Portions of this post originally appeared in the March 2009 Issue of the ISSA Journal.
We just got our first severe weather scare of the year in Texas. A tornado was reported less than five miles from my house by spotters on February 11th. Some of my customers have facilities in Tornado Alley and have heavily fortified their data centers to take a direct hit by a tornado. Usually, the secondary data center is also in Tornado Alley.
Why would you put two data centers in harms way? When you run the probability calculations, the likelihood of both being destroyed is about the same as an intersection in Montana having a Starbucks on every corner ((OK, I’m going out on a limb here… if I’m wrong, just disregard the analogy and pretend like this would never happen.)).
Other parts of the world have different types of concerns like earthquakes, cyclones, and monsoons. Any of these events could easily damage or wipe out a company’s operations. Companies that still believe it won’t happen to them will be dealt a swift lesson in humility should an event catch them unprepared (see this post for another look at the same problem.).
The events of September 11th reminded us of an aspect of BCP/DR that we often overlook. What do we do with all the items that are not destroyed in a catastrophic event? Nature does strange things. Who would have imagined that a data theft could occur from papers flying around Manhattan after the towers came down?
Here are some of the things you need to think about when working on your BCP/DR plan.
Set up your recovery site appropriately. If your business is such that you can survive well without a particular site for a few days, then a hot site setup is not required. If you do need a hot site, then you must consider the physical and electronic security implications of synchronizing data.
Secure the backup site. If you choose to use a hot site for immediate failover, you must treat the hot site the same as your primary site. You should ensure the same level of physical security exists there to prevent burglary or theft, and that you have secured the data in transit between the sites to prevent electronic theft. Hot sites without live processing present so many challenges that several of our customers prefer to load balance between sites instead of having a primary and failover.
Reduce or eliminate risk to physical assets. If your location is in a disaster zone and sustains damage, looters will not be far behind. This means that whatever walls you depended on to keep your location secure may be damaged or destroyed. If someone is wading through a parking lot and happens to notice some nice computer equipment ready for the taking, he may be motivated to take it. Depending on where it ends up, that could easily spell a breach! Any physical asset that is at your location could be stolen. Don’t leave those mounds of paper records lying around for the taking.
Make sure your communications hub is on alert. HAM radio operators will tell you that when all else fails, amateur radio will get through ((I am also guilty of saying this and chasing an occasional storm or two.)). Depending on your requirements, it might be a good idea to have a scanner tuned to local emergency response and amateur radio frequencies (including Skywarn) for a localized disaster. You may even decide to invest in GMRS equipment to keep your emergency personnel in touch in a localized area if your cell phone fails.
Have supplies! Katrina devastated New Orleans. But during the crisis, one Internet provider stayed alive, and the guy in charge blogged about it. Read about his adventure and you will get an idea about what kinds of supplies you might need.
Remember that in times of economic crisis, small incidents are magnified. Is your company well positioned to survive a disaster caused by nature? If not, now is a good time to revisit and make sure your board has all the information they need in order to make the best decision for the business.
Possibly Related Posts:
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug
- Improve Outbound Email with SPF, DKIM, and DMARC
- Life after G-Suite/Postini