Readings
- What would you do as an individual to be ready for an IT disaster? A real world disaster?
- What is the difference between disaster recovery and business continuity? How are they related?
- What makes this so complicated and difficult for organizations?
Activity: Your only activity this week is to complete your team’s Audit Proposal Project
Magaly Perez says
What is the difference between disaster recovery and business continuity? How are they related?
Jan’s Section:
Disaster recovery plan is a subset of the overall business continuity plan but are more specific, The DRP is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. Business continuity plan is the organizational strategy involved with ensuring the continuous operation of core business functions during and after a disaster. Overall, these plans are related because they are interdependent on each other but cover items that the other does not. The DRP comprises of preventives strategies, while BCP presents strategies that the business will use to maintain operations.
Sean Patrick Walsh says
Does the DRP really cover preventative strategies, or would restorative strategies be more appropriate? I would guess preventative strategies would be a part of a business’s risk management strategies in order to prevent and/or limit exposure to the risks associated with a potential emergency event. Whereas the DRP portion of a company’s BCP would entail the steps to take in order to recover and restore previous service functions and levels for a business.
Richard Flanagan says
Sean,
My take is that the making of backups (part of DRP) is preventative, ie its mitigating the impact if certain risks materialize. The restoration is purely corrective.
Sean Patrick Walsh says
Rich,
That makes sense when considering the aspect of backups. I suppose it comes down to the semantics of the words chosen to describe the plan, or aspects of the plan.
Neil Y. Rushi says
Great explanation Magaly – this is something we discussed in Lanter’s class and they do work with each other since BCP allows for the development of the DRP.
Ming Hu says
What is the difference between disaster recovery and business continuity? How are they related?
Business continuity is based on standards, policies, guidelines, and procedures that facilitate continuous operation regardless of the incidents. Disaster recovery (DR) is a subsection of business continuity and is concerned with data and IT systems. Although BC and DR are always used together, actually, they are two different concepts.
As the definition indicates, DR is a subsection of BCP, i.e. business continuity represents a much larger scope of maintenance than the recovery of just the data and IT infrastructure. Disaster recovery (DR) refers to having the ability to restore the data and applications that run your business once your data center, servers, or other infrastructure get damaged or destroyed. One important DR consideration is how quickly data and applications can be recovered and restored. Business continuity (BC) planning refers to a strategy that describes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster, enable a business operate with minimal or no downtime or service outage.
Therefore, a disaster recovery plan is more reactive while a business continuity plan is more proactive.
Source: Computer and information security handbook
http://searchstorage.techtarget.com/definition/Business-Continuity-and-Disaster-Recovery-BCDR
Ahmed A. Alkaysi says
Very nice explanation Ming hu. I know you said “disaster recovery plan is more reactive” but I don’t completely agree. It is only reactive in a sense that you are using disaster recovery after the fact of a disaster. However, it can be more proactive by continuing to update and test the DRP. At my company, for every change we put into production, there is a specific DRP created for that change. It must be reviewed and approved by the SMEs and management. This way, we are taking a more proactive approach in the DRP. A DRP can become more proactive by considering all the possible disaster scenarios and having a good response to them, while continuing to update and test.
Richard Flanagan says
Ahmed,
Thanks for making this point. In this class we normally speak about DRP for system wide disasters. Your point about DRP being involved in good change management is a great one. You always want to be a a position to back out a failed change and restore the application to its previous operating state. Not always easy to do, but surely a goal to shoot for.
Sachin Shah says
I agree about DRP. i our change control process\change management – we have a section where the implementer or requester has to fill out what is the back out plan if the changes fail in production. This may not be enterprise leve, but may affect the business unit which can be several people or several hundred. either way the implementation or changes failed and their needs to be a backout plan or DRP in place.
Sean Patrick Walsh says
3. What makes this so complicated and difficult for organizations?
I think the answer to this question is two-fold. First, BCP and DRP implementation and planning can be a difficult task. In order to be done correctly, it requires a lot of resources, especially of personnel, in order to set up properly. Testing and updating the plans also stresses those same resources at whatever intervals a business decides to test and/or update its plans. This use of resources, both in the original and continual planning and testing, could be hard to stomach by, or justify to, top management as the costs aren’t directly associated with a commensurate increase in revenues. Even though there is an associated benefit from an efficient BCP/DRP it may still be hard for a business to okay the costs associated with the plan creation, testing, and updating.
The second point is it can be very hard to get a business’s top management to properly envision a catastrophic loss severe enough to get buy in for the plans. For example, a business along the Gulf Coast of the United States may find it easy to envision a hurricane battering their region and causing devastating damage that easily requires a BCP/DRP. Now, a business in New York City may not find that scenario as easy to envision to decide on creating BCP/DRP, and yet Hurricane Sandy a few years ago proved the fatality of such an exercise for businesses who had failed to envision such an event. So, I think the easier it is for a business’s key decision makers to envision the types of events that could require a BCP/DRP is directly related to those businesses having BCP/DRP or not.
Ahmed A. Alkaysi says
Good points Sean. Management might not want to invest in a DRP/BCP plan because it is not returning them any profits. They need to take a Risk management approach to these plans. Similar to how the business identifies a risk of pursuing a business objective, they will need to look at the plans the same way. They should think along the lines of “what is the risk if we do not have a good DRP or BCP plan in place for this business function?” By looking at it this way, it will compel them to make sure they have these plans updated and tested. Now after their analysis if they have come to a conclusion that the particular business function wouldn’t really impact the continuity of a business in case of a disaster, they might have just basic DRP/BCP plans for it and not prioritize to recover it over another function in case of a disaster. For the business, it is important for them to prioritize which functions will risk the business the most in case of a disaster, after this it might be easier to swallow the pill and invest in the resources necessary to keep DRP/BCP plans updated and tested.
Sean Patrick Walsh says
I completely agree that the idea behind a good BCP/DRP has to be driven more than likely by a well performed enterprise wide risk management approach. By fully understanding the impact at all levels by each loss of a part of a process or function gives the business the most complete understanding of the risks associated with an event that leads to the loss of that portion of a process or function. I still think though in order for that to come to fruition a business needs to really understand and envision the loss associated with events that may seem so far-fetched they need not be considered when risk planning. Even we as individuals can fall into the same trap of failing to really see the impact of an event to us. For example, I broke my dominant arm/wrist when playing basketball as a teen. I had no idea how difficult my daily life could become from being limited to one functional hand, and my non-dominant hand at that. Trying to take notes in class with your non-dominant hand or trying to button your pants and/or shirt with one hand changes everything. That’s why I think it may be very difficult for a business to fully appreciate the necessity of a well done BCP/DRP because without honestly and deeply analyzing all the risks facing a business, no matter how far-fetched, will leave it potentially vulnerable to a serious event.
