I’ve been doing a bit of work lately with an organization that finds itself in a pinch. The backend database system supporting their core business application, associated hardware enablements, and front-end application are all suffering performance problems.
Users – the business stakeholders – experience frequent screen-freezes… often requiring a closing and reopening of screens. It’s very frustrating. Worse, the business system no longer has a “screenflow” that follows workflow. It’s difficult to make logical progressions during data entry, during routine knowledge-seeks, and for reports generation. Ad hoc reporting is difficult, and so too is the creation of desired new, recurring, reports.
They’re on a path now for several modernizations – and that’s the good news. But it might also be time for an overall IT Asset Management System (ITAMS).
A good ITAMS can help to maintain a solid tune for all of your integrated IT assets – individually, and in terms of how they operate in unison as an integrated whole to your organization’s mission: and assets are woven more tightly now than ever before.
A good IT Asset Management System is a comprehensive, ongoing, IT audit: An inventory, risk detection, and risk mitigation system.
The system provides ready tracking and update to identity, location, configuration, and age of hardware and software assets. In addition, critical support information for total management of assets is maintained by this system, to include contracts, budgets, documentation sets, training materials, warranties, interdependencies, and backup/recovery elements. You should even capture data on personnel who are responsible for maintenance of assets, to include outside solutions partners/contractors/vendors, etc. Capture anything you feel that you can use and leverage in making effective management of all assets.
A solid ITAMS will ensure that assets are leveraged for optimum use and effect throughout their entire lifecycle, in maximizing Returns on Investments (ROI), reducing Total-Cost-of-Overhead (TCO), and in optimizing Time-to-Value (TtV).
Small-to-Medium Business (SMB)
Particularly for SMB, where budgets are tight and carefully allocated, it can be a challenge to get an ITAMS off the ground. IT’s “selling” of the idea to Business may not be easy.
You’ll need to do a cost-benefits analysis. Evaluate the time that IT is spending managing assets presently. Determine if you can save IT staff’s time with an ITAMS, thus redirecting key personnel to other positive pursuits.
Even better: If there’s been a costly “drift” in the recent past, whereby an asset or assets had to undergo an expensive upgrade, with attendant business “crunch” – and if you can show where money and time (same thing, really – time = $) could have been saved – then the case for ITASM may be made.
Next steps will be to make a comprehensive survey of assets, interview business and IT stakeholders, determine the expectations, convey them to a strong ITAMS-partner, and build the project to meet the demands.
By the way, a good IT asset management program and allied system does a fantastic job of supporting your DAPR efforts…
NP: Gimme Some Lovin’ – Spencer Davis Group, original LP, stereo version (I also have original mono vinyl). Great album, with a nice version of Midnight Special.
Begin to assemble the information you’ll need to reestablish business in any circumstance.
Couple thoughts: When planning protection and recovery from disaster, you must go to the highest levels of disasters and their impact, and your reasonable dispersal and application of available resources against the threats and risks. Don’t be afraid to be “ridiculous.” Why? Don’t cripple your definition of disaster – disaster is disaster.
This is not to say that we’re going to waste time with undue attention to potential, and unlikely, cataclysmic events at the expense of other more likely negative business impacts. However, a starting position of “This will never happen, but…” is important, and here’s why: You may not apportion much, or any, of your precious resources against the “never happens,” but by putting them on the table for discussion, Business and IT have acknowledged them, and have made certain that senior management, boards, governance, customer expectations, and any and all outside/inside regulatory requirements are being satisfied, and the org is in complete satisfaction with all requirements that your organization must adhere to, as regards all contingencies.
Also, by examining the largest disaster you can imagine, and by ticking down incrementally through various scenarios, you are less likely to miss an important accommodation to your recovery posture – as opposed to starting or stopping in some “reasonable middle.” (And, it saves the team the time of batting around what the “reasonable middle” is; it should also prevent a “discounting” of disaster, assuming proper sanction for appropriate disaster planning).
Get these the following things together, and anything else that comes to your team’s mind:
¨ Organization charts, key staff, staff disaster responders, emergency contact information
¨ Business process documentation
¨ eCommerce documentation
¨ All other real-time transactions and services
¨ Production lines
¨ Human Resources Management
¨ IT services
¨ Public relations/perception management
¨ Maintenance and support services
¨ Quality control, quality of service, terms of service, etc.
