Proposal Paper

145

Chapter 7

Disaster Recovery and Business Continuity Planning

Kevin McLaughlin

There must be a self-regulatory process…with internal rules, as that is efficient. However, self-regulation is not enough—you need both legis- lation and self-regulation.

—Bernhard Otupal Interpol

Contents Introduction ......................................................................................................162 Background .......................................................................................................162 Developing the Contingency Policy...................................................................165 Business Impact Analysis ...................................................................................165 Controls and Mitigation ....................................................................................165 Government Involvement in Business Continuity and Disaster Recovery ..........166 Facilitated Business Continuity and Disaster Recovery Theory ..........................166 Conclusion ........................................................................................................166 References .........................................................................................................168

Peltier, Thomas R.. Information Security Fundamentals, Auerbach Publishers, Incorporated, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1375200. Created from apus on 2025-04-18 03:10:32.

C op

yr ig

ht ©

2 01

3. A

ue rb

ac h

P ub

lis he

rs , I

nc or

po ra

te d.

A ll

rig ht

s re

se rv

ed .

146  ◾  Information Security Fundamentals

Introduction Organizations continue to take large-scale losses and even go out of business by not adequately planning for large-scale disasters that affect their ability to conduct business. When a disaster hits an area, its socioeconomic effects are compounded when the citizens of that area also end up out of work and not receiving a paycheck. These citizens often file civil lawsuits for damages. These lawsuits frequently cite management neglect and lack of disaster recovery (DR) planning as one of the reasons for seeking damages. Lawsuits like this often add to the postdisaster economic distress suffered by communities and businesses. Picou et al. (2004) stress that the negative effects of a disaster can damage com- munities and their citizens for a long time after the event. These communities struggle through postdisaster recovery and have a hard time being successful with their postdisaster recovery efforts. One of the most negatively impactful activities that slow down the recovery process is excessive postdisaster litiga- tion. Although many items contribute to this slow recovery, Picou et al. (2004) contend that “none are as debilitating as the litigation processes that… ensue to redress” (p. 1494) the negative socioeconomic effect experienced by the members of the community.

Due to the heinous socioeconomic effect a disaster can bring to both an orga- nization and the community within a geographical region when its businesses are unprepared to recover from such an event, it is important to have necessary busi- ness continuity and DR plans in place.

Background Many organizations voluntarily spend money and time attempting to design DR systems, processes, and methodologies that will enable them to continue business operations in the event of a disaster. To bring the appropriate systems up, it is important that organizations are able to contact the resources needed and that they have methods in place to ensure that resources can actually make it to the recovery area. Adding strong leadership roles for the responding resources is also of critical importance for successful DR postevent recovery (Biddinger 2007). Another necessary component of successful recovery is ensuring that informa- tion technology professionals spend time testing the hardware and equipment needed to make sure the organization can recover business critical systems in the time required as cited by the senior management. Before an event, organizations need to complete a business impact analysis (BIA) so that they clearly under- stand which systems need to be restored to maintain adequate enough business operations.

There is currently a dearth of government regulation that requires business enti- ties to have robust business continuity and DR plans, strategies, and infrastructure

Peltier, Thomas R.. Information Security Fundamentals, Auerbach Publishers, Incorporated, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1375200. Created from apus on 2025-04-18 03:10:32.

C op

yr ig

ht ©

2 01

3. A

ue rb

ac h

P ub

lis he

rs , I

nc or

po ra

te d.

A ll

rig ht

s re

se rv

ed .

Disaster Recovery and Business Continuity Planning  ◾  147

in place. Lacking this regulation, organizations need to look elsewhere to deter- mine how to plan, implement, test, and assess business continuity and DR plans. Thankfully, there are, however, many standards in place that assist organizations in designing effective business continuity and DR plans. The National Institute of Standards in Technology (NIST) Special Publication (SP) 800-34 is one such standard and its book on contingency planning outlines methodologies for orga- nizations to follow and strongly suggest that each organization have such plans in place so that they do not suffer unrecoverable postdisaster loss.

In order to have an effective DR program an effective DR process framework needs to be developed within the organization. This process framework allows an organization to put a sustainable, repeatable and easy to follow step by step pro- cess in place for handling the management of their DR solution. While at the University we used the following: Design and approve the DR Policy, Conduct and Complete an organizational BIA, Develop and get buy in for the recovery strategy as focused on the BIA results, Design the organizationally approved DR plan, Plan and Complete training and testing, and lastly make sure that the plan is a living document that is maintained ongoing throughout the year.