Richard Flanagan says
Guys,
Good discussion. This is where a strong “risk culture” like what Tom was talking about comes in. If the organization has such a culture the task of convincing them to spend this money is much easier. If they don’t, it may be almost impossible.
Janet Yeomans says
Ahmed,
You’ve described a business impact analysis which is a critical component to risk management.
Sachin Shah says
i think the key issue in terms of investing is BCP/DRP is what happens in the event this occurs. We have small departments who do billing in a company and companies may see that as a BCP/DRP and invest in that department or system. yet there may be a larger system with more users but the money\economic impavt may be less substantial. Hence its the stakeholders job to identify what to invest in when it comes to BCP/DRP. usually for the systems in the second instance there is an alternative way of doing business, it may be paper or another electronic form.
Nathan A. Van Cleave says
What is the difference between disaster recovery and business continuity? How are they related?
BCP and DRP are often used synonymously when companies think about how to keep operations and data available. However, DRP is more correctly viewed as a component of BCP. A BCP’s main focus is ensuring that an organization’s services, data, operations, etc remain available and operational with as little disruption or downtime as possible. Any number of events ranging in impact can cause disruption; i.e. a down power line temporarily disrupts electricity to an organization’s site. Impactful? Yes, but not a disaster level event.
That’s where a DRP comes into play. It should focus on pandemic level events and it’s potential risks to the organizations critical system and data. Such events would include natural disasters, military/terrorist attacks, etc. The plan will take into consideration the potential for total loss of power, operations, life, etc. It’s really just the plan for when everything and anything that could go wrong all at once.
Jason Wulf says
1. What would you do as an individual to be ready for an IT disaster? A real world disaster?
As an individual, I would have all my training up-to-date in compliance with corporate policies, contact my supervisor or corporate IT for guidance and next steps for follow.
In a real world disaster, I’ve been trained in weapons and close quarter combat. If needed supplies are not readily available, I know where to find them and get to them. My skills in lock picking are adequate. I’ve also had training in most natural disasters. Thanks to my job traveling, most of the vaccinations are updated with the exception of rabies. I grew up in the country and know hunting and fishing. My education in herbal studies, essential oils, and first aid may also come in handy.
2. What is the difference between disaster recovery and business continuity? How are they related?
Business continuity keeps things running during a disaster and disaster recovery involves getting things running after a disaster.
Business continuity and disaster recovery both involve people, processes, and planning centered around defenses against a disaster. Both require careful and updated planning, focus on sustaining minimal losses, communications, and prioritizing critical business functions. Both require management support to be effective.
3. What makes this so complicated and difficult for organizations?
Organizations have difficulties in identifying and prioritizing systems, justifying budgets, figuring out system interdependencies, identifying unknown risks, dealing with other “immediate priorities”, and testing systems to see if their plans actually work.
Fred Zajac says
Jason,
I enjoyed reading your post, and answer to question 1. The question, in my opinion is a fear question. Fear is a powerful motivator, making you think about how you would handle the threat of a real-world disaster. It reminds me of the terror threat level the U.S. used after 9/11.
This notification is a double edge sword. It is valuable because the professionals will offer recommendations, like evacuations and rally points. But, it can also be costly because the fear associated with the disaster cause people to panic, like buying extra food for a snow storm or gas mask from fear of a chemical attack in rural Kansas.
People need to be informed about the probabilities that go along with the threat levels. The probability of a bomb being dropped on a farm in central PA is even less likely than a bomb in Philadelphia. For everyone’s sake, let’s just hope you won’t ever have to use your hunting and fishing skills as a substitute for Giant.
Jason Wulf says
I’ve had people hold guns and knives up to me so my fear level is a little lower than most. If you want to experience an adrenalized response situation, where you get tunnel vision and auditory exclusion then I suggest a FastDefense seminar. I took it after I received my black belt in To-Shin Do.
I find fear in uncertainty and not knowing what to do. If you know how to swim, the water doesn’t scare you. If you’re equipped with the proper tools and experience everything will be fine.
In rural Kansas (which is where I’m from!), a lot of people are prepared. They have the tools (i.e. storm shelter) to whether out most storms. A few even have chemical masks. Every time it rains out there, they have a tornado watch on the news!
Folake Stella Alabede says
wow Jason, its been interesting reading about your answer to question 1, i think i will want to be around you in the event of a real world disaster (just joking)
But in response to Fred, i think fear is a natural reaction for most humans, people like Jason and others who have been in the army/navy or other forms of training might have “learnt” to “control” their fear.
There once was an explosion back in africa, and people were running helter skelter, and then people started running in one direction, and others started following the crowd, unknowingly running into a canal that the explosion opened.
One thing i’ve learnt is to never follow the crowd except i know where the crowd is going / i know the crowd is being directed by a law man or something. and thats why i think it helps in a disaster to keep a clear head and mind, even in the midst of the fear
Richard Flanagan says
Jason,
As a avid fly-fisherman, I think you should add a travel rod and several hundred flies to your preparations. They can produce a lot of food.
Jason Wulf says
Hi Richard,
I’ve always wanted to try spear fishing or fishing with a bow and arrow.
Loi Van Tran says
Jason,
I, too, enjoyed your comments for question 1. Depending on the scale of IT disaster, it may affect more than just a single business organization. Like the hacking of Wall Street, would probably cause major panic and chaos among citizens. Violence, looting, & vandalism is sure to ensue and it’s best to prepare yourself to protect what’s important to you.
Jason Wulf says
Hi Loi,
Hacking can be mitigated fairly quickly. A few well-placed EMP’s would cause greater disruption. They can be made with a disposable camera in less than 15 minutes. Not that I’m suggesting anything, but it’s a good idea to have a contingency plan and controls in place.
When I do risk assessments at work, I ensure there is more than one fuel supplier and the data centers are geologically separate in case of a disaster.
Brou Marie Joelle Alexandra Adje says
What is the difference between disaster recovery and business continuity? How are they related?
Jan’s Section:
Business Continuity and Disaster Recovery are closely related. Disaster recovery refers to specific steps taken to resume operations in the aftermath of a catastrophic natural disaster or national emergency. Business continuity describes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster. The main difference is that business continuity addresses more comprehensive planning that focuses on long term or chronic challenges to organizational success
Mengxue Ni says
Nice post, Alexandra
In my opinion, business continuity is plan that would help day-to-day processes and procedures to operate during a disaster. Disaster recovery is specific step by step instruction for recovering after disasters.
