In the business world, computer disaster recovery planning is evolving toward business continuity planning. In recognition of this trend, in 1995, DRI International, an organization founded in 1988 to provide a base of common knowledge in continuity planning, replaced the designation for Certified Disaster Recovery Planner (CDRP) with Certified Business Continuity Planner (CBCP). What is the difference between disaster recovery and continuity planning? In theory, a disaster recovery plan is reactive and usually focuses on the computing environment.

Although work is done to harden the computing infrastructure to prevent a disaster, the plan’s main purpose is to recover from damage to the infrastructure. In contrast, a business continuity or contingency plan is not only proactive, but it is also targeted at keeping the business running, and not just recovering the computers.

Many companies today do not have a working continuity plan. Of those companies that do develop a continuity plan, many proceed without sufficient knowledge or input from end users.

For example, auditors or managers often direct someone within the IT department to write a plan to back up the company’s data centers. Frequently, the IT operations staff backs up everything running on a particular system, or even the entire data center, so that all information, critical or not, is recovered at the same time – even if the business function the data supports either is not critical or can be replaced by manual procedures.

Management and employee Ethical Misconduct Disasters (EMD) can be as devastating as, or even more devastating than, natural disasters or technological disruptions. These unexpected crisis contingencies can disrupt routine operations, cost work time, waste resources, damage organizational reputation, and result in fines and criminal charges against management. During the DRJ Spring World 2001 conference and exposition in San Diego, California, we measured participants’ perceptions about the state of readiness and perceived threats of EMD. The annual DRJ Spring World conference is the oldest and largest gathering of disaster recovery planners, business continuity experts, and crisis/contingency planners across a wide variety of industries and fields. We classified those who volunteered to return our survey as beginning, intermediate, and advanced industry leaders and subject matter experts in the field of disaster recovery planning. Their opinions are very important to those of us who conduct research in this area. This brief summary reports the preliminary results of that survey.

We were encouraged to find that 85% of DRJ Spring World 2001 conference attendees report that their companies have a Disaster Recovery or Business Continuity plan. Of those companies that have a plan, 72% of those plans specifically address management and recovery from EMD. However, approximately one-third of all companies and organizations represented at the DRJ Spring World 2001 did not as of this date have a written plan that specifically addresses EMD. (See figure 1)

Only 21% of DRJ Spring World 2001 conference attendees’ companies have ongoing assessment and testing of EMD management and recovery plans. Over half (58%) of all companies and organizations represented at the DRJ Spring World 2001 do not have ongoing assessment and testing of EMD management and recovery plans. Further, only 13% of DRJ Spring World 2001 conference attendees’ companies use interactive simulations/exercises for EMD readiness training. Fully 67% of all companies and organizations represented at the DRJ Spring World 2001 do not utilize interactive simulations/exercises for EMD readiness training. Very few (15%) of DRJ Spring World 2001 conference attendees’ companies utilize expert consultants to review their EMD response readiness.

Every year more than 1 million mobile desktops and laptops are stolen, damaged or destroyed. Desktops and mobile workstations contain valuable data; losing that information can result in the loss of hours - even weeks - of work, and replacing it may be impossible.

What’s a company to do? Christophe Bertrand, a senior product-marketing manager for client data protection at VERITAS Software, takes us through the steps of establishing a disaster recovery plan for laptops and mobile laptops.

Note: As of this writing the final wording of the HIPAA regulation is still in flux. However, the essential characteristics of the regulation should be as described here. No significant changes are anticipated.

The final version of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 will be published soon. Among other things, HIPAA requires broad security and disaster recovery protection for “individually identifiable healthcare information”. Healthcare organizations, and those companies that serve them, now fall into the same category of business as banks, in that there is a federal agency that demands certain security and disaster recovery standards.

The Gartner Group has estimated that HIPAA will be the single greatest IT driver in the healthcare industry for the next three years. Some estimate that the cost to the healthcare industry will be three times the cost of Y2K.

What would you do if your business lost electrical power? How would you operate your production lines, heating and/or air conditioning systems, lighting, telecommunications, control systems, and computers? Five years ago, in most parts of the world, you didn’t have to worry about these problems - electricity was taken for granted. But recent events in California - a result of problems stemming from its electric power deregulation program - demonstrate the need to be prepared in case your electrical service is interrupted. If you have a major manufacturing facility, you could suffer millions of dollars in losses due to a prolonged production interruption. Your readiness for lack of electricity could mean the difference between business survival and disastrous loss.

What is Deregulation?

At one time, a single company in a certain geographical region would generate electricity, transmit it to cities and towns, and distribute the power to its consumers - industries, businesses, and residences. This company would be regulated by a public utilities commission or, in the case of the United Kingdom, the government. They would decide if activities such as changes in service, raising electricity rates, or increasing output were warranted. Traditionally, power companies that owned the wires and pipes that carried power into homes and businesses also would sell the consumer electricity and natural gas.