Dave Falldien, senior systems administrator at Dalhousie State University
Let’s start with this tidbit: Within two years after Hurricane Andrew struck in 1992, 80% of the affected companies that lacked a business-continuity plan failed, according to FEMA.
The campus card system is an important and intricate part of campus life. It facilitates campus security, access control and payments. Thus, lost transactions or down time have a direct impact on the entire campus, whether it’s a student being locked out of a residence or lost sales at retail locations. These impacts are financial and affect overall trust in the system.
Disaster recovery is the misunderstood, undervalued ugly duckling of the card service industry. It’s a dirty little secret that IT folks keep wrapped up to shelter clients from the realization that something bad can, and likely will, happen.
Though seldom discussed, everyone in the IT field has stories of lost email, documents, or even entire systems. The key is not loss, but rather the recovery.
Devise a plan
There are three basic parts to any disaster recovery plan: 1) build a business impact analysis; 2) define the scope of your new disaster recovery plan, including recovery times and individual responsibilities; and 3) create a communication strategy that includes who should be informed in each different failure state and who is responsible for sending out communication.
Though it seems simple, it is surprising how few people, departments and campuses actually implement the process.
The business impact analysis often moves beyond the scope of IT and should be considered a required part of any successful operation. It doesn’t take long to realize that if a POS system is offline across campus, transactions are not being processed and sales is being lost. Not only are you losing the transactions, you are also paying idle staff. These costs add up quickly and have a direct impact on your bottom line.
As the person responsible for the financial side of the card system, you should be able to see your disaster recovery plan at any time. If the person who maintains your card system infrastructure does not reside in your department, you should have ongoing dialog including how the last disaster recovery test went.
Business impact is the easy part of any new disaster recovery plan. The meat of the plan is in the definition of scope. It is also the most difficult part of the plan, but the reward time well spent pays off rapidly in the event of an outage.
The scope section should clearly define the situations addressed by the disaster recovery plan. This should be a comprehensive list, including everything from natural disasters to server-level crashes, lost hardware and anything in between.
In simple terms, the scope includes everything you are going to include in your disaster recovery plan.
What about me?
Perhaps as important as knowing what’s in scope is knowing what lies outside of it. This tends to be the touchier subject.
The unfortunate truth for some users is that their immediate needs might not align with what the institution constitutes an emergency.
The best way to get a full list of what you would like covered is to conduct a business impact analysis as part of an overall risk assessment of the system. This is ultimately a simple and clear cut way to ensure that everyone is on the same page when it comes to what services will be covered.