How we change what others think, feel, believe and do
Resolve to Build a Reliable Business Continuity Plan: Recognizing the Threats to Disaster Recovery
Guest articles > Resolve to Build a Reliable Business Continuity Plan
By: Dwayne Melançon
As 2006 ends and you begin to set goals for the coming year, you may be reflecting on the success of the current year’s resolutions. For instance, did you intend to implement a change control process, limit access to IT systems, or develop best practices, such as frequently testing your disaster recovery plan? If, like so many IT organizations, you were too busy firefighting to keep those promises, your next outage could result in a doozy of lost data.
One of the most significant events involving lost data since the beginning of the information technology age was the result of the terrorist attacks on Sept.11, 2001. Of the 131 technology sites affected, only two performed a successful "failover" to a redundant system. Of the 129 sites that failed, 70% of data was recovered after 120 hours, but 30% was lost forever. This means $3.1 billion worth of technology did not work as expected.* As a result, for many companies the big technology issue became "how to rebuild", not "how to recover."
Unfortunately, none of this comes as a surprise. Many organizations are at risk of unsuccessful failover because of the three, "public enemies" of any disaster plan or business continuity plan.
Public Enemy #1: Unplanned/undocumented changes
Public Enemy #2: Too Much Access
Public Enemy #3: Lack of Accountability
Make a Resolution to Rid Your Organization of "Public Enemies"
While many companies use configuration management tools to reduce risk and manage change, these tools can be easily circumvented—they do not have a universal view of all change taking place within on your entire IT system. Adding a change control solution provides a "detective" with a universal view that can continually monitor all systems to discover unplanned, undocumented or unauthorized changes, alerting the IT staff to such events. Change auditing controls also help establish a necessary zero tolerance policy for undocumented changes. Eliminating unplanned changes also reduces time-consuming "firefighting" and frees up resources for a more useful activity–such as ensuring your BCP is in good working order.
Limiting change to a specific window of time (planned vs. unplanned) is what the Information Technology Process Institute (ITPI) calls "electrifying the fence." You can use this change window to track the number and type of unauthorized change, and to begin the process of identifying and prioritizing the "fragile artifacts", those assets in a data center at most risk of crashing or negatively impacting service delivery. A specific change window lets you find out who implements what changes and when, which is a clear view of the level of access to your IT systems. Use this information to review access privileges and explain to personnel that restriction is critical to the integrity and success of disaster recovery and business continuity.
As for accountability, IT is one area of business that can be managed entirely on facts and analysis, from urgent matters to day-to-day operations. There’s no reason to "manage by gut feel" or circumvent processes; in fact, circumvention can ruin a BCP. Adherence to change management policies and procedures is a strategy that benefits the business as a whole and ensures recovery after a disaster.
These are just a few of the New Year’s resolutions organizations can make to ensure business continuity in the case of a disruptive event. The ITPI Visible Ops process offers a step-by-step approach to implementing a thorough, secure change control system. Tripwire Enterprise works hand-in-hand with Visible Ops and the unique needs of your organization’s processes and systems to ensure data is secure and recoverable.
* Source: Center for Research on the Epidemiology of Disasters; SunGard; U.S. FEMA
Contributor: Kristin Wall
Published here on: 14-Dec-06
Classification: change management, business