Posts in The ‘Business Continuity’ Category

« Older Entries
Newer Entries »

Four IT Assessments and Why Your Business Needs Them

Tuesday, September 21st, 2010

IT assessments, in general, can maximize your technology efforts, ensuring you get the most for your investments. However, there are many types of assessments and all are not created equal. When IT budgets are being cut left and right, here are four IT assessments that will serve your business well now and into the future.  

Business Impact Analysis/Risk Assessment
A vital part of an organization’s disaster recovery plan, a Business Impact Analysis (BIA), sometimes called a Business Risk Assessment, is an information-gathering exercise designed to methodically identify the processes performed by an organization, the resources required to support each process performed, and the possibilities and impact of process failures on business operations. This provides a solid foundation for developing a business continuity strategy, allowing the organization to continue to perform critical processes in the event of a disruption.

Data Center Management and Operations Assessment
This assessment provides strategic planning for people, process and technologies in and around the data center. Making tactical changes in how the data center is administered and managed can result in significant cost savings.  A holistic approach is necessary when analyzing data center assets; business goals, objectives, and requirements need to be considered in order to provide actionable recommendations.

The business need is related to the operational process around data center management and operations. Streamlined processes improve how the data center is managed on a daily basis from compute infrastructure requirements to decommissioning of assets and all the operational processes performed in between. Cost savings in deployment, consolidation, virtualization, and management of assets provide significant cost savings in asset inventory, support contracts, and maintenance costs. There are also overall reduced data center operating costs savings derived from reduced cooling, power, and space requirements once recommendations are implemented.

Data Protection Assessment
Through qualitative and quantitative information, this assessment identifies key gaps in asset protection and data security while offering recommendations for immediate improvement as well as long term strategic business continuity considerations.  The ultimate goal is to deliver a data protection plan that prioritizes customer requirements, maps IT technologies and processes to business drivers, and delivers actionable solutions to successfully minimize risk.

Virtual Infrastructure Assessment
Using capacity planning tools to collect and analyze performance and utilization metrics in the IT environment, a virtual infrastructure assessment measures and tunes server, storage, network, and application performance against business and service requirements.  Opportunities for IT consolidation are identified that focus on manageability, availability, cost, and risk.  Cost savings and real efficiencies are not automatic with deployment of virtualization.  Effective processes and controls must be in place to gain these advantages regardless of where a business is in the virtualization adoption lifecycle.

Tags: , , , , ,
Posted in Business Continuity, Data Protection, IT Solutions | Comments Off

Business Continuity / Disaster Recovery: Where do I start?

Thursday, September 2nd, 2010

Recently, I conducted a presentation on how to develop a successful Business Continuity(BC) / Disaster Recovery (DR) plan. As I was going over attendee feedback afterwards, there was one fundamental question that showed up multiple times — where do I start?

A valid question. It’s easy to get overwhelmed with the thought of implementing a comprehensive business continuity strategy. It’s one thing to know that a BC/DR plan is a “must-have” for your business. But it’s another, completely different thing to implement one. So as you set off on your quest to devise a BC/DR plan, use these guidelines as a starting point and you’ll soon see that a good BC/DR strategy is not only necessary, but doable.  

One: Cultivate an Understanding
Before devising the plan, you must understand the terminology. There are many acronyms and industry buzzwords that mean different things as they pertain to departments and individuals. Once your organization agrees on what it is you are trying to accomplish, only then can you move forward. 

Two: Develop the Business Case
Everyone within the organization has to be on board before you can proceed because a true BC/DR plan encompasses every facet of the business. To ensure cross-departmental involvement, it helps to first establish the business case, or your argument for developing the actual BC/DR plan. Are there specific business drivers or regulatory issues that make a business continuity strategy essential? If so, state your case and get executive support now. This will hopefully help alleviate some of the corporate politics that you may encounter.

Three: Assess the Current Environment
Pinpoint what it is you will be protecting — be specific — and identify all the risks involved. You can accomplish this via a number of ways, by conducting the following: a Business Impact Analysis (BIA) and/or a Risk Analysis. These more formalized processes will help you evaluate existing resources and establish a foundation for your plan. This is an excellent time to bring in an outside consultant; an experienced BC professional can drastically reduce the time and money needed to gather this information.

Four: Prioritize
Know the costs involved and define what absolutely needs to be done now then set priorities accordingly. You don’t have to devise a comprehensive BC/DR plan all at once. Apply a phased approach that models your immediate needs. Take baby steps. But be sure you address the following: Recovery Time Objective (RPO), Recovery Point Objective (RPO), critical applications and associated dependencies.

By taking the time to understand, analyze, and prioritize, you will be better prepared for your next step in creating a comprehensive, holistic BC/DR plan: Developing and Implementing a Business Continuity Management (BCM) Response. More on this in Part Two (coming soon).

Patrick R. Dunn, CISSP, CBCP
Principal Consultant – Disaster Recovery & Business Continuity
Vice Chairman – Contingency Planning Association of the Carolinas (CPAC)

Tags: , , , ,
Posted in Business Continuity | 1 Comment »

Employee Spotlight: Practice Manager – Business Continuity and Disaster Recovery Patrick Dunn

Wednesday, August 25th, 2010

No wonder Patrick is engaging and dynamic at his numerous business continuity speaking engagements around the country…as a two-time All American cheerleader and former University of Maine mascot, Bananas the bear, he’s had plenty of practice motivating crowds!

Consonus is pleased to have Patrick Dunn as practice manager - business continuity and disaster recovery. His extensive background comprises over twenty years of industry experience providing crisis management, business continuity development, disaster recovery planning, information security, IT assessment, and project management for Fortune 500 and Big Five accounting firms. Impressive credentials include time spent at SunGard Availability Services as a BC/DR Consulting Practice Manager, as well as Cap Gemini, Wright Express, Check Free/FISERV, and Fairchild Semiconductor.

As if his job doesn’t keep him busy enough, Patrick is an active member of numerous highly-regarded industry organizations up and down the east coast, including the Contingency Planning Association of the Carolina’s Inc. (CPAC) where he was recently appointed vice chairman. Industry certifications include: Certified Information Systems Security Professional (CISSP), Certified Business Continuity Professional (CBCP), and National Incident Management Systems (NIMS).

On those rare occasions of downtime, Patrick enjoys wine tasting (Shiraz is his favorite), American Revolutionary history (as a former Park Ranger for the National Park Service he led historical tours), and watching his beloved Boston Red Sox. Obviously a proud graduate of the University of Maine at Orono, Patrick lives in Flowery Branch, Georgia.

Three cheers for Patrick!

Tags: , , ,
Posted in Business Continuity, Inside Consonus | Comments Off

Data Protection and Your Career Dissipation Light (CDL)

Monday, August 23rd, 2010

As you look back over your IT career, you’ve probably (hopefully) had your share of success stories and significant accomplishments.  But there are events looming out there that may have a massive impact on your company and your career in the worst possible way.  The classic line from the movie Backdraft (1991) sums it up perfectly, “You see that flash of light in the corner of your eye? That’s your career dissipation light. It just went into high gear.”

Game Over.

Here are just a few reasons why your Career Dissipation Light can go into high gear (this = bad):       

1.    The Finance System is DOWN.  And has been for 48 hours.
The financial system is technically up and running but no one can login, receive payments, issue new invoices or cut purchase orders.  Turns out that you’ve got a network worm running rampant on the internal network … who knew?  Your team was supposed to!

2.    Contractors Gone Wild
So your company develops applications that are used by 95% of the Fortune 500.  Your source code repository is your company’s most critical data asset.  Here’s the news flash:  Your most critical data asset was stolen this morning when the new app dev contractor reported to work.  He simply went in, archived all the source code and uploaded it to his home network.  Problem is no one stopped it…hey, no one even knew about it.

3.    Losing your job to Asian hackers?  PRICELESS. (A MasterCard Moment)
This one will put your CDL into overdrive. Picture this:  Your company is experiencing explosive growth.  It sells goods and services over the ‘Net and you are picking up new customers by the hundreds every day.  Life is good!

You leave for vacation expecting some well earned rest and relaxation.  However on day one, your vacation is blown out of the water when you get “the call.”  It’s the network team lead calling every number he has to track you down.  When he gets you live, he gives you the low down:

  • MasterCard has contacted your company.  Thousands of MasterCard customers are reporting credit card fraud … going back for 90 days.  The common thread among all of these reports is that 100% of these consumers are your customers.
  • Network packet captures from this morning show that customer records are being copied in real time to a server at a university in China.
  • The network team lead thinks that multiple servers have been compromised in your cloud computing environment and some person or process is continually resetting the admin password.
  • MasterCard is demanding that your company’s system be taken off the ‘Net immediately and is threatening a $25k per month fine because of non-compliance with PCI.

The network team lead wraps by saying the CEO has an emergency meeting with the board at 8:30 AM tomorrow morning so he wants you in his office by 8:00 PM tonight.  You hang up the phone, tell your spouse and kids to pack their bags, and head home early to try to save your job.

These different scenarios illustrate how absolutely vital a comprehensive data protection plan is to your business; one that includes 7×24x365 monitoring, high availability, and multiple layers of protection. Unfortunately, there is no one single antidote to ward off all attempts. But a cross-functional approach is the best choice and absolutely necessary to safeguard your business-critical information and applications from outside attacks. You can’t afford NOT to have a well-defined security policy in place; the future of your job and the longevity of your company depend on it!

Jim Brown, CISSP
nGuard, Inc.

Headquartered in Charlotte, NC, nGuard is a valued Consonus manufacturing partner in the security arean, providing security assessments, managed security services and security solutions to companies located in the US.  nGuard’s intense focus on real world security expertise and internationally recognized security certifications allows the firm to service a broad range of companies and industries. For more information, please visit www.nguard.com.

Tags: , , , ,
Posted in Business Continuity, Data Protection, IT Solutions | Comments Off

The 12 Layers of IT Security

Monday, August 9th, 2010

In Ancient Greek warfare, Alexander the Great popularized a combat formation known as the phalanx – a rectangular mass composed entirely of heavily armed infantry deployed in ranks of eight men deep.

This historic phalanx model of protection applies to IT security today, where the need for organizations to deploy a multi-layered defense to fend off attackers is imperative. Each layer reduces the number of attackers that get through until the numbers dwindle down to a manageable amount. 

In terms of IT infrastructure security, here are the levels of fortification that should be a part of your data  protection strategy for the enterprise: 

  1. Anti-Virus
  2. Anti-Spam
  3. Intrusion Prevention
  4. Intrusion Detection
  5. Active Email Scanning
  6. Active File Scanning
  7. Firewall
  8. Monitoring
  9. Security Best Practices
  10. Data Loss Prevention
  11. Educated and Attentive employees
  12. Well Defined, Implemented, and Enforced Corporate Policies

Like the Phalanx, even the most layered defense still has its vulnerabilities. The weakest components in a data security plan are usually corporate policies and employee education; these two elements are more apt to expose your business to internal risk by opening up the corporate network to attack.

Ultimately, the goal of any data protection strategy is to guard your business-critical information and applications from attacking armies of hackers and mal-intents. Unfortunately, there is no one silver bullet to ward off all attempts. But a layered approach to security comprised of robust levels and supported by skilled IT professionals will ensure you win not only the IT security battle, but the data protection war.

Tags: , , ,
Posted in Business Continuity, Data Protection, IT Solutions | No Comments »

On a Tight IT Budget? Failover to the Cloud

Monday, June 28th, 2010

By now you’ve likely received your one millionth email bulletin regarding virtualization or the cloud and you no doubt recognize its value in your environment.  Regardless of where you are in your virtualization strategy, you still need a comprehensive disaster recovery (DR) plan.  While the gold standard for many years was a contract with SunGard for cold-, warm-, or hot-site failover, there are better options available today that provide faster recovery, shorter restore time (RTO) and restore point objectives (RPO), and are significantly less expensive.

More importantly, it is now possible to actually test a full scale failover – something that has been very difficult with traditional technologies.  In the old model, you had to ship the data (on disk or tape) to a distant facility, load the data (possibly onto gear that you paid for but is sitting idle), and pray.  Even then you were only able to test a small subset of the overall DR environment because you simply didn’t have the time in your test window to get it all done.

Today, the technology exists and service providers have well developed solutions to provide near zero RPO’s.  Failover can occur on dozens of production servers in remote cloud environments in just a fraction of the time previously required.  The real benefit of this is that you can run your DR test against a snapshot of your live data while your existing environment continues to replicate just in case there is a true disaster at or near your test window.

A great example of technology that uses the cloud for failover is the patented Virtual Business Continuity (VBC) solution offered by Consonus.  A predictable cost model that minimizes capital investment, pricing is based on the amount of customer data protected and the number of servers used in the Consonus remote replication service.

Check it out.

Daniel Milburn, CISSP
SVP & COO Hosting & Infrastructure Services

Tags: , , , ,
Posted in Business Continuity, IT Solutions, Virtualization | Comments Off

Observations from a Business Continuity Professional…

Friday, June 18th, 2010

It is sometimes easy to second guess others during a crisis, especially ones as devastating as Katrina or the current disaster in the Gulf. But to not criticize the disaster recovery plans or the lack of disaster recovery testing by British Petroleum should be considered negligent by any self respecting business continuity professional. 

I want to offer a few comments on Disaster Recovery (DR) and Business Continuity (BC) planning in general, as it pertains to the situation in the Gulf. 

  1. An experienced DR/BC professional follows leading best practices and would not create a boiler plate template that is implemented in all regions of an organization’s business.  A good DR/BC plan should be modified and customized to account for regional and cultural differences.  An oil company’s disaster strategy for Alaska should be vastly different from a recovery plan developed for the Gulf of Mexico because there are different environmental elements that must be considered and that will have a significant impact on the practicality of the plan.
  2. All DR plans need to be tested on a regular basis, especially ones that have the potential to save an entire region.  If these plans had been tested in the Gulf, then it would have been discovered that having a plan to save walruses was of no use in the Gulf of Mexico and their Call Trees would have had correct names in place.
  3. When creating Crisis Management Plans, it is not always necessary or desirable to have the CEO of a company giving status updates — that in itself can turn into a disaster.
  4. Don’t be afraid to accept assistance from vendors, suppliers, foreign governments etc.  They may have more experience in the type of event.
  5. Have a clearly defined Incident Commander and make sure everyone knows who is in charge.

If you don’t have a current disaster recovery plan in place, create one. Start with a Business Impact Analysis to inventory your current efforts. Then develop a viable, practical plan that can be tested, updated, and approved. Then repeat this process again and again to guarantee your plan remains effective and appropriate.

And by all means, utilize a business continuity expert to assist you. This will ensure you have a true and usable plan. 

Do all that is necessary, take all the needed steps and don’t shortcut the process…unless of course you want the end results to mirror what’s happening in the Gulf.

Patrick R. Dunn, CISSP, CBCP
Principal Consultant – Disaster Recovery & Business Continuity

Tags: , , , ,
Posted in Business Continuity, IT Solutions, The Water Cooler | 1 Comment »

Disaster Recovery Best Practices

Friday, June 18th, 2010

 For those who need a refresher course in disaster recovery, here are standard disaster recovery best practices according to the Disaster Recovery Institute.

1.  Program Initiation and Management
Establish the need for a Business Continuity Management (BCM) Program, including resilience strategies, recovery objectives, business continuity, operational risk management considerations and crisis management plans.  The prerequisites within this effort include obtaining management support and organizing and managing the formulation of the functions or processes required to construct the BCM framework.
   
2.  Risk Evaluation and Control
Determine the risks (events or surroundings) that can adversely affect the organization and its resources (example(s) include: people, facilities, technologies) due to business interruption; the potential loss from such events can cause  the controls needed to avoid or mitigate the effects of those risks.  As an outcome of the above, a cost benefit analysis will be required to justify the investment in controls.

 3.  Business Impact Analysis (BIA)
Identify the impacts resulting from business interruptions that can affect the organization and techniques that can be used to quantify and qualify such impacts. Identify time-critical functions, their recovery priorities, and inter-dependencies so that recovery time objectives can be established and approved.

 4.  Business Continuity Strategies
Leverage the outcome of the Business Impact Analysis and Risk Evaluation to develop and recommend business continuity strategies.  The basis for these strategies is both the recovery time and point objectives in support of the organization’s critical functions.

 5.  Emergency Response and Operations
Identify an organizations’ readiness to respond to an emergency in a coordinated, timely and effective manner.  Develop and implement procedures for initial response and stabilization of situations until the arrival of authorities having jurisdiction (if/when).

 6.  Business Continuity Plans
Design, develop, and implement Business Continuity Plans that provide continuity and/or recovery as identified by the organization’s requirements.

 7. Awareness and Training Programs
Prepare a program to create and maintain corporate awareness and enhance the skills required to develop and implement Business Continuity Management.
     
8. Business Continuity Plan Exercise, Audit and Maintenance
Establish an exercise/testing program which documents plan exercise requirements including the planning, scheduling, facilitation, communications, auditing and post review documentation.    Establish a maintenance program to keep plans current and relevant.  Establish an audit process which will validate compliance with standards, review solutions, verify appropriate levels of maintenance and exercise activities and validate the plans to ensure they are current, accurate and complete.
     
9. Crisis Communications
Develop and document the action plans to facilitate communication of critical continuity information.  Coordinate and exercise with stakeholders and the media to ensure clarity during crisis communications.
    
10. Coordination with External Agencies
Establish applicable procedures and policies for coordinating continuity and disaster recovery activities with external agencies (local, regional, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes and regulations.

Patrick R. Dunn, CISSP, CBCP
Principal Consultant – Disaster Recovery & Business Continuity

Tags: , , , , ,
Posted in Business Continuity, IT Solutions | 1 Comment »

Is your business prepared for hurricane season?