Loi Van Tran says
I agree Mengxue,
But I think it’s important to mention that not all day-to-day business processes needs to be recovered during a disaster, just the most critical processes. Part of the DRP specifies recovery point objective (RPO), recovery time object (RTO), and recovery capacity objective (RCO). It may be too difficult or resource intensive to recover all processes that an organization does on a day-to-day basis.
Anthony Clayton Fecondo says
I agree with Loi’s point that not all processes are inherently necessary to continuing business operations. I think of the BRP as a plan for recovering to the minimum level of functionality necessary to keep operating. I think the BRP is first, most bare bones step in recovering from an event.
Deepali Kochhar says
1. What is the difference between disaster recovery and business continuity? How are they related?
Disaster recovery plans are generally developed as a part of the business continuity process. These are more technical plans that are developed for specific groups within an organization to allow them to recover a particular business application.
Conceptually Disaster Recovery is; “if we lost our IT services how would recover them?”
DR:
1. Aim is to minimize the effect of Disaster
2. Governance is not emphasized
4. Metrics for recovery & restoration not emphasized
Business Continuity Plan is a policy to ensure continuity of critical business operations after a disaster has struck.
By having a BCP, organizations seek to protect their mission critical services and give themselves their best chance of survival. This type of planning enables them to re-establish services to a fully functional level as quickly and smoothly as possible.
BCPs generally cover most or all of an organization’s critical business processes and operations.
Conceptually Business Continuity Plan is; “if we lost this building how would we recommence our business?”
BCP:
1. A broader approach of identification of critical business processes, assets and people
2. Essentially Under Governance-top down approach
3. Defining the Metrics for recovery MUST
BCP and DR are related as Business Continuity Planning is the process that is carried out by an organization to ensure that essential business functions continue to operate during and after a disaster.
Richard Flanagan says
Deepali,
Good definitions. My simplistic way of thinking about it is DRP is what we need to do to get back to normal, BCP is how we will continue to operated until normality is restored.
Janet Yeomans says
Deepali,
Just a comment on your point that disaster recovery doesn’t emphasize metrics for recovery and restoration: the recovery time objective and the recovery point objective for the various systems specified in the business continuity plan need to be integrated into the disaster recovery plan.
Jason Wulf says
Hi Janet,
When I do risk assessments I don’t look at metrics, I simply ask if the RTO and RPO matched the anticipated results of the test and if it was a full test.
Joseph Henofer says
2. What is the difference between disaster recovery and business continuity? How are they related?
The difference between disaster recovery and business continuity is that DR is data focused and the BC is business focused. The DR concentrates on the processes of replicating and storing data so that it can be quickly recoverable when a disaster happens. To be more specific a DR allows an organization to plan for what needs to be done immediately after a disaster to recover from the event. Now the BC concentrates on the management oversight and planning needed to ensure that the entire business can continue to operate with minimal disruption as possible during and after a disaster. While the DR and BC are different they are related as the DR is a subset of the BC. The DR focuses on a small portion of the business, specifically IT, while the BC focus is on everything else in the business like sales, manufacturing, customer support and billing.
Vaibhav Shukla says
Professor Jan Section
The BCP is complicated and difficult to many organizations because it requires
1) Time for preparation and execution-From managing the recovery infrastructure to updating disaster recovery documentation and testing the BCP to find and close potential risks, the process could be extremely exhaustive , and it can be time consuming.Usually employess due to the pressure of ordinary day-to-day duties, do not cooperate on initiating BCP
2) Management support-It is difficult to convince management to come on board on some secondary objective which may occur only in case of some unforeseen event.
3) Funding-The structured process from pre-test through test and post-test evaluation could be pretty expensive and may require a good amount of budget to be set apart
4)Updating Business Plan regularly: The BCP is not a one time process the organizations need to ensure that their business continuity plan is updated according to the changing requirements of their company.So it requires continuous monitoring and testing which may be difficult
Janet Yeomans says
Vaibhav,
Good points. Business continuity planning requires a lot of resources on an on-going basis – it’s not a one time effort but rather a continuous one. It is easy for a company to see it as an expensive distraction from other business activities . . . until something happens and it’s needed. Luckily, good auditors can be the conscience of the business in this regard.
Loi Van Tran says
Great post on the difficulty of implementing an effective BCP/DRP strategy.
Another thing I want to add is testing a BCP/DRP for effectiveness may be difficult for some organizations. How would you justify shutting down business operations to perform tests on the BCP/DRP? Professor Flanagan provided a really good post on how they tested R&H Brazil, but I would’ve liked to be in the discussion for the final approval to pull the plug.
Wen Ting Lu says
BUSINESS CONTINUITY PLANNING (BCP) – A process that organization use to plan and test the recovery of its business processes after a disruption. It also describes how an organization will continue to function under adverse conditions that may arise.
DISASTER RECOVERY PLANNING (DRP) – A process of planning and testing for recovery of information technology infrastructure after a natural or other disaster.
Both BCP and DRP are very important to IT auditor. However, BCP and DRP are not synonyms because BCP is the preemptive process put in place in preparation for the handling of a disaster (the steps to be taken to continue its key product and services). DRP addresses the procedures to be followed during and after the loss (the steps to be taken to recover post an incident).
Wen Ting Lu says
This post is for question 2: What is the difference between disaster recovery and business continuity? How are they related?
Joseph Henofer says
3. What makes this complicated and difficult for organizations?
I believe this is difficult for many companies because of the IT systems change continually, constant data growth, new applications being implemented and existing applications may be updated at frequent intervals. Due to these changes your priorities of what your company classifies as critical data may shift and if you’re not constantly reviewing or updating your BCP and DRP you may run the risk of documentation being outdated.
Sean Patrick Walsh says
Though I agree with your premise of classification of critical data being important to a business’s BCP/DRP I wouldn’t necessarily narrow the scope of difficulty in creating them to just IT systems, or IT systems’ frequency of change. I think a BCP/DRP is much more about the business being able to carry out its business in the event of an emergency as a whole. Whereas IT systems are an integral part of that process for a business they are not the only part. IT systems need personnel to initiate and operate many of them. IT systems need power and communication ability to operate. Personnel and power are not necessarily IT systems themselves, but are integral for the ability of the business to continue and recover from an event, as well as for the IT systems to play the critical roles needed in doing so.