¨ Customer service
¨ Sales and related administration
¨ Finance, treasury, accounting, and auditing
¨ Research and development
¨ Strategic initiative and planning activities
¨ List of vendors, suppliers, contractors, and contact information.
¨ List of emergency services and contact information
¨ Business locations, premises, addresses, maps and floor plans
¨ Evacuation procedures
¨ Fire, health and safety regulations and procedures
¨ Operations and administrative procedures
¨ Systems documentation and specifications
¨ Maintenance and service level agreements
¨ Offsite storage and recovery procedures
¨ Alternate business location information
¨ Insurance documentation
Alternatively: An effective alternative to beginning at the highest level of disaster (the Earth blew up, Recovery Step 1), is to start low, with the most mundane outcomes and recoveries: User error, local drive restoration, for example – move up the scale.
Be imaginative, and be covered.
NP: Mott the Hoople: A Retrospective. If you haven’t gone off the beaten track and listened to this stuff, it’s well worth your while.
Your organization must assess your specific vulnerabilities relative to threat, risk, likelihood, and business priorities. As you examine each area of risk, consider the impact to functional business areas. When planning protection to, and recovery to, specific business areas, it helps to simplify and focus things by ordering risk-effect, within these broader considerations:
– Loss of All Centralized Processing and Systems
– Loss of Some Central Processing and/or Some Systems
– Loss of Content
– Damage to Content
Harming Events and Circumstances: By no means comprehensive, these things should be accommodated by your DAPR policy and planning process:
– Environmental Events
- Natural Hazards/Danger
– Deliberate Acts of Disruption
- Cyber Attack
- Hacks at Random (HaR)
- Competitor Hacks (CH)
- Malware, etc.
- Loss of electrical power
- Loss of gas
- Loss of water
- Oil shortage or unavailability
- Loss of local or National communications system
– Equipment and Systems
- Internal loss of power
- Loss of air conditioning or heating
- Production, plant, or equipment failure (excluding IT)
– Information Security and IT Equipment
- Exposure of sensitive content
- Damage from Cyber crime (attacks, hacks; as above)
- Damage to content and/or systems from malware (viruses, keystroke monitoring, tracking software, malicious code to destruct data, etc.)
- Loss of content, or loss of access to content
- IT system failures
- Loss of connectivity to the Internet
- Loss of eCommerce capability
- Unavailability of e-mail
- Damage to main business system(s)
- Legal issues
- Mergers or acquisitions
- Emerging and impacting business, health, and safety regulations
- Workplace violence
- Public transportation, public utility, neighborhood hazard, loss of shipment, freight, and other like-issues that can impact employee availability, product availability, etc.
- Negative publicity
- Employee morale
Any of these things represent a threat to the effective conduct of business. Remember that in addition to the core-business systems that you use and “see” every day, there are other systems supporting your business that you may not think much about. You need to reestablish e-mail connectivity to the world. You need to reestablish any eCommerce, web traffic, and presence that you have. You’ve got to get voice communications going, and you need to reestablish customer service endeavors. You may need public relations, or perception management, help in communicating the organization’s status to the public.
Also, don’t overlook the fact that following disaster, DAPR does not go away during the challenge of continuing business: you must reestablish your backup and recovery scheme: For example; if you’re in a new location, you may need new solutions partners, etc.
NP: Zeppelin boxset. Amazing.
A Plan: The DAPR Plan, and its actualization, is the manifestation of your policy. Your policy should set the overall mission, beliefs, values, and standards for prevention – as well as recovery, when recover is necessary. The mission and its associated quality will be realized in detail by the plan. In this way, prevention is defined, and a schedule and level of recovery is established. And, when prevention and recovery are performed according to plan, they satisfy the policy.
Threats and Risk: The condition of threat is the thrust behind planning. Threats enter your awareness, you assess associated risk, and where necessary you make a plan of action in order to deny threats’ delivery of harm. You also plan recovery actions when threat manifests as actual harm.
As you consider your DAPR policy and plan, you must assess various threats for consideration of risk to your business, and to what level you need to accommodate these risks. The same threat may pose different risks to different organizations. For example, an organization that serves reference material to customers can possibly afford to be off of the web for an hour or so. However, for an organization that relies heavily or solely on real-time, time-sensitive online transacting, such as stock brokering, or something like ebay, being offline for even a few minutes can cause extreme inconvenience or even damage to customers. It can also hurt that organization’s reputation tremendously – imagine if AOL were “offline.”
Also realize that the same threat may represent differing demands on resources to differing organizations. For example, some organizations will be in a sole location – they may store their offsite backup data within that same city or general geographic area. We know this to be a condition for many organizations. A catastrophic disaster could conceivably wipe out the whole of their business intelligence – or ready access to it, and hence would impede their whole recovery effort. They may have to consider the expense of offsite storage to another city.
Another organization may be more dispersed, and may be able to afford and secure more “redundancies” (of data, and complete business platforms) because of already existing alternate business locations. Indeed, each discreet business location within a chain could be a backup to another location. A citywide disaster at one of their locations would, from a strictly business point of view, be far less threatening to their continuity of business. The former organization at the sole location may have to allocate a larger proportion of their total resources to DAPR than the latter.
Therefore, you must get the issues on your table for threat evaluation of the risk imposed, against ranked business processes. Even if you feel that some items are beyond your capacity or resource to deal with, you should still document them; the reasons why their scope of treatment is as it is; and document whose authority set the scale of treatment.
Apportion your resources for DAPR against a sanctioned policy and plan that is understood and agreed to by all relevant parties.
Next: Harming Events and Circumstances.
Leveraging Documentation: In some cases, you may be “rediscovering” knowledge, and this is extremely important. As many of us are painfully aware, there are countless systems out there that were put into place by people long gone from the organization. These are “mystery systems” – the people utilizing them and counting on them hope that they keep working. Often, no one knows how to service them, or how to upgrade them for currency. Perhaps associated vendors and companies have gone out of business, or sold their product to someone else. Maybe you have systems that were developed in-house, and that were never properly documented. Some of these systems’ technical concerns are too complicated to understand in the fast moving environment of the usual business day – imagine trying to recover them following a disaster.
These systems drifted so far off the maintenance map that only through Herculean effort can we bring these systems back into the ‘zone of known’: A nice benefit of DAPR is that it often helps your ongoing business efforts by identifying and documenting all areas so that you have comprehensive, “bullet-proof” knowledge that is independent of employee turnover and other change. Therefore, DAPR should also prevent any business process or system from drifting into an undocumented and poorly maintained state. The DAPR posture and the documentation you build also contributes to content, and its management.
Assessing Risk: Once these key business areas have been ranked, they should be assessed for risk. Risk can influence how you direct your resources, and can even re-order some of your key areas in terms of priority for protection and recovery. You may have an internal business process that is critical, and which, at first glance, occupies a high order on your list for protection, recovery, and resources. However, this process may be in the exclusive control of internal, trustworthy, personnel, within a physical security space. Perhaps equipment and process are in a secure laboratory at a business site. The site may already have “local” departmental control and protection that already makes demands on resources, and which are sized to protection in accordance with DAPR. In this circumstance, the DAPR policy can nod to this condition, and better utilize the organization’s resources elsewhere on the list.
Other conditions may take seemingly lower-priority areas to a greater elevation on the list. Let’s say you’re transferring data on a daily basis to business locations that have unreliable connectivity due to surrounding, relatively undeveloped, infrastructure. Here you may choose to place alternate, backup, means to transport data to these locations. You may employ redundant point-to-point connections that rely on different service providers and transports, for example. In this example, you may allot greater resource to the external business locations than you would have at first surmised necessary – having assumed data-transfers to be “mundane”.
There are other influencers as you develop your plan. For example, you may have a critical business function that is an absolute necessity for business continuity. However, if that process is hosted – that is, if it is being supported mainly by a vendor, at their site – it largely falls under their DAPR-equivalent plan. The continuity of business mission, beliefs, values and standards would translate as a service level agreement (SLA) within your contract with that vendor. That vendor should provide test results, and also conduct any testing in concert with your organization, to your satisfaction. Thus, realize that your DAPR resources will not always weight in direct proportion to risk, or even importance, of key areas. There will be many influencers that will evidence themselves as you plan – another important realization for the need to bring DAPR into focus. Once the organization has a good understanding of how to rank process and systems within the scope of critical business functions, their dependencies, and risks – a definition of the mission will begin to take shape, and an assignment of resources can be made. Resources such as money, personnel, and time must be fairly and proportionately budgeted according to accurate requirements for prevention and recovery.
