Thursday, February 7, 2019

IT Disaster Recovery Planning: Theory vs. Reality





Many certifying organizations provide students attending their courses with information they should know to pass a certification exam, and to obtain a degree of subject matter expertise within a discipline. However, many students have difficulty applying textbook knowledge to the real-world environments they operate in every day.

Did You Know?

1) Taking time to create IT Asset Resource Profiles during Disaster Recovery planning – including functionality, classification, criticality, compliance, and end user communities – can significantly improve budget request outcomes for daily operational needs?

2) Improvisational Disaster Recovery exercises can be scheduled around planned external events – such as scheduled power outages, facility construction, unit relocation, and government drills – that are often overlooked?

3) The Disaster Recovery Plan is not a monolithic or linear document, and consists of no fewer than 10 constituent plans that reinforce each other?

4) According to the CDC (2017-2018), influenza epidemics (localized pandemics) cost US businesses $15.3 billion in lost revenue, $21 billion in lost productivity, and 17 million missed work days – yet epidemic planning is rarely funded by senior management?

5) When magnetic backup media is exposed to temperature changes greater than 15 degrees per four hours (a reality when transporting media to a recovery site), the damage can be irreversible?

This type of information won’t be in your training materials or on your certification exam, but it needs to be in your head.

If you enjoy your training, score well on the exam, and earn a certification – but cannot apply the knowledge gained during the training on the first day you return to work – your time and money have been wasted. 

When we teach the Mile2 Certified Disaster Recovery Engineer cyber security certification, we include dozens of training hours above and beyond that which would be required to successfully pass the exam. A significant portion of that training occurs outside the classroom. Our real-world training environments at the Coastal Regional Commission of Georgia in Darien range from Data Centers and Geographic Information Systems, to Fleet Transportation and Executive Administration offices.

The field training experience bridges the gap between classroom theory and operational reality with experiential knowledge you need and can apply on your first day back at work. Our goal is to have you leave this training both certified and prepared.

It’s been said that “experience can be defined as that knowledge you gain the moment after you need it the most.” We prefer you have that knowledge in advance – and be trained to stay ahead of life’s learning curve.



REGISTER FOR OUR NEXT
Certified Disaster Recovery Engineer
CYBER SECURITY COURSE

March 11-14, 2019



About the Author
Michael I. Kaplan is a certified Cyber Security Instructor and a Corporate Information Security Consultant with over 21 years of experience in the security industry. His areas of expertise are Business Continuity and Disaster Recovery, IT Risk Management and Audit, and Incident Response Planning.

Wednesday, January 30, 2019

Disaster Recovery Planning: IT Work Areas


“Data data everywhere,
but not a place to sit.”




Business continuity and disaster recovery personnel in the Information Technology field are laser-focused on saving what matters most: DATA.  We design our systems to be resilient and redundant, ensuring high availability for the business units we serve. We select disaster recovery sites based on a strict set of criteria to limit data loss and operational disruption.

We plan, test and conduct exercises until we’re satisfied our disaster recovery plans can withstand the next impending apocalypse on the horizon. When disruptions happen, we initiate our protocols, and (if fortune favors us) everything goes mostly according to plan. Business continuity is maintained, availability of the data is confirmed, and we congratulate ourselves on a job well done without ever realizing we’ve missed a critical component: an adequate work area for our IT staff.

Data recovery without people to utilize it is useless, and a mindset that believes “we’ll fit them where we can when and if bad things happen” just doesn’t cut it. We’ve got to make sure key personnel can function in a work area that’s conducive to the highest levels of performance possible. This holds especially true in wide-area regional disasters, during which our preparedness allows us to remain operational, while our less prepared competitors remain off the grid indefinitely.

For those IT managers who focus exclusively on the data center and believe the work area is someone else’s responsibility, understand this statistically relevant fact: work areas are, and will continue to be, more prone to disasters than any data center (not built on an active volcano).

If you realize an IT Work Area Recovery Plan is as critical as the Data Recovery Plan, but didn’t minor in “structural engineering and seating arrangements” at your university, here are a few tips to make your life easier, and your staff’s activities more productive.

1) Allocate 70 to 80 Square Feet per Person

WHAT?!  It’s true. This space takes into account team members working during the recovery effort, and common areas – such as bathrooms, break rooms, meeting rooms and storage areas – as well. Structural engineers much brighter than I will ever be came up with this formula, and my experience over the years has demonstrated it works.

2) Logically Co-Locate Staff and Departments

A secondary recovery site will always be short on space and squeezed under pressure like a diamond. Minimizing foot traffic increases efficiency and productivity, while also limiting the opportunity for least-privileged staff to walk through areas where sensitive, “need to know” operations are being performed for the business unit. Placing signage EVERYWHERE to identify department work areas will help to enforce these invisible partitions.

3) Designate Work Surfaces 36” W x 24” Deep

That’s ample room for a laptop, phone, and other items needed to perform critical functions. Everyone wants to have a larger desk, but a recovery site isn’t the place for it. For those seeking better office quarters, I suggest pursuing a promotion at the primary business location.

4) Adhere to Building Codes and Occupancy Limits

A business disruption is no excuse to forgo fire codes and structural limits. If you don’t believe that, wait for a Fire Department or OSHA Inspector to visit during the crisis and bring the truth to your doorstep. There are better (and safer) ways to fit more people into the recovery site, as you’ll see in the next point.

5) Rotate Shifts to Maximize Space and Business Functionality

The math is rather basic and universally true: a recovery site that seats 30 people can seat 90 people over 3 shifts. Personnel critical to the business function work during business hours. Key support staff can work the next rotation. Personnel performing sensitive functions requiring privacy – such as Legal, Accounts Payable or Human Resources – can work overnight. Members of the IT Department who frequently perform critical, support, and sensitive functions can accept the reality they’ll be working around the clock until notified otherwise.

On a final note, the layout of the recovery site work area is a team effort, and IT Managers would be well served by including key personnel from other critical departments in their planning sessions. This holds especially true because Information Technology is so intrinsically linked to virtually every critical business function that it can’t be considered in isolation. The middle of a crisis is not the time to discover people outside of IT consider themselves to be equally important.

It’s an even worse time to discover they're correct.


