International Disaster Recovery Planning
- Published on October 30, 2007
Submitted by David G. Ball of Kenneth A. Hansen & Associates Pty. Ltd.
The Chairman, Ken Hansen, established the first off-site tape storage business in Australia in the early 70's and set up the first Cold Site Recovery Center in 1978:
- There are three main suppliers of off-site storage in Australia
- All major Australian banks are “encouraged” (virtually obligated) by the Reserve Bank to have duplicate processing sites, so they back themselves up in the event of a disaster. Some government agencies have friendly arrangements with each other.
- Alternate Site Storage
About four or five companies subscribe to one of the two facilities which offer partitioned backup on a large processor with theoretical space capacity (these are all in the MVS/ESA environment, whether IBM, Hitachi or Amdahl).
Hansen is really the only provider of cold-site capability with 17 subscribers to our site near the Melbourne central business district. Tow of the subscribers have their Data Center in Sydney, which is over 900 kilometers distant, or one hour by aircraft.
IBM and one or two independent suppliers have set up and offer Recovery Center facilities for AS/400 and other mid-range systems, where the installed population runs into many hundreds.
ICL has a System 39 Level 80 hot-site in Sydney, set up in collaboration with one of its major customers (whose data center is in Melbourne); IBM had such a service in Perth, but closed due to lack of customers. Unisys, with our company, has a system 1100/93 in Melbourne providing backup to Australian Airlines, and is offering membership to other OS1100 customers (of whom there are less than 20 in Australia).
- Data and Service Communications Backup
Telecom Australia has a monopoly over this, and while technically very good, tends to react too slowly to business needs.
- Five of the main U.S.-based PC Planning Software packages are available from Australian agents. Only DP90, sold here by Coopers and Lybrand, has a local user group, sponsored by Coopers. DP90, TRPS, Recovery PAC, Disaster Master and LRDPS have together achieved sales in the last 12 months of around 10 copies, the same numbers we have sold of AIM/SAFE 2000.
Before the end of 1991, an AIM/SAFE User Group will be in existence, incorporating the New Zealand customers.
We sold the tape business in 1983 but have expanded our interest in Recovery Centers, added Risk Analysis consultancy, and have been the Australian distributor for AIM/SAFE 2000 since February, 1990. In conjunction with Unisys in Australia, we have just set up a large 1100/220 hot-site and have just published a report for several of our customers/projects on the feasibility of accessing a major Singapore hot-site, the most economic solution for Australian organizations which can accept down time of up to 72 hours.
This company started as a supplier of security projects, but now earns most of its revenue through a major Unisys and IBM bureau and software development on behalf of bureau customers. Nevertheless, we remain the only commercial supplier of the full range of products/services, with 17 subscribers to our cold-site.
Australian organizations pay a lot of lip service to the concept of Data Center Security, but generally “take the plunge” only when driven to that action by their overseas Head Office (where, as in the U.S., there may be a legal requirement to have protection) or their auditors. We understand this well and keep in touch with the trends in the U.S., Europe, and Asia through our various contacts.
Submitted by Doug Woodcock of Hewlett-Packard, Australia:
Hewlett-Packard Disaster Recovery Services in Australia enables subscribers to continue their critical computer operations should any situation arise that strikes the computer facility that the customer interprets as a disaster.
HP Disaster Recovery Services in Australia consists of two products: disaster recovery planning and HP Backup and Site Restoration Services. Disaster Recovery Planning aids the customer in developing and documenting a detailed D/R Plan, and HP Backup provides the customer with an HP computer system that can be used in the event of a disaster and assists the customer in recovering the disaster site. Together, the two products provide a complete Disaster Recovery Program that ensures that critical business applications for the customer are maintained.
The Business Continuity Planning tool used by HP Australia is the TRPS and Disaster planning products from ChiCor Information Management, Inc. The Disaster Recovery Program offered by HP is focused on ensuring that the customers’ critical applications are identified and the correct recovery procedures are in place. The hardware backup, HP Backup--Express provides a loan system with a predetermined configuration as identified via the plan to ensure the critical applications can run.
Submitted by IBM:
IBM Australia Ltd. has AS/400 Hotsite facilities in Sydney and Melbourne. These companies comprise three dedicated configurations with backup access to many more AS/400s in IBM’s Customer Centers and other facilities around the country. The offering includes DRP education, test time and access to an agreed configuration.
