Disaster recovery planning: a strategy for data security

Steve M. Hawkins
Department of Decision Sciences and MIS, Miami University, Oxford, Ohio, USA
David C. Yen
Department of Decision Sciences and MIS, Miami University, Oxford, Ohio, USA
David C. Chou
Department of Business Computer Information Systems, St Cloud State University, St Cloud, Minnesota, USA

Keywords
recovery, Data security, Networks

Abstract
The migration from centralized mainframe computers to distributed client/server systems has created a concern on data security. If a disaster occurs to the organization that destroys a server or the entire network, a company may not be able to recover from the loss. Developing an effective disaster recovery plan will help an organization protect them from .

Information Management & Computer Security 8/5 [2000] 222–229
© MCB University Press [ISSN 0968-5227]
The current issue and full text archive of this journal is available at http://www.emerald-library.com

Introduction

The centralized computer systems are now replaced with or connected to the distributed systems. Also, multiple servers are connected to each other on a corporate network to balance their processing power. If one of the servers in the networked environment crashes, troubles will arise for both the users and the company.

There are a variety of reasons that cause systems to crash. For example, the lack of system security and employee sabotage are the main concerns. While computer hackers live outside of the company walls, this is not always the case. Although passwords and firewalls help keep viruses and intruders from entering the corporate systems, sometimes they are useless. Corporate management needs to recognize the necessity for data security.

A disaster could cause companies an interruption for a period of time. The Business Recovery Plan is the document used to assist an organization in recovering its business functions. A Disaster Recovery Plan (DRP), however, is a document designed to assist an organization in recovering from data losses and restoring data assets. A DRP should be a pro-active document, a living and breathing document. It does not document the tasks; it is an action plan that is used to identify a set of policies, procedures, and resources that are used to monitor and maintain corporate information technology (IT) before, during, and after the disaster. Possible IT disasters include (Semer, 1998):
- natural disasters, such as fires, earthquakes, lightning, storms, and static electricity;
- software malfunctions;
- hardware or system malfunctions;
- power outages;
- computer viruses;
- man-made threats, such as vandalism, hackers, and sabotage; and
- human error, such as improper computer shutdown, spilling liquids on the computer, and cigarette ash.

was a term coined by computer vendors between 1960 and 1980 – the era of the centralized mainframe computer (Colraine, 1998). During that time, a disaster recovery plan was used to mainframe computers.

A disaster recovery plan was similar to an insurance policy that provided a protection from natural disasters, such as earthquakes, floods, hurricanes, and tornadoes. Disaster recovery plans during these years were typically used by organizations that have large mainframe computers and data sites for daily business operations. Since data recovery planning process was expensive, an alternative was to back up the data from the and store it at alternate locations. During the 1970s, providing backup data services was a lucrative business.

According to the third annual information security survey conducted by Information Week and Ernst & Young, nearly half of the more than 1,290 respondents representing information systems chiefs and security managers suffered security-related financial losses in the past two years (Panettieri, 1995).

Most companies hesitate to develop a disaster recovery plan until a disaster occurs. According to another survey (Patrowicz, 1998), 85 per cent of the Fortune 1,000 companies have disaster recovery plans. Within these companies which have disaster recovery plans:
- 80 per cent have plans that protect their resources;
- 50 per cent have plans that protect their networks; and
- less than 35 per cent have plans that protect their data on PC LANs.

In an Ernst & Young/Computerworld Global Information Security Survey of 4,255 IT and information security managers, 84 per cent of them said that their senior management believes that security management is "important" or "extremely important." Of these respondents, over 50 per cent of them stated that they lack a disaster recovery plan (Anthes, 1998). However, most of the problems stem from the lack of communication at the corporate level.

The growth of distributed systems and the global business environment make corporate decision makers believe that having a backup or recovery plan is necessary. Many companies need to process the mission-critical information stored in distributed or client/server systems throughout entire enterprise networks. One of the success factors for a company's business operations is based on the continuance of these enterprise networks. Client/server systems have replaced the centrally located mainframe, residing at multiple sites in a building or across a corporate WAN. Consequently, protecting these client/server systems has become a major priority for corporations today (Colraine, 1998).

