Wednesday, January 30, 2019

Disaster Recovery Planning: IT Work Areas

“Data data everywhere,
but not a place to sit.”

Business continuity and disaster recovery personnel in the Information Technology field are laser-focused on saving what matters most: DATA.  We design our systems to be resilient and redundant, ensuring high availability for the business units we serve. We select disaster recovery sites based on a strict set of criteria to limit data loss and operational disruption.

We plan, test and conduct exercises until we’re satisfied our disaster recovery plans can withstand the next impending apocalypse on the horizon. When disruptions happen, we initiate our protocols, and (if fortune favors us) everything goes mostly according to plan. Business continuity is maintained, availability of the data is confirmed, and we congratulate ourselves on a job well done without ever realizing we’ve missed a critical component: an adequate work area for our IT staff.

Data recovery without people to utilize it is useless, and a mindset that believes “we’ll fit them where we can when and if bad things happen” just doesn’t cut it. We’ve got to make sure key personnel can function in a work area that’s conducive to the highest levels of performance possible. This holds especially true in wide-area regional disasters, during which our preparedness allows us to remain operational, while our less prepared competitors remain off the grid indefinitely.

For those IT managers who focus exclusively on the data center and believe the work area is someone else’s responsibility, understand this statistically relevant fact: work areas are, and will continue to be, more prone to disasters than any data center (not built on an active volcano).

If you realize an IT Work Area Recovery Plan is as critical as the Data Recovery Plan, but didn’t minor in “structural engineering and seating arrangements” at your university, here are a few tips to make your life easier, and your staffs’ activities more productive.

1) Allocate 70 to 80 Square Feet per Person

WHAT?!  It’s true. This space takes into account team members working during the recovery effort, and common areas – such as bathrooms, break rooms, meeting rooms and storage areas – as well. Structural engineers much brighter than I will ever be came up with this formula, and my experience over the years has demonstrated it works.

2) Logically Co-Locate Staff and Departments

A secondary recovery site will always be short on space and squeezed under pressure like a diamond. Minimizing foot traffic increases efficiency and productivity, while at the same time minimizing the opportunity for least privileged staff to walk through areas performing sensitive, “need to know” operations for the business unit. Placing signage EVERYWHERE to identify department work areas will help to enforce these invisible partitions.

3) Designate Work Surfaces 36” W x 24” Deep

That’s ample room for a laptop, phone, and other items needed to perform critical functions. Everyone wants to have a larger desk, but a recovery site isn’t the place for it. For those seeking better office quarters, I suggest pursuing a promotion at the primary business location.

4) Adhere to Building Codes and Occupancy Limits

A business disruption is no excuse to forego fire codes and structural limits. If you don’t believe that, wait for a Fire Department or OSHA Inspector to visit during the crisis and bring the truth to your doorstep. There are better (and safer) ways to fit more people into the recovery site, as you’ll see in the next point.

5) Rotate Shifts to Maximize Space and Business Functionality

The math is rather basic and universally true: a recovery site that seats 30 people can seat 90 people over 3 shifts. Personnel critical to the business function work during business hours. Key support staff can work the next rotation. Personnel performing sensitive functions requiring privacy – such as Legal, Accounts Payable or Human Resources – can work overnight. Members of the IT Department that frequently perform critical, support, and sensitive functions can accept the reality they’ll be working around the clock until notified otherwise.  

On a final note, the layout of the recovery site work area is a team effort, and IT Managers would be well served including key personnel from other critical departments in their planning sessions. This holds especially true as Information Technology is so intrinsically linked to virtually every critical business function, it can’t be considered in isolation. The middle of a crisis is not the time to discover people outside of IT consider themselves to be equally important. 

It’s an even worse time to discover they're correct.

Certified Disaster Recovery Engineer

March 11-14, 2019

About the Author
Michael I. Kaplan is a certified Cyber Security Instructor and a Corporate Information Security Consultant with over 21 years of experience in the security industry.  His areas of expertise are Business Continuity and Disaster Recovery, IT Risk Management and Audit, and Incident Response Planning.  Click HERE to view his Cyber Security Training Calendar.

No comments:

Post a Comment