Complementing this is a full range of Business Recovery Planning consulting available via IBM’s Business Partners, TAP Technologies Pty. Ltd.
A large systems (3090) hot-site is available from IBM in Perth, primarily addressing local user needs in Western Australia.
Submitted by Robert Brigden-Jones, Manager of DRP at Price Waterhouse in Sydney:
Five years ago in Australia, the term “disaster recovery planning” was, to most, relatively meaningless. Certainly, those very large banking institutions had done research on the subject in the USA and most certainly had a hardware strategy for recovery.
However, many computer managers--particularly users--had rarely given any thought to the effect of system failure or disaster.
We have a saying down here “she’ll be right mate,” meaning all will be OK sir, don’t you worry about it. It is an attitude that we see far too often, but one that is changing rapidly in the computer industry.
With the ever increasing dependencies on computer systems and businesses running much tighter operations due to the deep recessions we are now facing, organizations are finding it increasingly difficult to avoid DRP issues.
They are being pushed from all directions to act--auditors, hardware vendors, insurance companies, and overseas headquarters. However, it should be noted here that we do not have the federal or state legislation that exists in the USA that demands DRP to be addressed.
The good news is that over the past two years, we have seen quite massive changes taking place whereby organizations are actively addressing these issues.
Planning tools such as TRPS and DP90 RiskPack have been available here for some three to five years. Many large organizations have or are in the process of buying these tools to help prepare their recovery plan. Many of the mid-sized organizations are preparing plans using cut down planning tools. These organizations utilize mini-computer systems such as DEC, HP, IBM, AS400, Wang and Prime.
We are now seeing a resurgence of hardware recovery vendors in our market. They include IBM, HP and DEC, all of whom provide a combination of services, including hot-site, priority machine delivery, cold-site and other permutations to suit client needs. These services are well-priced considering the small market that exists in Australia and New Zealand, resulting in poorer economies of scale.
Other vendors include the Ferntree Computer Services, State Bank of NSW, Hot Site, First State Computing, Hansen and Associates, and Data Security Services.
For those of you who know little about Australia, our population is 17 million with seven major cities in an area the size of North America. Our climate is not as extreme as North America, ranging from the very hot tropical north to the cool winters in the south. Snow rarely falls in major cities.
We have our share of cyclones, hurricanes and flooding in both coastal and inland areas. We experienced our first major earthquake in December, 1989, which hit the city of Newcastle 120 miles north of Sydney. Most of the damage was structural, with most organizations having problems with building access rather than complete destruction. The quake did, however, shake not only the city of Newcastle, but parts of New Zealand as well.
Vendors of all DRP services have really seen a big increase in activity in this relatively new industry and expect it to increase steadily over the coming years.
As with most countries around the world, the DRP industry is catching on very quickly, particularly as directors of organizations become more aware of the importance of this issue. The risks and threats will never go away; therefore, as the dependencies increase, so must the countermeasures and the planning that is required to be implemented.
The United Kingdom
Submitted by Charlie Veale of FAILSAFE ROC, a joint venture company between AT&T ISTEL and Comdisco Disaster Recovery Services:
One of the founder companies in the UK disaster recovery industry, FAILSAFE ROC, established in 1983, is now jointly owned by AT&T and Comdisco Disaster Recovery Services (CDRS). They act as the UK node for the CDRS global recovery network using satellite links the U.S. and Far East and ISDN to link to Europe. With the impending removal of trade barriers in Europe and the increasing internationalism of companies--many choosing the U.K. as their European base--the market is looking for global solutions.
In comparison with our U.S. counterparts (CDRS), the UK industry is about two to three years behind in such areas as continuous availability resources. As with the U.S., due to the UK’s commitment in the Gulf, our company is experiencing an increased awareness of potential computer disasters and subsequent orders for backup services due to the threat of terrorist actions on soft targets domestically. Additionally, the recent fire at DEC’s UK headquarters, damage caused by the ferocious gales last year and the computer disaster recovery legislation proposed by Emma Nicholson MP, are all focusing the attention of UK management on the potential damage such disasters can inflict on businesses.
The UK Data Protection Act and recommendations from the Bank of England already suggest the need for computer backup. The proposed UK legislation would go further, building on the existing Computer Misuse Bill 1990, following the U.S. example.