People: In the review of various organizations’ “disaster recovery” postures, and even when appraising “model” plans on the web, we will notice something curious. Many plans don’t account for the loss of people. Likely, it is because of the simple fact that we don’t like to think about losing co-workers, friends, and other associates. We also don’t like to think about our own risk in this regard. Yet, this omission is surprising, and we should expand on a concept here: People are our biggest challenge, our biggest resource, and, from a pure business perspective, they are a huge investment and a critical asset. We hope that we never lose people, but none-the-less have to plan for their loss – not planning for this contingency would be irresponsible.
Hopefully your organization already has a model in place to “cover” for absences. Vacations, arrivals of new children, emergencies, promotions, dismissals, turnover, all contribute to the necessity for a plan of coverage to essential duties and support of systems and processes. Here again DAPR assists in the normal course of business by helping us to establish an awareness, and subsequent construction of a “weave” of backup. We have personnel who are trained to a necessary degree and who know enough to step in as an alternate “player” to cover absences to positions. In the formal case of the DAPR policy and plan, people know what their duties are regarding recovery, and they know how to shift given specific absences of personnel. Let’s note here that unavailability of personnel doesn’t have to be related to death or injury from disaster. You may find that key people simply cannot reach the worksite due to environmental problems, as an example.
Next: A Plan.
Security must be made a routine part of the day. A good way to handle DAPR is to have delegates, such as members of a Business Implementation (BIT) Team, or their assignations, participate in the creation, maintenance, and evolution of your policies and plans in this area, in the testing of the deliverables necessary for continuity of business. Further, this team should deliver a regularized report to senior management regarding the organization’s security posture against evolving circumstances of risk.
Any denial is extremely risky as the destination is always moving further out: as you accrue new systems, exposures, and risks – and as the world turns. External challenges to the organization mount. You continue to drive toward the evolving destination in fulfilling the best state of preparedness you can – regardless of limits. Prevention is possible only through exposure and mitigation of risk. Recovery is possible only for having prepared for a recovery.
If and when your organization has a robust DAPR plan, still realize that there is always room for improvement, and that meeting essential DAPR requirements is a moving target. If your organization has no DAPR plan, or has one that is outdated, incomplete, or merely represents a “feel good” placeholder, then Business and IT need to begin an immediate address of the problem. Getting a basic plan in place is akin to acquiring your “wind” in order to compete in the race.
DAPR: Policy and Plan
Now that we’ve established an understanding of awareness, preparedness (which includes prevention), and recovery, let’s discuss policy and plan in further detail. It is policy that will help the organization at-large adopt and adhere to the appropriate level of awareness. It is the plan that will translate the organization’s awareness into achievement of proper preparedness. Let’s look at policy first:
Policy: Your policy defines and sets the mission. Your DAPR policy has to acknowledge some realities. If money were no object, all organizations, and each of us as individuals, would maintain a comprehensive “mirror” of our computing platforms, content, and systems. It’s been said that Lehman Brothers were back ‘online,’ conducting full business, 20 minutes after losing their primary business site in New York on 9/11. They maintained a staffed, duplicate, physical site across the river – essentially a comprehensive ‘backup’ of all content, platform, business systems, people, and real-time transactions as they went along. From a pure business perspective: Loss of their primary site simply meant a few technical changes to throw the alternate site online, as the new primary. Of course, Lehman Brothers later had problems of another sort.
It may seem a cruel example to discuss the continuity of business in the face of catastrophic human loss, such as that which occurred on 9/11 in America. But what we can realize here is that if we’re able to make business recovery as rote and as painless as possible, we’re then able to focus that much more on helping people. The need for a job, a solid place of employment, and the sustaining of an economy are not going to melt away in the face of disaster. Taking care of survivors, and surviving family members, does not go away. Indeed, meeting those needs will be of extreme importance to the organization. Therefore we can think of it as a manifest duty to secure the relatively “mundane” continuity of business in the face of human disaster – to have the path cleared of competition for attention of our bruised minds, as it were, so as not to blur or obscure our focus for taking care of people.
