Things To Look For in a Disaster Recovery Plan Provider

Hong Kong, 2008: An entire server went missing, impacting 159,000 HSBC customers.

Virgin Media, 2008: Virgin Media lost the bank details of 3000 customers, written on an unencrypted CD.

What do these incidents have in common? The answer is the absence of a robust disaster recovery plan. Such a plan could have helped save HSBC some embarrassment, and the real-estate firm, some money. These firms could easily have avoided their fate if they, just like Withum Smith+Brown, an NJ-based accounting firm, had invested in a cloud-based recovery solution of the kind that helped that firm survive Hurricane Sandy.

Disaster recovery is not a mere safeguard but an imperative need in current times. In light of numerous events, companies, both big and mid-sized, have started investing in disaster recovery. It can be done in-house or through outsourcing. The cost of implementing an efficient in-house disaster recovery system can sometimes be too great for a mid-size firm. Therefore, companies have started outsourcing their disaster-recovery needs. That is where DRSPs come in. As the acronym suggests, DRSP stands for Disaster Recovery Service Provider.

Choosing a DRSP requires comprehensive research into the needs of the organisation and a study of the provider’s expertise. Why can an organisation not just pick a DRSP with a good customer rating? Because one does not always need an army to handle a petty theft. Cost is a huge concern for some mid-level companies, which cannot afford to spend like Google.

To choose an appropriate DRSP, companies should do a comprehensive analysis of their internal requirements, which then determines the nature and level of service that they require of a DRSP. This analysis is achieved through a Business Impact Analysis (BIA). The results of the BIA help them fashion a Service Level Agreement (SLA) that they expect the DRSP to sign off on.

The organisations should then evaluate the DRSPs on ten different criteria.

We will go through them one by one.

1) Support – As mentioned earlier, disaster recovery is a specialized skill that requires seasoned staff with many years of experience behind them. Disaster recovery is also a time-critical task. Therefore, it requires efficient processes and planning. The easiest way to ascertain the efficiency of a DRSP is to ask them whether they have the following certifications:

i) SSAE 16 – This report assesses the controls, design and operating efficiency of data centers, in the context of financial reporting.

ii) SOC 1 – This report measures the financial reporting needs of a company that uses hosting services.

iii) SOC 2 – This report measures controls specifically related to IT and data center service providers.

iv) SOC 3 – This states the auditor’s opinion of SOC 2 components in addition to the verification needed to ensure that you are hosting with an audited and compliant data center.

2) Testing – It would be most undesirable for disaster recovery to fail when disaster strikes. So what is the best way to ensure that does not happen? The answer is testing. The plan needs to be run through various possible scenarios before it is put into action. The DRSP should permit testing of everything in the contract: all servers, platforms, applications, and any other items, to ensure the business continuity plan works.

3) Ability to Handle Recovery – Consider a hurricane-prone area. The office is half-submerged in water. Chances are that a regular employee would have trouble accessing this particular area. Therefore, organizations should consider a DRSP that has the ability to furnish expert staff so that they can access such an area to start the recovery.

4) Handling Multiple Customers – Should a disaster strike the Bay Area, home to thousands of mid-level firms, you wouldn’t want your DRSP to say that they’re short-staffed and can’t handle the DR request at the moment. DRSPs typically serve multiple customers at the same time. The DRSP should have an adequate number of experienced staff who can prioritize the requirements for each customer, so that they restore each customer’s most important applications first and get other applications up and running within the appropriate timeframe.

5) Separate Handling of Production and Disaster Sites – All businesses are constantly finding ways to optimize and reduce cost. It is important to understand that a DRSP is a business too, and one of the ways it might be optimizing is by handling production and DR on the same equipment. Businesses should ensure that their provider is not doing this. The DRSP should have maximum resources at its disposal in case of a disaster, and this kind of optimization would prevent that.

6) Remote Access for Recovery – As mentioned earlier, Withum Smith+Brown were only able to perform disaster recovery because they had made use of cloud-based technology. DRSPs should provide an alternative to the in-person recovery that is usually performed by the organization’s staff at a DRSP site. For organizations with hot backups, the DRSP should be able to deliver remote access over the Internet.

7) An Internal Disaster Recovery Plan – This is somewhat self-explanatory. You would not want a war physician to get hurt. The DRSP needs its own disaster recovery plan. Firms seeking disaster recovery should look at the DRSP’s SAS 70, which shows its control activities and processes to customers and customers’ auditors.

8) Consistent Internal Processes – The DRSP should be ISO certified. This just means that its internal processes should ensure a consistent level of service across all its customers.

9) Data Center Considerations –

• Is the data center equipped with good security and control of access to the facility?

• Are the centers in a potentially disaster-prone area? Have adequate precautions been put into place to manage these risks?

• Does the data center employ redundant networks, communications links, and power supplies?

• Do data centers have fire suppression mechanisms?

10) Expertise – Finally, the firm seeking data recovery services should also research the DRSP’s record of accomplishment. Its performance during different kinds of disasters could be looked at, along with its ability to handle companies of different sizes. Its CMM level is also a good indicator of its ability.


Disasters are common and most of them cannot be avoided. What can be done, however, is to ensure that the effects of these disasters are not catastrophic. The best way to recover from the disaster of a rampaging hurricane or ingenious hacking is to hire the services of the specialists known as DRSPs.