Although the U.K. is not plagued by earthquakes or hurricanes, in the space of a few hours FAILSAFE ROC was called out to the Hoskyns facility at Plessey Aerospace, as high winds blew off the roof and tore down the wall. We were then also put on alert by a further four customers because of the threat of freak storm damage to their computer installations.
As one of the first companies to serve this market, we now, along with other companies, provide hot-sites and mobile cold-sites--pioneered by ourselves--for customers. UK companies also use reciprocal agreements with varying degrees of success; the rate of change of technology and business requirements has made it difficult to find compatible partners.
In the UK, we are seeing an increasing realization that disaster recovery should not just concentrate solely on the physical facilities, but should adopt a much wider strategic business viewpoint, looking at the impact of a computer disaster on the company’s business as a whole.
A recent poll of The Times top 1,000 UK companies indicated that 41% put computer security at the top of the list of concerns. Hostile takeovers came in second, at 35%. In practice, UK companies can no longer limit their contingency planning solely to computer facilities. Turner & Newall, one of the UK’s largest automotive component suppliers’ computer division, regard their network as being just as critical as processing power since their divisions are spread throughout the UK. They also provide services for overseas divisions.
With companies including communications in their plans too, we have developed a network recovery service--Netsafe--to cover this sector. It provides communications equipment, both at the recovery center and shipped out the damaged site, to cope with the increasing moves towards distributed processing architectures within the UK computer industry.
As in the U.S., the major market for disaster recovery is in the financial sector, and it is estimated that 61% of companies in the UK disaster recovery market are financial service related.
However, the reliance of these organizations on information processing means the larger companies go for computer facility duplication with the rest looking toward third party suppliers like ourselves.
Abbey National, one of the UK’s largest building societies, recently used one of our hot-sites in a totally planned way by switching their processing over while they upgraded their computer powerfeeds.
There is no substitute for being prepared. One of the UK’s largest holiday tour operators not only involved the central computing facilities, but worked with all branches, who spent 300 hours swamping the backup system at our hot-site with work to check its viability during a recent test.
Although continuous availability products have not yet penetrated the UK market, our company sees this as the next natural step. With the number of on-line systems increasing in the UK, we are looking to develop a service to meet this need.
Even with the increasing use of PC-based systems, the majority of the data processing market is still based on mainframes, and with more UK companies looking to centralize--and thus rationalize--their computer operations, there is in fact an increasing demand for our “hot” and “cold” disaster recovery services.
The IBM U.K. Approach
Business Recovery Services
IBM U.K’s approach to disaster recovery is to provide comprehensive services, not limited merely to survival but to full business recovery.
Fire, flood, vandalism or a simple accident; disasters come in many forms, and if they can stop the computing function, they can cripple the business itself. IBM U.K. aims to ensure minimal impact to the business by providing services built upon 30 years of experience in building recovery plans to meet its corporate requirements for its business systems.
The offerings are constantly changing and developing customization and tailoring as well as extension and growth as technology advances.
The current services offer facilities for the mid-range (AS/400) customer and the mainframe (S/370 and S/390) customer, whether they be single, multi-system or multi-site.
The services are available round the clock, 365 days per year, and they provide a service within 24 hours of the declaration of a disaster.
The approach involves preventative and contingency planning, regular testing of recovery plans and specialist assistance at a time when most needed. IBM works with the customer to develop the plan. The customer provides the intimate business knowledge and the critical applications, and IBM brings the experience of information processing and background in business recovery.
Business Recovery Center Service
The Business Recovery Center Service for our mainframe customers is situated in Warwick in the Midlands. It has been purposely designed to offer our customer a secure, fixed site in which to recover computing facilities quickly and effectively so they can concentrate on getting their business fully reinstated.
Day-to-day business pressures make it difficult to focus on prioritizing the critical business applications that can break a company within days of a disaster. We start the planning phase by running executive seminars to gain this understanding and commitment so that the necessary resources are allocated to the project workshops. We regularly review the plan development and offer consultancy until the plan is completed. At this stage, an independent review panel makes an assessment to certify the plan as workable. Some insurance companies now recognize the value of this process and offer discounts against their policies.
By the time the test date arrives, the appropriate connections to support the network will be in place. Being at one of IBM’s major U.K. computing sites, it is easy for our technical skills and resources to be made available for use at Warwick to ensure the smooth running of the test and that an annual test allowance is made. As the location is also a fully equipped modern office complex, stress on customer staff is minimized by providing them with the facilities they need to devote their time to supporting the recovery.
