ITS 4350 - Disaster Recovery

Chapter 3, Contingency Strategies for IR/DR/BC, part 2


This lesson is about the second half of chapter 3. The chapter is divided into two parts, each with its own objective. Objectives important to this lesson:

  1. Data and application resumption
  2. Site resumption
Chapter 3, part 2

Picking up again in the chapter on page 110, the text addresses the topic of alternate locations for your company's operations. Earlier in the chapter, the author referred to using cold, warm, or hot sites as our temporary bases, but there was not explanation of what he meant. He enlightens us here.

The text addresses only the computing needs of your organization, since it has no idea what actual business your organization may doing. Even so, it offers several plans that may meet your needs. The first four are grouped together as exclusive site strategies. These are solutions "under the exclusive control of responding organization". This generally means that you will control what happens at such a site.

In the image above (from a vendor's site; the image links to it) cost increases from left to right, but time decreases from bottom to top. Solutions that are higher in the graph are operational sooner, and solutions farther to the right cost more. So an ideal best solution, least cost and least time to restore service, would be at the upper left in the graph. As you can see, there is no such solution in this representation of the options. Solution that perform better typically cost more.

  • hot sites - A hot site is easiest to understand, and the most expensive option the text presents. It is a site that is not the usual operations site, but it must have all the features that the usual site provided when the situation was normal. In the table on page 110, we see that it has the full hardware and telecommunications features associated with your regular location.
    For the hot site to work, it needs to be equipped with your operational data, software, networking assets, and other IT features found in your regular location. The data requirement is extreme, meaning that your organization must be using the hot site as a live repository of its business data. It would make a lot of sense for the hot site to be an actual operational site. For example, you could have two primary operations centers, each having the capacity to operate as the only one if the other experiences a disaster that keeps it from functioning. This removes the immediate need to bring up the hot site, to move staff to it, and to make it functional when the primary site goes dark. If this option is not possible, your organization may need to consider others in this list. The text has a graphic representing a hot site on page 111, and others on the following pages representing warm and cold sites. They look like doll houses, each with less furniture than the last. They do not illustrate anything further, since the artist did not know what your sites must include.
  • warm sites - A warm site is a compromise. It has some of the hardware and telecommunications features that your normal site has (had?), but the text observes that it may not have software, software may not be installed or configured, and it may have to load data from backups instead of having immediate access to live data. The time it takes to make your warm site functional depends on how much money you spent on your backups, your spare computers, and your ready-to-use alternate location. You may have to arrange to have some equipment shipped to the new location from other sites you operate, or from a vendor you use regularly.
  • cold sites - A cold site has no toys in the doll house. It would have no equipment to process data, may not have phone or data service set up, and may not be ready to use when your disaster occurs. Imagine an empty office suite with no staff or computers in it. This one takes more time to equip, to staff, to set up, and to use unless you take advantage of an idea I have mentioned in class. More on that in the next bullet..
  • mobile sites (and other options) - Some organizations, such as FEMA, operate at remote locations when those locations have a crisis. They are mobile by nature. The use mobile offices and mobile equipment regularly. The Red Cross is another organization like that. They both have regular headquarters sites, but the nature of their work is to go where they are needed, and to operate as mobile crisis centers.

    Now, about that note in the cold bullet. Many people who work for the State of Michigan (as I do) are equipped with laptops as their primary computers. Many of those, like me, are IT staff who take their laptops with them when they leave the office. We can function remotely when there is heavy snow before the next work day, when there is a power outage at our regular work site, or if there should be a health related crisis at our work site that would suggest we should stay away from those sites. In the past, I have worked at other state offices where I could borrow space, at home when I did not need my work phone, or where I happened to be when I needed to do something right away. This kind of preparedness can flex with the situation, maintaining productivity when the current situation would otherwise not allow it. An advantage is that I have my computer, and whatever apps and data are stored on it. If I can connect to the state network, which I can do remotely, I have access to the standard assets I am used to using. This is fine during a regular work day, and can be useful in a crisis, depending on its nature.
On page 113, the text turns to three shared site strategies. These options are not under the exclusive control of the organizations that may use them.
  • time-share - This is a site that is available to more than one organization. It is available to any of the organizations who are sharing its cost, but it is probably not large enough to be used by all of them at the same time. Since it may be used by any of the organizations, it is probably necessary to load data and applications before any of them can use it. Because of this concern, it is more likely to be operated like a cold or warm site than like a hot site.
  • service bureaus - This one means that you have contract with a company that provides emergency space to its clients who are experiencing a need for alternate work space. The nature of the contract dictates what you get, what you pay, and whether your cost is based on use or not. You may pay the same rate for the service regardless of having to use it.
  • mutual agreements - This is like a mutual assistance treaty, typically between different sites of a larger organization. Two or more sites agree to provide workspace, services, and assets as needed for a site that has a problem, such as a flood or a power failure. It is less common to find this kind of sharing in an IT disaster, since the disasters of this type may affect the whole organization. This only works if each organization/site in such an agreement has extra capacity in its resources, and is unaffected or less affected by the disaster.

Page 114 provides some typical elements that should be in a Memo of Understanding, which is the formal agreement that is referenced and followed in this kind of strategy. It may also be called a Memo of Agreement or a Service Level Agreement. Here are some highlights

  • activation and duration - What conditions will allow an organization to request assistance, and how long may the organization needing assistance expect that assistance to last?
  • cost and fees - Who pays the costs of the elements that are being provided?
  • security requirements - This may refer to the requirements of the host organization, the requesting organization, or both.
  • list and description of services - What will actually be provided, at what level of service, and what will be considered acceptable use?
  • hardware, software, and networking requirements - What will be provided, and how will it be different from what either party normally expects to use?
  • any other items or costs - Typically, there will be some unexpected cost or service that needs to be negotiated. Procedures for such a negotiation, and resolution of disagreements, should be spelled out.

Related to the document on page 114, page 115 begins several pages about Service Agreements, which are agreements between the entity providing a service and the entity paying for it. They are not very different from Memos of Understanding, but they are generally part of the legal contract you will have with an entity outside your own organizational structure. Inside your organization, such an agreement is less common, but more likely to exist the larger your organization is. Some elements that are more likely to appear in an agreement with an entity that is not part of your organization:

  • nondisclosure agreement - This is an agreement not to disclose any of the agreement or any of the assets belonging to the client with any other parties.
  • noncompetitive agreement - This is an agreement on the part of the provider not to use anything it learns about the client to compete with the client in the client's business.

A sample service agreement begins on page 117, and continues for the remainder of the chapter.



The assignment for this week has not yet been determined.