forces, not a different question but, a set of questions:
“Are we prepared for disaster?”
“I guess so – we have a disaster recovery plan.”
“Do you have an updated awareness for current, evolving, and new disasters?”
“Well, let’s see – I guess we should list them.”
“Now that you have an awareness, are you prepared?”
“No. We’ve added some events, and we have a better understanding of others.”
“Are we properly prepared to prevent certain outcomes?”
“Prevention? I thought this was Disaster Recovery…?”
“Can you prevent harm where appropriate? For any “unpreventables” or the truly unforeseen, can you recover from those harming events – have you tested your preparedness?”
“Well, we’ll have to develop some tests, and then conduct them…”
As usual, we can leverage understanding in a powerful way when we set simple and accurate identifiers right up front. DAPR helps us to better know ‘where we are’ in getting to where we’re going (the destination of ultimate security). Disaster’s potential is a part of where we are, and we need an awareness of our surroundings as a part of that. Preparedness is a route to a destination – a journey – a ‘how do we get there’ factor. It leads us to the ‘where we’re going’ zones of prevention and recovery.
Awareness is required before you can achieve preparedness, and preparedness is necessary for requirements supporting prevention and recovery. Can you see the ‘where are we’, ‘how do we get there’, and ‘where are we going’ elements of the previous statement?
We then require the satisfaction of a test to indicate your level of success in arriving at a state of prevention or recovery – and in arriving at a properly sized DAPR position for any moment in time.
Who drives DAPR? One guess… particularly for Business, it is inadvisable to rely on a simple conversation with IT regarding this area. This is not to put down anyone’s IT endeavors, or disaster recovery efforts. This is simply because IT may feel that they’ve done the best they can regarding security of business in this regard, based on the resources they’ve been able to lobby for (including Business’ attention). It also includes IT’s belief (whether erroneous or actual) that they’ve met the Business expectation, and mounted the best mission. But here again there is an ignorance in many organizations. Business may like the numb comfort they often have in this area: Walking away with a simple “Yes, we’re covered” allows Business to go back to the core business focus of the day.
There is also a certain denial at work in many organizations, or a simple pushing aside of DAPR: “We’ll get to that next quarter, next year, soon,” etc. – or – “our vendor handles that.” But like all things in the Business-Technology Weave, the IT Enlightened Organization makes disaster awareness, preparedness, and recovery a Business-driven initiative too. Who owns “business-continuity?” IT? After all, it’s Business’ continuity. Further, IT can only establish DAPR according to its own allowance, safe-channel and lead – from Business’ sanction and support. When IT fulfills a Business expectation, Business has to make sure the expectation is sized appropriately.
To Business: You own it. It is your business that will suffer from a state of non-recovery. You must oversee DAPR, its maintenance, its evolution, its testing, and you must believe that you can rely on it to your satisfaction, values, and standards. IT will serve, participate, suggest, focus, and implement the mechanics of preventions and recoveries. IT will lead when that lead is designated by Business – but policy and planning must be driven by Business.
Understanding the Elements of DAPR: Because prevention of, and recovery from, harm is so central to security, let’s take a closer look at some of the fundamentals:
Awareness: Awareness starts with the board or governing body’s commitment to establish and maintain a Disaster Awareness, Preparedness, and Recovery (DAPR) policy and planning process. From here, all management and staff are made aware of their requirements. Everyone has a duty to conduct business in the best possible way, in the most secure fashion, in
compliance with all policies and protections. Prevention of harm begins with awareness.
If harm comes, everyone has a duty in ensuring the ability to recover from it. It requires planning at every level in order to ensure that essential business of the organization is able to continue in the face of adverse events and circumstances.
Important projects like DAPR planning have to be approved and sanctioned at the highest level in order to secure the required level of commitment and resources throughout the organization. The sale for DAPR planning should be easy to make in today’s environment – for reasons we’ve touched on. Primary is one of business’ most important foundations, which we touched on earlier:
- An Awareness Regarding the Business Foundation: Business has shifted from a mostly linear, non-abstract system of paper, filing cabinets, adding machines, and largely non-intermediary systems of support – to a virtual, almost abstract environment. It is now one of electronic bits and bytes, accessible only through the intermediary of computer systems, allied applications, and associated availability. Further, there has been a steady expansion of this foundation. Growth of wide-area networks, their ties to the internet, their ties to other business locations, and remote access that ties in home and mobile computing and all manner of other access, has exploded the vulnerabilities to be managed. Thus, through the corresponding expansion of access to this foundation – there has been expansion of exposure and expanded risk of harm.