Richard Flanagan says
Sean,
Well said. How do you test the company being completely shut down? We were just getting started with BCP when Dow Chemical bought us. We had performed only one test. To do it we had Rohm and Haas Brazil prepare and review their BCP plan and then for one weekend (light business load), we turned off their access to all our systems. They had to run the business without systems according to their plan. Its easy to think about taking orders on paper but how do you print labels for drums of chemicals produced, find things in the warehouse, perform credit checks, etc. On Sunday afternoon we restored access and gave them extra help to re-enter all the transactions they had performed during the blackout. We learned a lot about the “gotchas” that had never been imagined and were able to help others build them into their plans.
Imagine the governance discussion with the heads of the Latin American Region and R&H Brazil. “Don’t worry, all we want to do is turn off everything and see how you do.” I was not part of this discussion but I wish I had been there to see it. Getting people to agree to tests like this is one of the most difficult parts of BCP. If you can’t really test it, how do you know it works?
Loi Van Tran says
Professor Flanagan,
Thank you for the insight. I thought you brought up a really interesting question; Is it really practical to conduct a thorough test of a BCP? How would you justify pulling the plug on critical systems? I know that there are different methods of testing, ranging from hypothetical to full tests, but wouldn’t it be difficult to assess effectiveness of the overall BCP unless you test it in its entirety? I guess if you broke it down by components and set clear objectives for each test, you can infer the effectiveness of the BCP/DRP. Do you think that organizations thoroughly test there BCP like what you did with R&H Brazil?
Richard Flanagan says
Loi,
It is very hard to justify. I think doing one or two limited tests a year is probably all an organization could afford. Maybe you only do one plant or one office. Its still very limited but the reality of shutting down is very different from the theoretical. Using this approach you could do different sites every year and maybe get the lessons out.
Richard Flanagan says
Joseph,
Good point about the constancy of change that an IT organization faces. I think most good IT organizations try to deal with this by annual or semi-annual recovery tests where they attempt to restore their business applications according the the DRP, paying particular attention to areas of major change like different data classifications. These test are often frustrating. I remember us being ready to update all of SAP but the pre change test of our recovery process indicated that a backup had corrupted a week of our database changes (although the job completed successfully). Just imagine if we had not tested, nearly $200MM dollars worth of transactions lost to the system. A new back backup was taken, recovery retested, and then the change made successfully.
Wenlin Zhou says
What is the difference between disaster recovery and business continuity? How are they related?
Business continuity (BC) refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood, epidemic illness or a malicious attack across the Internet. A BC plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more.
Many people think a disaster recovery plan is the same as a business continuity plan, but a DR plan focuses mainly on restoring IT infrastructure and operations after a crisis. It’s actually just one part of a complete business continuity plan, as a BC plan looks at the continuity of the entire organization. Do you have a way to get HR, manufacturing, and sales and support functionally up and running so the company can continue to make money right after a disaster?
For example, if the building that houses your customer service representatives is flattened by a tornado, do you know how those reps can handle customer calls? Will they work from home temporarily, or from an alternate location? Companies such as SunGard sell access to cubicles that include a desk, phone and computer in their recovery centers, along with server- and device-based DR services.
http://www.cio.com/article/2381021/best-practices/how-to-create-an-effective-business-continuity-plan.html
Ahmed A. Alkaysi says
1. What would you do as an individual to be ready for an IT disaster? A real world disaster?
On company premises for an IT disaster, I would make sure I know the policies and procedures that describe what to do during the disaster. I would avoid using a computer, even if some parts of it is functional. Who knows what further damage would be done. I talk with my manager on the next steps.
Outside the company, I would make sure all my most important data is backed up on multiple storage media. I would have both a PC and a laptop, in case the disaster is only affecting one of them I can use the other. If it is a networking disaster, I would contact my ISP and see what the issue is.
For a real world disaster, I would make sure I have enough non-perishable and canned food that could last me months. I would have tons of water and some gas saved up as well. Weapons would be another thing I would have, who knows what kind of disaster this is. I would only save the most integral data.
Mengxue Ni says
Ahmed,
Very nice post! You talked what you will do in three situations. I like the idea of not using computers at all before you find proper solutions during an IT disaster. If necessary, you can shut down all the devices. But I think take no move until you find the best solution at the moment is the best choice.
Mengxue Ni says
3. What makes this so complicated and difficult for organizations?
I think the answer for this question is some things are unpredictable. Organizations try to predict and prepare for every disaster that may happen to them. However, the weather is changing every day, human resource of the organization is changing every day, technology is also changing frequently. In order to prepare to recover from all the disasters, large initial investment is required for infrastructure, but most of them sits idle waiting for something to go wrong. Moving applications to a recovery location with traditional methods is very complex, time consuming and more likely to fail than succeed, for example, traditional tape recovery is immobile and lost or damaged tapes can make a full recovery impossible. Although disaster recovery is very expensive, organizations have to invest in it because they cannot afford a one-time loss from any disaster. Chance favors only the prepared mind.
Fred Zajac says
Mengxue,
Great point about business not being able to afford a one-time “Super Storm Sandy” disaster. The whole things revolves around what management is comfortable with. Accept, Avoid, or Mitigate. In my experience, management is aware of the risks, but decide to do the most cost effective solution, over the most efficient solution.
They see no value in paying for these services, until they are in a canoe looking for client documents.
Janet Yeomans says
Fred,
A good business impact analysis can focus management’s attention on the potential severity of consequences if they choose to remain unprepared.
Mengxue Ni says
Fred,
It makes sense that executives will choose the most cost effective solution instead of the most efficient solution. Since most DR plans’ cost cannot be useful in most case, they would rather spend less. However, if a disaster happens, a full-prepared plan will be definitely better than a 75% prepared plan.
Sachin Shah says
I agree Management understands the risks but in the end of the day its cost that determines the decision. Not because they are cheap with their money, they have a budget to oversee. Spending a lot of money on disaster recovery may lead to less hardware\computers that are not optimal or maybe even less money in yearly raises. These things are what management need to take account for when making decisions.
Xiaodi Ji says
Mengxue,
It is an interesting point that unpredictable make thing complex. People like some unpredictable thing, such as getting beautiful toys in our birthday. However, even some little bad thing are good for people’s life because everyday doing the same thing will make life so boring. Some unpredictable things can make it fun. It is same to the company. Employees need some unpredictable thing to encourage them. However, when company faces to a terrible unpredictable IT disaster, it is not a good news for the company. They cannot follow the original plan to solve it, or they do not know what they should do to deal with this disaster.
Now, with the development of the IT technology, it is quit hard for people to study them as soon as possible. In this case, more and more unpredictable thing happen. Security personnels do not know what will happen next time, how serious it is. On the other hand, even we spend much money in it, it is still unpredictable that whether it will happen again and whether we still keep our information in our hands.
Therefore, it is real hard not only for the company because they not spend much money and hire many employees in it, but it also hard for security personnels because they have to learn new technology everyday to keep touch with the security world and better than most of hackers.
Priya Prasad Pataskar says
Q. What is the difference between disaster recovery and business continuity? How are they related?
A. BCP stands for the planning of Business Continuity and DR is actions taken to recover form a disastrous event to bring business back to continuity after an event of calamity or failure. BCP leads to DR.
Business Continuity Planning is a blueprint of a plan if an incident occurs. It identifies the parameters of DR. It defines a plan in advance, the critical business activities that will be continued, the process that must be followed in case of an event, who must be informed , what is the time duration within which event occurrence must be reported, who will be the critical resources who will continue with the activities during and after event, what is the timeline for disaster recovery, what level of disaster recovery plan is in place
BCP consists of 1. BC Strategy 2. BC Plan 3. Impact Analysis 4. Recovery plan stages 5. How information of Incident will be communicated to all
ex. BCP of a XYZ project will specify that the normal activities if halted, only critical activities like monitoring servers will be continued. BCP will identity the critical resources who will continue to work in case of any BCP event.
Disaster Recovery defines the steps and procedures towards resuming the critical and normal activities after a calamity has occurred. DR defines steps to be followed immediately after an incident. DR is how to recover get back if a failure has occurred. DR consists of incident response, emergency response, damage assessment, evacuation plans.
DR identifies 1. Backup Strategy 2. Risk Management 3. Emergency Response Team 4. DRP activation plan 5. DR plan for specific infrastructure ex. Media, internet, and remote connectivity.
DR- ex. DR will specify that in case of incident at location A, location B resources will take over. The resources from location B will connect via the VPN to the backed up data located at located at client site.
Alexander B Olubajo says
1. What would you do as an individual to be ready for an IT disaster? A real world disaster?
The only way to be ready for something is to prepare for it. Now, when dealing with disasters and in the context of IT it doesn’t just stop short of preparations, you also have to execute whatever plans they have prepared (if any), as in a simulation to be able to create a real world IT disaster scenario and go through the documented actions the business will undergo in order to recover for it. Preparing for IT disasters shouldn’t just be theoretical, but should as well be practical in order to give the business every possible chance of recovering with the most minimum loss and disruption to its business(es) should that disaster eventually occur.
With all that said, for each IT function I am responsible for within my organization (e.g Database administration, application maintenance etc.), I will ensure myself and my team captures and documents every possible event that is likely to occur and result into a disaster, as well as the resulting outcome/effect that disaster is likely to have on the business (i.e IT disaster impact to business) – for example, loss. After which, we put together a disaster recovery action plan for each of the identified disastrous event/outcome for that IT function. Lastly, we will put the plan into action/practice (i.e execute) to test the success rate of that disaster recovery action plan. For example, intentionally sabotage a database staging server that has production data stored on it and see how fast we can successfully recover it, following and using the action plan that was created.
Note that as these scenarios are being played out to test/execute the action plan, I will iterate certain aspects of the action plan as I assess it’s viability. – A good practice to keep for the preparation of an IT disaster.
Alexander B Olubajo says
Just to add to my post on what to do as an individual to be ready for an IT disaster, a major way to prepare or be ready for a disaster is to ensure that my data centers have at least two backups. I will ensure data is backed up in another remote location, either stored internally or with an external service provider.
Secondly, I will facilitate a virtual standby server that mirrors my critical applications so that business can continue and all of the critical applications are accessible in a timely manner following an outage or disaster.
Thirdly, going back to my earlier stated point, I will constantly test and verify that backup systems and functional and operational as I will not want to wait until an actual disaster to find out whether or not my backups work
Xiaodi Ji says
Alexander,
I agree with your idea that plan help us go through the problems. We feel nervous when we face something without any plans. For example, when we began learning how to write C program, the most terrible thing was system show us errors because as that time we had no idea how to solve these errors. However, when we learned a lot and write many programs, we had some plan to deal with these errors. At this time, we felt comfortable to see the errors.
Things always complex. Even we have plan, some special situation still can destroy us. In this case, first of all, we need design more than one plan for all of those problems. Then, security personnel should improve their
basic skill to cover most problems.
As an individual, I think we should do it too. Reading more material and learning more skills, which can give us diverse methods to solve the problem or find a good methods to solve them.
Fred Zajac says
What makes this so complicated and difficult for organizations?
In my opinion, the reason DR and BC are so complicated and difficult for organizations is two fold. The first is identifying the systems, data, and personnel directly involved in the day-to-day business operations. The information that is essential to running the business would be classified as High Impact, and the other information would be considered Medium or Low. This process takes time, teamwork, and money to complete. Leading into the other thing I believe makes DR and BC complicated. The Return On Investment.
Business leaders refer to ROI in the same way doctors refer to Tylenol. Every financial business decision includes an estimated ROI. BC & DR are difficult to show any type of ROI. Unless something goes wrong, a company could be paying a monthly fee anywhere between $2,000 for the low end and as high at $10,000+ or $24,000 – $120,000 a year. These situations are, in my opinion the reason it is complicated.
Sean Patrick Walsh says
Your ROI argument is great. The concept is easily illustrated in say vehicle full coverage insurance or renters insurance. Both cost a monthly fee, and can be draining for somebody with limited income who wants the protection the insurance provides. They have the option to forego both types of insurance, but if an event comes to pass where they need either they quickly see the follow in their decision to refrain from investing in those protections.
Alexander B Olubajo says
2. What is the difference between disaster recovery and business continuity? How are they related?
Disaster Recovery (DR) refers to having the ability to restore the data and applications that runs your business should your data centers, servers, or other infrastructure get damaged or destroyed. It is the process of getting all important IT infrastructure and operations up and running following an outage and/or disaster. The keyword here when considering DR is “Data”, and how quickly it can be recovered and restored, as well as the applications that rely on them.
Business Continuity (BC) refers to the planning of a strategy that allows a business operate with minimal or no downtime or service outage. Business continuity defers from disaster recovery in that it is the process of getting the business back to full functionality after a crisis.
Disaster recovery and business continuity are both related in that they are solutions, when implemented hand-in-hand, can be designed to balance a company’s/organization’s tolerance for time to restore full function against the budget available to fund protection.
