There is more to security than disaster recovery - much, much more and not all of it with such viciously negative connotations. Disaster recovery is a reactive approach implemented when a disruption has already occurred at your business. Business continuance, on the other hand, is a proactive measure to ensure that a business will be able to continue its critical services regardless of any attacks. It's a measure of a business's capability to operate, and to do so in a way that it can withstand a disruption.
In helping customers achieve business continuity, service providers should remember that business continuance is not a formal plan or statement; it is a cultural habit. We do it subconsciously every day when we lock the door as we leave the house. It's a process implemented because we have deemed that the risk to our contents is too great and we, as humans, have a cultural habit of ensuring that the things we value are protected. Business planning follows the same principles - the way one governs and manages one's business reflects the value that one gives it.
However, because of the complexity of today's business and the technology that's being used to support the operational processes, business continuance has been extracted from the realm of the subconscious and transformed into a formalised process. It has become a requirement of auditors and shareholders. The trick to implementing sound business continuance policies is to very clearly understand the baseline of what a business does and how it does it. Developing such a plan starts with asking some very simple questions. For instance, if there were a particular outage or impact on a business for X number of hours, what financial impact would it have? What impact would it have on the company's reputation? How would the company's suppliers and customers react to the disruption?
This is, in effect, a business impact analysis: the uncovering of the critical impacts in terms of finance, reputation, future growth, future revenue, asset loss, regulatory liability and supplier issues. As businesses put more and more priority on 24x7x365 operations, enabled to a large degree by technology, the pressure and requirement for proactive capability increases. It's exceptionally important for businesses to go through a business analysis because subconscious decisions, while made in good faith, often misinterpret the big picture. And, because technology plays such an enormous part in the business process, service providers are well placed to assist customers in ascertaining risk, not just in a technology sense but from a business continuity standpoint.
While the project may be sparked at a technical level (via the organisation's CTO or MIS) it must be driven from the very top to be successful.
Business continuance competency levels
1. Operational skills and documentation. How good are the people in the organisation and how well is it documented? Is there standardised code for writing files and good change-control regimes when adjustments are made to IT infrastructure?
2. Management. How well a business is managed is representative of how well it can operate in a crisis. In a technology sense this includes storage management, cluster management and monitoring tools.
3. Backup and recovery. This includes the management of multiple platforms and being aware of regulatory responsibilities. Backup and recovery policy must align with the business's expectation of how it will recover.
4. Replicate before the fail-over. In business this means centralised business operations, buddy systems and multi-skilling, ensuring that no one person is totally indispensable. In technology it's about clustering, data replication, mirroring and hosting services.
5. Immediate fail-over. It is in this area that most existing technology sits - things like dual redundant paths in networks, the ability of the server to partition itself, redundant power supply in SANs, and error correction code in transmissions.
6. Having business continuity planned. This stage is arrived at when the company has gone through the entire process of understanding what it does, how well it wants to protect itself and putting in an agreed strategy to do so.