Remember that we are talking about a foundation to business here – not some “enhancement,” appendage, or luxury. This is a foundational underpinning that you cannot allow to be knocked out from under – otherwise your business “crashes”, and you cannot “do.”
Harm to this foundation can be unintentionally sourced: things such as earthquakes, power failures, weather damage, etc. Short of nature, harm can arise from simple human mistakes or oversights: someone can corrupt the content of a database by transferring the wrong information into it. Someone may accidentally delete or move (lose) entire structures of data, break important links, and throw crucial parts of business offline.
Harm from human interaction can also be intentional: things such as acts of sabotage from within or with-out, or terror attack. We’ll take a closer look at a number of specific risks when we discuss Threats. For now, awareness starts with a true appreciation for the vulnerability to this foundation, the sheer weight and range of disruption to business should this foundation be removed for any period, and the absolute necessity in securing it to the best possible degree.
Preparedness: Preparedness should first and foremost be seen as a posture of prevention from harm. Preparedness next defines action and resources in the event of harm. Preparedness begins with its contribution to policy, such that our awareness gets translated into a plan and an outcome. The plan can then be affected to meet the policy’s stated objectives.
You can combine your policy and plan: The XYZ Corporation’s Disaster Awareness, Preparedness & Recovery Policy and Plan. In fact, your policy will not completely take shape without the plan – they are reinforcing, particularly as they develop. But a firm sense of policy must precede the plan; so as to identify your organization’s concept of DAPR, and the basic principles and levels of prevention and recovery expected (you must know the ‘where you are’ of expectations before you can plan to your ‘where you’re going’ destination of deliverables).
The policy states the mission – the detail you deem essential in explaining your organization’s critical business functions, the expectations for preventions, the required recovery protocols for disastrous harm, and responsibilities. Further, it should expose the beliefs, values, and standards for these essential business functions and their dependencies, or supports.
Because resources are not unlimited, the organization must arrive at agreement for what constitutes the greatest risks, the likelihood of events, and the impact of those events on various ranked business elements. Once your organization has agreement among various lines of business, practices, departments, agencies, etc., you then have common beliefs in what merits protection – values – and can proceed with the plan for protection and recovery of those things. We can note here that you may not achieve total agreement, but in that case the belief will at least be acknowledgment of, and agreement to, compromises made, and actions resulting.
Once things have been prioritized, you can set various standards for prevention and recovery: the planning of the what, when, how, and where. When you’ve established the mission, beliefs, values, and standards through policy, and made the plan for meeting the policy’s objectives, we define the tests that we’ll employ to validate our recovery plan.
Recovery: Unlike other Business and IT objectives, your disaster recovery posture is usually never fully realized, and never fully known. That is to say, your ability to recover from disaster does not usually evidence itself (hopefully) in a real-world manifestation – and certainly (hopefully) not at the “10” of a 10-scale catastrophic chart. Conversely, almost anything else you do is reflected back to you in the form of real-world success and feedback. For example, if you launch a new product, it either succeeds in the marketplace, or it doesn’t. You may have tested it beforehand through survey or some small market, but you will have the ultimate arbiter of the real marketplace as your final ringing authority; it will either deem your product some measure of success, or deem it a failure. You won’t have to wonder.
Disaster recovery is something we hope never to test in the real world. Of course, right up front we know that we don’t want to experience disaster – that’s obvious. But secondarily, if there is a disaster, we don’t want our recovery efforts to be the first test. A test implies an unknown – will we pass or fail the test? That is the test’s purpose – to eliminate that unknown by exposing a true level of knowledge and ability.
Therefore, we want to test beforehand by virtue of simulations – and on some regularized basis, so as to expose points of failure, and areas where we can improve. Therefore, as our environment changes, our disaster recovery testing continually exposes and helps us to eliminate unknowns – divides between our ever-new requirements, and standards for recovery. This way, we can reasonably expect a yield of success in the form of a recovery that goes according to our plan, and meets our policy’s requirements when we have to deliver on a real-world “test.” As we eliminate those aforementioned unknowns, we – do what? – we add to our awareness – a key component of DAPR.
As best we can make it, recovery from disaster needs to be efficient, effective, predictable – and safe.
NP: Ringside at Condon’s: Eddie Condon and his combo, featuring “Wild Bill” Davison. Early microgroove 33 1/3 RPM on the Savoy label. Live and jammin’ in the club. Same signal chain. Great cover shot on the jacket.