Said Ouedraogo says
What is the difference between disaster recovery and business continuity? How are they related?
A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. In other words, it provides detailed strategies on the steps that employees must follow during, and immediately after, a disaster.
The business continuity plan (BCP) takes the disaster recovery plan one step further. It is the creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that personnel and assets are protected and able to function in the event of a disaster.
These plans are interdependent but cover items that the other does not. In fact, DRP includes preventives strategies, whereas BCP introduces strategies that the business will use to maintain operations. We can also say that DRP is part of BCP to the extent BCP covers the overall recovery strategy plan.
Mansi Paun says
BCP refers to the response strategy that kicks in, in the event of a Disaster. It involves alternate planning of employee staffing, network availability, physical resources such as office space, desktops, and power in case of a disaster. BCP are the steps taken to ensure that business continues to deliver the expectations in face of single or multiple disasters.
Disaster Recovery Plan : are the actions to be taken or steps to be performed to recover the state of IT systems to the same state as before the disaster, onto same or remote sites depending on the disaster. It includes the planned actions for restoration of data and IT systems in the event of disasters like server crash or physical harm to equipment or data centre.
BCP comprises of the actions that need to be kicked-off immediately, while Disaster Recovery may still be underway or may not have even been kicked off. BCP provides the process to be followed as soon as a disaster occurs – it is the first response while DRP provides the process to be followed after the disaster has occurred and Business continuity is established.
Since BCP also covers availability of employees, it is possible that an incident can occur which would require only the BCP to be triggered and not both BCP and DRP eg: Staff being unable to travel to office due to political strikes or riots and staff located in other city filling in for unavailable personnel to ensure business continuity.
BCP and DR are related in that they are both activities required to be performed in the event of a major incident affecting operations in an organization. Each addresses specific needs that the other does not. They are inter-related but rarely overlapping.
Binu Anna Eapen says
What is the difference between disaster recovery and business continuity? How are they related?
The main purpose of Business continuity Planning/ Disaster recovery planning is to enable a business to continue offering the critical services in an event of disaster or an interruption in service.Business Continuity Plan and Disaster Recovery plan are often used interchangeably but they have different meaning.
DRP is a subcomponent of the BCP which includes processes used to restore the computer systems, communications, applications and their data. DRP’s may be included in the BCP or they can also be written separately depending on the business needs.
Business continuity plan is business centric and people centric and it focuses on management oversight and plans to make sure that the entire business can continue to operate effectively with as little disruptions as possible during and after the event of disaster. It involves rigorous planning and commitment of resources to plan for the recovery. BC plan includes all department and defines steps to be followed. It ensures that employees are aware of what needs to be done and where to go in case of a disaster. Example: Fire drills, emergency contact numbers etc. BCP includes both DRP recovering a facility rendered inoperable and the restoration plan which is used to return operations to normality.
Disaster recovery plan is a part of Business continuity plan. It is data centric i.e. it is concerned about the process of replicating and storing data so that it can be quickly recovered when disaster occurs. It ensures that the data will be easily accessible so that the down time to restore operation is minimum and it won’t affect the daily operation of the business. Having a backup in different location or mirroring of datacenters, properly defined restore points all come under DRP
BCP and DRP both are corrective controls and depends on other controls being effective, incident management and back up and recovery solutions.
Paul Linkchorst says
Professor Yeoman’s Section
What is the difference between disaster recovery and business continuity? How are they related?
While Business Continuity Plans and Disaster Recovery Plans might sound alike, they are in fact two different areas. One can see this by looking more closely as the names of each plan. For Business Continuity, the plan is to continue the business operations through events such as natural disaster without any “hiccups”. This plan essentially outlines multiple steps an employee should take for a variety of events such as fires, natural disasters, building collapse, etc. In my experience when I did an Internal Audit internship, our BCP included the names, telephone number, and addresses of all the members of my department as well as include where the designated backup meeting spot was (at a hotel down the road) and telephone numbers of other important staff. The key focus on the business continuity plan is to have the business continue its operations through its personnel during a disastrous event.
Disaster Recovery Plans are different and as the name implies, is a plan to recover after a disaster has occurred. These plans usually revolve around maintaining or recovering data and IT infrastructure after a disaster has occurred, but can also encompass recovering business processes as well. This plan essentially outlines how if a business were to experience a disaster, what would be it steps to go back to pre-disaster or new desired conditions? With that being said, one of the key areas of disaster recovery is the protection and use of data within a company. Since many businesses run off of data or online communication, is it crucial that a Disaster Recovery Plan include some form of data backup policy and how that data will be recovered into the system. The key focus on the disaster recovery plan is to recover back business processes and information after a disaster has occurred.
Yu Ming Keung says
Prof. Yeoman’s section
What is the difference between disaster recovery and business continuity? How are they related?
According to ISACA, a business continuity plan (BCP) refers to plans about how a business should plan for continuing in case of a disaster. It allows a business to plan in advance what it needs to do to ensure that its key products and services continue to be delivered at a predefined level.
A disaster recovery planning (DRP) refers to how the IT should recover in case of a disaster. It allows a business to plan what needs to be done immediately after a disaster to recover from the event. In daily practice, Disaster Recovery plan often refers to major disruption rush as flooded building, fire or earthquake disrupting an entire installation, and data branch to an organization.
Overall, business continuity represents a much larger scope of planning and maintenance than recovery plan. Disaster recovery build the foundation to support all the other elements of the business continuity plan.
BCP can do the followings:
• Activities required to ensure the continuation of critical business processes in an organization
• Alternate personnel, equipment, and facilities
• Often includes non-IT aspects of business
DRP can do the followings:
• Assessment, salvage, repair, and eventual restoration of damaged facilities and systems
• Often focuses on IT systems
Mengxue Ni says
Nice explanation, Yu Ming!
Based on the list of things of BCP and DRP, I can tell that BCP is more specific and detailed than DRP. DRP is focus on overall preparation for the whole organization’s recovery after disaster.
Yulun Song says
Q2: What is the difference between disaster recovery and business continuity? How are they related?
Business continuity plan and disaster recovery plan are different even they are both related practices that describe an organization’s preparation for unforeseen risks and continued operations.
Business continuity plan is to minimize service interruption, keep critical system online during recovery process, prioritize and cut scope and consider paper-based emergency alternatives.