Distributed systems are becoming an architectural standard for networked organizations. These systems have diffused mission-critical data across local area networks which extend corporate resources to remote work sites. As distributed systems continue to replace the "glass house" environment of the mainframe, the data decentralization is going to increase in the future (Mello, 1996).

According to a survey conducted by the research group of David Michaelson & Associates, the respondents stated that 43 per cent of the data housed on corporate PC LANs today is mission related (Mello, 1996). Of these respondents, 77 per cent employ a continuous or daily backup for their PC LANs, and 89 per cent of them follow some kinds of backup procedures. It is a dramatic increase from a similar 1993 survey, in which only 45 per cent of the organizations stated that they backed up their PC LANs on a continuous or daily basis. As the distributed system model continues to become the de facto standard in most corporate networks today, companies will eventually learn – either by proper planning or their own unfortunate experience – that having a disaster recovery plan is vital for their survival in today's networked environment.

This paper identifies the importance of disaster recovery planning in the business world. The benefits and limitations of developing a disaster recovery plan are identified in the next section. An analysis framework for developing a disaster recovery plan is introduced next. This is followed by an illustration of a step-by-step strategic planning process that an organization could follow to develop their own DRP. Finally, conclusions are stated.

Benefits and cost of disaster recovery plans

Corporate decision makers must look at every aspect of a DRP before implementing it within their organization. Listed below is a summary of the benefits and costs of developing a DRP.

Benefits of developing a DRP

Developing a DRP means identifying the steps that assist an organization in recovering from data losses and restoring data assets. This process generates the following seven benefits:
1. Eliminating possible confusion and error. By organizing the response teams to take care of specific responsibilities during a disaster, management can focus their attention on other critical issues related to disaster recovery. Depending on the nature and scope of the disaster, managers need to handle customer relations, company liability, vendor issues, additional staffing needs, and legal issues.
2. Reducing disruptions to corporate operations. As tactical response teams or qualified personnel are in place and an alternate site is available within a short amount of time, corporate operations can be re-established quickly with minimal delays.
3. Providing alternatives during a disastrous event. By developing a DRP before disaster strikes, top-level management can take the time needed to consider all of the alternatives and choices for disaster recovery.
4. Reducing the reliance on certain key individuals. If the responsibilities of re-establishing a LAN were left to the systems administrator or network administrator, and that particular individual was injured during the disaster, the corporate network would have a difficult time re-establishing itself in the shortest amount of time. By delegating recovery responsibilities to key individuals who know exactly what to do in an emergency situation, the company can develop redundancy within its corporate hierarchy so that they can replace those individuals who are unavailable in the disaster.
5. Protecting the data of the organization. Data are one of the most important assets in an organization. Data are stored in many different forms, including databases, spreadsheets, and documents. The data that are vital to the organization may include customer databases, financial documents, mailing lists, and EDI forms from vendors and customers. Most of this data could be stored on magnetic media, such as tape backup or on hard drives in LAN servers. If a company is located in an area that is vulnerable to floods or severe weather, its DRP may include elevating computer equipment off the floor and onto wall-mounted racks where initial flooding will not damage the computer equipment.
6. Ensuring the safety of company personnel. When a disaster demolishes the building, corporate offices need to be relocated. A DRP could also include a logistical support group that would provide comprehensive support to employees.
7. Helping an orderly recovery. Because a disaster recovery plan covers most of the problems that could happen during a disaster and provides the necessary resources to solve those problems, management can focus its attention on other critical issues.

