Disaster Recovery Plan. Are you prepared?

Getting Disaster Recovery Right

Disaster recovery was first thrust into the IT spotlight as Y2K approached. It re-appeared after the terrorist

attacks of Sept. 11, 2001. Those who still didn't take it seriously got a reminder during the Gulf Coast hurricane

season of 2005.

With Gulf Coast devastation fresh in their minds, storage managers and CIOs are hopefully scurrying around taking

ample precautions. Donna Scott, an analyst at Gartner, notes a far greater boardroom awareness of disaster recovery

since the Sept. 11 attacks.

"Every major disaster -- including the recent blackouts and Katrina -- raises awareness of how important IT availability

is to the continuing health of any business," says Scott.

Yet according to Lenny Monsour, director of product management at SunGard Availability Services in Wayne, Penn.,

greater awareness does not necessarily translate into firm disaster recovery commitment. He reports that after a hurricane,

or any other regional disaster, his company typically sees an upsurge in interest, which often doesn't result in

new sales or contracts.

"For most companies, the notion seems to be that 'this won't happen to me,'" Monsour says. "It is critical that businesses

in high-risk regions take the appropriate precautions before a hurricane hits."

Monsour recommends that businesses in high-risk regions first outline their business processes to understand how

they rely on various technology systems. Sales processes, delivery process, finance process, human resources

process, and other elements of the business should all be reviewed in order to develop an appropriate plan to help a

business recover should its primary office be significantly damaged by a hurricane.

"Documents such as a Business Impact Analysis and a tested Business Continuity Plan help a company ensure they

can respond to a hurricane," he says. "They specify how critical applications can be recovered in minutes and how

less critical systems will be brought back online at a slower rate. Additionally, companies should have a place for

employees to go to recover and continue working."

Site Selection Looms Large

That location, though, had better be chosen wisely. Stephen Foskett, director of strategy services at GlassHouse

Technologies, discovered that a lot of companies in New Orleans had their data off-site -- but still in the path of the

storm. Thus site selection means being far enough away to be outside the disaster zone yet close enough that staff

can reach it.

"Also, make sure that there are systems (such as servers, networks, and other facilities) there to use the data when

it is needed," says Foskett. "I know of one bank that had their data replicated off-site but still couldn't bring their

systems up because they lacked the right servers at their remote data center."

Scott believes it unlikely, during some types of disasters, that people with family within the affected area would be

willing to travel away from their loved ones. She suggests, therefore, that large organizations operate two data centers

-- for example, one in Houston and another in Dallas -- and split IT and storage resources between both sites.

Perhaps half the production load is done at each location and backed up to the other data center. Alternatively,

smaller companies can bring in remote consulting resources as part of the DR plan. People who are grooved in on

the company's IT needs and are available to function during an emergency.

"You need these resources to be involved in DR testing and possibly sitting in on weekly meetings," says Scott. "It's

too late to think about calling SunGard once disaster strikes."

Keeping Costs In Line

Being fully prepared can, of course, result in staggering expenditures. So is there a way to cut costs?

"It takes big money to become windproof/waterproof, have a sturdy stand-by power supply, and be able to mirror

Getting Disaster Recovery Right

applications to a remote site," says Clive Longbottom, an analyst

at U.K.-based Quocirca. "As only the largest companies can

afford it, hosting is frequently used to reduce the bill."

He notes that outside services almost always have better disaster

recovery plans, more durable facilities, all the back-up power

they need, and multiple sites that can mirror each other. They

also tend to be in old nuclear bunkers, bank vaults, or specially

built units that can withstand most of what nature can throw at

them.

Another way companies attempt to reduce costs is to forgo the

expense of the latest technologies and make do with recovery

from tape. Tape can be invaluable in cases of data corruption,

and are certainly a lot cheaper than online copies (replication).

But it can take days or even weeks to recover systems from

tape.

"Don't rely on tape backup alone for DR protection," says

Foskett. "There are some serious limitations to relying on tape.

