ITS 4350 - Disaster Recovery
Chapter 3, Contingency Strategies for IR/DR/BC, part 2
This lesson is about the second half of chapter 3. The chapter is divided
into two parts, each with its own objective. Objectives important to
- Data and application resumption
- Site resumption
Chapter 3, part 2
Picking up again in the chapter on page 110, the text addresses the topic
of alternate locations for your company's operations. Earlier in the chapter,
the author referred to using cold, warm, or hot sites as our temporary
bases, but there was not explanation of what he meant. He enlightens us
The text addresses only the computing needs of your organization, since
it has no idea what actual business your organization may doing. Even
so, it offers several plans that may meet your needs. The first four are
grouped together as exclusive site strategies.
These are solutions "under the exclusive control of responding organization".
This generally means that you
will control what happens at such a site.
In the image above (from a vendor's
site; the image links to it) cost increases from left to right,
but time decreases from bottom to top. Solutions that are higher
in the graph are operational sooner, and solutions farther
to the right cost more. So an ideal best solution, least cost
and least time to restore service, would be at the upper left in the graph.
As you can see, there is no such solution in this representation of the
options. Solution that perform better typically cost more.
On page 113, the text turns to three shared
site strategies. These options are not
under the exclusive control of the organizations that may use them.
sites - A hot site is easiest to understand, and the most
expensive option the text presents. It is a site that is not
the usual operations site, but it must have all the features that the
usual site provided when the situation was normal. In the table on page
110, we see that it has the full hardware and telecommunications features
associated with your regular location.
For the hot site to work, it needs to be equipped with your operational
data, software, networking assets, and other IT features found in your
regular location. The data requirement is extreme, meaning that your
organization must be using the hot site as a live repository of its
business data. It would make a lot of sense for the hot site to be
an actual operational site. For example, you could have two
primary operations centers, each having the capacity to operate as the
only one if the other experiences a disaster that keeps it from functioning.
This removes the immediate need to bring up the hot site, to move staff
to it, and to make it functional when the primary site goes dark. If
this option is not possible, your organization may need to consider
others in this list. The text has a graphic representing a hot site
on page 111, and others on the following pages representing warm and
cold sites. They look like doll houses, each with less furniture than
the last. They do not illustrate anything further, since the artist
did not know what your sites must include.
sites - A warm site is a compromise. It has some of the hardware and
telecommunications features that your normal site has (had?), but the
text observes that it may not have software, software may not be installed
or configured, and it may have to load data from backups instead of
having immediate access to live data. The time it takes to make your
warm site functional depends on how much money you spent on your backups,
your spare computers, and your ready-to-use alternate location. You
may have to arrange to have some equipment shipped to the new location
from other sites you operate, or from a vendor you use regularly.
sites - A cold site has no toys in the doll house. It would have no
equipment to process data, may not have phone or data service set up,
and may not be ready to use when your disaster occurs. Imagine an empty
office suite with no staff or computers in it. This one takes more time
to equip, to staff, to set up, and to use unless you take advantage
of an idea I have mentioned in class. More on that in the next bullet..
- mobile sites
(and other options) - Some organizations, such as FEMA,
operate at remote locations when those locations have a crisis. They
are mobile by nature. The use mobile offices and mobile equipment regularly.
Cross is another organization like that. They both have regular
headquarters sites, but the nature of their work is to go where they
are needed, and to operate as mobile crisis centers.
Now, about that note in the cold bullet. Many people who work for the
State of Michigan (as I do) are equipped with laptops as their primary
computers. Many of those, like me, are IT staff who take their laptops
with them when they leave the office. We can function remotely when
there is heavy snow before the next work day, when there is a power
outage at our regular work site, or if there should be a health related
crisis at our work site that would suggest we should stay away from
those sites. In the past, I have worked at other state offices
where I could borrow space, at home when I did not need my work
phone, or where I happened to be when I needed to do something
right away. This kind of preparedness can flex with the situation, maintaining
productivity when the current situation would otherwise not allow it.
An advantage is that I have my computer, and whatever apps and
data are stored on it. If I can connect to the state network, which
I can do remotely, I have access to the standard assets I am used to
using. This is fine during a regular work day, and can be useful in
a crisis, depending on its nature.
- time-share - This is a site
that is available to more than one organization. It is available to
any of the organizations who are sharing its cost, but
it is probably not large enough to be used by all of them at
the same time. Since it may be used by any of the organizations, it
is probably necessary to load data and applications before any of them
can use it. Because of this concern, it is more likely to be operated
like a cold or warm site than like a hot site.
- service bureaus - This one
means that you have contract with a company that provides
emergency space to its clients who are experiencing a need for alternate
work space. The nature of the contract dictates what you get, what you
pay, and whether your cost is based on use or not. You may pay the same
rate for the service regardless of having to use it.
- mutual agreements - This is like a mutual assistance treaty,
typically between different sites of a larger organization. Two
or more sites agree to provide workspace, services, and assets as needed
for a site that has a problem, such as a flood or a power failure. It
is less common to find this kind of sharing in an IT disaster, since
the disasters of this type may affect the whole organization. This only
works if each organization/site in such an agreement has extra capacity
in its resources, and is unaffected or less affected by the disaster.
Page 114 provides some typical elements that should be in a Memo of
Understanding, which is the formal agreement that is referenced and
followed in this kind of strategy. It may also be called a Memo of
Agreement or a Service Level Agreement. Here are some highlights
- activation and duration - What conditions will allow an organization
to request assistance, and how long may the organization needing assistance
expect that assistance to last?
- cost and fees - Who pays the costs of the elements that are being
- security requirements - This may refer to the requirements of the
host organization, the requesting organization, or both.
- list and description of services - What will actually be provided,
at what level of service, and what will be considered acceptable use?
- hardware, software, and networking requirements - What will be provided,
and how will it be different from what either party normally expects
- any other items or costs - Typically, there will be some unexpected
cost or service that needs to be negotiated. Procedures for such a negotiation,
and resolution of disagreements, should be spelled out.
Related to the document on page 114, page 115 begins several pages about
Service Agreements, which are agreements between the entity providing
a service and the entity paying for it. They are not very different
from Memos of Understanding, but they are generally part of the legal
contract you will have with an entity outside your own organizational
structure. Inside your organization, such an agreement is less common,
but more likely to exist the larger your organization is. Some elements
that are more likely to appear in an agreement with an entity that is
not part of your organization:
- nondisclosure agreement - This is an agreement not to disclose any
of the agreement or any of the assets belonging to the client with any
- noncompetitive agreement - This is an agreement on the part of the
provider not to use anything it learns about the client to compete with
the client in the client's business.
A sample service agreement begins on page 117, and continues for the
remainder of the chapter.