Costs of developing a DRP

Developing a DRP is not easy. It needs to consume corporate resources to make it successful. It has at least the following two types of costs:
- Cost of DRP preparation. Corporate management could spend a long time identifying mission-critical systems that must be implemented after a disaster. This project could cost a company a tremendous amount of man-hours. If a company chooses a third party vendor to develop their disaster recovery plan, the costs could be considerably higher. The challenge to developing a DRP is to convince top-level management that the plan is worth the investment.
  The New York World Trade Center bombing in 1993 displaced thousands of workers for weeks, causing a financial impact on 350 firms located within the trade center (Stefanac, 1998). By performing some risk analyses to corporate management, they may well consider adopting a DRP.
  A disaster recovery plan does not have to be an elaborate framework of policies, procedures, and hardware. In fact, preparing a disaster recovery plan may simply outline the procedures for performing nightly data to a mirror site via a telephone line. The minimum goal of developing a DRP is to protect the data.
- Cost of corporate resources. Implementing a DRP requires a strong commitment. It needs the support from top-level management, the cooperation from employees in the company, and the availability of an inventory of all the mission-critical resources of information technology.
  If a company lacks the experience of developing its DRP, outsourcing could be a good choice. Consultants such as IBM, Comdisco Inc., and SunGard Recovery Services Inc. could provide assistance to all of its needs.

Analysis framework of DRP

Any company beginning a DRP project should perform a risk assessment for its information technology. This involves checking their network inventory and identifying the resources needed to maintain daily business operations. After analyzing the resources, they must develop a plan of action. This could be a set of procedures or a multiple-volume instruction manual. After developing this plan, the company could integrate it into its business strategies. Also, this company needs to train its employees about specific tasks to be done and how each employee is involved in the process. This implementation process should be reinforced by the company at least once a year by conducting mock disaster scenarios. This process will ensure each employee keeps his or her skills up-to-date in the event of a disaster.

The DRP development involves three process stages: construction, adoption, and evaluation. The DRP development starts with the construction process. During this process, ideas and concepts are transformed into tangible tasks and procedures. A DRP planning committee is formed to include representatives from all functional areas of the company. This committee performs risk analysis for each functional area of the company in order to determine the consequences and potential damages caused by a disaster. When the analysis is complete, a plan of action is developed and presented to top management for approval.

After management's approval, a DRP is adopted and integrated into the company's daily business functions. This process stage includes activities such as employee training and awareness, modification of job descriptions, and integration of DRP into normal operating procedure.

Finally, management plays a main role in supporting the new plan by conducting regular evaluations. If new computers are installed into a particular department, the plan should be re-evaluated and modified to provide an additional security blanket to the company's assets.

Preparing a disaster recovery plan is not a solitary effort. It requires the expertise, ingenuity, and cooperation of corporate employees and top-level decision makers. A well-planned DRP requires three main functional areas (management, information technology, and human resources) to participate and prepare themselves for subjects such as employee awareness, and safety of computer technology and data security. Activities and involvement of three functional areas are discussed in the following sections.

Management involvement and activities

Keeping current with IT knowledge

The top-level decision makers may not want to be confronted with computer technology for three reasons. First of all, they may not consider themselves as "computer people," and consequently leave the computer problems to either their subordinates or their IT staff. Second, they may want to learn more about computer technology, but are overwhelmed and confused by all of the literature available in bookstores or in the library. Finally, they may feel intimidated by IT counterparts who know and understand something that they cannot understand. As executives, they may feel intimidated by their lack of understanding and avoid the issue altogether. If, however, they take the initiative to learn how computer technology can help them make better decisions and protect their data, they will become better managers and be able to communicate with their IT counterparts.

Employing qualified professionals to develop and maintain the company's DRP

Individuals who are certified can prove their value and knowledge. Certifications such as the Microsoft Computer Systems Engineer (MCSE) for Windows NT or the Certified Novell Engineer (CNE) for Novell networks are examples. If a company's future plans involve an enterprise network that will include hubs, routers, and bridges, it might also consider employing Cisco trained professionals with Cisco Certified Network Associate (CCNA) or Cisco Certified Internetwork Engineer (CCIE) certifications. Employing MCSEs, CNEs, and CCIEs to run a company's network also saves time and money on IT training.

Similarly, there is training and certification available for disaster recovery. An organization such as the Disaster Recovery Institute offers training and certification on disaster recovery.