Some New Orleans companies found out too late that their 'offsite'

tapes were stranded in the same city, surrounded by flood

water for weeks."

Foskett suggests a DR plan designed around techniques like

long-distance replication and clustering. These, however, are

seriously expensive technologies, so DR planners must try to

limit the amount of data that is afforded maximum protection.

Scott recommends organizations interested in replication take a

closer look at the different ways replication can be achieved --

storage controller-based replication and host-based replication

are just two possibilities, she says.

But replication and clustering are far from the only technologies

required. Monsour adds vaulting technologies to the list of technologies

needed to get businesses back up and running fast.

Longbottom includes back-up power, closed system air conditioning

(very expensive), water pumps, and air-lock entrance systems

(to maintain standard pressure within the building).

Scott also touts the virtues of virtualization as a way to keep DR

simple and the budget under control, particularly on Windowsbased

system.

"Virtualization helps you abstract the hardware and software so it

doesn't matter if you are shifting data from Dell to HP boxes, for

example," she says.

How Far Away is Far Enough?

New Orleans domain name and hosting provider Directnic.com

Getting Disaster Recovery Right

Applied Research conducted its Disaster

Recovery/Business Continuity Survey in December 2005

by polling 500 IT/IS managers. The goal was to paint a

picture of the state of business continuity among today's

enterprises.

Although figures and data points abound, one stands out

for the astonishing lack of preparedness on the part of a

sizable number of organizations.

When asked if they had a business continuity plan in

place, nearly half, 46 percent, answered no. Moreover, 27

percent of those saw no need to take such precautions,

though 33 percent did admit to simply lacking

resources. Another 20 percent cited complexity for the

shortfall, while a 12 percent minority pointed to cost.

Commenting on why only 54 percent of IT managers in

the survey had a complete disaster recovery plan in

place, Peter McKellar, group product manager, Symantec

Corporation, pointed to a big shortcoming for some businesses.

"Recovering data without making provisions for recovering

applications is a lot like having the sheet music but

no instruments, musicians, concert hall or conductor to

play the symphony. It's just not going to get the job

done," says McKellar.

After a crash, though, cost can become a big factor. For

most, recovery costs nothing (26 percent) or less than

$10,000 (29 percent). For 8 percent of IT shops, however,

the price tag can balloon to over $100,000.

And the bottom line looms large over future disaster preparedness

plans. Twenty-three percent cited cost as the

biggest challenge in that regard, while recovery time,

natural disasters and viruses also ranked high.

Luckily, the majority of respondents seem to be able to

recover rather quickly after a system outage, with 67

percent reporting that it usually takes hours (as opposed

to days) to get back on their feet. Some (14 percent) are

back up and running in a matter of minutes. Seventy-six

percent of those that responded felt that those times

were acceptable for their business.

--Pedro Hernandez, Enterprise IT Planet

adopted an interesting strategy during Hurricanes Katrina and Rita -- dig in and grind it out. Situated in a high rise in

the central business district, IT staff and its crisis manager battled through winds, floods, looting, army raids, power

cuts, diesel shortages, water shut-offs, and more to keep the data center running.

"We made sure that our critical infrastructure, which supports 400,000 Internet clients around the world, did not go

down," says Sig Solares, CEO of Intercosmos Media Group, the company that operates Directnic.com.

While the company made it despite facing hell and high water, it's no surprise that management is now talking about

implementing additional backup and disaster recovery options outside of New Orleans. But how far away should

alternate sites be located to be safe?

Imagine a company from New Orleans with a backup data center in the vicinity of Houston or Galveston. Such a

business would have been in severe jeopardy due to recent events.

"You have to be far enough away to be beyond the immediate threat you are planning for," says Jim Grogan, vice

president of consulting product development at SunGard Availability Services in Philadelphia. "At the same time, you

have to be close enough for it to be practical to get to the remote facility rapidly, preferably by car."

