Biz Continuity Not Always a Disaster

ORLANDO, Fla. -- Storage Networking World -- Effective disaster recovery and business continuity can't be patched together, storage administrators said at a panel here today.

Business continuity has to be thought of from the start,” said Al Todd, SVP of IT services at Pacific Capital Bancorp (PCB) in Santa Barbara, Calif. “You have to think about how you can recover your system if you need to.”

John Gideon, business continuity manager of Rent-A-Center in Plano, Texas, added: “You have to bring business continuity in from the beginning. How are you going to back it up, and when?”

As for the roadblocks, there’s always the issues of money and vendor compatibility. Hal Weiss, senior systems engineer of Memphis, Tenn.-based Baptist Memorial Healthcare Corp., says the financial restrictions are sometimes out of his organization’s control.

“We’re constrained in how much money we get, because we don’t know how much programs like Medicaid and Medicare are going to pay us,” he said, adding that applications are purchased according to staff needs. "Sometimes applications we use don’t lend themselves to a disaster recovery strategy. If we have two SANs from separate vendors, and the switches won’t talk to each other, we need two separate disaster recovery systems.”But support -- financial or otherwise -- remains a sticking point. When queried by the wireless clickers in the J.W. Marriott ballroom, most of the audience said they received little support. Some 35 percent responded they get “Lip service only,” and 17 percent responded, “What support?”

The panel agreed on certain basics of disaster recovery: The backup site should be far enough away from the data center so a disaster doesn’t affect both; and disaster recovery tests on the remote site should be conducted at least once a year on every system that would have to be restored.

Even that might not be frequent enough. Dale Frantz, CIO of Auto Warehousing Co. of Tacoma, Wash., said he does at least one test a month at one of his company’s facilities.

Encryption and data retention policies are among the issues the panel members said they grapple with in implementing business continuity.

While a recent spate of lost tapes brings encryption to the forefront of a disaster recovery policy, members on the panel said they were coming to grips with which data needs encryption and how to best go about it.Todd of Pacific Capital Bancorp is in an industry especially sensitive to the perils of lost tape, especially after Bank of America and CitiGroup were forced to disclose the loss of private customer information on tape earlier this year.

“People drive our tapes offsite, that’s a concern,” he said. Yet Todd says PCB doesn’t encrypt everything. “Our enterprise security policy mandates what we need to protect. We don’t encrypt all of our data yet."

Baptist Memorial's Weiss said encryption is a good idea but he isn’t rushing into it. “We’re planning on it,” Weiss said of encryption. “The question is, which one do I implement. They all have some kind of impact on backups and restores. Also, how do you protect the [decryption] key?”

Frantz said his company does not encrypt because, as a private company, “our data doesn’t fall into that category.”

As for deletion policies, the panel members agreed they were both limited and guided by federal regulations.“We’re dealing with that now,” Todd said. Some of PCB's users say they want data deleted after 30 days if it's not accessed, some say to keep it three to five years, others advocate seven-year retention plans. "Meanwhile, we’re keeping everything."

Gideon said his company is trying to figure out what data it can get by without. “We keep everything for seven years, but we’re looking at what we can delete in less than that."

As a healthcare company, Baptist Memorial has state, local, and federal regulations to follow. The hospital has to keep a child’s records until the person is 19 years and 8 months old. Most adult records have to be retained for five, seven, or nine years, and mammograms must be kept forever.

Weiss said a recent hurricane taught his industry another valuable lesson about disaster recovery -- prepare for the unexpected.

“Katrina was a huge wakeup call for the healthcare industry,” he said. “One or two hospitals in our area still can’t retrieve any of their data. You have plenty of time to prepare for severe weather. But they didn’t think the levees were going to break.”— Dave Raffo, Senior Editor, Byte and Switch

Organizations mentioned in this article: