Strategies for information system implementation and management

¶ … Information System Recovery

In the Age of Information, organizations of all types and sizes are increasingly relying on sophisticated information technology system to support and drive their enterprises. Although Moore's Law continues to hold true and computer processing speeds continue to double approximately every 18 months, Murphy's Law is also a factor to consider because these information systems can and will fail for a wide variety of reasons, including manmade and natural disasters. In order to respond in a timely fashion to such information technology disasters, organizations must have a viable information system recovery plan in place before such events take place. To this end, this paper provides a step-by-step plan for organizations for creating strategies for restoration of information system operations in the event of an attack or failure and for the recovery of data that may be stolen, altered, or destroyed. An analysis of the respective strengths and weaknesses of current approaches and technologies that are designed to protect information systems and data is followed by a summary of the research and important findings in the conclusion.

Review and Analysis

Information systems can fail for a number of reasons, including the vagaries of the weather. In this regard, Reagan (2006) emphasizes that the incidence of weather-related information system failures has increased in recent years. "In the past year," Reagan advises, "the U.S. has experienced some of the most devastating storms in our history, resulting in catastrophic telecommunications failures. These disasters have highlighted the importance of enterprises planning for recovery in the event of network outages" (p. 60). Likewise, the terrorist attacks of September 11, 2001 made it abundantly clear that companies of all sizes and types are vulnerable to unexpected manmade disasters as well and it is apparent that when it comes to information systems, "prior planning prevents poor performance." For instance, according to Cohen (2004), "Businesses are not ultimately interested in backups per se; they are more concerned with having their mission critical data available or easily retrievable when disaster strikes. Do not look at data protection from the backup perspective; turn the idea on its head and think about planning for data recovery" (p. 3).

The first step in developing a viable information system recovery plan is to take stock of existing information systems and determine the major applications and system that host the organization's mission-critical documents and data files (Cohen, 2004). Such documents and data files will include, of course, financial records and accounting information, but should also include correspondence and email exchanges that have an impact on the organization's performance. Some of these documents and data files will inevitably be in different storage formats that may require different types of data backup approaches. The strength associated with this step is relates to the ability of an organization to take a "snapshot" of what information is relies upon at a given point in time in order to better respond to the unexpected; however, a clear weakness involved in this step is the need to take such "snapshots" on a regular -- and frequent -- basis in order to maintain a timely list of such information because this will inevitably change on a day-to-day basis.

The second step in developing an effective information system recovery plan is to record what type of data files and documents are mission critical to the organization in a separate spreadsheet with extra copies being stored off-site. According to Cohen, organizations should include which computers the information are stored on and what type of format they use. Different data files and documents will require different types of backups (Cohen, 2004). Although data backup approaches may vary, the bottom-line consideration for any organization is to ensure that additional copies of this mission-critical data is maintained off-site where it is readily accessible in the event of the unexpected. In this regard, Cohen advises, "Data protection ultimately boils down to making sure you have accessible copies of your data in different places, so that if one system fails you can switch over to another quickly. Data protection is a cascading series of file and system copies. Each copy is further away and harder to retrieve, but it is still available for disaster recovery" (p. 4). The strength associated with this approach is ensuring that an organization has access to its mission-critical data in the event of a disaster, with the concomitant weakness being the relatively modest costs involved.

The next step in developing the organization's information system recover plan is to take stock of existing hardware. As Cohen emphasizes, "If you have been hosting your company's Web site on an office computer, it is time to stop. For the cost of a cup of coffee per day, a Web-hosting center can fully protect your site off-site, where it will not tie up your company's bandwidth" (p. 3). This approach to maintaining important contacts with customers and an organization's intranet has several strengths over an organization's hosting the Web site in-house. For instance, Reagan (2006) notes that, "A hosted solution provides an organization with the flexibility of deploying an IP-enabled system without the maintenance costs involved in a self-maintained model. Network upgrades, enhancements and, most importantly, the scaling of bandwidth and phone lines are all handled by the provider" (p. 61). Here again, the primary strength involved in this step relates to the ability of an organization to continue operations in the event of the unexpected with a relatively modest cost being the corresponding weakness.

After the organization has identified its mission-critical important systems, the next step concerns determining how best to replace them in the event of loss. In this regard, Cohen (2004) emphasizes that, "If a critical system fails how long could you do without it before it would negatively affect your business? Think carefully, because the answers will have a major impact on how you will protect your systems and how much you will spend to gain that protection. If your business absolutely, positively, cannot afford to be off-line for more than a few hours, you might think about moving your systems to a hosted data center" (p. 4). Hosted data centers and so-called "third-party hot-sites" are becoming increasingly commonplace and the cost is low compared to the potential savings that can be realized in the event of a disaster. As Reagan (2006) points out, "The third-party hot-site is currently the most attractive option for many organizations that wish to implement a disaster recovery plan. These sites offer attractive pricing on the storage and real-time back-up of an organization's critical information systems, and typically offer cubicles or work stations on a per-seat basis" (p. 61).