One Rule of Thumb

Take the case of a company where the biggest threat is tornadoes. Any recovery site would obviously be located

outside of that weather pattern. Similarly in California, you don't want your DR site located on the same fault zone.

"You have to be far enough apart to make sure that conditions in one place are not likely to be duplicated in the

other," says Mike Karp, an analyst with Enterprise Management Associates of Boulder, Colo. "A useful rule of thumb

might be a minimum of about 50 km, the length of a MAN (Metropolitan Area Network), though the other side of the

continent might be necessary to play it safe."

He tells of one major corporate IT room in a midwestern city whose "remote" site is literally two city blocks away

from the company's primary location. While they have little to fear from hurricanes, floods, or earthquakes, the entire

IT operation and much of the shareholder value might evaporate in case of an unforeseen local disaster.

And that's the whole point about disasters -- you never know what you are going to get. Certainly with catastrophic

situations such as double hurricanes or 14-state power outages, you have to be able to think pretty big to anticipate

a threat of that magnitude, but who knows what to expect when the extremes of Mother Nature and outrageous fortune

collide?

"These kind of watershed events change how DR planning is done," says Grogan. "Most people think smaller than

these types of events."

A Post-9/11 Guideline

So how far away is far enough? An interagency white paper by the SEC, Federal Reserve, and other agencies that

came out after Sept. 11 suggested a 200-mile plus separation between the primary and secondary facilities.

However, industry response was that this wasn't practical since the technology didn't exist to support synchronous

updates of large-scale transactional databases and other applications without a large performance hit. As a result,

the final draft called for a more lenient "geographical dispersal." That means don't be in the same weather pattern or

fault line or serviced by the same power grid and telecommunications and utility providers.

"It is vital to consider the risk events that the company is protecting itself against," says Chip Nickolett, a DR consultant

for Comprehensive Solutions of Brookfield, Wisc. "Take into account fault lines in some areas, and potential

hurricane paths in others -- i.e., how far a Category 5 hurricane could potentially come inland."

Getting Disaster Recovery Right

Karp agrees. He recommends positioning a remote site in a geologically uninteresting place such as South Dakota

or Montana rather than Silicon Valley.

Another important factor is ease of access. How easy, for example, would it be for the recovery teams to get to the

site, and how feasible is it from that location to gain access to the necessary network and telecommunications infrastructure?

A truly isolated site might look wonderful on paper. But if it takes 24 hours after a disaster is declared to

staff it, and the telecom provider treats it as a low priority rural area for services, you might struggle to get systems

online quickly enough to keep the business afloat.

If you decide to go with a hot site provider such as SunGard or IBM, the assigned recovery site is often determined

by factors such as equipment requirements, capacity within the site, and the number of other customers from that

region. As a result, there might not be much of a choice regarding how close or how far the recovery site is in these

scenarios.

"In these cases, it is especially important that a company have definitions of what constitutes a disaster, and has

clearly defined who has authority to declare a disaster and what that procedure is," says Nickolett. "It may be very

important to declare a disaster quickly in order to secure the necessary resources, as these companies may have to

utilize a 'first come, first served' approach due to high demand."

For Katrina and Rita, this did not prove problematic for SunGard. The company claims a 100% recovery rate for its

affected customers, who made use of disaster recovery sites in Texas, Georgia, Philadelphia, and other areas.

Grogan reports 24 disaster declarations for Rita, of which 14 have now returned to normal service delivery at the

main office. For Katrina, 30 disasters were declared, and 17 continue to use SunGard hot site services.

"Because of the nature of the outages, these customers are not in a position to tell how long their stay with us may

be," says Grogan. "The customers that have returned home are mainly those located on the edge of the worst

affected zones."

Be Prepared

The motto for disasters is to be prepared. Directnic.com, for example, has a Gulf War veteran crisis manager on

hand who secured the building and took care of basic survival elements such as drinking water and hygiene despite

having no city water available. Between those safeguards and IT staff who knew what they were doing, the business

hardly skipped a beat. That sort of result was no accident.

