"The responsibility for a system includes the ability to deal with a lack of availability of the system," says Dave Kennedy, CISSP, director of research for the Carlisle, Pa.-based National Computer Security Association. Data centers and the data stored within them can become unavailable due to a natural disaster, fire or other disruptive act. Regular data backups and redundant storage are a necessity. The Environmental Protection Agency, for example, stores its backups in a secure, waterproof, fireproof facility. But, notes Capt. Casey Ajalat, information systems flight commander at Dover Air Force Base, "we need backups of the system and also backup systems for the system; that is, backups for both the software and the hardware."
Disaster recovery plans are essential, especially for mission-critical computer systems. Some agencies deal with this on their own, maintaining an alternate computing facility at a separate location that mirrors the data processing taking place at the primary location. Others contract out for recovery services.
In the event of a disaster, vendors may either provide the use of their own facility (called a "hot site"), or they may travel to the client site to assemble a replacement data center. Hot sites, available across the country, are equipped with backup tape libraries, computers and telecommunications equipment.
Agencies are advised to test their disaster recovery plans several times a year (including on a nonworking day). The EPA is required by its administrator to bring its critical systems back to operation within seven days, says Robert D. Lewis, CPP, the EPA's chief of security staff in Research Triangle Park, N.C. To be prepared, "two to three times a year, we go off-site, bring the system up and process a few applications such as payroll," Lewis says.
Companies offering disaster recovery services include Comdisco Disaster Recovery Services, IBM Business Recovery Services and SunGard Recovery Services. Hot-site subscriptions can cost from less than a thousand dollars to several hundred thousand dollars a month, depending on an organization's needs.