Jon Toigo of Toigo Partners International looked at "The state of DR in 2010," and Business Continuity Institute board member Paul Kirvan instructed attendees on "How to prepare for a disaster recovery plan audit."
Toigo attributed most disasters to software failures, hardware failures and staffing reductions that haven't left enough people to adequately manage and maintain the systems. He said only 5% of outages are "smoke and rubble" (natural disasters) such as hurricanes and earthquakes.
He said software failures are caused by added complexity from factors such as hypervisors and frequent patching, while most hardware problems come from controller issues.
"The more complexity you have, the more propensity for failure," he said.
He said that disaster recovery planning needs to focus on business processes more than technology. It requires establishing service levels that fit recovery requirements and business restraints. He emphasized a need for championing data management archiving, "because recovery is, at the end of the day, all about the data."
The three key steps to recovery, he said, are to re-host the applications, connect to a valid copy of data and re-connect users to the data. There are highly redundant processes to reduce data recovery time, such as multi-hop mirroring between at least two arrays and a recovery site. However, these are costly.
"The time to [recover] your data decreases depending on how redundant your facility is, and the cost increases depending on how redundant your facility is," he said.
Toigo said advances in density are making tape backup and recovery relevant again in despite advances in disk-based backup such as virtual tape libraries and data deduplication. He said there is room for disk and tape in disaster recovery, and dismissed cloud disaster recovery as "a simple and horrible means to back up data."
Disaster recovery audits require careful planning, documentation
Kirvan gave tips for passing disaster recovery audits, which mostly comes down to making a solid disaster recovery plan that adheres to best practices and being able to document the plan. Some things that can get overlooked include identifying preventive controls (alternative power sources, for example); defining the technology you'll need at an alternative site to recover from a disaster; and staffing responsibilities – including how you will contact team members and management in case of a disaster.
"You also have to determine who in your organization is authorized to declare a disaster," he said.
Kirvan said a disaster recovery plan for larger organizations should include how to communicate with the media, and businesses should also coordinate with first responders such as local police and fire departments about how they will operate during a crisis.
"The worst thing you can have is a first responder show up at your door and order you out of the building, no questions asked, and you're not ready to go yet," he said. "If you know them in advance, you'll know what they'll be doing and how you can respond."