DISASTER RECOVERY PLAN

Disaster Recovery Plan



Disaster Recovery Plan

Introduction

Disaster recovery planning is a relatively new concept in the larger field of computer security and controls. In an atmosphere where quantifiable return-on-investment is a pervasive tool to judge performance and new projects, the intangible nature of the returns from disaster recovery planning, combined with the time required and the cost of securing backup services, has contributed to the relatively slow adoption of this concept by American business. However, with every new investment by a company in data processing, the operations of the firm become more computers dependent and the risks multiply. In a 1980 Computer Decisions article, Louis Scoma, Jr., President of Data Processing Security, Dallas, Texas, described the gap this way, "While millions of dollars are being spent on fourth-generation hardware, many companies are still using first-generation protection and security procedures for their major asset".

Realization of the impact which destruction of most or all automated data processing functions would have upon the viability of the organization is a strong impetus for the development of a recovery strategy. A study conducted in Minneapolis-St. Paul found that "a majority of firms would be forced to cease all or most of their daily operations within one week of a total data center loss" and, even more alarmingly, concluded that most computer dependent firms could survive only seven to thirty days after such a disaster. Insurance mitigates the financial loss but does nothing to regain lost data - or customers.

Pressures for the development of a recovery strategy are being brought to bear from outside the organizations as well. The General Accounting Office (GAO) recently reviewed preparedness at federal agencies and found it insufficient. Financial institutions subject to examination by the Comptroller of the Currency are required to plan for backup. Industry in general is impacted by the Foreign Corrupt Practices Act (FCP A) of 1977, which has been interpreted to mean that the government and the stockholders can hold executive officers personally liable for the loss of inadequately protected corporate assets. Fueled by the FCPA and its like, internal and external auditors are pressing for assessment of risks and planning for loss contingencies.

Although attention has been paid in the literature to the functional aspects of disaster recovery planning, such as risk analysis and critical applications identification, relatively little research has been reported quantifying how many businesses have actually followed through with such planning.

A landmark study, previously mentioned, which was done by a group of University of Minnesota graduate students in 1978, could uncover no comprehensive research relevant to the subject; the scope of the Minnesota project itself was limited to analyzing the exposure of 37 companies in the Twin Cities area.

A second report was prepared in 1978 by the Information Systems Group of Arthur D. Little, Inc. (ADL), the Cambridge, Massachusetts, and consulting firm. This frequently cited study surveyed only 49 major U.S. corporations. Given the size and complexity of the American business milieu, this is certainly too small a ...