Virtualization brings the potential to deliver dramatic savings in terms of server count, footprint, power consumption and cooling requirements for data centers. Data center virtualization encompasses a range of virtualization activities aimed at cr (more)
Virtualization brings the potential to deliver dramatic savings in terms of server count, footprint, power consumption and cooling requirements for data centers. Data center virtualization encompasses a range of virtualization activities aimed at creating a virtualized computing environment, such as for use in cloud computing, within a data center. Here are some tips to ensure a successful data center virtualization (less)
Slide 1: Article Title | Article Author Voice of Information Security ISSA The Global
ISSA Journal | March 2007
A Holistic Approach to Continuity Planning
By Dave Austin
Business Continuity, Disaster Recovery, Contingency Planning, Crisis Management and Incident Management are all terms we hear, but they are often used with inexact meanings and interchangeably.
B
usiness Continuity, Disaster Recovery, Contingency Planning, Crisis Management and Incident Management are all terms we hear, but they are often used with inexact meanings and interchangeably. What do these terms really mean and how do they relate to each other? In this article I aim to explain how the disciplines of Crisis and Incident Management, Business Continuity, IT Continuity and Disaster Recovery link together into one coherent approach to assuring your organization’s resilience.
How it began
A little bit of history may help to explain why there is such a plethora of different terms apparently with the same meaning. Those of us old enough to remember will have been involved in something called Contingency Planning, and in all likelihood we picked this up from our days in the mainframe IT department. As computerization spread there was concern that an organizations’ key information might become unavailable. This concern – coupled with frequent computer crashes – made contingency planning a part of everyday operation. Most of us relied on the giant IBM mainframes, and as we came into contact with those planning for more extreme events, such as hurricanes, there was a growing realization that such things applied to us as well. So the concept of disaster recovery planning took hold. It was a natural extension to our contingency planning, but it focussed on rather large and less predictable events. I can remember the development of disaster recovery plans for the main data center of a bank with the prospect of disruption over a long period, plans which at the time relied on tape backups being physically moved to an alternate site 400 miles away. As IT planning evolved, it became increasingly apparent that this subject was not one that could be determined by the IT Department. This was a business issue needing a business-management focus. A 30
Most of us relied on the giant IBM mainframes, and as we came into contact with those planning for more extreme events, such as hurricanes, there was a growing realization that such things applied to us as well.
new term was coined to describe this wider discipline: Business Continuity. This was an attempt to encapsulate the contingency planning required by a business to deal with unforeseen events that might damage it or even drive it out of business, crucially emphasising that this was a business-oriented process and not an IT job. By the time the IRA started to target the City of London, business continuity had become a recognized term, though still in infancy. It has taken some time for it to become widely recognized as a key business management discipline. What of these other terms then? Disaster Recovery is generally used to describe an IT Department’s recovery plans, though other terms have emerged as well. As businesses became increasingly dependent on IT – no longer an added extra but core to the running of the business – it became apparent that loss of service, followed by an extended recovery, was no longer a viable approach to incidents. What was required was continuous, or near continuous, service which allowed users and customers some form of continuous operation. Systems developed that allowed for geographically dispersed data and processing. Even the mainframe world, through Geographically Dispersed Parallel Sysplex, sought to achieve true IT Continuity. And a new term was born.
Slide 2: A Holistic Approach to Continuity Planning | Dave Austin
ISSA Journal | March 2007
The IT continuity plan is now driven entirely by business priorities.
Incident Management emerged from a variety of sources, and in truth is still used to describe a large number of rather different events. In IT, an incident might be any failure that results in a call to the Help Desk – from a printer failing in the office to a complete failure of the organizations main computer capability. ITIL and related standards development have led to the adoption of widely recognized approaches. But these are different from how police, fire services or a local authority would use incident management to describe something as major as evacuating a town to deal with unexploded bombs. Health and Safety, Security and others use this term in a recognizably similar way to the IT Department but will have their own twists on it. In business continuity, the term Crisis Management took hold. This reflected a perception that a material difference existed between the printer going down and the very existence of the organization being threatened by the loss of the data center. Crisis management plans were written and crisis management teams were formed. This reflected a need for top-level management to respond rapidly and in a coordinated way, taking into account the public perception of their organization, the needs of staff, the strategic goals of the organization and the need to provide authority to those dealing with the issues on the ground. However, many organizations subsequently recognized the pejorative nature of this term – crisis management
seemed to imply that a problem had run out of control – and have turned once again to using the term incident management, though now defining this to mean a continuum of events ranging from our printer breakdown to pandemic influenza with carefully defined criteria to determine the incident’s management level. The new British Standard BS25999-1 recognizes this evolution and has used the term incident management while continuing to acknowledge the widespread use of the term crisis management.
So where does this leave us today?
Business continuity describes the strategic and tactical capability of an organization to plan for and respond to incidents in order to continue business operations at an acceptable pre-defined level. For this to be effective a clear incident management structure must be in effect to ensure that personnel can confirm the nature and extent of an incident, take control of the situation, contain the incident and communicate with stakeholders. The subsequent response, however, depends on the effectiveness of the management team in flexibly executing their plans for people, premises, technology, information, supplies and stakeholders. While the IT department may be key in many organizations, it is only one part of a whole organization: incident response and execution of disaster recovery – the IT continuity plan – is now driven entirely by business priorities.
About the Author
Dave Austin, head of continuity services, Siemens Insight Consulting. He can be reached at dave.austin@siemens.com.
31
