Measuring Disaster Recovery Maturity

Stephanie Balaouras

Each year for the past three years I've analyzed and written on the state of enterprise disaster recovery preparedness, and I've seen a definite improvement in overall DR preparedness over that period. Most enterprises do have some kind of recovery data center; enterprises often use an internal or colocated recovery data center to support advanced DR solutions such as replication and more "active-active" data center configurations; and finally, the distance between data centers is increasing. As much as things have improved, there is still a lot more room for improvement, not just in advanced technology adoption but also in DR process management. I typically find that very few enterprises are both technically sophisticated and good at managing DR as an ongoing process.

When it comes to DR planning and process management, there are a number of standards, including the British Standard for IT Service Continuity Management (BS 25777), other country standards and even industry-specific standards. British Standards have a history of evolving into ISO standards, and there has already been widespread acceptance of BS 25777 as well as BS 25999 (the business continuity version). No matter which standard you follow, I don't think you can go drastically wrong. DR planning best practices have been well defined for years, and there is a lot of commonality in these standards. They will all recommend:


The GRC Groundswell

Chris McClean

As GRC practices continue to gain traction, I've had a lot of great conversations lately with clients about the importance of peer interaction for professionals in governance, risk, and compliance roles. With his finger apparently on the pulse of all major technology trends, Forrester's Josh Bernoff must see this as well. This week he announced the winners of the 2009 Forrester Groundswell Awards, with two top GRC vendors among the winners. (For those of you not familiar with Josh Bernoff or Groundswell, check out the book info here.)


2009-2010 Forrester And Disaster Recovery Journal Survey

Stephanie Balaouras

Two years ago, Forrester and the Disaster Recovery Journal partnered to field surveys on a pair of pressing topics in risk management: business continuity (BC) and disaster recovery (DR). The surveys highlight trends in the industry and provide organizations with some statistical data for peer comparison. The partnership has been a huge success. In 2007, we examined the state of disaster recovery preparedness; in 2008, we examined the state of business continuity preparedness; and this year, we examine the state of crisis communications and the interplay between enterprise risk management and business continuity.

We decided to focus on crisis communications because, as last year's study revealed, one of the lessons learned from organizations that had invoked a business continuity plan (BCP) was that they had greatly underestimated the importance and difficulty of communication and collaboration inside and outside the organization. In any situation, whether a natural disaster, a power outage, a security incident or even a corporate scandal, crisis communication is critical to responding quickly, managing the response and returning to normal operations.

Organizations approach crisis communication differently. In some organizations, crisis communications is a separate team that works together with BC/DR planning teams to embed communication strategies into BCPs/DRPs; in other companies, the BC/DR planning teams do their best to address crisis communication themselves.


The Role Of IT Operations In Archiving

Stephanie Balaouras

Yesterday IBM announced the availability of its new IBM Information Archive Appliance. The appliance replaces IBM's DR550. The new appliance has significantly increased scale and performance because it's built on IBM's Global Parallel File System (GPFS), offers more interfaces (NAS and an API to Tivoli Storage Manager) and accepts information from multiple sources: IBM content management and archiving software and eventually third-party software. Tivoli Storage Manager (TSM) is embedded in the appliance to provide automated tiered disk and tape storage as well as block-level deduplication. TSM's block-level deduplication will reduce storage capacity requirements, and its disk and tape management capabilities will let IT continue to leverage tape for long-term data retention. All these appliance subcomponents are transparent to the IT end user who manages the appliance; he or she just sees one console where collections and retention policies for those collections are defined.


How Should Auditors Deal With Such Oddities?

Chris McClean

Two weeks ago, I commented on the changing role of the risk management professional, and thought it would be worthwhile to spend a few moments discussing the auditor as well. In a contest of which job is likely to see more change in the next two years, I would expect a photo finish.


From Scapegoat to Savior: The Risk Manager Story

Chris McClean

Even in the toughest times, winners will invariably emerge. With the way expectations are changing regarding corporate controls and disclosure, risk management professionals (whose lack of influence was seen as a substantial cause of our current state of affairs to begin with) will likely be among the first beneficiaries of our new outlook on business.

