Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery

Prepared by: Janis Elain and Kristin Myers
IT 486: Critical Issues in Information Technology
Central Washington University
Prepared for: Terry Linkletter
February 13, 2012
BUSINESS CONTINUITY AND DISASTER RECOVERY - 2
Abstract

This paper explores three challenging topics related to Business Continuity and Disaster Recovery. Preparing for unknown threats by identifying as many threats as possible, combined with comprehensive planning and practice, will aid a company’s ability to deal with ALL threats. Increasing cyber security through data protection planning and recovery ensures a business can continue to operate or recover quickly in the aftermath of unfortunate events. Management support, employee buy-in and transparent communication processes create a culture of accountability throughout the organization. Solutions, benefits and rationale to support our recommendations are discussed within this paper.

Keywords: business continuity, disaster recovery, accountability, cyber security
Business Continuity and Disaster Recovery Solutions

Introduction

Business Continuity and Disaster Recovery (BC & DR) is an essential discussion topic related to critical issues in information technology. Business Continuity ensures critical business systems are available to everyone who needs access. Disaster Recovery is a subset of Business Continuity that guarantees an organization will be able to recover after a potentially catastrophic event. Preparing for unknown threats, increasing cyber security through planning, and accountability throughout the organization are priority areas for improvement within our organization. This paper discusses possible solutions, benefits and rationale to support our recommendations.
Preparing for Unknown Threats

The consensus of the Central Washington University Information Technology and Administrative Management 486 Winter 2012 class is that the best way to prepare for unknown threats is to be prepared for as many known threats as possible. Companies developing and practicing an effective BC & DR plan are more likely to deal effectively with ALL threats, whether or not they were previously identified as possibilities. Let us discuss several important points that are included in this all-inclusive preparation.

Maintain an Updated BC & DR Plan

An organization’s BC & DR plan should include a risk assessment that spells out possible threats, their impact on the organization, and the likelihood that they will occur. Numerous government resources are available online that help to identify many naturally occurring and man-made disasters that organizations may face. It may also be helpful to brainstorm among key employees from various departments (a “Disaster Recovery Team”) to determine threats to which the organization may be exposed. A SWOT (strengths, weaknesses, opportunities and threats) and “what if” analysis is also helpful. In addition, it may be beneficial to network with other organizations of a similar nature to find out what they perceive as possible threats. Once identified, a plan for dealing with each emergency type can be proposed, prepared and practiced.

Involve Employees

Employees are more likely to “buy in” to something they help create, so including employees in the development of a BC & DR plan is important. It is equally important to continue employee involvement through regular communication and training, so that disaster preparedness and emergency response procedures are always at the forefront of employee thought. An alert staff member can go a long way toward detecting a problem early, bringing it to the attention of the company’s management, and initiating the processes outlined in the organization’s BC & DR plan. In addition to developing BC & DR procedures and plans, it is important to practice different scenarios with employees, so they understand what to do in different kinds of situations and can modify their actions accordingly when the unexpected happens.

Promote Early Detection and Quick Responses

Having the systems in place to quickly identify and respond to an emergency, whether previously known or unknown, is crucial. The sooner a threat is identified, the quicker the response can be initiated. Depending on the nature of the threat or disaster, a speedy response may make the difference between saving and losing the company’s resources, profits, and reputation, and possibly even people’s lives. An early detection system may include a combination of physical and technical alarms (fire alarms, security alarms, network firewall alarms) as well as alert employees who know what is “normal” and what is not. With rapid identification of a threat and intervention, a company can implement its BC & DR plan as rapidly as possible, improving the chances of a positive outcome.
Increasing Cyber Security through Planning

Preparing a comprehensive Business Continuity and Disaster Recovery (BC & DR) plan includes taking steps to increase cyber security, and having good cyber security better prepares a company for BC & DR when disaster strikes. Thus, there is a lot of overlap between these two topics. In this portion of our paper, we will examine some of these areas of overlap, emphasizing how having a BC & DR plan in place will involve cyber security issues and vice versa.