Tulane University, like many organizations in New Orleans, was prepared for an event like Katrina but it did not have plans on how to recover from such an event and ended up missing its August payroll run, an event that compounded the trauma that many families were already going through (Anthes 2008). John Lawson, Vice President and Chief Information Officer (CIO) for Tulane, stated that

We did have to face the music. We stopped paying adjuncts on August 29. We stopped paying part-time faculty and staff members on September 30. Beginning November 1, we began using vacation and sick leave to help pay full-time faculty and staff members (The Chronicle of Higher Education 2005, p. B.203).

The aftermath of the Katrina disaster was tough on the communities affected and better business continuity and DR planning would have gone a long way toward minimizing the socioeconomic downfall that the event brought to New Orleans and its surrounding communities. It took so long for universities in Louisiana and Missouri to recover from the aftermath of Katrina that 26,000 students in the state of Louisiana and 9,000 students in the state of Mississippi failed to return to their schools (Marcus 2007). Two years after the event, the University of New Orleans was still 6,000 students under its pre-Katrina enroll- ment numbers and Loyola University was still 1,000 students under its pre- Katrina enrollment numbers. A secondary effect of this decrease in enrollment is that 217 faculty members who lived and worked in the New Orleans commu- nity were fired from their University positions (Marcus 2007). This means that postdisaster within their local institutions of higher education, the community

Peltier, Thomas R.. Information Security Fundamentals, Auerbach Publishers, Incorporated, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1375200. Created from apus on 2025-04-18 03:10:32.

C op

yr ig

ht ©

2 01

3. A

ue rb

ac h

P ub

lis he

rs , I

nc or

po ra

te d.

A ll

rig ht

s re

se rv

ed .

148  ◾  Information Security Fundamentals

of New Orleans had 7,217 fewer consumers’ spending money and helping their community rebuild and recover its economy. In a separate disaster event, the United States 9/11 Twin Towers attack, it was noted that for a number of months after the event, workers in New York City experienced a decrease in the num- ber of hours at work. This decrease rebounded within a 6-month period, but it does confirm that a community does suffer negative postevent economic effects (Hotchkiss and Pavlova 2004).

One of the major issues faced by organizations when they are considering business continuity and DR strategies such as integrated automation to facili- tate business continuity process management (BCPM) and DR high availability (Lumpp et al. 2008) is the large budget that is necessary to implement a success- ful business continuity and DR program. These monies are often needed on an annual basis and they are to be spent on contingency items that might never be used. In 2009, a lot of IT shops were facing budget shortfalls, with capital bud- gets being nonexistent in many organizations. With the current economic woes, it is not uncommon for senior executives to view redundant infrastructures as cost-doubling effort wastebaskets that they are dropping money into but that has zero practical and likely no future use or benefit (Rice 2009). It is very difficult for managers within an organization to spend scarce dollars for an event that might never occur.

Tulane did not have a formal DR plan for replacement of machines with any outside vendor or institution. That was a cabinet-level deci- sion, made during times of fiscal stress. We had just shifted to a decen- tralized system for fiscal management, so IT was a shared resource. When I presented the plan for off-site DR, it was for $300,000 a year or so. We decided that we could not ask the deans to pay for that as they were already upset about recent budget cuts and increased IT recharge rates. (The Chronicle of Higher Education 2005, p. B.201)

Of interest to note is that John Lawson, the CIO of Tulane, has related publicly that after Katrina, his off-site DR plan was approved at a cost of approximately $600,000 per year, double the amount Tulane management turned down before Katrina.

Senior managers for organizations need to understand that the infusion of technology across their business processes makes ignoring business continuity and DR planning borderline gross neglect (McKinney 2009). In many cases, the failure to follow all of the seven NIST SP 800-34 contingency planning steps to fully prepare for a disaster can be seen as a failure of the organization’s senior management and lead to a civil lawsuit for damages. In some cases, this lack of prudence by organizational management can compound events sub- sequent to a disaster to such an extent that the organization is incapable of

Peltier, Thomas R.. Information Security Fundamentals, Auerbach Publishers, Incorporated, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1375200. Created from apus on 2025-04-18 03:10:32.

C op

yr ig

ht ©

2 01

3. A

ue rb

ac h

P ub

lis he

rs , I

nc or

po ra

te d.

A ll

rig ht

s re

se rv

ed .

Disaster Recovery and Business Continuity Planning  ◾  149

postevent recovery. In some postevent cases, we can even go as far as to say that “managerial errors are the root causes of the technological disasters” (Shaluf 2007, p. 387).