Ensuring insurance coverage for LAN

A comprehensive insurance policy may cover data restoration, business interruption, recovery costs, and damage to computer hardware from natural disasters, such as flooding, tornadoes, and earthquakes. Also, a company needs to make sure that they have the proper coverage for all geographical areas.

Organizing specialized response teams to execute the DRP during an emergency

A DRP should be up-to-date and every team member involved in the recovery process should be familiar with it. The implementation of a DRP should involve specialized teams to be responsible for certain areas of expertise, including initial response team, restoration team, recovery operations team, and logistical support team (Semer, 1998):
- Initial response team. This team is the first set of eyes to evaluate the nature and extent of the damage. These people will determine whether or not business operations can continue on-site or should be moved to an alternate location. If the damage is severe, this team will contact additional response teams for further assistance.
- Restoration team. This team coordinates the damage control, restoration, and reactivation of network resources, which include data files, software, network infrastructure, and communication lines.
- Recovery operations team. If the initial response team determines that operations need to be re-established at an alternate location, the recovery operations team will set up and run the operations at the new location. Their responsibilities include re-establishing the distributed network infrastructures, retrieving backup files, setting up hardware and communication lines, and other related activities.
- Logistical support team. During the transfer of operations to an alternate site, the logistical support team provides logistical support by ensuring that employees can access alternate offices and facilities. They also provide personal support for employees, which includes travel and relocation assistance, cash advances for emergency expenses, crisis counseling, and employee family assistance.

Information technology involvement and activities

Developing a detailed network blueprint

When a disaster destroys most or all of the building, the network will have to be rebuilt. The blueprint of the company's network architecture will allow the IT staff to rebuild the network quickly.

Gaining management's support to the disaster recovery plan

Senior management is recognizing the outcomes of losing corporate data. An effective CIO could understand both IT and management needs, thereby translating the schematics of the technology into management's language.

Monitoring employees' accesses

While the Internet provides worldwide information at a moment's notice, it also brings with it the threat of sabotage from hackers and viruses. Many of the security concerns regarding the Internet stem from the design of the Internet itself, making it difficult to identify and trace where data are coming from or where they are going (Garfield and McKeown, 1997). Consequently, the best way IT can protect their organization from hackers and viruses is to monitor employees' Internet accesses through firewalls. This will greatly reduce the dangers from hackers outside the company.

Standardizing hardware and software

Any organization having heterogeneous hardware and software will have difficulty rebuilding the network. For example, if some departments are using Macintosh computers while others are using PCs, the rebuilding process will take even longer. Therefore, having a homogeneous enterprise system can reduce the complexity of rebuilding the network.

Securing support from IT vendors

Implementing a DRP needs to secure support from both routine vendors and specialized vendors. Routine vendors are suppliers who provide daily services, such as hardware and software support, e-commerce support, and telecommunications service. Specialized vendors are companies that provide specific disaster recovery services. Their services include data salvage and restoration, alternate office space, alternate backup sites, and emergency lease of hardware and equipment.

Performing routine backups

A backup procedure should be performed in order to ensure that all mission-critical systems are stored on LAN servers instead of users' workstations, floppy disks, or ZIP disks, which are not subject to system backups. This ensures that the data are centrally located in one place to facilitate backup and recovery procedures.

Ensuring smooth interface between client/server and mainframe systems

Interface applications that allow data to be exchanged between mainframe and networks will need to be identified and included in the backup and recovery procedures. Any failure of backing up these applications may complicate the recovery process and the integrity of data and system.

Using redundant array of independent disks (RAID) technology to capture on-line transaction activity

RAID provides mirrored copies of data on multiple disk drives that create up-to-date copies of data files. RAID also provides capability of fault tolerance, providing accessibility to data in the event of a partial disk failure.

Protecting the LAN from virus attacks

Choosing the right anti-virus software for the LAN is imperative for protecting the data. After selecting suitable programs, system administrators should make regular sweeps of the LAN to ensure system integrity at all times.

