Article: Disaster recovery compliance -- You're not alone

Disaster recovery compliance: You're not alone

The rapidly changing and evolving regulatory climate in Canada has put pressure on businesses to comply and be properly positioned to manage through a disaster.
The story is similar in the U.S., where the drive to protect data and mitigate recovery risk has become a high priority in recent years, according to Laurie Elliott, Director, Recovery Solutions, with Pennsylvania-based SunGard Availability Services. SunGard is a wholly-owned subsidiary of SunGard Data Systems Inc. one of the world's leading software and technology services companies.

"There are so many regulations and they change so quickly, it puts entities who are regulated at risk for financial penalties" as a result of non-compliance, Elliott explained in a recent interview. SunGard, which has a large recovery centre in Mississauga, has been working with Allstream in implementing disaster recovery plans across Canada. Elliott says the market for such services has grown rapidly here in recent years due to businesses' better understanding their cost of downtime, in addition to the growing regulatory requirements.

Bandwidth matters
"When you combine our services with Allstream's, they provide an end-to-end solution for the customer, because exceptional network capability is foundational to a successful recovery," Elliott says. "Because Allstream understands network bandwidth, it makes it easy to work with customers and architect the optimum solution to provide them offsite data protection, data security and connectivity to the recovery site in the event of a disaster."
A growing business need for improved data security, Elliott notes, is due to more and more businesses dealing with outages and needing to transfer data copies offsite for recovery purposes. In the past, the top causes of outages were due to power interruptions, hardware failures and natural disasters, specifically those due to weather. In the past few years, there has been a rapid growth in outages due to Cyber Crime. To protect their business data, businesses are changing data security requirements to not only apply to data in transit, but also data at rest at the local site and the remote site.

Understand the business
Elliott says her first step when beginning to work with a business is to establish or improve their disaster recovery plan is to gain a thorough comprehensive understanding of the entire business, and not restricted to IT.
"We need to know:

(i) what their business goals are,
(ii) how IT contributes to their business currently and how they expect to use it in the future,
(iii) what the threats are to their business,
(iv) the impact of daily business losses,
(v) what kind of financial penalties they could face for non-compliance," Elliott says.
Once that analysis is complete, she explains, she "tiers" business functions in descending order beginning with most urgent. So, for example, the applications needed to get products out the door may be more urgent than human resources or payroll, which may require less immediate attention. "A lot of companies treat everything equally, but it is far better and more important to put together the right recovery process," Elliott explains.

Why now?
SunGard has identified four reasons why companies have to rework or enhance their disaster recovery plans.
One common scenario is the arrival of a new executive, perhaps a CEO or CFO, who is dissatisfied with the program they have inherited. "They recognize the need to be more financially smart; understanding the business returns on investing to keep the business running," Elliott notes.
In the second scenario, the previous Chief Information Officer failed the recovery audit and since there are often "fines and business impacts for those transgressions, executives will sometimes replace personnel with a candidate that may have a better understanding of regulations, their penalties and of the technologies, procedures and processes to comply with them," she says.
The third reason Elliott cites is when a business has had an "event" and was unable to facilitate a successful recovery, either because they were lacking in people and skill sets, or adequate procedures and equipment. Recovery extends far beyond restoring the data you backup every day. A successful recovery is having the right procedures to restore the data, the systems, the connections between systems to support the interdependencies of the applications in a business process and re-establishing the end user connection to those business processes.
The fourth case is where a business did not have proper compliance. As mentioned, compliance standards are changing frequently, such as the requirement that a business backup or recovery location needs to be far beyond their immediate geographical area. "It's no good going from one building to the next," Elliott explains. "They would have the same power, could be hit by the same flooding, and so on. In some cases it can be a few blocks away, but some regulations require as much as 300 kilometres away."

Changing regulations
Monitoring regulations can be time consuming and risky, Elliott notes. For example, Canadian companies doing business in the U.S. may need to understand and implement rules for individual states.
"When we work to help businesses comply with regulations, one of the things we provide is best practices for implementing industry leading technologies, procedures designed to ISO standards and recovery expertise," Elliott says. "With SunGard as the second site for their backup and recovery, they know we maintain high security standards and have a breadth of system capacity and capabilities that enables us to adapt quickly to changes in their system configurations and requirements to allow them a faster time to market for new projects."
There are many challenges for those businesses that try to take on disaster recovery planning on their own, she added. These include buying or leasing a second building, staffing that location, and maintaining it. With SunGard leveraging Allstream's network, clients can reduce or eliminate capital expenses for recovery site equipment and facilities,reducing recovery costs by as much as 70%¹, Elliott points out.