Developing the Contingency Policy One of first items that information assurance/security professionals need to do to ensure that their organization is going to take the necessary precautions to make sure that if a disaster occurs they will be ready and prepared to recover is to develop a Business Continuity Contingency Policy. As is true with any policy, vetting and alignment with organizational senior management is the first thing that needs to take place. Once this approval of the policy takes place, it then needs to proceed through an organizational governance process to ensure that proper buy-in from the affected community members’ takes place. The activities during this time will be ongoing review, edit, review, and finally acceptance and alignment. The vetting of organizational policies should also make sure to include review by the organiza- tion’s general counsel. When finalizing the policy, keep in mind that 100% align- ment is not usually possible and the organizational governance process should take that into account.

Business Impact Analysis A discussion on BIA and a sample procedure are included in Appendix B.

Controls and Mitigation Bergland and Pedersen (1997), in a report on the effects of safety regulation on the safety and well-being of Norwegian fisherman, found that costly regulation induced “the individual rational fisherman to behave in a way which increases their risks” of injury (p. 291). This behavior is caused by a fundamental risk analysis being conducted on the part of the regulated entity. Will it cost me more to follow the regulation than it will to suffer the accident or loss caused by a negative event? Extrapolating that risk analysis to the area of business continuity and DR planning, it is feasible to believe that senior business managers in other industries will con- duct similar analyses. Will it cost me more to implement the required business con- tinuity and DR infrastructure than it would for me to recover from a catastrophic event that may or may not occur sometime in the future? This is an impactful ques- tion that needs to be fully considered in our current economy downtrend that is causing organizations to pull back from IT spending and is in line with the current

Peltier, Thomas R.. Information Security Fundamentals, Auerbach Publishers, Incorporated, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1375200. Created from apus on 2025-04-18 03:10:32.

C op

yr ig

ht ©

2 01

3. A

ue rb

ac h

P ub

lis he

rs , I

nc or

po ra

te d.

A ll

rig ht

s re

se rv

ed .

150  ◾  Information Security Fundamentals

economic trends, which depict IT budgets trending downward instead of upward (IndustryWeek 2008).

Government Involvement in Business Continuity and Disaster Recovery The goal is not to eliminate the risk but to design business continuity and DR strategies that generate more benefits to the community than the negative effect of the costs incurred (Viscusi and Gayer 2002). This type of cost–benefit analysis and risk- versus cost-based thinking is a critical component to consider when deciding if business continuity and DR strategies should be implemented.

Facilitated Business Continuity and Disaster Recovery Theory One scalable and relatively easy way to make sure that all of your business IT departments have a successful DR plan is to leverage the understanding and capa- bilities of the Facilitated Risk Analysis and Assessment Process (FRAAP) and cre- ate your DR teams and methodologies in the same manner as the FRAAP. This includes splitting the workup among the teams, making sure each team has one trained DR specialist/trainer who is responsible for instructing department DR per- sonnel on how to make use of the templates and tools associated with the organiza- tion’s DR efforts.

Conclusion My children will live with the mistakes I make.

—Representative Zoe Lofgren in a speech on government regulation of DR methods for the Internet

Lawsuits are also not the answer to resolving the issue of successful postdisaster recovery, and are actually counterproductive to the goal of maintaining a stable socioeconomic climate that is ripe for successful recovery (Picou et al. 2004). Many of the businesses that suffer a disaster do not have the financial means to recover and continue their operations in the community, and having to pay postdisaster settlement costs will drive them closer toward bankruptcy and not being able to reestablish normal business operations.

Peltier, Thomas R.. Information Security Fundamentals, Auerbach Publishers, Incorporated, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1375200. Created from apus on 2025-04-18 03:10:32.

C op

yr ig

ht ©

2 01

3. A

ue rb

ac h

P ub

lis he

rs , I

nc or

po ra

te d.

A ll

rig ht

s re

se rv

ed .

Disaster Recovery and Business Continuity Planning  ◾  151

Because the CIO of an organization has a fiduciary responsibility to protect cor- porate assets in good times and bad times (Lumpp et al. 2008), business continuity and DR planning is the component that has to be put in place if organizations are to remain open and viable after a disaster strikes their geographical region. “Data recovery is now a $20 billion per year sector of IT” (Preimesberger 2008, p. 31), which is a strong indicator that the increasing number of natural and man-made disasters that have hit communities and the publicity generated over those events, which discuss how many businesses failed to recover, is finally causing organizations to start implementation of recovery plans, tools, and strategies. A lot of organiza- tions have changed their posture and thought process in regards to BCP and DR planning and have decided to make efforts in this space a part of Organizational strategic planning instead of just nice to haves (Payne 2010). A plethora of DR soft- ware and hardware are available to IT managers; tools like Ecora, Orange Parachute, Compellent, NetApp, Xiotech, SunGuard, open source DR software from Berkeley, etc. (Preimesberger 2008), allow organizational IT shops to create recovery plans and methodologies. Organizations are starting to understand that developing and maintaining a comprehensive business continuity and DR plan and supporting infrastructure is of critical importance (McKinney 2009). The Loews Corporation, a New York–based holding company, in part because of the 9/11 disaster, has devel- oped multiple points of redundancy and recovery plans just in case they are affected by future events (Mearian 2003). Similarly, the ninth item on the list of the top 10 trends in higher education is to increase focus on planning for catastrophe and DR (Martin and Samels 2007).

