|Mark T. Edmead|
It's hard to believe it's been a year since my first security column was published. It's even harder to believe that it's been a year since the Sept. 11 attacks on our nation. It was ironic that my first column dealt with business continuity and disaster recovery. In this column, I reference the 1993 World Trade Center bombing and discuss how businesses -- with weak or non-existing business-continuity/disaster-recover plans -- weren't able to continue their operations.
What are the lessons learned regarding business-continuity and disaster-recovery planning? Do business now recognize the importance of such plans? I don't have research numbers from any scientific survey, but from my own observations I find that business-continuity planning (BCP) is on the mind of business people, but it's still not considered to be a vital part of their information security program. About two weeks after the September attack, my phone was ringing off the hook and my e-mail box was full of requests for quotations from companies wishing to "evaluate" their business-continuity plans.
One company in particular hounded me for days. They wanted a quotation for developing and testing their disaster-recovery plan right away. They felt vulnerable because they didn't have any plans in place. Like many other companies who contacted me, they felt that a disaster would adversely affect their business operations, and they wanted the plan in place immediately, an assurance that they'd be able to do what's necessary to continue business operations. To my knowledge, they haven't implemented any plans yet. The last communication I had with them was in February when they mentioned they were still "thinking" about it. Maybe they eventually went with another consultant and finally got something going. But I found as the months went by, the panic mode slowly dissipated. It went from "WE NEED HELP NOW!" to "Well, we're still thinking about what we need to do."
How quickly we forget about the past. Does anyone remember Y2K? Remember the major work companies faced determining if their systems were vulnerable? After Y2K, companies developed complete configuration control databases of all of their IT systems, and they had complete details of their system configurations. Unfortunately, many companies didn't continue maintaining these databases. Once the crisis was over, it was business as usual.
Hopefully companies will learn that anyone can be affected by a disaster. It doesn't have to come in the form of planes crashing into buildings. Fire, water damage, electrical storms and, yes, the human operating error are still disasters that can happen at any time. The better prepared you are, the more likely you'll survive.
People have asked me "What's the top BCP/DRP development mistake companies make?" Last year I would have said it was the lack of plan prioritization, lack of plan ownership or limited plan scope. Today, I'd say that businesses think of BCP/DRP as an IT issue only. (Thank you, Arno Brok.) Business people forget that the purpose of these plans is to recover the entire business, not just the IT systems. Management expects the IT department to take care of it, not realizing that the IT people need input (as well as business focus) from upper management. Business-continuity and disaster-recovery planning is a companywide effort. Let's make sure we work together and apply the lessons learned.
About the author
Mark Edmead, CISSP, SSCP, TICSA, is president of MTE Software, Inc. (www.mtesoft.com), and has more than 25 years of experience in software development, product development and network systems security. hacking. He is co-author of the book "Windows NT: Performance, Monitoring and Tuning" published by New Riders and editor of the "SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide."
This was first published in September 2002