White Papers for Sarbanes-Oxley (SOX)

Beyond Disaster Recovery: Using Configuration Audit and Control to Develop an Effective BCP

Tripwire

One of the most significant events involving lost data since the beginning of the information technology
age was the result of the terrorist attacks on Sept. 11, 2001. Of the 131 technology sites affected, only two
performed a successful “failover” to a redundant system. Of the 129 sites that failed, 70% of data was recovered after 120 hours, but 30% was lost forever. This means $3.1 billion worth of technology did not work as expected.
Why weren’t these organizations’ disaster recovery efforts more successful? First, the event was beyond the
scope of most existing disaster recovery plans—no one expected an occurrence of such magnitude. Second,
the complexity of the affected IT environments made testing and verification impractical if not impossible,
as they were multi-vendor environments consisting of heterogeneous interdependent applications (no universal view of data), unknown application software dependencies, and vendor- and product-specific scripts
(only 5% of scripts ran cleanly during the actual outage1). There was also a lack of process automation, and
instead a reliance on manual intervention with no enterprise-wide best practices.
As a result, for many companies the big technology issue was not “How do we recover?” but “How do we
rebuild?”
Unfortunately, this challenge is not unique to this event, and could impact virtually any company. Why?
A disaster recovery plan is geared to taking action when a disaster occurs. On the other hand, a business
continuity plan (BCP) includes IT processes with built-in contingencies that prevent a severe business interruption despite a disaster, whether caused by a 9/11 attack, a Hurricane Katrina or a hacker’s exploits.

View the White Paper

Share or bookmarklet this web page at: