Risks in IT are a result of vulnerabilities and their resulting threats. Vulnerabilities are basically the weaknesses in a system or in the infrastructure. For example, not having adequate backup of data and information is vulnerability because in the event of hardware or software failure, important data could be lost. Similarly, not using the latest virus scanners is vulnerability. Threats are understood as a source or event that has the potential to accidentally trigger a misuse of IT systems or intentionally exploit a specific vulnerability. For example, stealing of passwords by hackers, viruses, worms, spam emails, etc. are threats. Threat also includes natural events such as storms, electric outages, high-voltage surge due to lightning, flood, fire, earthquake, etc. IT systems are vulnerable also to natural threats.
Vulnerabilities and threats in IT can be successfully handled and mitigated by developing a comprehensive disaster recovery management plan for the organization. Therefore, risk in IT is a function of threat and its potential vulnerability which always results in adverse impact for the organization. To avoid negative impact, risk management must be commensurate with the organization’s strategic objectives and focus on securing data and systems (hardware and software). IT risks can be managed effectively by security planning as well as disaster recovery (DR) planning.
DR plans will implement policies, procedures and actions to minimize disruptions to business in the event of a disaster and in order to ensure business continuity. The very first step in DR planning is to establish processes for business impact analysis (BIA). BIA processes helps to identifying specific risks and analyzes the impact of all IT enabled business processes. Using BIA as the key, other important elements to consider while developing a DR plan will include,
- Clarity in organizational responsibilities: Many organizations fall short in determining roles and responsibilities in terms of DR. DR is more than just restoring data on servers or replicating databases, instead DR plan will ensure the applications and systems are able to support business functions. Here the participation of non-IT members is needed to understand the impact to business units while developing DR plans.
- Define application recovery service levels: Application recovery services can be catalogued based on different levels of recovery provided by BIA. DR offers the insurance for protecting data and critical information however, efficiency in application recovery is also important. Aligning applications according to the levels of recovery obtained from BIA and restoring them with business functions according to their importance must be included in DR plan. For instance, restoring data related to product features immediately after a disaster is important for sales and marketing units.
- Apply a cost model for DR: It is important to note that IT service levels are highly influenced by cost. The cost model can include items such as hardware, software maintenance, support, personnel and facilities. A carefully developed cost model can significantly result in continued IT services efficiently. Cost models are a must when business organizations hire IT services from data centers. Data centers provide different cost models based on business requirements.
- Establish secondary facilities and involve experts: Many organizations consider the option of having an additional back-up facility in case the primary facility will experience a disaster. People with skills and capabilities for restoring IT services are needed to assist business users in restoring their data, applications and services without disruptions.
- Establish standardized procedures: In the absence of DR planning, day to day operations can be disrupted to result in heavy losses for the organization. There are instances where organizations have compromised their mission critical data during a disaster. The need for adequate documentation to highlight risk analysis for key IT enabled business processes cannot be overlooked. Many organizations have embraced and implemented standard frameworks for security such as ITIL to significantly improve their chances of mitigating risks due to disasters (man-made or natural).
Large organizations that are dependent on IT cannot tolerate downtime of their business critical applications. DR plans help organizations to restore applications and data efficiently. In DR plans, provisioning IT services is done in order to ensure business continuity quickly without long disruptions. The objective of implementing DR is to mitigate threats, but it should be noted that DR plans once implemented does not provide all the protection required from new type of threats or attacks. DR plans are dynamic and must be updated and validated regularly whenever new types of threats arise.