Protecting hardware from environmental damage

Make sure that surge protectors and anti-static mats are installed on all LAN servers in order to protect them from static electricity. According to a report, computer users in the Midwest and North Central USA suffer the most data loss due to static electricity in the dry winter air (Sutton, 1998).

Connecting uninterruptible power supplies (UPS) to key servers and equipment

The power-related problem is one of the major causes of losing data. If a server suddenly loses its power, there is a chance that the data on the hard drive will be lost. Installing UPS and/or a backup power supply on all LAN servers could maintain the integrity of the data on the server.

Human resources services

Providing employee-training programs on computer uses and computer ethics

Any employee could carry viruses from his/her home computers to work computers, which can destroy the integrity of corporate network. Human resources departments need to alert employees to this risk by educating them to keep their home PC applications off their work computers. In this way, virus attacks could be kept at a minimum level.

Some disasters may be caused by unethical practices. Practicing proper ethics on the computer is also becoming an issue within many organizations today. In an era where computers have become an integral part of society, many organizations discovered that employees who use their computers inappropriately could cause companies a significant loss in information, time, and money. As a result, many organizations are implementing corporate codes of ethics as part of their employee agreement.

Promoting employee safety awareness programs

A DRP can cover a broad range of scenarios, from a corrupted LAN server to complete destruction of a corporate building. Depending on the location of the organization, management should implement safety awareness programs into their DRP in order to train employees on how to take care of themselves during a natural disaster, such as an earthquake, tornado, or hurricane. These programs might include classes in CPR and first aid training that can benefit employees inside and outside the company. Other types of training may include fire drills, using a fire extinguisher, and locating safe shelter during a disaster. While many organizations may view a DRP as an insurance policy of their corporate assets, it is a good idea to include one of the most important company assets, that is, their employees.

Development strategies for DRP

Developing a disaster recovery plan could be a simple set of procedures describing how to back up a server to a tape drive, or a multiple-volume instruction manual describing procedures for earthquake damage. Companies need to identify certain suitable development strategies for DRP. The procedures and strategies for developing a disaster recovery plan are discussed as follows:

Performing a risk assessment

This process begins by checking inventory of the organization and identifying the systems and resources that are most critical to their business operations. The two methods which can be used to identify these resources are "Business impact analysis" and "Risk assessment analysis" (Semer, 1998).

Business impact analysis identifies the mission-critical resources in the company – the resources that are absolutely essential for keeping the organization running every day. Once these resources have been identified, the next challenge is to estimate how long the company can continue their business operations after suffering major losses.

After identifying the mission-critical resources, the company needs to analyze the potential risks to these resources. Risk assessment analysis identifies corporate resources development, including the infrastructure of the network. The statistics gathered from this assessment provide a blueprint of risk assessment.

In many cases, departmental managers are familiar with their department's day-to-day operations and, therefore, they are in a better position to decide how their mission-critical resources should be restored.

Identifying possible vulnerabilities

Monitoring the vulnerability will prevent a problem before it occurs. For most companies, the main areas of vulnerability may include (Rothstein, 1998):
- backup storage locations for data;
- security;
- physical security;
- the room or building that is housing the computers;
- electrical power;
- fire detection and suppression;
- depending upon one person for information;
- management controls; and
- reliability of telecommunication services.

Other areas of vulnerability include employee resignation, repairing a roof leak in the computer room, computer virus infection, and so on.

Developing a plan of action

One way of developing a disaster recovery plan is to conduct a brainstorming session for management and corporate employees. Each department could develop their own recovery plan that provides directions on how to quickly resolve a site crisis. The plan should include phone numbers of people who must be notified immediately after a disaster occurs, all of the vendor contact names and phone numbers, and the location of an alternate site. The plan should include but not be limited to the following possible scenarios (Jackson, 1997):
- employees can access the building but the computer systems are down; and
- employees cannot access the building and must drive to an alternate site.

