Just how well is your company’s technology and key component infrastructure prepared for the worst? Does your company have a disaster recovery plan in case of a disaster, attack, theft or fire?
How well a company is prepared for disaster can be critical in recovering as efficiently as possible.
Kristine A. Danley, claims manager for Ross & Yerger, Inc., Jackson, said that businesses should have a written procedure and a back-up plan in place for all types of disaster, including the worst case scenario.
“I think preparation is the key here. Prepare, today!” Danley recommends. “Make sure that ALL employees are fully aware of these procedures. This should be included in the employee manual, and brought up at monthly or quarterly meetings. Testing the procedure more than once is a must. Whether it’s a result of tornados, hurricanes, terrorists, etc., our businesses and lives will be changed dramatically. Therefore, the more prepared we are, the less the exposure is.”
Danley said companies should analyze their own surroundings to know what type of program they really need, and customize it to fit their needs. Brainstorming with groups of employees is important because the same program will not work across the board for every business.
She recommends assigning someone to be in charge of this program, and having that person delegate others to assist depending on the size of the business. If your office building is no longer there, Danley said there should be plans for employees to work in a makeshift office or another location. In addition to backups for your computer system, she recommends a paper trail as well, and making sure you have offsite access to phone services.
Redundancy is key to a disaster recovery plan, says Mike Argo, Information Technology Security (ITS) and compliance officer for Mississippi State University (MSU).
“We get audited each year by the State Auditor’s office, and they view a disaster recovery plan or business continuity program as very important,” Argo said. “Basically we have two different systems comparable to the main administrative system. If we had problems with the main Network Operations Center (NOC), then we could go and recover at the alternative, backup NOC site within a few days. Sometimes it could be in a few hours, but my goal was to be back up within 48 hours. We have to be good stewards of our data, and exercise due diligence in maintaining data integrity and availability.”
The university has restrictions on how money can be spent. Lost files would mean an inability to properly account for funds. Another critical factor is the ability to meet payroll. The university is obligated to pay people on time, and has a payroll disaster recovery plan to make sure people would continue to get paid in the event of a disaster.
“It is important during a crisis that individual people are harmed as little as possible,” Argo said. “If you have a crisis and bills to pay, you don’t want to hear you aren’t going to get paid for three months. So we have a plan in place to get those checks produced in a short time frame. That’s just good business practice.”
Ideally backup NOCs would be offsite. In the interests of saving money, the backup facilities at MSU are located on campus. Another precaution is that monthly backups are stored off campus.
Argo said MSU is in the process of making changes in the wake of 9-11, including looking at additional security measures for access to key facilities, such as alarm systems, surveillance cameras and tighter management. Also, people who work at the campus are much more alert as to what is going on.
But, Argo said one lesson from the recent events is that no matter how secure you feel you are, there is always someone who can get by it.
“The idea of being secure is really a misnomer in that you never really are,” he said. “So you know you have certain vulnerabilities, and you weigh that against the ease of access for users and the cost factors involved. What you end up doing is managing the risk.”
For technology infrastructure, he said it is important to have a good handle on infrastructures and methodology, and keep up with security issues associated with those environments. Try patches very prudently because not all patches apply.
“We might have certain rules in our firewall that other people would not,” Argo said. “It depends on the use of the network. The entire Internet environment is very fragile, in a way. It doesn’t take much to make the Internet non-usable. Most people don’t realize that. It is a fragile environment, and we have become most dependent on it. People need to be vigilant to stay on top of new issues and new technologies.
“Anti-virus software is very key. You have to have good software and make sure everyone is up to date to keep viruses from propagating in the network. And the best way to keep a computer secure is to never plug it into the Internet. In addition to all that, educating users about vulnerability, problems with networks, is a positive thing to do. People using machines need to know about viruses and using passwords, etc. All of that enhances the security environment.”
Education helps avoid internal threats within an organization, and intrusion detection software should be used to monitor external threats. But a balance has to be struck so that staff resources aren’t overloaded, because it takes time for people to look and determine whether a real intrusion has occurred.
Terrance Flyntz, president of Delta Security Technologies (DST) at Stennis Space Center, said interest by private businesses in security services has greatly increased since Sept. 11 with respect to identifying security vulnerabilities and risks and formulating potential countermeasures. The company’s Sentinel Computer Security System is specifically designed to counter security attacks from unsuspected intruders within an organization including foreign agents, criminals, disgruntled employees and terrorists.
Flyntz said his company uses the same principles of backup, protection and dispersion of critical information that they advocate in the plans prepared for their customers.
“We have developed disaster recovery plans and related contingency plans and continuity of operations plans for various agencies of the federal government,” Flyntz said. “All of these plans are developed in accordance with guidelines defined in Federal Information Processing Standards (FIPS) defined by the National Institute for Standards and Technology (NIST). NIST is the organization within the Department of Commerce that addresses IT Disaster Recovery Guidelines for the Federal Government.”
Flyntz said most disaster recovery, contingency or continuity of operations plans will evaluate the vulnerability of an organization and facility along with the likely threats. A risk assessment is then performed and possible countermeasures are defined for each threat based on the perceived vulnerability and the risks associated with the vulnerability. Countermeasures include both security systems and security procedures that can address the identified risks.
Contact MBJ staff writer Becky Gillette at firstname.lastname@example.org or (228) 872-3457.