As a member of the IT team for Reed Exhibitions United States for the past five years, starting as a help desk analyst and now, a security analyst, I have regularly participated in business continuity/disaster recovery drills.
Although run by the IT department, I have come to learn that the robust yearly exercises and more frequent smaller scale testing involves extensive input from many people in various departments within the business, analytical thought about critical business functions and hinges on our partnerships with external vendors such as our data center provider and BC/DR consultants.
Building the internal team
The first step in our planning involves selecting representatives from each major internal department to build the core BC/DR team. It is these people who will not only provide information about their critical tasks and system needs, but they will also serve as testers during our drills and utilize contact trees to disseminate pertinent information to and from the personnel in their department, when necessary.
Among the internal team are all members of the IT staff. As overseers of the infrastructure, systems and software, it is essential that we are informed about the critical tasks required by all departments in the event of a disaster as well as understand the ancillary systems needed that many users may not be aware exist. This includes file and storage services, backend databases and other integrations.
Building the external team
To refine the plan, we work with external BC/DR Consultants. In addition to being subject matter experts and providing best practices, they review our proposed plan and order of events to ensure they are feasible.
Additionally, one of the most important services they provide is assisting in the creation of metrics specific to the BC/DR process. This includes Recovery Point Objectives (RPO), Recovery Time Objectives (RTO) and other Key Performance Indicators (KPIs) which give us benchmarks that are clear and understandable.
The data center provider and other external vendors
Our relationships with our offsite data center provider, telecommunications companies, VPN provider and others are just as important to the process as our internal coordination.
Although we work tirelessly to ensure we have redundancies and safeguards within our own environment first, when a real disaster is upon us, we know who to call for outside assistance.
In particular, the relationship with our data center provider is one that is managed very closely. We provide them with knowledge about our BC/DR plan so they know our expectations and obligations to our business. There are frequent visits by the IT team to maintain redundant infrastructure that we manage within their facility.
Conversely, the data center personnel provide information to the IT team regarding upgrades and changes within the items they manage.
Testing the plan
Once all the input is gathered, IT has come up with their order of operations and the tasks are set to measurable metrics, the final plan is reviewed by senior management for their approval.
At least once a year, there is a company-wide, multi-day, BC/DR exercise conducted. The IT Team simulates a network failure or other disaster and the BC/DR plan is put into action.
The BC/DR plan, which is an amalgamation of everyone’s input, is followed and we meticulously observe and note how well the plan is performing. There are people from every part of the business conducting tests to ensure their critical software, hardware and other tools are working effectively so we are certain they would be able to work productively in the event this was not a test.
How BC/DR has changed over time
In just the last half-decade of participating in BC/DR exercises, I have seen many changes. The most prevalent would have to be the move of business critical infrastructure to the cloud. Although this may provide some respite for the IT team in respect to conducting these tests, it does require the additional overhead of ensuring the third party vendor handling email or another part of your infrastructure has sound BC/DR practices of their own so as to not cause undue outages to the business.
Conclusion
What I have learned is that BC/DR planning goals have remain unchanged throughout time. The purpose is to reduce the cost and downtime to the business in the event of a large disaster or infrastructure failure. The need to frequently review your business risks and ensure your BC/DR plan is aligned to those risks also remains unchanged.
I have, however, noted that the methods of maintaining availability have changed as technology has advanced. Infrastructure, software and services have been gradually moving to the cloud and virtualized environments.
Many believe this provides internal IT teams relief, but on the contrary, it heightens the need to work more closely with third party providers to ensure their BC/DR plans align with the expectations and requirements to keep the business up and running in the event of an untimely eventuality, either man-made or natural disaster.
Taharka Beamon is a New York native and CISSP who has spent the last 5 years of his career at Reed Exhibitions USA, where he is currently a Security Analyst. He specializes in working with global teams to facilitate third party vendor security assessments, vulnerability management and security awareness. Taharka is currently pursuing a Cybersecurity Graduate Certificate from Harvard Extension School.