"To be ready for disaster, you have to plan for it and thoroughly test the plan with a variety of drills," says Grogan.

Just how many firms in the New Orleans area were unprepared, hadn't drawn up a realistic plan, and hadn't drilled it

to the point where staff could function? For some of them, it is already too late. For the rest of us, though, there is

an opportunity to learn from the experience and take action now.

"As you look at the news of the hurricane aftermath, imagine what you would do if you were in charge of disaster

preparedness for a site in the area affected by Katrina," says Karp. "If you don't have a list of disaster instructions,

including a hierarchy of whom to call when things get rough, this is a really good time for some self-examination.

Ask yourself how long can your company's IT operations remain offline."

Is Your Recovery Plan Good Enough to Save You?

Not all organizations realize the critical need to internalize planning and may figure they will let the government help

them if the time comes. What they don't realize is that even if a disaster strikes, there may not be aid. They must

take care to preserve their own business continuity.

Organizations simply must take control of their own recovery plans.

Getting Disaster Recovery Right

In September of 2005, Wisconsin was struck by 27 tornados that damaged 400 homes. Their request to be

declared a federal disaster area to get government assistance was denied.

Can You Gamble on Getting Assistance?

Despite living in a city that was below sea level, many in New Orleans did not have flood insurance, yet were covered

for hurricanes -- or so they thought. Heated debate and lawsuits are arising from carriers declining claims

based on arguments that the property damage was not caused by the hurricane directly, which would be covered.

Some claim the storm surge and subsequent flooding is what caused the damage and that would not be covered

by insurance policies.

The issue is that flooding requires a separate rider that many did not buy. If those families and businesses do not get

reimbursed from insurance, how will they fair? Have you checked your insurance policies lately against your most

likely risks to make sure you have the appropriate coverage to ensure that recovery is possible?

To worsen many already dire situations, some organizations in New Orleans dutifully sent their backup media to offsite

storage sites located around the city. Not only did some groups lose their on-site data, but the offsite data was

destroyed, as well.

Given your most likely risks, do you have a backup process that safeguards your data from regional incidents? Do

you need to guard against regional disasters, and if so, how far away must the backups travel?

The Need for Planning

With just these few examples in mind, when was the last time you and your team sat down and ran through the

most likely scenarios that threaten your organization? The careful review should move beyond abstracted risks and

focus on layered situations. Move past ''what if we lose power?'' and instead focus on realistic matters such as

''what if lightning takes out both the primary and secondary grids that feed our facility?''

The power company's communication structure is in disarray and an estimated time to recover is not even available.

What must be done immediately? What do we do 30 minutes into the outage? What do we do an hour in? At what

time do we begin powering down systems and in what order? How do we inform employees?

The idea is to use realistic situations to foster dialogue and to capture and formalize ideas that are scattered through

the team. The end result must be a disaster recovery plan that covers the most likely scenarios. Whether there are

three, five or 20 scenarios, the exact count will depend on the organization and the risks that confront it.

The goal is to plan to the level that management feels is adequate.

Whenever a disaster strikes, even a small one, take the time to review lessons learned. Determine what worked well,

what did not and revise plans accordingly.

Business Continuity

Moving beyond disaster recovery is the idea of business continuity.

How will you keep the business running during some kind of disaster? If disaster recovery is concerned about

restoring a given service back into production, business continuity planning is concerned with the holistic issues surrounding

keeping the business running or getting back up and running as quickly as possible to minimize impacts.

Some organizations get hit by a disaster and disappear. We, of course, don't want that to happen to us. If we return

to our power example from above, think about what business processes are most critical to our ability to stay operating.

What is needed to operate? If the automated systems are down, can they run manually?