Thursday, May 20th, 2010

June 1st marks the beginning of hurricane season, continuing until November 30th.  With an above  average hurricane season predicted for the United States this year, government agencies, businesses and other organizations need to take steps now to ensure they are prepared for a disruption to both IT infrastructure and critical business processes.

Many business account for IT interruptions but neglect the business or people side of the organization. Unfortunately, the result is a plan where IT may be available, but the people have no place to go and work.  This is where business continuity planning can save a company.

Businesses in the southeast and gulf coast regions should account for natural disasters in their business continuity plans and take the following precautions:

  • Be able to communicate and account for employees. Have call trees in place. 
  • Consider the impact of hazardous materials – The Gulf region oil spill has the potential to affect the entire Gulf and Atlantic Coastline, so plan accordingly. 
  • Give your employees an alternative place to go by establishing a substitute business location in the case of an emergency. 
  • Present other options for transportation. 
  • Ensure drinking water and plumbing issues are addressed. 
  • Develop manual work-arounds for procedures. 
  • Find out if your primary vendors have disaster recovery plans. 
  • Define critical processes and applications and confirm they align with IT. 
  • Test the plan.

When it comes to hurricanes, wind speeds do not tell the entire story. Hurricanes produce storm surges, tornadoes, and often the most deadly of all — inland flooding.  It’s important that you also incorporate the following into your disaster recovery strategy:

  • Protect hardware/software/data records/employee records, etc. 
  • Routinely back up files to an off-site location. 
  • Use a generator for supplying backup power to vital computer hardware and other mission-critical equipment. 
  • Utilize a co-location, managed service provider or have a secondary data center in an area that is out of the impact zone, away from your primary facility. 
  • Prearrange the replacement of damaged hardware with vendors to ensure quick business recovery.
  • Assemble a crisis-management team and create a crisis management plan.

National Hurricane Preparedness Week is next week, May 23 through May 29. According to the National Hurricane Center, each year an average of 11 tropical storms develop over the Atlantic Ocean, Caribbean Sea, and Gulf of Mexico. About six to eight of these storms become hurricanes each year with the potential to cause devastating damage.  Make sure you have a viable, comprehensive disaster recovery plan so you can weather any storm. You’re business depends on it!

Patrick R. Dunn, CISSP, CBCP
Principal Consultant – Disaster Recovery & Business Continuity

Tags: , , ,
Posted in Business Continuity, IT Solutions | No Comments »

Data Centers and Earthquakes

Wednesday, April 7th, 2010

According to reports, the force from Easter Sunday’s 7.2 magnitude earthquake in Baja, California caused high-rise buildings to sway back and forth not only in surrounding southern California towns, but also 103 miles northwest in downtown Los Angeles and as far away as Las Vegas and Phoenix. Caltech officials reported that over 20 million people felt shaking related to the earthquake. And aftershocks are still occurring…some as high as 5.4 in magnitude.

Not only does an earthquake rattle nerves and shake buildings, but it can do devastating damage to data centers. It can vibrate and shudder racks of servers and equipment, rendering them useless. If you host at a data center with no natural disaster technology in place, chances are high that your mission-critical data will experience devastating damage too; unless, of course, your data center has earthquake-tolerant technology.

When you want to protect your most valuable business asset, information, look for data center providers that specifically address natural disasters via technologies that minimize risk. Earthquake gliders, friction pendulums, and base isolators are just some of the methods data centers use to safeguard information in the event of a natural catastrophe; some techniques involve only the equipment, while others focus on the entire facility.

For example, base isolation technology affects the entire structure. A fixed-base building–built directly into the ground–will move with an earthquake’s motion. As a result, the building can sustain extensive damage. However, when a building is built away—isolated–from the ground, resting on flexible bearings or pads known as base isolators, it will barely move during an earthquake. Your data is still safe and business can go on as normal.

Consonus has two data centers in Utah that are designed to remain fully operational during and after a 7.5 magnitude earthquake. Using base isolation, our data centers are constructed from the ground up to prevent and minimize damage during an earthquake.

But not every data center uses earthquake technology. Look for a data center with a history of delivering disaster recovery and business continuity solutions. This will give you peace of mind, even in the event of an earthquake.

And prepare yourself and your business BEFORE a disaster strikes. Governor Gary Herbert has designated April 4-10 as Earthquake Preparedness Week. Find out what you can do to prepare for an earthquake and its aftermath. Visit BeReadyUtah.gov for helpful tips and resources.

Rob Muir
Vice President Western Operations

Tags: , , , ,
Posted in Business Continuity, IT Solutions | 1 Comment »

« Older Entries
Newer Entries »