Choosing an alternate recovery site

If the cause of the disaster was due to a flood, tornado, or fire, travelling to an alternate site may be required. Mission-critical resources should also be considered when relocating business functions to an alternate site (Rothstein, 1998). Possible recovery strategies are discussed as follows:
- Vendor maintenance agreement. This is an essential strategy, particularly for organizations having computer networks of small size. Under vendor maintenance agreement, computer hardware vendors are responsible for equipment recovery, repair, and replacement. If a standard agreement could not cover damages caused by external factors such as a fire or flood, a supplemental agreement may be necessary to cover these expenses.
- Quick shipping program. The maintenance contract could ask vendors to deliver hardware replacement to original site or alternate site within three to five days. This quick shipping program works well for companies that can afford to have networks down for a week or longer. Also, the maintenance costs would be as low as $300 a month (Rothstein, 1998).
- Hot sites. A hot site is provided and supported by a disaster recovery plan vendor. It is a fully equipped facility furnished with the computer resources required by the organization, including FAX, computer hardware and software, telecommunications, office supplies, and other needed peripherals. A hot site provides a ready-to-go computer system in a prepared location, minimizing network downtime (Rothstein, 1998). A hot site is usually located within 30 miles of a client site to facilitate employees' travel (Patrowicz, 1998). Since the site could be a distance away from many employees, it also provides living amenities including sleeping areas, showers, and cafeteria (Leary, 1998).
  An additional function for a hot site is to provide a practice model for training personnel during corporate disaster recovery planning (Semer, 1998). Management could practice their disaster recovery plan in a setting that will not disrupt normal business operations. By practicing a disaster scenario on a regular basis, management and employees would be prepared for any disaster that could occur in the future.
- Cold sites. A cold site is simply an empty building that is wired, air-conditioned and computer ready (Patrowicz, 1998). Because of the time factor involved with setting up the equipment and becoming fully functional, cold sites should only be considered if the organization is not pressed for time (Semer, 1998).
  The cost of leasing a cold site ranges from $500 to $1,500 a month, depending on the complexity of the computer system. Many companies use their cafeterias as an on-site cold site or use a company-owned warehouse as an off-site cold site. If any disaster damages their facilities, a company would choose a vendor-provided cold site as their alternative (Leary, 1998).
  However, choosing a cold site encounters a few disadvantages. Since computer equipment has to be shipped to the site, a close coordination between the company security and the computer vendors is required in order to ensure safe and timely delivery. Also, the replacement equipment may take several hours to deliver, which may result in an increase of the system downtime (Leary, 1998; Rothstein, 1998).
- Mobile recovery facilities. This recovery site is a self-contained mobile trailer that houses all of the computer equipment. Most of these trailers are equipped with backup power generators, and can be equipped with all of the necessary computer equipment as needed. Although it may vary, the usual recovery time for a mobile recovery facility is typically a week or more (Rothstein, 1998).
- Mirrored site. Similar to a hot site, a mirrored site is equipped with all of the hardware and communications equipment needed to assume immediate operations. Since the company usually owns these sites, data are transmitted concurrently to these sites as they are being processed at main facility, so they can be ready to go at a moment's notice. Some companies send their nightly backup tapes to their mirrored site so that recovery will only involve the current day's transactions. Whether data are mirrored or sent to the site, the startup time is usually on the same day (Rothstein, 1998).
- Winging it. This choice involves no alternative site location or a backup plan for the organization. Organizations that use this method usually fail more than they succeed in rebuilding their computer systems.

Selecting a backup strategy

Selecting a backup strategy could speed up the process of disaster recovery. There are two backup strategies that are currently used today, including the in-house backup and the offsite backup.
1. In-house backup systems. These are backup servers strategically at different locations inside the organization. Using in-house hardware to remove the dependence toward outside vendors could save the company a lot of expenses on leasing equipment. If the backup servers are used for other purposes, however, special procedures should be included in the disaster recovery plan for relocating these systems (Semer, 1998).
2. Offsite backup systems with data encryption. Data are encrypted and backed up to a remote site for offsite backup system. Since the communications to the backup site are on the leased line, the data transmission is virtually secure. Organizations that use this backup method include financial institutions, the military, hospitals, large corporations, and the FBI (Sutton, 1998).