Data Protection

For most organizations, data protection is crucial to maintaining business continuity after a disaster strikes. After all, a business cannot continue to do business if its data files are compromised or wiped out, an outcome that is all too possible with many forms of natural and human-caused disasters. Regular data backups are a must, with consideration given to the timing, method, and storage of the backed-up information. Real-time updates with redundancy provide the most reliable, but most costly, form of backup. Less expensive options are available, like cloud computing, offsite data backups, and hosted services, which may be appropriate for meeting the company’s ongoing data needs while providing backup plans in the event of a disaster. According to the BC Management Survey, 24% of companies surveyed use a mixed model of vendor and internal solutions for backup and recovery (BC Management Survey, 2009). Up-to-date firewalls, anti-virus programs, and security practices that protect data are also important, not only for everyday use but also to protect against cyber attacks of various types. Protective hardware, software, policies and procedures will not guarantee that outside threats cannot get into a company’s computer system, but they will greatly enhance a company’s ability to protect itself against attack (or to recover more quickly and with less long-term damage after an attack). Since the nature and content of cyber threats change over time, it is imperative that organizations stay abreast of these changes and do their best to protect themselves using every measure possible.

Top-Down Support and Involvement

It almost goes without saying that security (including cyber security) participation, support, and buy-in are required across the entire company’s organizational chart, from the top down. Upper management must believe that security measures are important and set aside the manpower, money, and other resources needed to implement a security program that is right for the organization. Involvement from employees at all levels is also imperative. Department heads need to communicate to their staff not only the company’s general security policies and procedures, but also specific guidelines that may apply to their unique jobs, including cyber security. Employees on the front line need to be trained on what to look for, what is “right” and what is not, and what to do when something seems wrong. Ongoing training keeps awareness high. Working together, upper management, middle management, and frontline employees can identify and mitigate potential threats that might derail the company.

IT Department is at the Forefront

Although security support is needed from all parts of the company, as previously stated, the IT department plays a key role in keeping the organization’s computers and data safe from potential threats. In order to do its job effectively, the IT department must be adequately staffed and financed. BC & DR often takes a “back seat” when more immediate projects demand the attention of IT employees. So making security a priority, and providing the IT department with the manpower and resources it needs to design, implement, and test security and backup systems, is crucial for success, not just when dealing with disasters but at all times.

Identify and Remedy Weaknesses

A healthy BC & DR plan includes identifying weaknesses and potential threats, and taking steps to remedy them to minimize exposure and risk. The same is true for security in general (and cyber security specifically). An organization should periodically take stock of its weaknesses, identify gaps or areas that need improvement, and install the systems or solutions needed to correct them. This proactive approach to security will help to prevent many problems before they have the opportunity to occur.

Conclusion

Strong cyber security makes good business sense not only for keeping the company and its data safe during daily operations, but also because it protects the organization from a variety of threats and prepares it for a more successful recovery after a disaster strikes. A comprehensive BC & DR plan will include cyber issues to protect the company on a day-to-day basis, as well as in times of crisis.
Accountability throughout the Organization

Accountability within an organization originates in the company culture; “it is not only for what we do that we are held responsible but for what we do not do” (Molière, n.d.). Many companies are good at creating policies and procedures, but have a very difficult time enforcing them. Management must set a good example, so accountability flows from the top of an organization downward. An integrated cycle of planning, practice and improvement reinforces the operational success of the BC & DR program. Communication, management priority and employee buy-in help to promote a cohesive system of participation and accountability.

Company Culture

Culture grows, develops and changes within a company. Management can influence or control employee behavior, but culture evolves from all employees. Employees must hold each other accountable for facilitating organizational change. Making group decisions, sharing information and improving processes are part of building trust at all levels of the organization. This trust must be in place to allow employees to engage and truly care about saving the company in a disaster situation. This is not something that can be mandated and enforced; it must be cultivated over time.

Leading by Example

Managers must set the standards for accountability within an organization. Often the word accountability is associated with punishment or negative consequences. When applying accountability to BC & DR it is important to remove the negative image and focus on empowering employees to make good decisions in potentially bad situations. Executives, managers and anyone in a leadership role must take responsibility for their own actions and set good examples. Similarly, BC & DR policies and procedures must flow from the top down in the organization, but employees need to accept ownership. According to Grimaldi (2002), “business continuity plans fail most often because of a lack of initial effort and subsequent commitment; this is largely due to the fact that developing and implementing Business Continuity Plans can be an arduous and politically sensitive project.” If management views BC & DR as an organizational burden, so will its employees.

Planning, Practice and Improvement

Planning is essential to BC & DR. A well-developed plan will ensure your organization can continue to operate or recover quickly from disaster. This planning must incorporate all areas of the business with very clear assignment of tasks. A cross-functional team should lead the process, with accountability to both management and upper management. Updates to the processes and procedures should occur on a regular basis. Personnel with clearly defined roles and responsibilities, and the appropriate level of decision-making power, must participate in the planning process. To ensure accountability, personnel must have the appropriate knowledge, training and background in BC & DR. Distributing duties across the organization, with contingency responsibilities, will ensure sufficient coverage during an actual event.

