Disaster Prevention and Recovery Evan Happel, Sheena McLeod, Colin Millison

Post on 21-Dec-2015

Disaster Prevention and Recovery

Evan Happel, Sheena McLeod, Colin Millison

Aeneas Case Study

Internet and Telephone of Jackson, Tennessee

May 4, 2003

400 businesses hit by a category F4 tornado with 200 mph winds.

11 deaths and $50 million in damages

How did their disaster recovery plan help?

Aeneas Case Study Cont.

Backup systems

Employees worked from remote locations.

In less than 72 hours they were back, fully serving the customers' needs.

Most people never even lost service

Planned for the worst case scenario.

How Much Do You Know?

Take out a piece of paper and pencil.

Quiz time!

See how much you know, then we will give you the answers at the end.

Quiz

1) True or False: Disaster recovery planning is complex and expensive?

2) Which option is not a required item in a disaster recovery plan?

– A. Location of recovery facility
– B. Computer equipment list
– C. List of phone numbers of key people in the company
– D. Disaster recovery testing results

(www.paeinc.com/book/paefrm.html)

Quiz Continued

3) True or False: Why should you care about disaster prevention? There is nothing that can be done to prevent a disaster. (www.paeinc.com/book/paefrm.html)

4) Reviewing of a disaster recovery plan should take place

– A. Once
– B. Once a year
– C. Twice a year

(Total Contingency Planning for Disasters)

Quiz Continued

5) What are the three types of disasters?

6) What percentage of business organizations have a workable disaster recovery plan?

(Total Contingency Planning for Disasters)

Disasters

Can fall into one of three types

• 1. Natural: Caused by a natural event
• 2. Environmental: Related to environmental problems
• 3. Incited: Provoked and urged on

(Total Contingency Planning for Disasters)

Natural

Examples:

Flood

Earthquake

Tornado

Fire

Hurricane

(Total Contingency Planning for Disasters)

Environmental

Examples:

Aircraft crash

Explosion

Contamination

Power

(Total Contingency Planning for Disasters)

Incited

Examples:

Arson

Sabotage

Vandalism

(Total Contingency Planning for Disasters)

Facts and Statistics

At least 1/4 of all businesses that close because of disaster never reopen (www.ibhs.org/business_protection)

Current estimates put business losses as high as several billion dollars each week to various forms of cyber attacks (www.ready.gov)

A company loses around $1 million/hour due to downtime or idle employees (Disaster Recovery Planning)

Getting Started: Contingency Planning

Objectives of a contingency plan

– 1) Prevent disaster from occurring
– 2) Contain the impact of a disaster if one does happen
– 3) Provide an organized response to a disaster
– 4) Minimize disruptions to cash flow
– 5) Provide alternate ways to service customer orders
– 6) Prevent a significant long-term loss of market share

(Total Contingency Planning for Disasters)

Contingency Planning Basics Continued

Knowing what to plan for

– Visit FEMA’s website and explore “are you ready”

Impact analysis: examine four areas

– 1) The relative value of the information or infrastructure component
– 2) The possible public fallout
– 3) The denial of business potential
– 4) The ease of attack

(Total Contingency Planning for Disasters)

Cyber Protection: 12 Step Plan

1) Use strong passwords and change them regularly

2) Look out for e-mail attachments and internet download modules

3) Install, maintain, and apply anti-virus programs

4) Install firewalls

Cyber Protection Continued

5) Remove unused software and user accounts; clean out everything on replaced equipment

6) Establish physical access controls for all computer equipment

7) Create backups for important files, folders, and software

8) Keep current software updates

Cyber Protection Continued

9) Implement network security with access controls

10) Limit access to sensitive and confidential data

11) Establish and follow a security financial risk management plan; maintain adequate insurance coverage

12) Get technical expertise and outside help when you need it

(ready.gov)

After Plan Is Created

Communicate

Reassess annually

(Total Contingency Planning for Disasters)

Recovery Planning

Practical Reasoning

– To avoid extended periods of downtime
  • Idle = big $
– To avoid loss of data/information/physical goods
  • Due to uncontrollable situations, such as terrorist attacks

Legal Reasoning

– Governmental agencies pass regulations and acts to ensure companies implement a recovery plan
  • IRS (cross-industry)
  • Banking, Health Care, and Financial sectors

(source: Disaster Recovery Planning)