There are many areas that the government can be involved in when it comes to protecting the United States’ infrastructure and improving DR among government and private organizations. One of these items is to assist in the development of stan- dards, best practices, and training (Anonymous 2009). Good examples of the type of standards and best practices that governments can develop and promote are the US Government’s NIST 800-34 Contingency Planning and the UK Government’s ITIL Continuity Planning.

A combination of government regulation, self-regulation, government and private training of business continuity/DR professionals, and government and private sector partnerships and associations is necessary to minimize the negative socioeconomic effect caused by a large-scale disaster. The partnership programs should be modeled after the Federal Emergency Management Agency’s (FEMA) free post-9/11 inte- grated government and private sector training for emergency responders across the United States (Whitworth 2006). The business continuity/DR integrated training courses should consist of free nationwide awareness classes on why businesses need to be worried about and prepared for a disaster affecting their ability to conduct business and the economic effect suffered by their community when they fail to go back into business after a disaster. Additional courses should be offered to business and IT man- agement on the seven NIST 800-34 contingency and ITIL continuity planning steps.

Peltier, Thomas R.. Information Security Fundamentals, Auerbach Publishers, Incorporated, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1375200. Created from apus on 2025-04-18 03:10:32.

C op

yr ig

ht ©

2 01

3. A

ue rb

ac h

P ub

lis he

rs , I

nc or

po ra

te d.

A ll

rig ht

s re

se rv

ed .

152  ◾  Information Security Fundamentals

References Anonymous. (2009). Self-regulation plans polarise industry. The Safety and Health Practioner

27(12), 8. Anthes, G. (2008). Tulane University; following Katrina, the university’s top priority was get-

ting its people paid. Now its payroll system is safer than ever. ComputerWorld, Special Edition 1–2.

Bergland, H., and Pedersen, P.A. (1997). Catch regulation and accident risk: The moral haz- ard of fisheries’ management. Marine Resource Economics 12, 281–291.

Biddinger, N. (2007). The information technology role in DR and business continuity. Government Finance Review 23(6), 54–56.

The Chronicle of Higher Education. (2005). A look back at a disaster plan: What went wrong and right. The Chronicle of Higher Education 52(16), B200–B203.

Hotchkiss, J.L., and Pavlova, O. (2004). The impact of 9/11 on hours of work in the United States. Working Paper Federal Reserve Bank of Atlanta 16.

IndustryWeek (2008, November). Capital budgets for IT hit the wall. Information Technology 68.

Lumpp, T., Schneider, J., Holtz, J., Mueller, M., Lenz, N., Biazetti, A. et al. (2008). From high availability and DR to business continuity solutions. Systems Journal 47(4), 605–619.

Marcus, J. (2007, October 5). Katrina-hit campuses try to return to normal. Times Higher Education 1–2.

Martin, J., and Samels, J. (2007). 10 trends to watch in campus technology. The Chronicle of Higher Education 53(18), B.7.

McKinney, M. (2009). Plan before panic. Hospitals and Health Networks 83(11), 35–38. Mearian, L. (2003). Global firms confident about DR. Computerworld 37(12), 6. Payne, L. (2010, January). Changing security theory to security practice. Security Magazine

60–63. Picou, J.S., Marshall, B.K., and Gill, D.A. (2004). Disaster, litigation and the corrosive com-

munity. The University of North Carolina Press: Social Forces 82(4), 1493–1522. Preimesberger, C. (2008, July 21). On the brink of disaster. eWeek 31–38. Rice, J. (2009). Budget ax falls on DR. Computerworld 43(2), 28. Shaluf, I.M. (2007). An overview on the technological disasters. DPM 16(3), 380–390. Viscusi, W., and Gayer, T. (2002). Safety at any price? Regulation 25(3), 54–63. Whitworth, P.M. (2006). Continuity of operation plans: Maintaining essential agency func-

tions when disaster strikes. Journal of Park and Recreation Administration 24(4), 40–63.

Peltier, Thomas R.. Information Security Fundamentals, Auerbach Publishers, Incorporated, 2013. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=1375200. Created from apus on 2025-04-18 03:10:32.

C op

yr ig

ht ©

2 01

3. A

ue rb

ac h

P ub

lis he

rs , I

nc or

po ra

te d.

A ll

rig ht

s re

se rv

ed .