W3 Discussion Comments

 

Insurance: Many of you were surprised that companies were not better prepared for disasters. The preparation can be very costly. Also, the preparation can be next to useless if recovery procedures are not tested periodically. This testing can also be expensive. Sometimes businesses look at this expense and make a bad calculation on risk vs. reward.

In the future, you may be involved in making decisions about how much to invest in Disaster Recovery Plans and Drills vs. projects that could increase sales and profits. How much risk will you be willing to take? Will you be able to sell your point of view to the person who makes the decision?

Many of you mentioned file backups in this discussion. Another key aspect of disaster recovery is having a way to get in contact with the people in the company who will be involved in the recovery. In a major disaster, how can you find out which employees are still alive and uninjured? Not being able to find people who know passwords or know where recovery passwords are stored can delay recovery even if backup files are available. What procedures and lists would you set up in advance? Remember, as Brian mentioned, that the normal phone systems may not be working.

 

War Story 1: Never assume that automatic backups are automatic. Last year in Tech Republic, there was an article where a consultant discovered that backups at his client had not taken place for two weeks because someone unplugged the external hard drive in order to charge his cell phone.

War Story 2: I had a client in Houston that had the following line in their Disaster Recovery Procedures: "Carry the tapes from the tape library to the second floor starting with the lowest shelf first." The "starting with the lowest shelf first" made me think that they had dealt with water problems previously.

Trade-offs: Estimating the time to recovery helps management understand the trade-off between cost and recovery time. Having servers off-site ready to go allows for a quicker recovery. This is expensive in terms of initial investment and requires that data and programs be frequently replicated to the "hot backup" site. It is a business decision to determine how to balance costs vs. the business need for a quick recovery. For example, could Dominican survive a one-week outage? (I would say yes). Could the Chicago Mercantile Exchange survive a one-week outage? (I would say they would never recover their reputation and lost business).

LOGISTICS: What about passwords, procedures and lists of personnel and phone numbers? What if the only person who knows the administrative password is lost or injured in the disaster? Remember, as Brian mentioned, that the normal phone systems may not be working.

What if you are not in the IT Department? Even if you run a department other than IT, you should determine how your department will operate under various disaster scenarios (no power for 2 days, fire in your department, flood keeps 75% of your workers from reaching the office, etc.).

Dominican: An outside consultant can provide technical and project management help, but you cannot delegate the Disaster Recovery planning to the outside consultant. A very important part of the planning is making the decisions that trade off cost vs. time to recover, and the consultant should not be the person doing this.

In the case of Dominican, relocating and/or separating the servers might make a small difference in the time it takes to recover but (in my opinion) not enough to make up for the expense. The server location issue is not as important as having the right off-site backups, testing recovery plans, and being able to contact and account for the people.

The Priory Campus is probably too close to be considered for use as a Disaster Recovery Site. http://www.computerworld.com/s/article/80262/U.S._regulators_issue_disaster_recovery_guidelines suggests a minimum distance of 200 - 300 miles. However, the government regulations apply to financial exchanges that are important to the national economy. Dominican is not required to follow these regulations.

 

Personal Disaster Recovery (D3):

Personal disaster recovery planning also involves more than cell phone and hard drive backup. You did mention wills. Depending on your situation, health insurance, disability income insurance, life insurance and home/renters insurance could also be very important.

Systems like Carbonite and MozyHome allow you to specify what files on your personal hard drive should be copied to an off-site server. Other types of cloud backup include copying documents and files to Google Documents, Hotmail, Gmail, Flickr, or Windows Live.

Although this is not a course in computer security, you need to consider the security of backup copies of your personal and company files. Backups should be encrypted so that if someone finds your backup files, they cannot easily extract information from them. Ritu mentioned this.

Personal Comment: You mentioned that you could not imagine living without technology. I can imagine life without technology because I lived it as a child. There were no ATMs, cell phones, or personal computers. Large department stores and oil companies accepted their own credit cards (no MasterCard or Visa). Banks closed at 2:30 pm so that bank tellers could manually balance the day's activity. Long distance telephone calls were so expensive that we used snail mail (3 cent stamps).