Setting Priorities, Apportioning Resources: The Lehman Brothers example is one of extremes: extreme disaster, and extremely good recovery (fast, comprehensive, and according to plan). Understand too that their recovery from disaster presented a “prevention” face to the world: they prevented the loss of their ability to conduct business, in the face of an extreme impact. Certainly if you’re part of an organization that has the resources to mount a security and recovery posture such as Lehman Brother’s, all to the good. The larger challenge is for the majority of organizations that have limited resources. It can be difficult to know how to apportion critical resources for DAPR vis-à-vis the daily concerns. Too, it can be difficult to know how to apportion resources within DAPR.
There is competition for all resources in sustaining the overwhelming normalcy of conditions: the daily business grind. It is a challenge just to meet those requirements in keeping up, and remaining functional and competitive. Even if you feel you have no real competition (perhaps you’re a non-profit with a unique set of products and services) you must still remain functional in an ever-changing world. Within the demands of the real-world day-to-day, and in planning the future of the day-to-day, how do we responsibly apportion and balance critical resources for something that might happen, and which “probably won’t?”
Rank and Document Key Business Areas: A logical start is for a DAPR team to identify, list, and rank key business areas. This way, the policy will guide Business’ application of resources. As we’ve said before, your BIT team can begin DAPR planning, or DAPR may be delegated to a subset of this group – whatever is efficient and effective. As with all projects engaged by BIT, the DAPR planning team will further assign responsibilities as necessary. This team will also bring other people onto the team where appropriate, or invite them into specific discussions as the planning goes along.
Assembly of coherent business documentation for each of these areas is crucial. We don’t need to provide a generic list here of functional areas: each organization should have a good start on this documentation. You can also find sample lists and ideas on the web for areas of inclusion to your own list, if your concern is that you’re overlooking something. With simple diligence, this ranking will not be difficult to do – particularly if you survey your department heads for their ideas to DAPR.
Remember too that your organization has likely already identified and described key business areas, and associated values, standards, and practices. Where this documentation exists, it can be appropriated and repurposed to DAPR (here is where content management and simple Business Intelligence [BI] can assist and streamline this process) – no need to reinvent the wheel. Even if you are not yet maintaining critical business documentation, you may still find surprising information in this regard: You can dig for important detail regarding business processes, and associated values and standards, in such things as job descriptions, RFPs, and sales and marketing literature. Consider other areas too; these often have comprehensive descriptions of business process and associated needs. Collect, repurpose, create, and build the documentation as necessary.
Once you have identified major business areas, your team can begin to rank the areas in order of importance to the organization. Your list should include a description of each business process, and its relation to other processes (its dependencies on, and its supports to, any other processes). Also document whatever other dependencies exist: internal systems and resources, external systems and resources, and personnel, for example. The list will reveal important interdependencies, many of which have never been known, formally recognized, and documented.
Next: Leveraging Documentation.
In continuing from days prior, let’s understand the elements of DAPR: Because prevention of – and where necessary, recovery from – harm is so central to security and business continuity, let’s take a closer look at some of the fundamentals:
Awareness: Awareness starts with the board or governing body’s commitment to establish and maintain a Disaster Awareness, Preparedness, and Recovery (DAPR) policy and planning process. From here, all management and staff are made aware of their requirements. Everyone has a duty to conduct business in the best possible way, in the most secure fashion, in compliance with all policies and protections. Prevention of harm begins with awareness.
If harm comes, everyone has a duty in ensuring the ability to recover from it. It requires planning at every level in order to ensure that essential business of the organization is able to continue in the face of adverse events and circumstances.
Important projects like DAPR planning have to be approved and sanctioned at the highest level in order to secure the required level of commitment and resources throughout the organization. The sale for DAPR planning should be easy to make in today’s environment – for reasons we’ve touched on. Primary is one of business’ most important foundations, which we touched on earlier:
– An Awareness Regarding the Business Foundation: Business has shifted from a mostly linear, non-abstract system of paper, filing cabinets, adding machines, and largely non-intermediary systems of support – to a virtual, almost abstract environment. It is now one of electronic bits and bytes, accessible only through the intermediary of computer systems, allied applications, and associated availability. Further, there has been a steady expansion of this foundation. Growth of wide area networks, their ties to the internet, their ties to other business locations, and remote access that ties in home computing and all manner of other access, has exploded the vulnerabilities to be managed. Thus, through the corresponding expansion of access to this foundation – there has been expansion of exposure and expanded risk of harm.