Disaster plan is to protect assets to provide enormous business values. It is required by law. Some companies think that backing up is a disaster plan, however, backups are just part of a larger disaster plan, and it only protects data. In addition, backups must be sent offsite. On the other hand, IT departments have the greatest insight into company, but every other department must contribute to the disaster plan as well, because disaster planning is a business issue, not an IT issue. Disaster recovery plan should outline how a company prepares for disaster, reacts to disaster and recovers from disaster, and roles must be assigned rehearsed and revised.
https://www.youtube.com/watch?v=qfjWhAmWYL8
Fangzhou Hou says
Jan’s section
1. What is the difference between disaster recovery and business continuity? How are they related?
Generally, business continuity is a bigger concept includes the disaster recovery plan and many other concepts like backup plan etc. The disaster recovery is more specific focus on dealing the scenario that what if the attacks or natural disasters actually occurred, how to ensure the systems back to work as soon as possible to maintain the business keep running. For example, if a company established its datacenter or core servers near the ocean, and unfortunately the tsunami occurred, which totally destroy the IT infrastructures, the disaster recovery plan can help company quickly back to the business and mitigate the loss.
Besides DRP, there are many other ways to maintain the business continuity like the backup plan. After company classify the data, the most important data like master data and confidential data could be backup couple times a day to ensure even if the cyberattacks happened, the important data would not loss, and the business can keep running.
Fangzhou Hou says
This answer was for question #2
Abhay V Kshirsagar says
What is the difference between disaster recovery and business continuity? How are they related?
Disaster Recovery outlines how a company prepares for a disaster, what the company’s response will be in an event of the disaster and what steps will the company take to make sure the operations will be restored. It is essential that disaster recovery plan is accessible across the organization so that all stakeholders know their role defined in the plan and can take over their respective roles and also the roles of their teammates (in case they aren’t able to perform their duties).
Business Continuity is a plan that outlines steps an organization must take to minimize the effects of service interruptions. For instance, Hospitals have generators to ensure that their patients still get the required treatment (service) even if in a case of power outage (interruption). Business Continuity planning is all about sustaining an organization’s business processes during and after a disruption. Disaster recovery is a subset of business continuity planning.
Abhay V Kshirsagar says
Prof Jan’s section
Kevin Blankenship says
1. What would you do as an individual to be ready for an IT disaster? A real world disaster?
If there was to be an IT disaster, I would ensure my data is back up locally and remotely. I would be sure to have good written documentation on vital systems or files, and how to restore them to a working state. If this situation was for my home network, I would probably want to have money set aside to purchase replacement equipment if needed.
To honest, I am not prepared much at all for a real world disaster. I’ve got some fishing skills, and can make a basic booby-trap, but other than that my survival skills have faded a lot since my Boy Scout days. Realistically, I would be stocking up on canned and non-perishable foods, bottled water, and a gun. Then I’ll lock my doors a wait for it all to blow over.
Kevin Blankenship says
2. What is the difference between disaster recovery and business continuity? How are they related?
Disaster Recovery is how a company plans to restore full functionality and service following a crisis. Much of this is IT based, and structured around data and infrastructure restoration. This includes data replication, infrastructure built for disasters, and clear roles and responsibilities among IT and business entities. A DRP is a subset of the larger Business Continuity Plan.
A BCP is how a company will maintain it’s operation through the crisis event. A proper BCP has the end goal of returning to full functionality, however it is focused on making sure the business is able to always operate, even at a reduced level.
These two are very interconnected, as DRP contains elements that help the BCP take place. If a DRP does not do a proper job of maintaining data, for example, it will be harder for the business to continue, having lost that data.
Alexander B Olubajo says
Hi Kevin,
I like the point you’ve made on how connected/related DRP and BCP are. You really did hit the nail on the head with how they complement each other, and your example of how they do so is really spot on. It helps better understand how both solutions work together from a risk and incident response perspective.
Folake Stella Alabede says
2. What is the difference between disaster recovery and business continuity? How are they related?
Disaster recovery refers to specific steps taken to resume operations in the aftermath of a catastrophic natural disaster or national emergency. In information technology, such steps may include restoring servers or mainframes with backups, re-establishing private branch exchanges (PBX) or provisioning local area networks (LANs) to meet immediate business needs.
Business continuity describes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster. In this sense, the concept is interchangeable with disaster recovery plan (DRP). Business continuity, however, also addresses more comprehensive planning that focuses on long term or chronic challenges to organizational success. Potential business continuity problems may include the illness or departure of key team members, supply chain breakdowns, catastrophic failures or critical malware infections.
Business Continuity and Disaster Recovery are closely related practices that describe an organization’s preparation for unforeseen risks to continued operations. The trend of combining business continuity and disaster recovery into a single term has resulted from a growing recognition that both business executives and technology executives need to be collaborating closely instead of developing plans in isolation.
Joseph Henofer says
1. What would you do as an individual to be ready for an IT disaster? A real world disaster?
I would make sure that my BCP an DRP have been tested and updated according to the business and IT infrastructure. I would also setup the following; do a table top exercise monthly, a structure walk through quarterly, a simulation bi-annually and finally a full interruption annually.
As far as real world disaster, I would make arrangements to have a safe place below the surface. Once this place is created I would verify that all the utilities and water are working every three months. Then every year I would spend a week in the underground shelter for extensive testing.
Anthony Clayton Fecondo says
Joseph, you emphasized being prepared with documentation, but ALSO testing those plans. I think many people overlook the importance of testing recovery plans. It’s all good and well to have a nice, well-written plan for disasters, but if it isn’t battle-tested, then there’s no guarantee that the plans will work. Plans need to be tested in order to locate any flaws and to familiarize personnel with the process to ensure it runs smoothly and quickly.
Loi Van Tran says
Question 2: What is the difference between disaster recovery and business continuity? How are they related?
Business Continuity: provides procedures for sustaining mission/business operations while recovering from a significant business disruption. Disruptions may come natural or human-induced disaster. The BCP is developed to assure the organization’s ability to maintain, resume and recover the business. A BCP may include many plans; such as continuity of operations, disaster recovery, business resumption, crisis communications, incident response, evacuation, emergency relocation, among others.
Disaster Recovery Plan: is a subcategory of a BCP, and provides detailed procedures to recover critical IT processes and functions during a disaster. This plan specifies topics such as primary facility recovery and backup sites, People, hardware, software, data, communication to different entities after a disaster, security of information assets, legal responsibilities, and employee’s responsibilities to families.
BCP and DRP, together, provides the organization with assurance about what needs to be done during a business disruption.
