BCM Basics: The BC Professional’s Role in Data Protection

This post is part of BCM Basics, a series of occasional, entry-level blogs on some of the key concepts in business continuity management. 

Data is a critical asset for almost every organization today. Business continuity professionals have a vital role to play in making sure their companies implement appropriate data protection strategies and policies. 

The Importance of Data Protection 

The importance of data to contemporary organizations can hardly be overstated. Having ready access to its proprietary data, and keeping that data secure and uncorrupted, is key to the ability of just about every company, nonprofit, and government agency to carry out its mission-critical activities. 

At the same time, the threats to organizations’ data are greater than ever. These include the threat of theft, deletion, or destruction, by internal or external forces, either maliciously or by accident. 

Data loss or corruption is the most likely and frequent continuity-impacting event. 

For these reasons, every organization needs to develop a robust data protection stance. But how should that goal be accomplished, and who should be in charge? 

A Common Misconception 

A common misconception among people new to business continuity management (BCM) is that data protection and recovery will be taken care of by the IT department. (This is also a common misconception among people who are not new to BCM.) 

Leaving the matter solely in the hands of IT is a good way of arriving at a collection of data protection strategies that don’t necessarily meet the business requirements.  

When this happens, it’s usually not the fault of IT. It can happen even when the IT department is skilled and dedicated.  

The fact is, the IT department is unequipped to implement the best strategies on its own because it lacks certain necessary information. This information is in the possession of the business departments.  

Devising appropriate data protection strategies requires a dialog between the business departments and IT.  

This is where the BCM office comes in.  

BCM’s role is to facilitate this dialog—and help the two teams jointly arrive at a collection of data protection strategies that make sense for the organization overall. 

The BC department has a vital role to play in the organization’s effort to develop and implement sound data protection strategies. 

The Role of the BC Office 

Let’s look more closely at the BC office’s role in helping the organization develop an appropriate data protection program. 

As mentioned above, the IT department needs certain critical information in order to come up with sound data protection strategies. 

The information includes a priority ranking of all of the company’s critical business processes and applications that identifies which ones need to be restored the soonest in order to minimize the impact of an outage on the organization. The processes should be divided into groups based on the time frames in which they need to be recovered to keep the impact within acceptable levels (e.g., within four hours, within 24 hours, within three days, etc.). 

The technical terms for this type of information are recovery point objectives (RPOs) and recovery time objectives (RTOs). 

Here’s how those terms are defined in MHA’s recently published glossary of key BCM terms: 

  • Recovery point objective — The maximum amount of data that can be permanently lost after an outage before a process is materially impacted, measured in terms of time. The RPO helps in determining an appropriate data protection strategy for the underlying application. 
  • Recovery time objective — The time window within which a business process and its associated applications must be restored after an outage in order to prevent serious impact to the organization. 

This information is important because it gives IT something to go on in developing data protection strategies. Now instead of guessing what should be restored first—and the level of data loss that is acceptable or can be recreated—IT has objective, vetted information on this topic developed with the input of the business departments.  

With this information in hand, IT can make sure the data protection strategies it develops truly support the needs of the organization. 

Who helps the business units work out the RTOs and RPOs—and who mediates between them and IT on this subject? The BCM office. (The starting point for this process is the business impact analysis or BIA.) 

Far from being a minor player in the development of a sound data protection program, the BCM office is the hub of the wheel.  

Things the BC Staff Should Know 

Let’s look at a few other things the BCM staff need to be aware of to perform their role: 

  • There are two main data protection strategies: traditional data backup and data replication. Restoring from a data backup is slower and less expensive. Recovering via data replication (which involves keeping a complete, always-on copy of the data in another location) is faster but costlier. 
  • Choosing data protection strategies requires navigating tradeoffs between dream solutions, critical needs, and budgetary constraints. 
  • The business departments might have sweeping, pie-in-the-sky expectations. The BC office might have to educate them about the hard realities of data protection expense (as passed along by IT) to get them to be more realistic. 
  • The BC office should work with IT to make sure the strategies they develop are truly aligned with the data protection needs of the organization overall. 
  • Sometimes IT is able to surpass the business department’s requirements and stay in budget.  
  • The goal is a Goldilocks-type solution, neither too much protection (wastes money) nor too little (leaves exposure).  
  • BC should make sure that IT has implemented an immutable backup. This is a backup that can’t be modified, accessed, or corrupted without some level of specific access. It provides protection against hackers. 
  • The BC office should be familiar with the organization’s data loss protection (DLP) policies. These are typically handled by IT security, compliance, or risk management. They address matters pertaining to who can access what data and how data can be shared. Many such policies are implemented automatically. In the event of an outage, automatic implementation will not function. The BC staff might need to include measures to uphold DLP policies in their manual workaround plans.  

Meeting the Organization’s Critical Needs 

The ability of almost every organization to carry out its mission depends on its ability to access and protect its data. Meanwhile, organizational data is facing numerous threats, internal and external, accidental and malicious. It is incumbent on every organization that cares about its future to develop and implement sound data protection strategies. 

The BCM office has a vital role to play in this effort. It supervises the assessments that help the business units prioritize their processes and applications. It then communicates this information to IT and mediates between IT and the business units in developing data protection strategies that are aligned with the organization’s critical needs.  


About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.