Getting Disaster Recovery Right

Experience a utopian world of storage. Visit hp.com/go/storageutopia7

1-888-367-1949

1. Dual-Core is a new technology designed to improve performance of multithreaded software products and hardware-aware multitasking operating systems and may require appropriate

operating system software for full benefit; check with software provider to determine suitability; not all customers or software applications will necessarily benefit from use of this technology.

Intel’s numbering is not a measurement of higher performance. Intel, Intel logo, Intel Inside, Intel Inside logo and Intel Xeon are trademarks or registered trademarks of Intel Corporation

or its subsidiaries in the United States and other countries. L.P. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.

Technology for better business outcomes.

Imagine a storage environment that’s simple, straightforward

and virtually effortless. The HP StorageWorks 1200 All-in-One

Storage System lets you manage your ever-growing data

using a simple Windows® application, in a language you

already know. Call it utopia, nirvana, or just plain easy.

Storage utopia

is not a myth.

Alternative Thinking About Storage:

These questions are aimed at understanding the organization's requirements and then layering IT's capabilities in to

support the business. Organizations must review their risks and then develop options to mitigate continuity risks.

For details, there are many resources on the Web that have been quietly evolving. There is a wealth of recommended

practices out there to aid in your planning, including recommendations in ITIL and ISO 17799. Furthermore, discuss

matters with your team and industry association to get started.

There are many avenues to consider. Groups that haven't dusted off their disaster recovery and business continuity

plans since Y2K should get them out and run through them, thinking about the disasters most likely to strike. The

scenarios should be detailed enough that responses are gauged, corrective actions defined and investments

approved.

Organizations can't take their responses for granted. If they do, they might be faced with the day when planning

would have made the difference between being in or out of business.

Proving Your Disaster Recovery Plan Works

There is an increasing emphasis by top management and government regulators on asking disaster planners to

demonstrate that their plans will actually work.

For an organization with even a limited amount of complexity this "show me" requirement can seem overwhelming --

in terms of cost, disruption, and time expended. However, by dividing the task into four levels of increasing difficulty,

it is possible to meet that requirement while minimizing disruption.

Basically, there are four kinds of tests available for a contingency or disaster recovery plan: 1) the blink test; 2) audit

assessments and structured walk-throughs by "independent experts"; 3) component tests; and 4) "pull-the-plug"

exercises.

Blink Test

This is often linked with the disaster recovery training cycle. Each task within the plan is first assigned to a specified

employee who is then asked to sign a statement saying that they have read and understood the plan as it applies to

them and that they are able to carry out their assigned roles within the plan, noting any limitations they may have in

carrying them out.

At that point, we've discovered that people begin to speak up and say, "Wait a minute. I'm not authorized for that,"

or "I don't retain that information," or even "I have family commitments that preclude that." The response has to be,

"What do we change in the plan to get you to sign the statement?"

Audit Assessments/Structured Walk-Throughs

Both internal and external experts next review the plan. Internal experts can include personnel from outside departments

who are familiar with how the areas under evaluation operate. These employees are asked to walk through

the various scenarios covered by the plan and to provide independent comments, based on their expertise and

familiarity with the daily ebb and flow of the specific operations.

To obtain reviews from external experts, representatives of the planning team should be participating in, and to the

extent possible, presenting their plan components at region-wide contingency management organizations such as

NEDRIX (New England Disaster Recovery Information Exchange), the Business Recovery Managers Association in

California, the Business Continuity Planners Association in the Midwest, or others.

Component Tests

Disaster recovery plans involve many components that can be tested independently. Of course, when the disaster

Getting Disaster Recovery Right

strikes, these components must all work together, but if independent components can be shown to work by themselves,

they can be counted on to do their part when the crisis occurs.

Among the specific components that can be independently tested are the recovery and re-installation of backup

files; after-hours emergency notification of employees and suppliers; emergency generator operation; and building

evacuation procedures.

Component testing also includes simulating a disaster at a single site for organizations that have many locations. By

taking one small office offline or relocating it temporarily to its backup site, the department could flush out many

problem areas in the transition from normal to crisis-mode and back to normal again. Later on, the plan could be

further tested at larger offices.