Recovery Planning: Storage Options

Consolidated Storage

– Multiple platforms using a Storage Area Network (SAN) to put all their data into one centralized/secure location
– Sold at Dell.com, starting at $1000
– Also sold by Hewlett Packard, Hitachi Data Systems, and Data Domain

(source: Disaster Recovery Planning)

Recovery Planning: Storage Options

Tape Storage

– Magnetic tapes/cassettes used to back up data
– Most effective when stored off-site
– Need to be checked regularly to make sure they are storing data properly
– Sold at Dell.com ($699 to $20,000+)
– Also at Hewlett Packard, Hitachi Data Systems, and Data Domain

(source: Disaster Recovery Planning)

Recovery Planning: Storage Options

Remote Mirroring

– Saving data simultaneously in two or more locations using a high speed Local Area Network (LAN)
– Geographically separate to avoid destruction of data by the same disaster
– Service provided by RADirect.com (no prices listed)

(source: Disaster Recovery Planning)

Recovery Planning: Storage Options

Off-site Cooperative Storage

– Sharing a warehouse or facility with another company
  • Pro: less expensive
  • Con: less secure, can you trust who you are sharing with?

(source: Disaster Recovery Planning)

Recovery Planning: Storage Options

Off-site Commercial Storage

– Moving-and-Storage Facilities (tangible files)
  • U-Haul $45 to $130 per month
  • Also offered by Secure Storage and Shurgard
– Data and Records Storage (digital files)
  • US Data Trust; $119 to $2,763 per month
    – depends on level of service, amount of storage
  • Service providers: Iron Mountain, Global Data Vault, Sure West, and Recall

(source: Disaster Recovery Planning)

Off-Site Commercial Storage Guidelines (6)

1. Reputation

– How long have they been doing business?
– Check with Better Business Bureau
– Reputation with other companies

2. Security

– Should be as good or better than the security at your facilities

(source: Disaster Recovery Planning)

Off-Site Commercial Storage Guidelines

3. Media Management

– All magnetic media in same location
– Separation between competitors

4. Environmental Factors

– Weather proof
– Fire suppression
– Temperature/atmosphere control

(source: Disaster Recovery Planning)

Off-Site Commercial Storage Guidelines

5. Transportation

– Is it safe in transit from your business to theirs? (i.e. weather, damage, theft)

6. Fees

– Are the fees for service more than it costs to deal with the data on your own?

(source: Disaster Recovery Planning)

Quiz Answers

1) False-does not have to be expensive. Best way to keep costs down is to apply KISS “keep it simple stupid”

2) D-Disaster Recovery Results are not needed in the plan but are nice to have. If you do test the plan use the results to modify the plan and correct problem areas. (www.paeinc.com/book/paefrm.html)

Quiz Answers Continued

3) False-Disaster planning can prevent some potential disasters. Many computer disasters are caused by the facility itself. With proper planning these problem areas can be corrected before they become a disaster. (www.paeinc.com/book/paefrm.html)

4) B-Review of disaster recovery plan should take place once a year. (Total Contingency Planning for Disasters)

Quiz Answers Continued

5) Three types of disasters are natural, environmental, and incited.

6) Less than 25% of businesses have a workable disaster recovery plan.

(Total Contingency Planning for Disasters)

References

www.Ready.gov

www.FEMA.gov

www.FEMA.gov/kids

Myers, Kenneth. (1993) Total Contingency Planning For Disasters; John Wiley and Sons Publ., Canada

www.ibhs.org/business_protection

www.sba.gov

www.paeinc.com/book/paefrm.html

Toigo, Jon William. (1996) Disaster Recovery Planning

Harris, Steve. (1992) PC Recovery and Disaster Prevention

Britt, Phillip. (2005) Taking Steps for Disaster Recovery; Information Today, Vol 21, Issue 34, 83.

References Continued

Bowen, Ted Smalley. (1999) Planning for Recovery; Infoworld, Vol 21, Issues 34, 83.

Greenberg, Eric. (2002) Managing Risk; PC Magazine, Vol 21, Issue 1, 66-68.

Tennant, Roy. (2001) Coping with Disasters; Library Journal, Vol 26, Issue 19, 26-28.

Rogers, James and Jack Smith. (2001) Advantages and Challenges of Implementing ASP’s; Plant Engineering, Vol 55, Issue 10, 61.

Stead, Eleanor and Clive Smallman. (1999) Understanding Business Failure; Learning and Unlearning from Industrial Crises; Journal of Contingencies and Crisis Management, Vol 7, Issue 1, 1.