Preventative Measures: Outsourcing Your Proprietary Data

Calgary, AB (June 8, 2006) – In this post 9/11 culture, businesses and government agencies are taking extreme preventative measures to protect critical proprietary and customer-related data. The survival of businesses today necessitates protection from more than just natural disasters, such as earthquakes, fires, hurricanes and storms. Business operations also need protection from other potential dangers, including riots, strikes, terrorist actions and cyberspace hackers.

A disaster can affect the availability, integrity, and confidentiality of critical business resources and leave an organization unable to function. Therefore, it is mission critical for businesses to have a Disaster Recovery (DR) plan set in stone. For businesses that can’t afford even a second of down time, building a DR system in-house is vital. These businesses include large banks and financial institutions, web-based service providers, and –. For enterprises that can afford some down time, outsourcing data to a DR Service provider is recommended.

Entrusting critical data to a third party DR Service provider requires risk avoidance and careful selection. Therefore, it is important to invest in proper business impact analysis and research before choosing a DR Service provider. According to The Data Center Journal article entitled “Disaster Recovery Provider Checklist,” the following issues must be evaluated when seeking contract services for disaster recovery:

1. Service provider’s focus on the DR business
   The service provider should be dedicated to Disaster Recovery services. Enterprises entrust their business survival to their DR services partner. If the service provider is distracted by other business priorities, it will be difficult to retain the level of dedicated support required.
2. World-class infrastructure
   The DR Service provider should have world-class infrastructure. It includes a robust data center, power distribution system; FM-200 based fire-suppression system; precision air conditioning, etc. The data center should have multiple Internet gateways and basic operator exchanges co-located in the premises. This would ensure that hosted applications are available on a 24×7 basis.
3. Quality accreditation
   It is desirable that the service provider, and in particular their disaster recovery business, be certified for quality. International quality accreditations certify that the service provider will deliver international standard services. It is also important that the service provider takes steps to keep abreast of developments in the industry.
4. Experience
   Service providers should have the expertise to manage ‘live’ disasters. The critical things to look out for are the years they have been in business, recovery tests performed annually, ‘live’ disaster cases successfully managed, satisfactory reference sites, etc. It is very important that the service provider has the necessary skill-sets to understand mission-critical applications. They should genuinely understand the technology involved in maintaining and restoring vital documents and equipment. There are instances where many businesses have lost critical capacity and data through the naïve efforts of office-cleaning companies masquerading as salvage services.
5. Scope of service
   Service providers should understand and fulfill the full range of an enterprise’s critical service requirements, e.g. different operating platforms, communication services, integrated applications, etc. Remember, it is not just replication of software or storage of data; Service providers should have the capability to converge the entire infrastructure to an alternate site.
6. Stability
   It is important to understand the business objectives of the service provider before choosing the partner. A service provider may drop DR from their portfolio of services if business objectives are not being met. One should be careful to choose a partner who is financially stable.
7. Growth
   In a dynamic environment, enterprises are constantly evolving to keep pace with the market and stay competitive. It is imperative that the service provider grows with them and is able to support changing technologies. Enterprises should assess their investment plans and their continuing ability to support older systems, software etc., which may be critical to their operations.
8. Fire drillsAn untested recovery plan is useless. The service provider should have a proper plan to do fire drills and test resources under conditions that meet an enterprise’s recovery planning requirements.
9. Human capital
   The service provider should maintain a dedicated support team who understand their role in the recovery process. The support team should have proper understanding of their client’s business.
10. Security at the data center Service providers should have proper security arrangements where the critical servers and applications are hosted. The security should be at two levels, physical, which includes surveillance cameras, biometrics, etc, and the network level, which includes firewall and IDS, monitoring all incoming data on the network, password protected server access, etc.
11. Location of the DR site
    The location of the alternate site is crucial for efficient recovery. While it should not be at a remote place, enterprises should ensure that the service provider isn’t likely to be exposed to the same risk as them. e.g., a service provider in the same building as the enterprise will be of little use if the premises are destroyed by fire.
12. Client references
    This is a sensible but often altruistic test. Enterprises should perform the due diligence of doing a reference check to determine the quality of the DR partner’s service levels.
13. SLA
    The service level agreement (SLA) should be read carefully. It is important that expectations in terms of RPO and RTO are defined clearly and stated in non-ambiguous terms. The penalty for non-conformance should also be outlined clearly. The contract should reflect clearly those services to be sub-contracted. It is important that service providers share their contracts with third parties.
14. Price
    Price is the most important component of any decision making process and the most negotiated one. However, a word of caution: Do not buy on price alone, but rather, seek value for money. Disaster Recovery services are not cheap. Enterprises should look realistically at the cost of people, equipment, environment, maintenance, power, software licenses, communications, etc. A decision based solely on price will have implications on the vitality of the disaster recovery plan.

Not all businesses need a full service DR provider. Some businesses may only need to protect specific company data. These businesses can select from a range of Web-based application service providers (ASP). Companies can outsource their back-end applications and have the ASP vendor develop, build, distribute, and maintain custom applications and databases for client use. At a typical price of only $50 to $100 per user per month, the ASP is an affordable recovery alternative.

Disasters can occur at any given time. It is important to take preventative measures.

Reference

Staff writer (2004, August 16). Disaster Recovery Provider Checklist. The Data Center Journal.

###

About the Author
Raj Narayanaswamy is the co-founder and co-CEO of Replicon, Inc. (https://www.replicon.com/), the industry leader of web-based time and expense management solutions. Founded in 1996, Replicon, Inc. powers companies, of all sizes, to maximize profitability and productivity. Clients include Ernst & Young, Sony Music Entertainment, Charles Schwab, and Volvo. Replicon is based in Calgary, Alberta, Canada.