"Pull-the-Plug" Exercises

Finally, it is necessary to resolve the question of whether or not all the various plan components can actually work

together when they have to. This basically requires a "pull-the-plug" test, in which the entire organization is taken

down and then re-opened and operated at alternate sites.

For most organizations, this is simply too disruptive to actually carry out. However, real life often intervenes to make

it happen anyway. In those cases, when a mini-disaster happens, planners need to document the events in detail as

if it were a test so that afterwards they can assess the following issues:

• Exactly what happened to cause the crisis

• What damages occurred as the crisis unfolded, following the causing event

• What had been the planned responses to the situation

• What actions were actually taken by the personnel affected and the responding personnel

• With the benefit of hindsight, what should have been the responses of the personnel affected and the responding

personnel

• What was learned for the future - what worked and what didn't

• How should the disaster plan be modified

• How should the disaster plan modifications be communicated to all personnel

It is crucial to remember that this testing process is always a work in progress. It needs to be repeated on a regular,

ongoing basis, with continual documentation and feedback to all involved.

Disaster Recovery vs. Business Continuity

Many IT departments think disaster recovery (DR) and business continuity (BC) are the same thing. As a result, they

tend to take a largely technology focus on the subjects.

And that's a problem, according to Michael Croy, director of business continuity at Forsythe Technology Inc., a

Chicago-based IT consultancy and infrastructure firm specializing in business continuity and risk management.

"Many people are still confused by the terms DR and BC," says Croy. "It is critically important that the DR plan is

based on a solid BC plan that has taken into account the reality of the business requirements for recovery. If the DR

plan cannot meet the requirements of the business units, it is of no value."

Croy says business continuity plans touch all functions of a business -- from personnel to facilities to IT. In terms of a

hierarchical view, business continuity is at the top. Below it is the disaster recovery plan. And under that come technologies,

such as enterprise backup, recovery, and restoration.

But true disaster recovery extends much more broadly than back-up processes by using mirrored sites and replicat-

Getting Disaster Recovery Right

ed data to respond to an event. Similarly, business continuity

goes well beyond disaster recovery by encompassing every

aspect of company operations that could be impacted by a situation.

Human resources, power supply maintenance or backup,

transportation, food, health, and safety issues all fall within business

continuity.

The IT department with its disaster recovery plan is one element

of a larger business continuity scenario.

John Glenn, a certified business continuity planner based in

Clearwater, Fla., agrees that IT administrators need to take a

wider view.

"Most people, especially MIS/IT folks, think BC is just a new

name for DR," says Glenn. "The difference is that DR for IT focuses

solely on IT, and what IT perceives as the business unit's

requirements. BC, on the other hand, should focus on the business

units and, by extension, all the resources required by the

business unit."

Industry observers say it's clear that disaster recovery is one element

of business continuity. While IT is junior to BC as a whole,

the IT organization plays a central role in business continuity.

"It's a big mistake to think the IT department is the only department

needed to develop, test, and recover the business," says

Gartner analyst Roberta Witty. "It is advisable to form a business

continuity program with a dedicated team of people with a senior

management sponsor."

IT, though, would provide one representative to the core BC committee.

According to Witty, the committee would be comprised of anywhere

from two to five members, depending on the size of the

organization. This group would take a wide view of potential disasters.

For example, consider employee health and welfare during an

event. In a regional outage, you can't expect personnel to show

up for business recovery if they are having serious problems at

home related to the event. You must support them and help

employees be better prepared at home for disastrous events. The

American Red Cross, she says, can be brought in for this kind of

training and awareness building.