Remember that we are talking about a foundation to business here – not some “enhancement,” appendage, or luxury. This is a foundational underpinning that you cannot allow to be knocked out from under – otherwise your business “crashes”, and you cannot “do.”
Harm to this foundation can be unintentionally sourced: things such as earthquakes, power failures, weather damage, etc. Short of nature, harm can arise from simple human mistakes or oversights: someone can corrupt the content of a database by transferring the wrong information into it. Someone may accidentally delete or move (lose) entire structures of data, break important links, and throw crucial parts of business offline.
Harm from human interaction can also be intentional: things such as acts of sabotage from within or with-out, or terror attack. We’ll take a closer look at a number of specific risks when we discuss Threats. For now, awareness starts with a true appreciation for the vulnerability to this foundation, the sheer weight and range of disruption to business should this foundation be removed for any period, and the absolute necessity in securing it to the best possible degree.
Preparedness: Preparedness should first and foremost be seen as a posture of prevention from harm. Preparedness next defines action and resources in the event of harm. Preparedness begins with its contribution to policy, such that our awareness gets translated into a plan and an outcome. The plan can then be affected to meet the policy’s stated objectives.
You can combine your policy and plan: The XYZ Corporation’s Disaster Awareness, Preparedness & Recovery Policy and Plan. In fact, your policy will not completely take shape without the plan – they are reinforcing, particularly as they develop. But a firm sense of policy must precede the plan; so as to identify your organization’s concept of DAPR, and the basic principles and levels of prevention and recovery expected (you must know the ‘where you are’ of expectations before you can plan to your ‘where you’re going’ destination of deliverables).
The policy states the mission – the detail you deem essential in explaining your organization’s critical business functions, the expectations for preventions, the required recovery protocols for disastrous harm, and responsibilities. Further, it should expose the beliefs, values, and standards for these essential business functions and their dependencies, or supports.
Because resources are not unlimited, the organization must arrive at agreement for what constitutes the greatest risks, the likelihood of events, and the impact of those events on various ranked business elements. Once your organization has agreement among various lines of business, practices, departments, agencies, etc., you then have common beliefs in what merits protection – values – and can proceed with the plan for protection and recovery of those things. We can note here that you may not achieve total agreement, but in that case the belief will at least be acknowledgment of, and agreement to, compromises made, and actions resulting.
Once things have been prioritized, you can set various standards for prevention and recovery: the planning of the what, when, how, and where. When you’ve established the mission, beliefs, values, and standards through policy, and made the plan for meeting the policy’s objectives, we define the tests that we’ll employ to validate our recovery plan.
Recovery: Unlike other Business and IT objectives, your disaster recovery posture is usually never fully realized, and never fully known. That is to say, your ability to recover from disaster does not usually evidence itself (hopefully) in a real-world manifestation. Conversely, almost anything else you do is reflected back to you in the form of real-world success and feedback. For example, if you launch a new product, it either succeeds in the marketplace, or it doesn’t. You may have tested it beforehand through survey or some small market, but you will have the ultimate arbiter of the real marketplace as your final ringing authority; it will either deem your product some measure of success, or deem it a failure. You won’t have to wonder.
Disaster recovery is something we hope never to “test” in the real world. Of course, right up front we know that we don’t want to experience disaster – that’s obvious. But secondarily, if there is a disaster, we don’t want our recovery efforts to be the first test. A test implies an unknown – will we pass or fail the test? That is the test’s purpose – to eliminate that unknown by exposing a true level of knowledge and ability.
Therefore, we want to test beforehand, and on some regularized basis, so as to expose points of failure, and areas where we can improve. Therefore, as our environment changes, our disaster recovery testing continually exposes and helps us to eliminate unknowns – divides between our ever-new requirements, and standards for recovery. This way, we can reasonably expect a yield of success in the form of a recovery that goes according to our plan, and meets our policy’s requirements when we have to deliver on a real-world “test.”
As best we can make it, recovery from disaster needs to be efficient, effective, predictable – and safe.
Next: DAPR is never finished.
