
Disaster recovery planning: a strategy for data security

Steve M. Hawkins
Department of Decision Sciences and MIS, Miami University, Oxford, Ohio, USA
David C. Yen
Department of Decision Sciences and MIS, Miami University, Oxford, Ohio, USA
David C. Chou
Department of Business Computer Information Systems, St Cloud State University, St Cloud, Minnesota, USA

Keywords
Disaster recovery, Data security, Networks

Abstract
The migration from centralized mainframe computers to distributed client/server systems has created a concern on data security. If a disaster occurs to the organization that destroys a server or the entire network, a company may not be able to recover from the loss. Developing an effective disaster recovery plan will help an organization protect them from data loss.

Information Management & Computer Security 8/5 [2000] 222–229
© MCB University Press [ISSN 0968-5227]
The current issue and full text archive of this journal is available at http://www.emerald-library.com

Introduction

The centralized computer systems are now replaced with or connected to the distributed systems. Also, multiple servers are connected to each other on a corporate network to balance their processing power. If one of the servers in the networked environment crashes, troubles will arise for both the users and the company.

There are a variety of reasons that cause systems to crash. For example, the lack of system security and employee sabotage are the main concerns. While computer hackers live outside of the company walls, this is not always the case. Although passwords and firewalls help keep viruses and intruders from entering the corporate systems, sometimes they are useless. Corporate management needs to recognize the necessity for data security.

A disaster could cause companies an interruption for a period of time. The Business Recovery Plan is the document used to assist an organization in recovering its business functions. A Disaster Recovery Plan (DRP), however, is a document designed to assist an organization in recovering from data losses and restoring data assets. A DRP should be a pro-active document, a living and breathing document. It does not document the tasks, it is an action plan that is used to identify a set of policies, procedures, and resources that are used to monitor and maintain corporate information technology (IT) before, during, and after the disaster. Possible IT disasters include (Semer, 1998):
• natural disasters, such as fires, earthquakes, lightning, storms, and static electricity;
• software malfunctions;
• hardware or system malfunctions;
• power outages;
• computer viruses;
• man-made threats, such as vandalism, hackers, and sabotage; and
• human error, such as improper computer shutdown, spilling liquids on the computer, and cigarette ash.

Disaster recovery was a term coined by computer vendors between 1960 and 1980 – the era of the centralized mainframe computer (Colraine, 1998). During that time, a disaster recovery plan was used to backup mainframe computers.

A disaster recovery plan was similar to an insurance policy that provided a protection from natural disasters, such as earthquakes, floods, hurricanes, and tornadoes. Disaster recovery plans during these years were typically used by organizations that have large mainframe computers and data sites for daily business operations. Since data recovery planning process was expensive, an alternative was to backup the data from the mainframe computer and store it at alternate locations. During the 1970s, providing backup data services was a lucrative business.

According to the third annual information security survey conducted by Information Week and Ernst & Young, nearly half of the more than 1,290 respondents representing information systems chiefs and security managers suffered security-related financial losses in the past two years (Panettieri, 1995).

Most companies hesitate to develop a disaster recovery plan until a disaster occurs. According to another survey (Patrowicz, 1998), 85 per cent of the Fortune 1,000 companies have disaster recovery plans. Within these companies which have disaster recovery plans:
• 80 per cent have plans that protect their data center resources;
• 50 per cent have plans that protect their networks; and
• less than 35 per cent have plans that protect their data on PC LANs.

In an Ernst & Young/Computerworld Global Information Security Survey of 4,255 IT and information security managers, 84 per cent of
them said that their senior management believes that security management is "important" or "extremely important." Of these respondents, over 50 per cent of them stated that they lack a disaster recovery plan (Anthes, 1998). However, most of the problems stem from the lack of communication at the corporate level.

The growth of distributed systems and the global business environment make corporate decision makers believe that having a backup or recovery plan is necessary. Many companies need to process the mission-critical information stored in distributed or client/server systems throughout entire enterprise networks. One of the success factors for a company's business operations is based on the continuance of these enterprise networks. Client/server systems have replaced the centrally located mainframe, residing at multiple sites in a building or across a corporate WAN. Consequently, protecting these client/server systems has become a major priority for corporations today (Colraine, 1998).

Distributed systems are becoming an architectural standard for networked organizations. These systems have diffused mission-critical data across local area networks which extend corporate resources to remote work sites. As distributed systems continue to replace the "glass house" environment of the mainframe, the data decentralization is going to increase in the future (Mello, 1996).

According to a survey conducted by the research group of David Michaelson & Associates, the respondents stated that 43 per cent of the data housed on corporate PC LANs today is mission related (Mello, 1996). Of these respondents, 77 per cent employ a continuous or daily backup for their PC LANs, and 89 per cent of them follow some kinds of backup procedures. It is a dramatic increase from a similar 1993 survey, in which only 45 per cent of the organizations stated that they backed up their PC LANs on a continuous or daily basis. As the distributed system model continues to become the de facto standard in most corporate networks today, companies will eventually learn – either by proper planning or their own unfortunate experience – that having a disaster recovery plan is vital for their survival in today's networked environment.

This paper identifies the importance of disaster recovery planning in the business world. The benefits and limitations of developing a disaster recovery plan are identified in the next section. An analysis framework for developing a disaster recovery plan is introduced next. It follows by illustrating a step-by-step strategic planning process that an organization could follow to develop their own DRP. Finally, conclusions are stated.

Benefits and cost of disaster recovery plans

Corporate decision makers must look at every aspect of a DRP before implementing it within their organization. Listed below is a culmination of the benefits and costs of developing a DRP.

Benefits of developing a DRP

Developing a DRP is to identify various steps to assist an organization in recovering from data losses and restoring data assets. This process generates the following seven benefits:
1 Eliminating possible confusion and error. By organizing the response teams to take care of specific responsibilities during a disaster, management can focus their attention on other critical issues related to disaster recovery. Depending on the nature and scope of the disaster, managers need to handle customer relations, company liability, vendor issues, additional staffing needs, and legal issues.
2 Reducing disruptions to corporate operations. As tactical response teams or qualified personnel are in place and an alternate site is available within a short amount of time, corporate operations can be re-established quickly with minimal delays.
3 Providing alternatives during a disastrous event. By developing a DRP before disaster strikes, top-level management can take the time needed to consider all of the alternatives and choices for disaster recovery.
4 Reducing the reliance on certain key individuals. If the responsibilities of re-establishing a LAN were left to the systems administrator or network administrator, and that particular individual was injured during the disaster, the corporate network would have a difficult time re-establishing itself in the shortest amount of time. By delegating recovery responsibilities to key individuals who know exactly what to do in an emergency situation, the company can develop redundancy within its corporate hierarchy so that they can replace those individuals who are unavailable in the disaster.
5 Protecting the data of the organization. Data are one of the most important assets in an organization. Data are stored in many different forms, including
databases, spreadsheets, and documents. The data that are vital to the organization may include customer databases, financial documents, mailing lists, and EDI forms from vendors and customers. Most of this data could be stored on magnetic media, such as tape backup or on hard drives in LAN servers. If a company locates in an area that is vulnerable to floods or severe weather, its DRP may include elevating computer equipment off the floor and onto wall-mounted racks where initial flooding will not damage the computer equipment.
6 Ensuring the safety of company personnel. When a disaster demolishes the building, corporate offices need to be relocated. A DRP could also include a logistical support group that would provide comprehensive support to employees.
7 Helping an orderly recovery. A disaster recovery plan covers most of the problems that could happen during a disaster and it provides the necessary resources to solve those problems, management can focus its attention to other critical issues.

Costs of developing a DRP

Developing a DRP is not easy. It needs to consume corporate resources to make it successful. It has at least the following two types of costs:
• Cost of DRP preparation. Corporate management could spend a long time identifying mission-critical systems that must be implemented after a disaster. This project could cost a company a tremendous amount of man-hours. If a company chooses a third party vendor to develop their disaster recovery plan, the costs could be considerably higher. The challenge to developing a DRP is to convince top-level management that the plan is worth the investment.
  The New York World Trade Center bombing in 1993 displaced thousands of workers for weeks, causing a financial impact on 350 firms located within the trade center (Stefanac, 1998). By performing some risk analyses to corporate management, they may well consider adopting a DRP.
  A disaster recovery plan does not have to be an elaborate framework of policies, procedures, and hardware. In fact, preparing a disaster recovery plan may simply outline the procedures for performing nightly data backups to a mirror site via a telephone line. The minimum goal of developing a DRP is to protect the data.
• Cost of corporate resources. Implementing a DRP requires a strong commitment. It needs the support from top-level management, the cooperation from employees in the company, and the availability of an inventory of all the mission-critical resources of information technology.
  If a company lacks the experience of developing its DRP, outsourcing could be a good choice. Consultants such as IBM, Comdisco Inc., and SunGard Recovery Services Inc. could provide assistance to all of its needs.

Analysis framework of DRP

Any company beginning a DRP project should perform a risk assessment for its information technology. This involves checking their network inventory and identifying the resources needed to maintain daily business operations. After analyzing the resources, they must develop a plan of action. This could be a set of procedures or the multiple-volume instruction manual. After developing this plan, the company could integrate it into its business strategies. Also, this company needs to train its employees about specific tasks to be done and how each employee is involved in the process. This implementation process should be reinforced by the company at least once a year by conducting mock disaster scenarios. This process will ensure each employee keeps his or her skills up-to-date in the event of a disaster.

The DRP development involves three process stages: construction, adoption, and evaluation. The DRP development starts with the construction process. During this process, ideas and concepts are transformed into tangible tasks and procedures. A DRP planning committee is formed to include representatives from all functional areas of the company. This committee performs risk analysis for each functional area of the company in order to determine the consequences and potential damages caused by a disaster. When the analysis is complete, a plan of action is developed and presented to top management for approval.

After management's approval, a DRP is adopted and integrated into the company's daily business functions. This process stage includes the activities such as employee training and awareness, modification of job descriptions, and integration of DRP into normal operating procedure.

Finally, management plays a main role in supporting the new plan by conducting regular evaluations. If new computers are installed into a particular department, the plan should be re-evaluated and modified to provide an additional security blanket to the company's assets.
Preparing a disaster recovery plan is not a solitary effort. It requires the expertise, ingenuity, and cooperation of corporate employees and top-level decision makers. A well-planned DRP requires three main functional areas (management, information technology, and human resources) to participate and prepare themselves for subjects such as employee awareness, and safety of computer technology and data security. Activities and involvement of three functional areas are discussed in the following sections.

Management involvement and activities

Keeping current with IT knowledge

The top-level decision makers may not want to be confronted with computer technology for three reasons. First of all, they may not consider themselves as "computer people," and consequently leave the computer problems to either their subordinates or their IT staff. Second, they may want to learn more about computer technology, but are overwhelmed and confused by all of the literature available in bookstores or in the library. Finally, they may feel intimidated by IT counterparts who know and understand something that they cannot understand. As executives, they may feel intimidated by their lack of understanding and avoid the issue altogether. If, however, they take the initiative to learn how computer technology can help them make better decisions and protect their data, they will become better managers and be able to communicate with their IT counterparts.

Employing qualified professionals to develop and maintain the company's DRP

Individuals who are certified can prove their value and knowledge. Certifications such as the Microsoft Computer Systems Engineer (MCSE) for Windows NT or the Certified Novell Engineer (CNE) for Novell networks are examples. If a company's future plans involve an enterprise network that will include hubs, routers, and bridges, it might also consider employing Cisco trained professionals with Cisco Certified Network Associate (CCNA) or Cisco Certified Internetwork Engineer (CCIE) certifications. Employing MCSEs, CNEs, and CCIEs to run a company's network also saves time and money on IT training.

Similarly, there is training and certification available for disaster recovery. An organization such as the Disaster Recovery Institute offers training and certification on disaster recovery.

Ensuring insurance coverage for LAN

A comprehensive insurance policy may cover data restoration, business interruption, recovery costs, and damage to computer hardware from natural disasters, such as flooding, tornadoes, and earthquakes. Also, a company needs to make sure that they have the proper coverage for all geographical areas.

Organizing specialized response teams to execute the DRP during an emergency

A DRP should be up-to-date and every team member involved in the recovery process should be familiar with it. The implementation of a DRP should involve specialized teams to be responsible for certain areas of expertise, including initial response team, restoration team, recovery operations team, and logistical support team (Semer, 1998):
• Initial response team. This team is the first set of eyes to evaluate the nature and extent of the damage. These people will determine whether or not business operations can continue on-site or should be moved to an alternate location. If the damage is severe, this team will contact additional response teams for further assistance.
• Restoration team. This team coordinates the damage control, restoration, and reactivation of network resources, which include data files, software, network infrastructure, and communication lines.
• Recovery operations team. If the initial response team determines that operations need to be re-established at an alternate location, the recovery operations team will set up and run the operations at the new location. Their responsibilities include re-establishing the distributed network infrastructures, retrieving backup files, setting up hardware and communication lines, and other related activities.
• Logistical support team. During the transfer of operations to an alternate site, the logistical support team provides logistical support by ensuring that employees can access alternate offices and facilities. They also provide personal support for employees, which includes travel and relocation assistance, cash advances for emergency expenses, crisis counseling, and employee family assistance.

Information technology involvement and activities

Developing a detailed network blueprint

When a disaster destroys most or all of the building, the network will have to be rebuilt. The blueprint of the company's network architecture will allow the IT staff to rebuild the network quickly.

Gaining management's support to the disaster recovery plan

Senior management is recognizing the outcomes of losing corporate data. An effective CIO could understand both IT and management needs, thereby translating the schematics of the technology into management's language.

Monitoring employees' Internet accesses

While the Internet provides the worldwide information at a moment's notice, it also brings with it the threat of sabotage from hackers and viruses. Many of the security concerns regarding the Internet stem from the design of the Internet itself, making it difficult to identify and trace where data are coming from or where they are going (Garfield and McKeown, 1997). Consequently, the best way IT can protect their organization from hackers and viruses is to monitor employees' Internet accesses through firewalls. This will greatly reduce the dangers from hackers outside the company.

Standardizing hardware and software

Any organization having heterogeneous hardware and software will create difficulties of rebuilding the network. For example, if some departments are using Macintosh computers while others are using PCs, the rebuilding process will take even longer. Therefore, having a homogeneous enterprise system can reduce the complexity of rebuilding the network.

Securing support from IT vendors

Implementing a DRP needs to secure support from both routine vendors and specialized vendors. Routine vendors are suppliers who provide daily services, such as hardware and software support, e-commerce support, and telecommunications service. Specialized vendors are companies that provide specific disaster recovery services. Their services include data salvage and restoration, alternate office space, alternate backup sites, and emergent lease of hardware and equipment.

Performing routine backups

A backup procedure should be performed in order to ensure that all mission-critical systems are stored on LAN servers instead of users' workstations, floppy disks, or ZIP disks, which are not subject to system backups. This ensures that the data are centrally located in one place to facilitate backup and recovery procedures.

Ensuring smooth interface between client/server and mainframe systems

Interface applications that allow data to be exchanged between mainframe and networks will need to be identified and included in the backup and recovery procedures. Any failure of backing up these applications may complicate the recovery process and the integrity of data and system.

Using redundant array of independent disks (RAID) technology to capture on-line transaction activity

RAID provides mirrored copies of data on multiple disk drives that create up-to-date copies of data files. RAID also provides capability of fault tolerance, providing accessibility to data in the event of a partial disk failure.

Preventing LAN from viruses' attack

Choosing the right anti-virus software for the LAN is imperative for protecting the data. After selecting suitable programs, system administrators should make regular sweeps of the LAN to ensure system integrity at all times.

Protecting hardware from environmental damage

Make sure that surge protector and anti-static mats are installed on all LAN servers in order to protect them from static electricity. According to a report, computer users in the Midwest and North Central USA suffer the most data loss due to static electricity during the winter dry air (Sutton, 1998).

Connecting uninterruptable power supplies (UPS) to key servers and equipment

The power-related problem is one of the major causes of losing data. If a server suddenly loses its power, there is a chance that the data on the hard drive will be lost. By installing UPS and/or a backup power supply on the entire LAN servers could maintain the integrity of the data on the server.

Human resources services

Providing employee-training programs on computer uses and computer ethics

Any employee could carry viruses from his/her home computers to work computers, which can destroy the integrity of corporate network. Human resources departments need to alert employees to this risk by educating them to keep their home PC applications off their work computers. Therefore, virus attacks could be kept at a minimum level.

Some disasters may be caused by unethical practices. Practicing proper ethics on the computer is also becoming an issue within many organizations today. In an era where computers have become an integral part of society, many organizations discovered that employees who use their computers inappropriately could cause companies a significant loss in information, time, and
money. As a result, many organizations are implementing corporate codes of ethics as part of their employee agreement.

Promoting employee safety awareness programs

A DRP can cover a broad range of scenarios, from a corrupted LAN server to complete destruction of a corporate building. Depending on the location of the organization, management should implement safety awareness programs into their DRP in order to train employees on how to take care of himself or herself during a natural disaster, such as an earthquake, tornado, or hurricane. These programs might include classes in CPR and first aid training that can benefit employees inside and outside the company. Other types of training may include fire drills, using a fire extinguisher, and locating safe shelter during a disaster. While many organizations may view a DRP as an insurance policy of their corporate assets, it is a good idea to include one of the most important company assets, that is, their employees.

Development strategies for DRP

Developing a disaster recovery plan could be a simple set of procedures describing how to backup a server to a tape drive, or a multiple-volume instruction manual describing procedures for earthquake damage. Companies need to identify certain suitable development strategies for DRP. The procedures and strategies for developing a disaster recovery plan are discussed as follows:

Performing a risk assessment

This process begins by checking inventory of the organization and identifying the systems and resources that are most critical to their business operations. The two methods which can be used to identify these resources are "Business impact analysis" and "Risk assessment analysis" (Semer, 1998).

Business impact analysis identifies the mission-critical resources in the company – the resources that are absolutely essential for keeping the organization running every day. Once these resources have been identified, the next challenge is to estimate how long the company can continue their business operations after suffering major losses.

After identifying the mission-critical resources, it needs to analyze the potential risks to these resources. Risk assessment analysis identifies corporate resources development, including the infrastructure of the network. The statistics gathered from this assessment provide a blueprint of risk assessment.

In many cases, departmental managers are familiar with their department's day-to-day operations and, therefore, they are in a better position to decide how their mission-critical resources should be restored.

Identifying possible vulnerabilities

Monitoring the vulnerability will prevent a problem before it occurs. For most companies, the main areas of vulnerability may include (Rothstein, 1998):
• backup storage locations for data;
• security;
• physical security;
• the room or building that is housing the computers;
• electrical power;
• fire detection and suppression;
• depending upon one person for information;
• management controls; and
• reliability of telecommunication services.

Other areas of vulnerability include employee resignation, repairing a roof leak in the computer room, computer virus infection, and so on.

Developing a plan of action

One way of developing a disaster recovery plan is to conduct a brainstorming session for management and corporate employees. Each department could develop their own recovery plan that provides directions on how to quickly resolve a site crisis. The plan should include phone numbers of people who must be notified immediately after a disaster occurs, all of the vendor contact names and phone numbers, and the location of an alternate site. The plan should include but not be limited to the following possible scenarios (Jackson, 1997):
• employees can access the building but the computer systems are down; and
• employees cannot access the building and must drive to an alternate site.

Choosing an alternate recovery site

If the cause of the disaster was due to a flood, tornado, or fire, travelling to an alternate site may be required. Mission-critical resources should also be considered when relocating business functions to an alternate site (Rothstein, 1998). Possible recovery strategies are discussed as follows:
• Vendor maintenance agreement. This is an essential strategy, particularly for organizations having computer networks of small size. Under vendor maintenance agreement, computer hardware vendors are responsible for equipment recovery, repair, and replacement. If a standard
Steve M. Hawkins, agreement could not cover damages security and the computer vendors is
David C. Yen and caused by external factors such as a fire or required in order to ensure safe and
David C. Chou flood, a supplemental agreement may be timely delivery. Also, the replacement
Disaster recovery planning: a
strategy for data security necessary to cover these expenses. equipment may take several hours to
Information Management &
. Quick shipping program. The deliver, which may result in an increase
Computer Security maintenance contract could ask vendors of the system downtime (Leary, 1998;
8/5 [2000] 222±229 to deliver hardware replacement to Rothstein, 1998).
original site or alternate site within three . Mobile recovery facilities. This recovery
to five days. This quick shipping program site is a self-contained mobile trailer that
works well for companies that can afford houses all of the computer equipment.
to have networks down for a week or Most of these trailers are equipped with
longer. Also, the maintenance costs would backup power generators, and can be
be as low as $300 a month (Rothstein, 1998).

. Hot sites. A hot site is provided and supported by a disaster recovery plan vendor. It is a fully equipped facility furnished with the computer resources required by the organization, including FAX, computer hardware and software, telecommunications, office supplies, and other needed peripherals. A hot site provides a ready-to-go computer system in a prepared location, minimizing network downtime (Rothstein, 1998). A hot site is usually located within 30 miles of a client site to facilitate employees' travel (Patrowicz, 1998). Since the site could be a distance away from many employees, it also provides living amenities including sleeping areas, showers, and a cafeteria (Leary, 1998).

An additional function of a hot site is to provide a practice model for training personnel during corporate disaster recovery planning (Semer, 1998). Management can practice the disaster recovery plan in a setting that will not disrupt normal business operations. By practicing a disaster scenario on a regular basis, management and employees would be prepared for any disaster that could occur in the future.

. Cold sites. A cold site is simply an empty building that is wired, air-conditioned and computer ready (Patrowicz, 1998). Because of the time involved in setting up the equipment and becoming fully functional, cold sites should only be considered if the organization is not pressed for time (Semer, 1998).

The cost of leasing a cold site ranges from $500 to $1,500 a month, depending on the complexity of the computer system. Many companies use their cafeterias as an on-site cold site or use a company-owned warehouse as an off-site cold site. If any disaster damages their facilities, a company would choose a vendor-provided cold site as their alternative (Leary, 1998).

However, a cold site has a few disadvantages. Since computer equipment has to be shipped to the site, a close coordination between the company

equipped with all of the necessary computer equipment as needed. Although it may vary, the usual recovery time for a mobile recovery facility is typically a week or more (Rothstein, 1998).

. Mirrored site. Similar to a hot site, a mirrored site is equipped with all of the hardware and communications equipment needed to assume immediate operations. Since the company usually owns these sites, data are transmitted concurrently to these sites as they are being processed at the main facility, so they can be ready to go at a moment's notice. Some companies send their nightly backup tapes to their mirrored site so that recovery will only involve the current day's transactions. Whether data are mirrored or sent to the site, the startup time is usually on the same day (Rothstein, 1998).

. Winging it. This choice involves no alternative site location or backup plan for the organization. Organizations that use this method usually fail more than they succeed in rebuilding their computer systems.

Selecting a backup strategy
Selecting a backup strategy could speed up the process of disaster recovery. Two backup strategies are currently in use: the in-house backup and the offsite backup.

1 In-house backup systems. These are backup servers placed strategically at different locations inside the organization. Using in-house hardware to remove the dependence on outside vendors could save the company a lot of expense on leasing equipment. If the backup servers are used for other purposes, however, special procedures should be included in the disaster recovery plan for relocating these systems (Semer, 1998).

2 Offsite backup systems with data encryption. Data are encrypted and backed up to a remote site in an offsite backup system. Since the communications to the backup site are on a leased line, the data transmission is virtually secure. Organizations that use this backup
method include financial institutions, the military, hospitals, large corporations, and the FBI (Sutton, 1998).

Conducting a verbal walk-through
Those employees involved in the recovery plan need to participate in a verbal walk-through process, in which they talk through "what if" scenarios and outline individual tasks and responsibilities. This will provide each employee with a working knowledge of the plan, rather than simply reading it on paper (Jackson, 1997).

Testing the plan on a regular basis to ensure its integrity
Companies need to update their disaster recovery plan on a regular basis. As the company grows, so does its data. If a DRP is not updated to keep up with the growing needs of the company, the company may soon discover that it will not be capable of recovery operations.

Also, as the company grows, it eventually needs more computers, hubs, and routers, among other things. These new needs require some modifications to the disaster recovery plan. Companies need to modify their disaster recovery plan on a regular basis, especially if the company is growing at an accelerated pace (Leary, 1998).

Conclusion
A disaster is an event that halts the critical business functions within an organization. It can be as simple as a power disruption to a data server or as serious as a threat to the entire building. Disaster recovery is the process of correcting the problem and getting the critical business functions back online. A disaster recovery plan is, therefore, a predetermined set of instructions that describes the process of disaster recovery.

Developing a DRP requires hard work, including planning, brainstorming, and cooperation from both corporate management and employees. The plan can be as simple as describing how to back up a server, or as complicated as describing what to do after a hurricane destroys the building. The key to developing a DRP is to understand the particular needs of the organization.

Having a DRP brings both advantages and costs. The advantages include reduced data loss, less need for decision-making during a disaster, and the protection of company employees. A DRP also incurs extra expense and requires manpower. Despite the questions that arise when considering a DRP, companies should focus on the most important commodity: company data. Depending on the importance of the data, developing a DRP can be more economical than replacing the lost data.

As corporations become increasingly dependent on computers and the Internet for their daily activities, the data generated from their work are becoming critical. Companies that rely on their computer systems and networks to do their business can suddenly lose everything if their computer systems go off-line or are corrupted by a virus. In this electronic age where computers are enhancing the talents and skills of people, data are now filling the seats of executive boardrooms and corporate offices. At one time in our country's history, the battle cry was "survival of the fittest." Today, as computer technology and data are becoming the important commodities of the future millennium, the new battle cry is "survival of the data." Consequently, protecting data from corruption is one of the major functions of top-level management and IT professionals today.

References
Anthes, G.H. (1998), "Lots talk, little walk", Computerworld, Vol. 32 No. 38, pp. 70-1.
Colraine, R. (1998), "Protect more, recover faster is the rule", Computing Canada, Vol. 24 No. 30, p. 35.
Garfield, M.J. and McKeown, P.G. (1997), "Planning for Internet security", Information Systems Management, Vol. 14 No. 1, pp. 41-6.
Jackson, J. (1997), "Give your LAN a hand", Security Management, Vol. 41 No. 8, pp. 44-52.
Leary, M.F. (1998), "A resource plan for your LAN", Security Management, Vol. 42 No. 3, pp. 53-60.
Mello, J.P. Jr (1996), "Taking a crack at backup", Software Magazine, Vol. 16 No. 10, pp. 85-8.
Panettieri, J.C. (1995), "Security", Information Week, 27 November, pp. 32-40.
Patrowicz, L.J. (1998), at http://www.cio.com/archive/040198_disaster_content.html
Rothstein, P.J. (1998), "Disaster recovery in the line of fire", Managing Office Technology, Vol. 43 No. 4, pp. 26-30.
Semer, L.J. (1998), "Disaster recovery planning for the distributed environment", Internal Auditor, Vol. 55 No. 6, pp. 41-7.
Stefanac, R. (1998), "When it comes to disaster, it's pay now or later", Computing Canada, Vol. 24 No. 30, p. 35.
Sutton, G. (1998), "Backing up onsite or online: 25 smart ways to protect your PC from disaster", Computer Technology Review, Vol. 18 No. 2, pp. 38 and 42.

Steve M. Hawkins, David C. Yen and David C. Chou, Disaster recovery planning: a strategy for data security, Information Management & Computer Security 8/5 [2000] 222-229
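The sections on offsite backup and on testing the plan regularly come down to two checks that a restore drill can automate: whether a test restore matches what was backed up, and whether live data has grown beyond what the backup covers. The Python code below is an added example, not part of the original article; the file names, the key, the function names and the three result categories are constructed for illustration.

```python
import hashlib, hmac, json, pathlib, tempfile

def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def seal(manifest, key):
    """HMAC-SHA256 over the manifest, so an altered offsite copy is detected."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def restore_drill(manifest, tag, key, restored_root, live_root):
    """Check a test restore and the live system against the sealed manifest."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        raise ValueError("manifest failed authentication")
    restored, live = tree_hashes(restored_root), tree_hashes(live_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "corrupt": sorted(p for p in manifest
                          if p in restored and restored[p] != manifest[p]),
        "not_in_backup": sorted(p for p in live if p not in manifest),
    }

def write(root, rel, data):
    """Create a sample file (constructed test data) under root."""
    path = pathlib.Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():
    """Constructed scenario: data grows after the backup; the restore is damaged."""
    key = b"constructed-demo-key"  # assumption: the real key is kept apart from the backups
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = pathlib.Path(tmp, "live"), pathlib.Path(tmp, "restored")
        for root in (live, restored):
            write(root, "db/ledger.dat", b"ledger v1")
            write(root, "hr/payroll.csv", b"id,amount\n1,100\n")
        manifest = tree_hashes(live)          # recorded when the backup is taken
        tag = seal(manifest, key)
        write(live, "sales/orders.db", b"system added after the plan was written")
        write(restored, "hr/payroll.csv", b"id,amount\n1,1")  # truncated on restore
        (restored / "db/ledger.dat").unlink()                 # lost on restore
        return restore_drill(manifest, tag, key, restored, live)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Entries under `not_in_backup` are the data the plan has not kept up with; entries under `missing` or `corrupt` mean the backup could not actually be recovered from.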
