Understanding Business Continuity and Disaster Recovery

1
Understanding Business Continuity and Disaster
Recovery
December 1, 2005
2
Randy Whitmeyer

• Partner in charge of Hutchison Mason's
  Information Technology Practice
  
• 15 years of experience providing legal counsel
  relating to information technology issues

3
Legal Liabilities Surrounding Loss of Data

• Information and Data use and access central to
  businesses of all sizes
  
• In the United States, handling of personally
  identifiable data most heavily regulated
  
• Mishandling or loss of data can result in
• Substantial fines and penalties, possibly even
  imprisonment
  
• Damages for breach of contract
• Loss of important trade secrets and other IP
• Substantial negative publicity

4
Disaster Recovery Requirements and HIPAA

• HIPAA is the Health Information Portability and
  Accountability Act. See www.hhs.gov/ocr/hipaa/
  for more information.
  
• HIPAA directly affects health care providers,
  health plans, and health data clearinghouses.
  Indirectly, it affects service providers to these
  types of companies.
• The HIPAA Security Rule requires all covered
  entities to implement a Data Backup Plan,
  Disaster Recovery Plan, and Emergency Mode
  Operations Plan. This obligation went into
  effect April 2005

5
Disaster Recovery and Sarbanes-Oxley (SOX)

• SOX applies to public companies directly, but
  also is relevant to private companies interested
  in becoming public, as well as to vendors of
  financial systems. See http//www.sec.gov/spotlig
  ht/soxcomp.htm
• Unlike HIPAA, SOX does not directly require the
  creation of a disaster recovery plan
  
• However, SOX requires each reporting company to
  include in its annual report a statement of
  management's responsibility for establishing and
  maintaining adequate internal control over
  financial reporting, as well as an assessment of
  the effectiveness of those internal controls.
• Arguably, a disaster recovery plan is an
  essential part of any larger companys system of
  internal controls

6
Disclosure of Security Breaches

• California has led a number of states (including
  NC) in implementing public disclosure
  requirements when a company experiences a
  security breach involving private information.
  See www.ncsl.org/programs/lis/CIP/priv/breach.htm
  for a list of current legislation.
• Inadequate disaster recovery planning can lead to
  security holes and possible responsibilities
  under these laws
  
• Big push for pre-emptive federal legislation, so
  that businesses can comply with only one federal
  law rather than a patchwork of 50 state laws

7
Other Legal Issues Associated with Business
Continuity Planning

• Exposure of Confidential Information can affect
  trade secret and patent protection
  
• Failure to meet contract requirements can lead to
  contract liability. Impossibility or Force
  Majeure may or may not apply.
  
• When contracting with consulting or service
  providers regarding preparing or implementing a
  DR plan, remember to
  
• Check regulatory framework for required
  contractual clauses (e.g., HIPAA)
  
• Require confidential treatment of information and
  systems
  
• Handle need to transfer third-party software
  licenses, if only temporarily
  
• Clearly define deliverables and payment terms

8
Amy Miller

• Business Advisory Services Senior Associate with
  Grant Thornton
  
• Responsible for IT related services ranging from
  IT Internal Audit Control assessments to server
  security reviews
  

9
Differences Between Business Continuity Plans and
Disaster Recovery Plans

• Area of Emphasis Business Process vs.
  Information Technology
  
• Driving Forces Business Impact vs. Time
  requirements from business units
  
• Responsibility Business Management vs. IT
  Management

10
Risk Factors Impacting DR and Business Continuity
Planning

• Scope Limitation
• Testing
• Plan Update
• Security Controls
• Communications
• Ownership

11
Importance of Corporate Ownership for DR and
Business Continuity Plans

• Management Support
• Time
• Resources
• Communications

12
Steve Siegel

• Vice President, Arsenal Digital Solutions
• ssiegel_at_arsenaldigital.com
• www.arsenaldigital.com
• 12 years of experience specializing in data
  protection, business continuity and disaster
  recovery

13
Arsenal Digital Solutions at a Glance

• Leading Storage Management Services provider
• Manages one of the largest networked storage
  environments in the world
  
• Over 900 customers spanning 5 continents
• Currently manage 5 Petabytes of data in 45
  centers in 30 cities globally
  
• Industry Business Issues
• Storage capabilities
• Remote office data protection
• Regulatory compliance
• Business continuity and Disaster Recovery

14
Historical Evidence on Impact of High Duration IT
Outage

• The WTC bombing of 1993
• 450 companies
• 147 non-recoverable
• Majority out of business by 1994
• The WTC disaster of 2001
• 800 companies
• 250 disaster declarations
• 150 out of business by 2002
• Natural Disasters
• 2004 four hurricanes in Florida
• 2005 Katrina, Rita, Wilma
• Those who plan tend to fare better than those who
  dont

15
In Reality, Most Downtime is Caused by Human Error
Source Gartner Group
16
Causes of Data Loss
40 of all SMBs will go out of business, if they
cannot get their data in the first 24 hours after
a crisis.
-- Gartner
Source Wall Street Journal
17
Lost Data is Todays News!!

• Bank of America looses a million customer
  records
  
• Tapes stolen in transit to offsite data center

• Ameritrade Loses 200,000 Client Files
• Tapes lost in transit to offsite data center

18
Data Protection Challenges

• Is your data protected securely offsite daily?

Only 33 distributed enterprises 20 SMBs
protect remote office data -Gartner

• Are your backups private and secure?

Only 23 of companies encrypt their backups Byte
and Switch

• Who monitors your backups through the night?

60 of backups fail ESG
19
A Better Approach Remote Backup and Restore

• Secure, bandwidth efficient, network-based data
  protection service
  
• Automatic daily backups for servers/PCs using
  existing network to a remote location
  
• Over-the-network restores
• Multiple point-in-time copies
• Self service web based restores

Disaster Recovery Center
Customer server(s)
WAN
Customer Firewall
ViaRemote Platform
Offsite Data Backup
20
Compelling Benefits for SMBs and Enterprises

• Guaranteed data protection for business
  continuity, disaster recovery and compliance
  
• Company-wide protection solutions for all
  server and application data including remote
  locations
  
• Reduces costs and resources no capital
  investment
  
• Removes IT burden - 24x7 monitoring and
  management
  
• Shields Technology complexity - Proven
  experience, expertise, and best practices
  
• Provides peace of mind Guaranteed SLAs and web
  based reporting

21
How Does Remote Network-BasedBackup Work?
1
Install small agent on your Server and/or PC
2
Your data is automatically backed up on a daily
basis over your existing network
3
Securely logon to your own web-based portal for
reporting or to simply recover your data
Customer server(s)
Disaster Recovery Center
WAN
Customer Firewall
Disk Platform
Offsite Data Backup
22
For Businesses that Require Server Recovery

• Provides onsite fast recovery and protection
  for
  
• OS/Patches - Networking
• Application Binaries - Application customizations

Second Site
Disaster Recovery Center
Customer server(s)
WAN
Customer Firewall
Disk Platform
23
Summary

• Data is the lifeblood of todays business
• Remote data protection will protect your data and
  your business
  
• Cost-effective solutions are now available
• More information available at
• http//www.twcbroadband.com/solutions/viaremote

24

• Questions
• More information available at
• http//www.twcbroadband.com/solutions/viaremote
• Scott Stollwerk, TWC Commercial Services
  919-573-7288
  
• http//www.hutchlaw.com
• Randy Whitmeyer, Hutchison Mason 919-829-4319
• http//granthornton.com
• Amy Miller, Grant Thornton 336-271-3943