Getting started with outsourcing disaster recovery sites
Disaster recovery outsourcing can save you money, but follow these tips before you sign on the dotted line.
What you will learn in this tip: If you are considering disaster recovery outsourcing, there's a lot you need to know. What will the disaster recovery site include and what will you get? Use this tip as a short checklist as you get started with outsourcing disaster recovery .
Equipment and technology
The basic underlying concept of disaster recovery is to have a secondary data center available and operational when an incident occurs. To that end, the vendor you choose for disaster recovery outsourcing should have an operational platform (mainframe, client server, Unix, etc.) similar to your own. When time is critical, such as after an incident, one of your concerns should not be how to tailor hardware to correspond to your application or vice versa. The disaster recovery site should have equipment ready. Depending upon your strategy and financial arrangement, you will have already determined if the site is ahot, warm or cold site.
Remember that even as an outsourced data center, the disaster recovery site may need to have additional equipment configured and installed at the site should a disaster strike. In some cases, you may decide to have only your critical systems as hot standby. This would be fine as long as the interruption does not cross the timing threshold of your recovery requirements. That is, if a noncritical application is needed after 48 hours, 40 hours into the incident you want to start building an environment to run the additional applications you will need. You don't want to begin looking for hardware or connectivity for the additional applications. Additionally, keep in mind that the recovery site may be your sole location for some time. Make sure you get this in writing in your service-level agreement (SLA) with the company you choose. Some vendors may work with you to “virtualize” your environment. If so, take the time to review what criteria will be used to combine servers, etc. Use a business impact assessment as a starting point. Applications designated as critical should be available first, others could follow. Do not use storage or capacity as the main criteria of virtualization. Doing so may combine non-critical applications and processes with critical applications, thus misusing resources. Whatever configuration is selected, hardware and software compatibility is a key factor. In the middle of a recovery, you do not want to be debugging software or running into hardware compatibility issues. You will most assuredly be busy enough.
Availability
Make sure the outsourcing disaster recovery site can recover your data within your expected recovery window in the event of an incident. As with regular disaster recovery, you need to decide how the communication will take place, and who makes the notification to engage the site. There should be a list of individuals, kept up to date, on who can initiate the process. Consider various possibilities that can go awry, such as a terminated or disgruntled employee calling the site and initiating a recovery. Do not leave the initiation to the CIO, or another single individual, because perhaps they are on vacation or in a different time zone, and cannot be reached. Should a disaster occur, and your disaster recovery outsource site now becomes your primary site, will your staff require physical access? Will the disaster recovery site be capable of handling your normal production load for an extended period of time?
Maintenance and the disaster recovery site
You have decided to outsource your disaster recovery to a third party, so think about any maintenance issues that may arise. What will the process be for implementing software updates (patches), or updates to your applications? What procedures will be required and set up with the vendor for routine application maintenance? Only you are aware of how often your applications are modified. What if you need to make an emergency modification to the software? Does the vendor have specific times for allowing updates to customer/client data? This should be worked out beforehand.
Your DR provider’s DR
You have selected this vendor to provide disaster recovery support for you, but what are the vendor’s disaster recovery plans and how can they affect you? A SAS 70 audit will address some issues, but what happens if there is some type of incident which will affect the vendor site? What are the vendor’s continuity plans? Again these should be addressed as part of the SLA or contract.
Knowledge transfer
When you outsource a function you allow someone else to perform the task for you. Consider that they need to be trained in how you handle various situations. If you have a particular methodology or format, make sure the vendor is as aware of, and adept at, delivery of this service as your current staff. You may have reports or logs that are needed for audits or operational requirements. The recovery location will now need to generate these logs; it would be beneficial if the staff knew in advance what to do. Work with your vendor, so they fully understand the particular terminology and naming convention you have. Provide them with easy-to-follow instructions or scripts. The vendor should have knowledge of your organization in the event they must forward questions to the proper people and departments. Enter into a formal training program with your vendor, and monitor that training.
Operational instructions
Does your technology require a particular expertise to operate your hardware or software? If so, does your outsourced disaster recovery staff have that particular expertise? Most disaster recovery vendors have sufficient expertise on operating the hardware and network infrastructure, but perhaps need familiarization with your applications. Explain to your vendor what expertise will be required to meet your needs and see that it is available at all times. Put this in writing in the SLA.
Staffing
One factor you no doubt considered as part of the outsource agreement was staff savings. What you have done is put your applications in the hands of staff over which you have little or no control. At your location, you may have rules about terminated employees and access but what about your vendor? Do they have any steps in place dealing with a threatening employee or workplace violence? It is a good idea to have these policies in place.
Outsourcing disaster recovery and cost
One of the reasons you are looking at the possibility of outsourcing is to save money. Think about all the issues that may arise, some of which I have outlined within this document, and determine if it's an acceptable option and saving. Pricing for disaster recovery outsourcing will mainly depend on the type of service you require.
To ensure peace of mind when outsourcing disaster recovery, make sure you compare at least three vendors and know exactly what type of disaster recovery services you require.
Harvey Betan is a certified business continuity planning consultant with experience in disaster recovery in both technology and business functions. He migrated to business continuity after the restoration of a large insurance company with a major presence in the World Trade Center on Sept. 11. His career has spanned a dozen years in business continuity after a 15-year career as a senior manager in information technology for the financial, insurance and nonprofit sectors.