DISASTER RECOVERY

PLANNING
• Disasters such as earthquakes, floods, sabotage, and even power
failures can be catastrophic to an organization’s computer center and
information systems.
• The more dependent an organization is on technology, the more
susceptible it is to these types of risks. For businesses such as
Amazon.com or eBay, the loss of even a few hours of computer
processing capability can be catastrophic.
• To survive such an event, companies develop recovery procedures
and formalize them into a disaster recovery plan (DRP).
• This is a comprehensive statement of all actions to be taken before,
during, and after any type of disaster. Although the details of each
plan are unique to the needs of the organization, all workable plans
possess four common features:
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedure
Identify Critical Applications
• The first essential element of a DRP is to identify the firm’s critical
applications and associated data files.
• Too often, this task is incorrectly viewed as a technical computer issue
and therefore delegated to IT professionals. Although the technical
assistance of IT professionals will be required, this task is a business
decision and should be made by those best equipped to understand
the business problem.
Creating a Disaster Recovery Team
• Recovering from a disaster depends on timely corrective action.
Delays in performing essential tasks prolongs the recovery period and
diminishes the prospects for a successful recovery. To avoid serious
omissions or duplication of effort during implementation of the
contingency plan, task responsibility must be clearly defined and
communicated to the personnel involved.
Providing Second-Site Backup
• Among the options available the most common are mutual aid pact;
empty shell or cold site; recovery operations center or hot site; and
internally provided backup.
Mutual Aid Pact
• A mutual aid pact is an agreement between two or more
organizations (with compatible computer facilities) to aid each other
with their data processing needs in the event of a disaster. In such an
event, the host company must disrupt its processing schedule to
process the critical transactions of the disaster-stricken company
• In effect, the host company itself must go into an emergency
operation mode and cut back on the processing of its lower-priority
applications to accommodate the sudden increase in demand for its
IT resources.
• The popularity of these reciprocal agreements is driven by economics;
they are relatively cost-free to implement.
Empty Shell
• The empty shell or cold site plan is an arrangement wherein the
company buys or leases a building that will serve as a data center. In
the event of a disaster, the shell is available and ready to receive
whatever hardware the temporary user needs to run essential
systems.
• This approach, however, has a fundamental weakness. Recovery
depends on the timely availability of the necessary computer
hardware to restore the data processing function.
Recovery Operations Center
• A recovery operations center (ROC) or hot site is a fully equipped
backup data center that many companies share.
• In addition to hardware and backup facilities, ROC service providers
offer a range of technical services to their clients, who pay an annual
fee for access rights. In the event of a major disaster, a subscriber can
occupy the premises and, within a few hours, resume processing
critical applications.
Internally Provided Backup
• Larger organizations with multiple data processing centers often
prefer the self-reliance that creating internal excess capacity provides.
This permits firms to develop standardized hardware and software
configurations, which ensure functional compatibility among their
data processing centers and minimize cutover problems in the event
of a disaster.
Backup and Off-Site Storage Procedures
• All data files, applications, documentation, and supplies needed to
perform critical functions should be automatically backed up and
stored at a secure off-site location. Data processing personnel should
routinely perform backup and storage procedures to obtain and
secure these critical resources.
• Operating System Backup
• Application Backup
• Backup Data Files
• Backup Documentation
• Backup Supplies and Source Documents.
• Testing the DRP
• The organization’s management should seek measures of
performance in each of the following areas:
(1) the effectiveness of DRP team personnel and their knowledge levels;
(2) the degree of conversion success (i.e., the number of lost records);
(3) an estimate of financial loss due to lost records or facilities;
(4) the effectiveness of program, data, and documentation backup
and recovery procedures
Audit Objective
• The auditor should verify that management’s disaster recovery plan is
adequate and feasible for dealing with a catastrophe that could
deprive the organization of its computing resources.
Audit Procedures
• In verifying that management’s DRP is a realistic solution for dealing with a
catastrophe, the following tests may be performed
• Site Backup
• evaluate the adequacy of the backup site arrangement
• Critical Application List
• review the list of critical applications to ensure that it is complete
• Software Backup
• verify that copies of critical applications and operating systems are stored off-site
• Data Backup
• verify that critical data files are backed up in accordance with the DRP
• Backup Supplies, Documents, and Documentation
• verify that the types and quantities of items specified in the DRP such as check stock,
invoices, purchase orders, and any special purpose forms exist in a secure location
• Disaster Recovery Team
• verify that members of the team are current employees and are aware of their assigned
responsibilities
OUTSOURCING THE IT FUNCTION
• Oftencited benefits of IT outsourcing include
• improved core business performance
• improved IT performance (because of the vendor’s expertise)
• reduced IT costs.
• By moving IT facilities offshore to low labor-cost areas and/or
through economies of scale (by combining the work of several
clients), the vendor can perform the outsourced function more
cheaply than the client firm could have otherwise
Core Competency Theory
• argues that an organization should focus exclusively on its core
business competencies, while allowing outsourcing vendors to
efficiently manage the non–core areas such as the IT functions.
Risks Inherent to IT Outsourcing
• Failure to Perform
• Vendor Exploitation
• Outsourcing Costs Exceed Benefits
• Reduced Security
• Loss of Strategic Advantage