Mobile Business Recovery Service
IBM U.K’s self-contained Mobile Business Recovery units have been designed to support AS/400 computer users. These are mobile computer rooms, providing safe and secure facilities to support the business in time of need. As well as a fully configured AS/400 on each unit, workstations and network connections, they also have their own generator. Environmental monitoring tools are also on board, as well as the kitchen sink!
Annual plan review and testing is part of the service and local hardware, and software support is available.
A number of invocations have been experienced during the last 15 months, causes varying from security alert to hardware failure. In each instance, the service has been available well within 24 hours, on average within seven hours.
Even if disaster never strikes, executives have peace of mind in the knowledge that they have complied with statutory and regulatory requirements through their annual review process.
Submitted by Juan Gaspar of ESATEL, an information security company:
ESATEL is a recently established company (June ’88) in Spain. It aims to produce and provide information security services to the Spanish market with the main focus on disaster recovery services.
Our capital is 50% ALCATEL Group, telecommunications multinational, and 50% ESABE Group, the Spanish leader in security products and services. From both Groups we have incorporated the information technology experience from ALCATEL and the security experience from ESABE to our product catalog. We have also added our own experience gained through these three years developing our consultancy skill and the respect of our customers.
Basically, our services catalog is formed by physical and logical security audits; physical and logical security plans; contingency plans; distribution of Disaster Plan/90, software produced by EDP Security in Boston, USA; data processing back up--hot-site based on idle capacity, equipped with IBM 9000/500 and Comparex 8/95; off-site storage; magnetic media transport in armored vans; and seminars on information security and disaster recovery.
The disaster recovery market is not yet too developed in Spain. As far as we know, ESATEL is the only company that offers this set of services, although there are four others offering backup services (from AS/400 to 3090 range). Most security companies that offer cash in transit services also offer transport and off-site storage of magnetic media.
Submitted by IBM
In Austria, management awareness for the need of disaster recovery provisions is constantly growing--for example, most of the banks have their own hot-site backup. Other companies are in the process of developing disaster recovery solutions based on their business requirements.
The currently available solutions address the size of the individual installations and range from a mobile backup system at the low end, such as the IBM AS/400, to a warm site backup center capable of providing a CPU power of about 12 MIPS and 30 Gbytes DASD for other installations. In addition, workspace for personnel could be included in the offer if deemed necessary. There are even plans to extend this backup capacity to satisfy disaster recovery needs of larger accounts too.
Disaster recovery service is currently available from a few HW suppliers, as well as from a company offering to share its own hot-site backup system.
Submitted by the Disaster Recovery Association of South Africa:
The disaster recovery industry formally started in South Africa about 1984 with the establishment of a first, commercial hot-site service for users of IBM equipment.
Since then, a number of companies have entered the marketplace offering such a service on various suppliers equipment. There are currently about 10 such companies offering a Standby Service.
Interest is now increasing at a significant rate, and in 1989 the Disaster Recovery Association was formed to represent all parties interested in the subject throughout Southern Africa. The association currently has 55 corporate members and 20 individual members and is affiliated with DVDRIEG in the U.S. and Survive! in the UK.
The objective of the DRA is to be the foremost industry representative authority in Southern Africa on Security and Disaster Recovery Planning and to educate and supply its members with the most up-to-date, unbiased information on all aspects of Security and Recovery Planning.
Many of the larger organizations have set up their own backup sites, and an announcement was recently made regarding the establishment of a commercial hot-site to provide a service to the large financial organizations in South Africa who have countrywide networks.
Computer vendors, themselves, are now showing a much greater willingness to formally address the DRP problems of their customers, either directly through the provision of a hot-site or indirectly by funding a subsidiary company to provide such a service.
There are a number of consultants specializing in the field mainly involved with auditing practices. Attendance at seminars for DRP events has increased rapidly in the last three years.
If you would like more information, contact A.G. Smith, Public Relations Officer, Disaster Recovery Association, PO Box 32734, BRAAMFONTEIN 2107.
Submitted by Doug Allan,the Center Manager at the Computer Recovery Facility in Malaysia:
Malaysia, with a booming economy located in the strategic center of Southeast Asia, is also experiencing explosive growth in the computing industry. Computer utilization is expanding at a rate of 20% per year. The reliance on mini and mainframe computers is now deeply seated across all industry sectors. The expansion of processing capabilities includes all the conventional business applications as would be seen in any country in the world, such as large complex networks, on-line banking, EDI, electronic fund transfer, stock trading, etc. The hardware and software application is state-of-the-art and is represented by all the major players in the information technology world.