NP: The Doors; Full Circle. The second, and last, album released by the surviving members of The Doors after Jim Morrison’s death. Whereas Other Voices is rather middling, with a few high points, Full Circle deserves a listen by Doors fans who may have eschewed it by virtue of the post-Morrison reviews and discussions. I’m pleasantly surprised upon hearing it for the first time. (Krieger and Manzarek handle vocals). Original vinyl.
In yesterday’s post, we began a discussion of Disaster Recovery vs. the more comprehensive Disaster Awareness, Preparedness, and Recovery.
When we talk about Disaster Awareness, Preparedness, and Recovery, we stand a better chance for securing business in the real world (recognize that the “preparedness” aspect of DAPR incorporates provocative standards of prevention, wherever possible, with the attendant posture for recoveries where the truly unforeseen, or uncontrollable, manifests). We must associate a reality-based handle to disaster, and all business/technical considerations that go with it. The leverage to understanding and compliance is essential:
DAPR forces, not a different question but, a set of questions:
“Are we prepared for disaster?”
“I guess so – we have a disaster recovery plan.”
“Do you have an updated awareness for potential disasters?”
“Well, let’s see – I guess we should list them.”
“Now that you have an awareness, are you prepared?”
“No. We’ve added some events, and we have a better understanding of others.”
“Are we properly prepared to prevent certain outcomes?”
“Prevention? I thought this was Disaster Recovery…?”
“Can you prevent harm where appropriate? Can you truly recover from disasters – have you tested your preparedness?”
“Well, we’ll have to develop some tests, and then conduct them…”
As usual, we can leverage understanding in a powerful way when we set simple and accurate identifiers right up front. DAPR helps us to better know ‘where we are.’ Disaster’s potential is a part of where we are, and we need an awareness of our surroundings as a part of that. Preparedness is a route to a destination – a journey – a ‘how do we get there’ factor. It leads us to the ‘where we’re going’ zones of prevention and recovery.
Awareness is required before you can achieve preparedness, and preparedness is necessary for requirements supporting prevention and recovery. Can you see the ‘where are we’, ‘how do we get there’, and ‘where are we going’ elements of the previous statement?
We then require the satisfaction of a test to indicate your level of success in arriving at a state of prevention or recovery – and in arriving at a properly sized DAPR position for any moment in time.
Who drives DAPR? One guess… Particularly for Business, it is inadvisable to rely on a simple conversation with IT regarding this area. This is not to put down anyone’s IT endeavors, or business continuity efforts. Rather, this is because IT may feel that they’ve done the best they can regarding security of business in this regard, based on the resources they’ve been able to lobby for (including Business’ attention). It also includes IT’s belief (whether erroneous or actual) that they’ve met the Business expectation, and mounted the best mission. But here again there is an ignorance in many organizations. Business may like the numb comfort they often have in this area: Walking away with a simple “Yes, we’re covered” allows Business to go back to the core business focus of the day.
There is also a certain denial at work in many organizations, or a simple pushing aside of DAPR: “We’ll get to that next quarter, next year, soon,” etc. – or – “our vendor handles that.” But like all things in the Business-Technology Weave, the IT Enlightened Organization makes disaster awareness, preparedness, and recovery a Business-driven initiative, too. Who owns “business-continuity?” IT? After all, it’s Business’ continuity. Further, IT can only establish DAPR according to its own allowance, safe-channel and lead – from Business’ sanction and support. When IT fulfills a Business expectation, Business has to make sure the expectation is sized appropriately.
To Business: You own it. It is your business that will suffer from a state of non-recovery. You must oversee DAPR, its maintenance, its evolution, its testing, and you must believe that you can rely on it to your satisfaction, values, and standards. IT will serve, participate, suggest, focus, and implement the mechanics of preventions and recoveries. IT will lead when that lead is designated by Business – but policy and planning must be driven by Business.
Next: Understanding the elements of DAPR.
NP: The Doors: L.A. Woman; original vinyl release with the round-corners jacket and front cover window. Thorens TD-125, Shure v15v xMR, Carver C-1 and M-500t, Jensen cabs and Peerless drivers. Some other goodies in the signal chain, too.