Conducting a verbal walk-through

Those employees involved in the recovery plan need to participate in a verbal walk-through process, in which they talk through "what if" scenarios and outline individual tasks and responsibilities. This will provide each employee with a working knowledge of the plan, rather than simply reading it on paper (Jackson, 1997).

Testing the plan on a regular basis to ensure its integrity

Companies need to update their disaster recovery plan on a regular basis. As the company grows, so does its data. If a DRP is not updated to keep up with the growing needs of the company, the company may soon discover that it will not be capable of recovery operations.

Also, as the company grows, it eventually needs more computers, hubs, and routers, among other things. The new need requires some modifications to the disaster recovery plan. Companies need to modify their disaster recovery plan on a regular basis, especially if the company is growing at an accelerated pace (Leary, 1998).

Conclusion

A disaster causes an event that halts the critical business functions within an organization. It can be as simple as a power disruption to a data server or as serious as a threat to the entire building. Disaster recovery is the process of correcting the problem and getting the critical business

also causes extra expenses and requires manpower. Despite the questions that arise when considering a DRP, companies should focus on the most important commodity: company data. Depending on the importance of the data, developing a DRP can be more economical than replacing the lost data.

As corporations become increasingly dependent on computers and the Internet for their daily activities, the data generated from their work are becoming critical. Companies that rely on their computer systems and networks to do their business can suddenly lose everything if their computer systems go off-line or are corrupted by a virus. In this electronic age where computers are enhancing the talents and skills of people, the data are now filling the seats of executive boardrooms and corporate offices. At one moment in our country's history, the battle cry used to be "survival of the fittest." Today, as computer technology and data are becoming the important commodities of the future millennium, the new battle cry is "survival of the data." Consequently, protecting data from corruption is one of the major functions of top-level management and IT professionals today.

References

Anthes, G.H. (1998), "Lots talk, little walk", Computerworld, Vol. 32 No. 38, pp. 70-1.
Colraine, R. (1998), "Protect more, recover faster is the rule", Computing Canada, Vol. 24 No. 30, p. 35.
Garfield, M.J. and McKeown, P.G. (1997), "Planning for Internet security", Information Systems Management, Vol. 14 No. 1, pp. 41-6.
Jackson, J. (1997), "Give your LAN a hand", Security Management, Vol. 41 No. 8, pp. 44-52.
Leary, M.F. (1998), "A resource plan for your LAN", Security Management, Vol. 42 No.
3, functions back online. A disaster recovery pp. 53-60. plan is, therefore, a predetermined set of Mello, J.P. Jr (1996), ``Taking a crack at backup'', instructions that describes the process of Software Magazine, Vol. 16 No. 10, pp. 85-8. disaster recovery. Panettieri, J.C. (1995), ``Security'', Information Developing a DRP needs some hard work Week, 27 November, pp. 32-40. such as planning, brainstorming, and Patrowicz, L.J. (1998), at http://www.cio.com/ cooperation from both corporate archive/040198_disaster_content.html management and employees. The plan can be Rothstein, P.J. (1998), ``Disaster recovery in the line of fire'', Managing Office Technology, as simple as describing how to back up a Vol. 43 No. 4, pp. 26-30. server, or as complicated as describing what Semer, L.J. (1998), ``Disaster recovery planning to do after a hurricane destroys the building. for the distributed environment'', Internal The main source of developing a DRP is to Auditor, Vol. 55 No. 6, pp. 41-7. understand the particular needs of the Stefanac, R. (1998), ``When it comes to disaster, it's organization. pay now or later'', Computing Canada, Vol. 24 There are advantages and costs of having a No. 30, p. 35. DRP. Some of the advantages are the Sutton, G. (1998), ``Backing up onsite or online: 25 reduction in data loss, minimizing the need smart ways to protect your PC from disaster'', of decision-making process during a disaster, Computer Technology Review, Vol. 18 No. 2, and the protection of company employees. It pp. 38 and 42.