Disaster recovery planning has not kept pace with the growth in information technology. A large void exists in the understanding and the capability of creating and maintaining a disaster recovery plan. However, there is now a keen awareness developing in recovery planning both within the government circles and business. Many organizations in the greater Kuala Lumpur area (Klang Valley) do not have a formal recovery plan. Some of the larger financial and industrial institutions have developed plans for reciprocal arrangements and in-house recovery centers.
An approximation of the mainframe and minis installed in the Klang Valley area of Malaysia is as follows (1990):
IBM Mainframe 100
IBM mini 72
Until recently, there were no organizations in Malaysia providing full recovery services within the computer industry. There remains a lack of skills in the areas of recovery planning, network recovery planning and risk management/impact analysis in the general business population. The awareness and interest is changing rapidly. Seminars on the subject are well attended, and guidelines are being developed by government and financial institutions alike. The awareness of the need for contingency planning at various levels of management does exist.
However, there are no voluntary support structures in place to assist in information exchanges on this subject. No one has, to date, organized chapters of support groups for monthly meetings to focus on disaster recovery planning subjects and to share success.
The Malaysian Administration, Modernization and Management Planning Unit (MAMPU) has prepared excellent guidelines on contingency plan and recovery, disaster recovery plans, steps in preventing disaster, and alternative strategies for contingency and recovery plans. However, it is not a support organization for direction and assistance. There are a number of consulting organizations available both from the major consulting firms and from two newly developed disaster recovery companies in Kuala Lumpur. Things are developing in this regard, but we are not there yet.
Submitted by IBM
On January 1, 1991, IBM Taiwan announced general availability of their AS/400 Business Recovery Services offering. The offering provides business recovery education, plan review, plan assessment, plan consulting, testing, technical assistance and use of the IBM Taiwan AS/400 recovery center or provision of an AS/ENTRY system to the customer site for signed contract customers. The recovery center is located in Taipei.
IBM Taiwan also announced availability of Business Recovery Consulting Services to assist their S/370 and S/390 customers.
Submitted by IBM
Colombia has the unique geographic characteristic of having seaports on both the Atlantic and Pacific coasts as well as having South America’s only land gateway to the north. This ideal location has contributed greatly to the development of a wide variety of industries by both national and multi-national companies.
Host computers located in the major cities commonly control production and distribution processes located in remote areas of the country, often separated by the Andes Mountains. As is typical throughout the world, increased dependence on these systems increases the impact of disruption. Risks inherent to this region are volcanic and geological fault zones as well as electrical storms that cause frequent fires and power outages.
IBM Colombia has responded to these concerns by offering Business Recovery Services (BRS) with a 4381 R91 and an AS/400 B45. The service includes testing, education, technical support and plan development consulting. BRS is a new service for IBM Colombia and is the first of its kind being offered in the country.
Submitted by IBM
On a September morning in 1985, a devastating earthquake struck Mexico City, causing destruction that can still be seen today. The world responded with aid and assistance. Local universities became temporary shelters, libraries became hospitals, and undamaged office space became computer rooms.
IBM Mexico worked around the clock to assist their impacted customers by sharing with them their own headquarters I/S facilities to process critical applications, as well as locating, shipping and installing the equipment necessary to restore customer operations.
In the aftermath of this tragedy, the I/S community in Mexico developed a stronger appreciation and concern for contingency planning. In 1985, Information Security and Contingency Planning activities in Mexico, as well as the rest of Latin America, fell far short of what was evolving in the United States. During the recovery period, IBM Mexico responded to these concerns with education, products, and services, to help close that gap.
Today, IBM Mexico offers a complete Business Recovery “hot-site” service, with a 4381-T92, which can include “Plan Development” consulting and formal education. Additional consulting and education on Information Security is also available.
Most of the “hot-site” customers are U.S. based multi-nationals who receive their contingency planning direction from their parent companies, but the number of domestic companies using this service is growing rapidly.
IBM Mexico and its customers will continue to move forward with expanded service for AS/400 in the near future, and support for larger enterprise systems at some point in time when the telecommunications infrastructures in Mexico can provide a practical backup solution for larger I/S networks.
This article adapted from Vol. 4 No. 2, p. 30.