Organizations, vendors, and practices have created a ready handle for recovery from disastrous harm – Disaster Recovery – with the attendant “Disaster Recovery Plan.” The venerable Disaster Recovery Plan is meant to secure business continuity in the face of disaster. However, security is ill served by this handle, and so too are many of the plans (and associated realities) that fall under it. “Recovery” is reactive, when we should have a plan that includes prevention of disaster. Some measure of prevention is within our internal control, and some lies within our ‘agility’ in sidestepping much of outside disaster’s influence. And, we strive to make disaster “transparent” to those whom we serve.
Too, mere “disaster recovery” is often given short shrift in terms of attention, resources, and any sort of test or proof of concept. Many people, particularly Business people, are left to assume their disaster recovery efforts are in place, and will work, when in fact there is no reliable evidence to support this assumption:
“Can you recover from disaster?”
“I guess so – we have a disaster recovery plan.”
Many don’t really know, because there’s never been an event to recover from. But they have a plan. (Place a check in that box. Sleep well).
Absent are identified, known, and agreed upon missions, beliefs, values, standards, and tests. Here, again, we’re building awareness.
¨ Mission will be defined by your requirements for prevention, recovery, subsequent assignments, and exercises. The mission will be associated with a policy, and the policy’s manifestation is achieved through a plan.
¨ Beliefs include ‘prevention’ as a standard; the understanding of prevention’s true value; those things that need protection according to assessed risk and available resources; and your confidence and control.
¨ Values support your beliefs – those things valued as necessary for sustenance of business. Values will help establish that which is protected to the best point of prevention from harm. There are also those valued business elements that determine the order of recoveries according to priority.
¨ Standards establish the degrees, or levels, to which your protection is certified, in supporting preventions. Too, when recovery from damage is made, standards establish a period of time for how quickly full recovery is expected or necessary. Standards can define increments of recovery, and they support the prioritization of the valued business elements through ranking of them.
¨ Tests will be those simulations of harm that you employ to expose your level of success in preventions, recoveries, restorations, and the employment of identified alternative resources.
You must satisfy yourself (believe) that you can meet your organization’s identified values and standards of business continuity in the face of disaster. These things are necessary in order to provide some assurance that the best efforts have been made according to acceptable risks and available resources.
When we arrive at that place, we find that what we really have is a policy, plan, posture – a mission – for:
Disaster Awareness, Preparedness, and Recovery (DAPR)
To be continued…
First, recognize that social engineering is the biggest factor in personal breaches and matters of identity theft; the “grooming” of folks, getting them used to clicking on offers as distributed in e-mail, and even through social networking sites. Children can be especially vulnerable.
Oftentimes job offers, or “You’ve won!” scenarios, have templates for fill-in. If you’re not careful you, or perhaps children in your household, may end up divulging name, address, date-of-birth, and other highly sensitive information.
Be wary too of targeting that meets areas of your interest, yet is unsolicited. Scammers rake social media websites and glean all sorts of info. Avoid following your curiosity when assessing any unsolicited electronic contact with you, or your household.
Here are some tips – share them with younger people too:
- Encrypt your home wireless network, for those that have them, and pay attention to security setups on iPads; iPhones; Androids; laptops; desktops, etc. There are innumerable cases where people use others’ networks for the propagation of crimes – especially within large apartment houses and condominiums.
- Generate strong passwords – forget pet’s names; tricks like reversal of D-o-B. Use long passwords – consider 25 characters or more, as crazy as that sounds. Many can be stored anyway. The main liability with storage is, if you access an account on a device other than the one with stored password(s), you either may not remember it/them, or you’ll have quite a chore typing it/them in. But the extra security is worth it – algorithms now can hack just about any password, but if a program takes too long trying to crack yours, it’s more efficient to move on to a more vulnerable one. You can also use password generators/randomizers – just Google for that if you’re not familiar with the concept.
- Update your anti-virus/malware programs regularly; set these to do auto-updates in background where possible.
- Turn on personal firewalls. Search Help for “personal firewall” – check to see what’s available in your operating system.
- Consider using an Identity Protection program.
- Seek recommendations from your workplace: If you can check with your IT department, see if they have any suggestions for home protections.
Of course, on that last one, a good IT department will survey the user population for personal/corporate tethers anyway, and will perform their due dililgence in sewing shut this area of liability. But, it’s good to solicit advice and updates anyway, as things can get overlooked quite easily, even in these terms.
Stay safe out there.