Michael Gruth, head of system and network support at Deutsche

Borse AG, the German exchange for stocks and derivates, says

the IT staff tends to find it easier to relate to the hardware, software,

and networking components of DR. He has assembled an

Alphaserver/OpenVMS cluster over two sites 5 km apart. In the

Getting Disaster Recovery Right

Expeditious recovery in the event of a disaster that

impacts the processing and access of business critical

data and financial systems should be the top priority of

any organization. Furthermore, this is a never-ending

priority project, because as our IT systems evolve and

grow, our recovery plans must keep pace.

The first step any reasonably sized company should

take is to take create a full-time Disaster Recovery

Manager position. This position should be filled by a

seasoned IT veteran and report directly to the CIO as

well as having an open door to the CEO and senior

business operations executives. A Disaster Recovery

Manager that meets this criterion and has the ear of the

higher-ups will be sure to develop and maintain an airtight

recovery plan for the business.

The next step is to identify a steering team of business

process owners and information technology infrastructure

and system owners. This team, based on the direction

of business operations, will determine what systems

and in what order they will be recovered in the

event of a catastrophe.

Now the grunt work begins, and depending on the size

of the business and the magnitude of the information

technology systems, the planning will require a tremendous

amount of foresight, investigation, and documentation.

Most businesses have gravitated away from single

mainframe processing to client/server and distributed

systems architectures. This being the case, a myriad

of system and hardware dependencies must be documented

and accounted for in any disaster recovery

plan.

By this time, the application support and infrastructure

teams should have determined what applications and

hardware platforms must be recovered as well as the

network connectivity to those platforms. Now is the

time to determine where the recovery will occur.

Depending on the size of the company, this could be

another company-owned data center at another location.

However, in most cases, a third-party company

that specializes in disaster recovery must be contracted

with.

--Jerry Hodgen, Enterprise IT Planet

process, he discovered there is a lot more to DR than additional Alphas and switches.

"Do not forget things like having an office at your mirror site for remote management," says Gruth. "Also, don't forget

the human factor. While it may sound harsh to think about having additional employees to recommence business

in the event of a tragedy, this is the reality we live in since 9/11."

To help IT come to terms with a broader scope than disaster recovery, some IT organizations are dropping the term

in favor of business continuity.

"We have gotten away from the term 'DR' as it assumes the facility is not available," says Jeff Russell, CIO of The

Members Group, an Iowa-based company that provides card processing and mortgage services to credit unions.

"BC, on the other hand, deals with how we continue despite business interruption."

State-of-the-Art Pencils

Disaster recovery projects can easily run aground or fail to be funded if they are done in isolation. Glenn says it is

essential to begin every initiative from the business continuity perspective in order to give technology its correct business

context.

"Every organization I know about puts BC/DR under the IT umbrella," says Glenn. "My preference is to put BC -- of

which DR is a subset -- under the CFO, CEO, COO… someone with some real clout.'"

To make his point about business continuity not being a matter of technology, Glenn enters the debate about what

is the best platform for disaster recovery, or what technological elements are most critical. Should you use

OpenVMS or UNIX, mirroring or disk-to-disk backup, SAN or NAS, or all of them? Glenn cuts through the complexity

and vendor hype with a simple answer.

"My number one DR or BC technology is pencil and paper,'' he says. ''Seriously, it's not about platforms or technologies."

This content was adapted from internet.com's ServerWatch and Enterprise IT Planet Web sites, and EarthWeb's

Enterprise Storage Forum Web site. Contributors: Drew Robb, Steven Lewis, and George Spafford. Copyright 2006

Jupitermedia Corp.

9

Getting Disaster Recovery Right

JupiterWeb eBooks bring together the best in technical information, ideas and coverage of important IT trends

that help technology professionals build their knowledge and shape the future of their IT organizations. For more

information and resources on storage, visit any of our category-leading sites:

www.Enteprisestorageforum.com

www.internetnews.com/storage

www.linuxtoday.com/storage

www.databasejournal.com

http://news.earthweb.com/storage

www.internet.com/sections/it/

For the latest live and on-demand Webcasts on storage, visit: www.jupiterwebcasts.com/storage/