Given the Severe Acute Respiratory Syndrome (SARS) outbreak in 2002, the idea that companies should prepare their IT systems for what health officials have warned will be an influenza pandemic isn’t so far-reaching.
Theft, power failure, terrorist attacks, fire, natural disaster, system failures, human error, virus, worker strikes, and systems testing, are just some of the possible disasters that can strike a company’s IT infrastructure, said Bruce Cowper, senior program manager for security mobilization initiative at Mississauga, Ont.-based Microsoft Canada. He was speaking at the World Conference on Disaster Management in Toronto, Ont. Tuesday.
The surprise of the SARS outbreak taught many organizations that their disaster recovery and business continuity plans were insufficient. Toronto, Ont.-based electricity provider, Hydro One, was no exception, said the company’s Dave Baumken, manager of emergency preparedness and business continuity planning.
“We didn’t have anything in place for high volumes of staff absenteeism,” said Baumken.
Among requirements to keep the business running, such as staff, Hydro One is also heavily reliant on its telecommunications and computer systems, said Baumken. “Loss of telecommunications and computer services is our biggest concern,” but insisted it’s an area under control where the company has placed a lot of disaster recovery focus.
If Hydro One is unable to continue providing service, said Baumken, a “cascading effect occurs” from vendor to consumer and so forth. Baumken said Hydro One employs back up data centres to enable business continuity in the event of disasters.
Actually, the company’s disaster recovery and business continuity plans are designed to handle multiple events, he said – an approach deemed appropriate when the electricity blackout of 2003 was followed by severe summer storms and a computer virus. “It’s not going to be a single event. It hasn’t been and it won’t be.”
When devising such plans, Baumken suggests getting support from executive leadership; and ensuring ahead of time that, in the event of employees having to work remotely, the company has the “horsepower” to sustain business communications via channels like conference calls.
Toronto, Ont.-based electricity provider Ontario Power Generation (OPG) began to develop a disaster recovery plan in 2005 when cases of influenza began to surface. The company’s approach may have begun with pandemic planning, however, the result is a broader plan covering all disasters, said OPG’s Gian Di Giambattista, director of emergency preparedness. “We needed enough of a capability to respond other contingences.”
The process, entailed creating a high-level corporate plan by assembling different subject-matter experts from areas like security, safety, communications, technology, and emergency preparedness, said OPG’s Mary Lou Sinclair, director of corporate safety.
That corporate plan was then distributed to individual business units – IT and security, for instance – to develop a specific approach tailored to their needs. That stage of the process is ongoing.
But basically, the goals, she said, are to protect employee health and company assets (IT infrastructure and intellectual property), and continue electricity service to customers while complying with legislative requirements such as occupational health and safety.
Disaster recovery and business continuity are a great way to start for any company, however, “no matter how prepared you really are, there are probably many things that you’ve never even considered,” said Cowper.
In creating a plan, he recommended that companies assess their assets (communication channels, hardware, intellectual property that resides on the network), and the risks associated with those assets. Then evaluate the business impact those risks pose, and the current controls in place designed to mitigate those risks.
Next, he said companies should decide on the time frame by which to recover (in other words, how long can you wait to restore all data and services?), and categorize assets by degree of importance to determine how much the company is prepared to lose.
And, ensure that IT systems are structured or restructured to take into account recent system changes, such as new software installation, which might affect another part of the infrastructure.
This is particularly important, said Cowper, because often the failure of IT systems is not due to hardware or software issues, but rather things like system complexity, misconfiguration and out-of-date processes.
Also, he said, it’s a good idea to keep isolated systems, such as separate data centres, and mobile recovery facilities.
Employee preparedness plays a large role, too, in a successful disaster recovery plan, although he’s observed staff training is not usually something that’s warmly welcomed.