Disaster Recovery Planning and Business Continuity Planning

This one-hour podcast was recorded at the EDUCAUSE 2007 Southeast Regional Conference. This keynote panel discussion, entitled “Weathering the Storm – Preparing for, Responding to, and Recovering from Emergencies,” features Betty Hawkins, program manager at the University of South Carolina, David Sliman, directory of technology at the University of Southern Mississippi, and Frank O’Quinn, deputy policy and IT disaster recovery officer at Louisiana State University. Using examples from their own institutional experiences, they share real advice for emergency preparedness and response, answering the question, “How can we plan and prepare in a way that is realistic and meaningful?”

Summary: Weathering the Storm -- Preparing for, Responding to, and Recovering from Emergencies

This session was recorded for podcast.

General Session
Tuesday, June 12, 2007
Atlanta, Georgia

Session moderator:
Kathryn F. Gates, Chief Information Officer, University of Mississippi
Panel:
Betty Hawkins, Program Manager II, University of South Carolina
David J. Sliman, Director of Technology-Gulf Coast, University of Southern Mississippi
Frank O'Quinn, Deputy Policy and IT Disaster Recovery Officer, Louisiana State University

EDUCAUSE has identified links concerning business continuity that may be useful to the higher education community on the new Business Continuity Planning resource page, including EDUCAUSE Review and EDUCAUSE Quarterly articles, federal government policies, and university resources.

The latest EDUCAUSE Center for Applied Research (ECAR) study, “Shelter from the Storm: IT and Business Continuity in Higher Education,” looks at IT unit readiness to foster and support the functioning of colleges and universities that are challenged by disruption. Responding to a well-documented increase of interest in business continuity and disaster recovery issues among higher education chief information officers (CIOs), ECAR designed the study to inform executives about how institutions approach continuity issues and to identify practices that are associated with good business continuity outcomes.

The study methodology included a literature review; consultation with a select group of CIOs and business continuity experts for the purpose of identifying and validating research questions; a quantitative survey of IT administrators (mostly CIOs) at 340 higher education institutions; postsurvey interviews with 15 executives and IT staff members involved in business continuity; a quantitative survey of institutional business officers (mostly CBOs/CFOs) at 247 member institutions of the National Association of College and University Business Officers (NACUBO); and four case studies looking at business continuity planning and operations Florida State University, New York University, Pace University, UC Davis, and UCLA.

Business continuity and disaster recovery planning is becoming an increasing priority for higher education institutions. To facilitate this planning, many are exploring the use of business continuity planning tools, which establish a planning framework, offer direction in the planning process, and provide a common platform for the various campus groups involved. In this free February 27 EDUCAUSE Live! Web seminar, speakers from three institutions will discuss the business continuity planning tool selection process at their institutions, focusing on the criteria used and lessons learned. Those unable to tune in can visit the archives after the event.

In the recent article "Learning the Hard Way" (EDUCAUSE Quarterly, Volume 29, Number 4, 2006), Security Task Force Co-Chair Joy R. Hughes and co-author Keith R. Bushey discuss strategic improvements in George Mason University's emergency response.

Tune in Sept. 6 to hear from David G. Swartz about how The George Washington University's business continuity program has evolved from a focus on IT recovery from failure and disaster to a proactive program focused on fault-tolerant continuous modes of operations. Unable to tune in? Visit the archives.

• Are our off-sites conveniently (and perhaps tragically) close?   If so, perhaps they should not be.
• Do we have arrangements to get key services restored at a distance? What’s critical to the operation of our institutions?  Web, email, financial/HR, etc.

• People are our most key resource – but expect them to be burdened with other priorities
• Knowing what we’ll need to do and having it organized is more important than knowing all about “how” we’ll do it when we get there.

• The value of a flexible and capable staff is paramount.  But we have to remember that they are dealing with unimaginable demands. How do we prepare them?   How can we support them in times of crisis?
• Is there a stock of equipment to set up a large support operation, perhaps in another location, in short order?
• How will we do our DR/BCP on top of our normal jobs, as campus life resumes and student enrollment increases?
• How ready is our campus administration to take on the role of disaster response center?  They may not have a choice.  Will we be working side-by-side with them?  Everything is affected by IT and its support.  Will we be sitting at the “big” table?
• Having a good stock of networking equipment and mobile and desktop computing available can be helpful in supporting not only our own institution but other DR teams that set up support programs at the institution. 
• Having strong relationships with key vendors can be helpful in times of crisis.
• Architectures count in DR/BCP.  How divisible are the components of your systems? What’s removable as a component and what’s too tightly integrated?
• Be prepared to be flexible: adapt, improvise, and overcome.  And remember that we can’t have thin-skin in times of crisis.  Keep your friends close.  Don’t have enemies.
• Everything we’ve been saying about the strategic value of IT is valid:  IT enables everything in the 21st century.  Does our administration understand this and understand that DR/BCP is not a luxury?

• Work on a basic nimble document
• Address the 3 disaster levels
• Request funding (and seed it with funding from your own budget)

• Rather than relying upon hastily assembled one, constructing a “permanent” EOC  [LSU’s cost $150K]
• LSU Chancellor put out a call for DR BCP plans across key campus units.  They met with EOC commander to review plans and coordinate preparation
• Changed the location of their server backups from Port Allen to higher ground farther away.
• The organization focus on DR/BCP created an IT officer with IT policy responsibility
• Started to update disaster plans (from 1984)
• Provided for payroll contingency – able to continue salary payments
• Moved long distance offsite storage to another location
• Working on the security of tapes with breach notification law
• Established LSU rapid recovery site 100+ miles away  (not south)
• Increased stand-by presence
• Formal hot –site contract for mainframe support
• Email emergency service contract implemented.

• Conduct a risk evaluation and business impact analysis
• Define and prioritize your mission critical systems.
• Decide what must be up within 24 hrs
• Identify your backup/recovery site
• Vendors might be able to provide offsite storage of mission critical backup tapes, remote data centers, and temporary office locations
• Consider co-sourcing or reciprocal agreements with other regional higher education institutions for facility and equipment use
• Develop a plan with your key hardware vendors to readily replace any damaged hardware/communication systems.
• Develop and document a communication and contact plan
• Be wary of wireless – cellular circuits can quickly become overloaded and unavailable during a regional or national incident.
• At your centralized command/communication center use a variety of communications links such as web, cell, fax, landline, radio, sitckynote bulletin board, etc, with the hope that some of them will still work during and after the incident.
• Don’t forget about the people-side of your institution.
• Finally document and distribute your plan

• Web site – back up in 4 hrs
• Email – back in12 hrs
• Produce payroll – within 24 hrs

• Hardware and facilities can be replaced in the periods following a disaster
• Data is the primary focus of what you need to be prepared to restore and the basis of continuity
• People are your most key asset

• earthquake, tsunami, terrorist, accident, pandemic

Brian Voss has posted his presentation slides to http://www.educause.edu/upload/presentations/ENT06/SESS13/ENT06%20BCPPKE.bdv.ppt

This 42 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled Crisis Averted: Disaster Recovery and Business Continuance Programs at Purdue.

This 49 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled It Was a Dark and Stormy . . . Eight Weeks! Maintaining Critical IT Services During the 2004 Hurricane Season.