Folake Stella Alabede says
1. What would you do as an individual to be ready for an IT disaster? A real world disaster?
For an IT disaster, as an individual I think the most important thing right now would be to have a back up of all my important data (and importance could be relevant)
I recently had my data backed up on my brothers PC because I was having some issues with my computer; after fixing the issue, I went to my brother’s computer to get my backed up information and saw that he had also formatted his system, and I couldn’t get my data back, needless to say- I was devastated
So now, I try to have a back up of a back up of a back up at any point in time T.
About a real world disaster, hmnnn, if its an indoor disaster (like a snow blizzard) I think I would just try to have necessary essentials at hand (thanks to advanced forecasts), extra food, extra water, heating options, candles, lots of ready made food, clean blankets, etc
If its an outdoor real world disaster, I’m not quite sure, they say necessity is the mother of inventions, you sometimes never know how you will react to an event/disaster till its actually happening.i think I will really try to keep a clear head and mind, be as prepared as possible, and take it as it comes
Anthony Clayton Fecondo says
What is the difference between disaster recovery and business continuity? How are they related?
While both of these terms are related to recovering from an event, the difference is the extent of the recovery. Business continuity is only concerned with restoring the bare essential functionality to resume business operations. On the other hand, disaster recovery is about restoring the business to the same state it was in prior to the event. DRPs are more about long term recovery and BCPs are more about immediate core functionality recovery.
Anthony Clayton Fecondo says
3. What makes this so complicated and difficult for organizations?
I think planning for disasters is hard for a number of reasons. Other class mates have talked about how its difficult to simulate a company shutdown and practice recovering from this emulated incident. Another problem is that you don’t necessarily know what problems to prepare for (other than the more common problems like a fire). There are unlimited numbers of risks that threaten companies. Identifying, evaluating, and prioritizing risks is time consuming and not always an exact science. I’ve seen comments mentioning Hurricane Sandy and how many people weren’t prepared to recover from the damage it caused. These unprepared parties probably weighed the likelihood of such an event and deemed it unnecessary to prepare for such an event. I’m not saying whether they were right or wrong to make this decision, but to point out that companies are faced with hundreds of these decisions and they can’t prepare for everything. However, even the most unlikely event could occur and you might not be prepared for it.
Xiaodi Ji says
What is the difference between disaster recovery and business continuity? How are they related?
Disaster recovery means the ability or action that company take to recover from the IT disaster. It is talking about what company should so since the IT disaster happen or how much time do they spend to recovery their system.
Business continuity is talking about how to make company continue. Through the IT disaster, company may lose the sensitive information or need update some equipment. What they should do after IT disaster to make business as normal and how they can ensure that in the future, the same kind of disaster do not happen again.
They are all describing what company should do after the IT disaster. However, disaster recovery more care about back to the state before the disaster. Business continuity cares about the future defense and making business continue.
Xiaodi Ji says
What would you do as an individual to be ready for an IT disaster? A real world disaster?
For the IT disaster, I will make sure back up my our important documents. For less important documents, every month, I check my backup hard driver make sure all documents are the latest one. For the high level documents, each time after I modified them, I save them into my backup hard driver. On the other hand, printing some documents and storing them in home.
For the real world disaster, first of all I will make sure that emergency access and the way get it clear all the time. Then, Putting everything back after using them, which can help me find them when I lose the light. Next, I buy some different toolbox and first-aid kit to make sure that I have enough medical to heal myself and enough equipment to help me get out. Finally, buying enough food in the home and make sure that basement has backup water source and power machine.
Xiaodi Ji says
What makes this so complicated and difficult for organizations?
First of all , company need restore huge numbers of datas and make sure all of users’ information exist. This process not only spend a lot of time in it, but it also need community with vendors. Now, more and more companies choose third-party company to provide IT function. Thus, after the IT disaster, they need community with them. However, in this process, problems will appear. They need more time to discuss the problem and find out the solutions.
Then, it is hard to make sure that whether hacker put something in it. Once our system is hacked by hackers, we cannot know what they do after an emergency recover. We need spend time in checking log and finding them. Even that, we cannot make sure. We sometime need stop the server to check it but business does not allow it because it will lose a lot. However, if we do not find bad program which stay in out server, it would make more serious problem.
Finally, users loss confidence. Now, because of many serious cyber security problem, users become frightened birds. Once they heard there is gun’s or hunter’s voice. They will leave this forest as soon as possible. In this case, company will lose many users and benefits.
Sheena L. Thomas says
1.What would you do as an individual to be ready for an IT disaster? A real world disaster?
I have several back up of important information and pictures.. I do have hard copies of important items stored in a fire and water proof case.
For a real world disaster we have survival kits that is slated to last us for a few days. Depending on the disaster we have designated meeting places.
Sheena L. Thomas says
What is the difference between disaster recovery and business continuity? How are they related?
“The key difference between the two is in their scope. Disaster recovery is the process of getting all important IT infrastructure and operations up and running following an outage.
Business continuity differs in that it is the process of getting the entire business back to full functionality after a crisis.”
Source: http://www.disys.com/the-difference-between-disaster-recovery-and-business-continuity-and-why-it-matters-for-both/
Anthony Clayton Fecondo says
I think your summation of the difference is on point and very succinct. The biggest difference is without a doubt the degree to which they aim to recover operations
Sachin Shah says
1. What would you do as an individual to be ready for an IT disaster? A real world disaster?
For a real world disaster I would make sure I have milk, eggs, bread and plenty on canned foods or other foods that wont perish like crackers and bottled water. I will make sure that I can do without heat with plenty of sweaters and thick socks. I will also make sure I have candles and other toiletires that I will not have to shop for like napkins, garbage bags, soap and especially toilet paper.
for personal IT disaster I always save my work and back it up to a junk\pen drive or external drive. At work I would make sure my email and important documents are saved to my network share that is housed in a top-notch facility hosted in Newrk Delaware by the company CSC. we pay CSC as their state of the art network center prevents us from losing data in situations such as hurricanes or power loss.
Alexander B Olubajo says
3. What makes this so complicated and difficult for organizations?
It is generally hard/complicated to plan for something you necessarily cannot predict and I think this is one of the complicated issues most organizations face when trying to prepare/plan for disasters. Another factor/reason that make preparations for disasters complicated and difficult for organizations are determining and deciding which of their assets are the most valuable or more valuable that the other to warrant securing in terms of having a backup on standby in case the worst of the worst kinds of disasters hit them. I think the issue they face here sometimes could be politically related, in the sense that different aspects/functions of the business may suggest that their systems (i.e assets) are more valuable than others, thus should be protected/secured as opposed to others. Note that organizations cannot possibly secure every single aspect of their business in preparations for potential disasters.