Forrester customer inquiries seem to have taken a step back to basics when it comes to risk management. While there are still plenty of incoming technology and vendor selection questions, there has been a noticeable spike in calls about fundamental issues, such as how to build and organize risk management programs. Knowledge and experience in risk management basics are in high demand.

Last week, the New York Times emphasized this demand by highlighting the current value of graduate degrees or certification related to risk management. The article explains:


Don't Rely On Industry Averages For Cost Of Downtime

Stephanie Balaouras

On a weekly basis, I get at least one inquiry request from either a vendor or an end-user company seeking industry averages for the cost of downtime. Vendors like to quote these statistics to grab your attention and to create a sense of urgency to buy their products or services. BC/DR planners and senior IT managers quote these statistics to create a sense of urgency with their own executives, who are often loath to invest in BC/DR preparedness because they view it as a very expensive insurance policy.

BC/DR planners, senior IT managers and anyone else trying to build the business case for BC/DR should avoid the use of industry averages and other sensational statistics. While these statistics do grab attention, more often than not they are misleading and inaccurate, and your executives will see through them. You'll hurt your business case in the end because you haven't done your homework, and your execs will know it.

I saw a study recently that stated the cost of downtime for the insurance industry was $1,202,444 per hour. You might be tempted to grab this statistic and throw it into the next presentation to your C-level exec, but what is this statistic really telling you? Do the demographics of the companies in the study match yours? Do you trust the accuracy of the data? Consider the following:

  • What is the definition of "insurance industry" in this case? Is it companies that focus solely on insurance, or does it include companies that also provide financial advice and monetary instruments to their clients?


Denial Of Service Attacks Have The Internets All A Twitter

John Kindervag

My BlackBerry battery died more quickly than usual yesterday as I received a wave of calls from reporters wondering about the denial of service (DoS) attacks against Facebook, Twitter, and other social networking sites. It seems many people are not aware of the long and storied history of denial of service attacks, and this is their first personal experience with DoS. These types of DoS attacks have been around since the creation of the public Internet. A 15-year-old known as Mafiaboy famously brought down many of the top Websites of the day at the beginning of this millennium using similar techniques.


Please Fill Out These Forms...The SEC Will See You Now

Chris McClean

Is regulatory oversight more or less invasive than oral surgery? Sure, both are necessary sometimes. But however you feel about the current level of corporate scrutiny, it's clearly increasing, and that means the jobs of corporate governance, risk management, and compliance professionals are going to get even tougher.

The last month has seen some dramatic news related to corporate disclosure, most notably a bill approved by the House Financial Services Committee that would require public companies to explain executive and employee compensation packages, and would direct regulators to write rules prohibiting any compensation that could have a substantial, negative effect on financial markets. Lawmakers expect that this bill, if approved, will be rolled up with other legislation.


Cloud DR Services Are Real

Stephanie Balaouras

There is a lot of hype surrounding cloud, and I'm usually not one to join the hype. But in the case of cloud-based backup and disaster recovery services (I'm trying to use the term "IT service continuity," but it hasn't caught on yet), these services are available today, they address major pain points in IT operations, and organizations of all sizes can leverage them, not just small and medium businesses.

Storage-as-a-service is relatively new. Today the main value proposition is as a cloud target for on-premise deployments of backup and archiving software. If you need to retain data for extended periods of time (one year plus in most cases), tape is still the more cost-effective option given its low capital acquisition cost and removability. If you have long-term data retention needs and you want to eliminate tape, that's where a cloud storage target comes in: electronically vault that data to a storage-as-a-service provider who can store it at cents per GB. You just can't beat the economies of scale these providers are able to achieve.

If you're a small business and you don't have the staff to implement and manage a backup solution, or if you're an enterprise looking for a PC backup or remote office backup solution, I think it's worthwhile to compare the three-year total cost of ownership of an on-premise solution versus backup-as-a-service.