Regular practice of BC & DR plans ensures everyone in the organization understands their responsibility and contribution. A good practice session proves the plan is usable, not just a document. During a crisis, it is unlikely that staff will be able to refer to a written copy, so everyone involved must have a good working knowledge of their required actions. According to the CPM and Strohl (2002) survey, a variety of testing methods are used: “58% of respondents use a combination of IT specific tests, walkthroughs and enterprise wide testing.” These practice sessions also help identify missing components. Practice should occur at regular intervals and at unplanned times, using the element of surprise as a planning component.

Even the best plans have room for improvement. Employees change positions, new technology arrives, systems are retired, and change is one of the only constants in business. Regular review of BC & DR policies and procedures helps identify organizational changes. If the plan does not work effectively, continual improvements are necessary until it fits the organization. Case studies and reenactments of real scenarios are valuable when looking for ways to improve plans.
Communication

Communication flows in all directions within an organization. Upper management announces management changes. Management informs employees of organizational changes. Employees discuss the changes around the water cooler. Information flows both horizontally and vertically. Transparency between all levels of management and employees gives credibility to communication and builds trust throughout the organization. Effective BC & DR relies on your employees trusting each other and management during a catastrophic event. Communication is crucial throughout the process. Very good communication planning happens on paper, but trust and accountability enable it to occur in the real world.

Knowledge workers are the key to your business. They know the day-to-day operations better than any management personnel. The employees who are responsible for these operations are the best resource for formulating how business will recover or continue daily operations. Ask them what the minimum requirements are for doing their job, and listen. Not only will you discover a lot of interesting business practices, your employees will feel that you care to hear their input. Brainstorming sessions are also a very good way to collect input from all levels of employees. Teams comprised of both management and non-management employees can make everyone feel valued.

Management Priority

Varying levels of management accountability are essential to BC & DR practices. The level of involvement depends on the size and structure of the organization. Regardless, employees must know that senior management and executives set BC & DR as a priority in the organization. Regular management review and approval of all BC & DR policies and procedures is critical. Sharing plans for improvements keeps higher management involved and engaged in the process. A financial commitment through strategic business planning, even during difficult times, will show overall management support for the project. The same level of accountability is required for management as well as employees.

Employee Buy-In

In the end, you are relying upon your employees to use their experience, knowledge, analysis and expertise to make good decisions regarding the recoverability of your business. Ongoing feedback to employees about BC & DR and the company’s progress towards implementation and improvement goals adds to employee buy-in. BC & DR should not happen in a vacuum; sharing the budget, deliverables and progress through corporate metrics and key performance indicators encourages employee participation. Companies often forget to celebrate success; rewards are appropriate after completion of milestones and goals. When all employees participate, all employees should celebrate in the success. Rewards do not have to be expensive or monetary; sometimes just saying thank you and acknowledging the completion of a large project is sufficient.
Conclusion

Business Continuity and Disaster Recovery is critical to both information technology and business. Preparing for unknown threats, increasing cyber security through planning, and accountability throughout the organization are priority areas for improvement within our organization. We proposed several possible solutions, explained the benefits and provided rationale to support our recommendations. Ongoing management support and employee buy-in are persistent themes throughout all our solutions. A cycle of planning, practice and improvement is critical to the success of any BC & DR program.
References

BC Management Group Survey. (July 2009). International Business Continuity Program Management Benchmarking Report. Retrieved February 9, 2012, from http://www.bcmanagement.com.

CPM Group and Strohl Systems. (October 2002). Study Reports on Plan Activation and Testing. Retrieved January 31, 2012, from http://www.auerbach-publications.com/.

Grimaldi, R. L. (May 2002). Why do Business Continuity Plans Fail? Risk Management, Vol. 49 (5), pp. 34-39. Retrieved January 31, 2012, from http://www.uplanit.com.au/index.php?option=com_content&view=article&id=17:whydo-business-continuity-plans-fail&catid=4:business-continuity-planning&Itemid=22.

Molière, J. B. (n.d.). Harvard Business Review. Retrieved January 31, 2012, from Management Quotes Web Site: http://www.mgmtquotes.com/subject/Accountability/.