From Implementation to Testing:

Information Technology Disaster Recovery Planning for Universities

Cheryl Barkby and Ed GregoryInformation ServicesDePaul University

Copyright Ed Gregory, Cheryl Barkby, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Today’s Agenda

Background information Overview of DePaul’s Information

Technology(IT) Disaster Recovery Plan Selecting a hotsite vendor How to secure funding Importance of exercising/testing DePaul University’s response to September 11th

Importance of Disaster Recovery Disaster Recovery Journal has reported:

“94% of companies that experience a catastrophic data loss go out of business within two years.”

Source: Yatish Mishra, “Can Your Company be Liable for not Implementing DR Plans?”, Disaster Recovery Journal, Summer 2002.

“97% of respondents reported that their specific plans needed to be altered in light of the new realities of Sept. 11 attacks, and about half of those said that the needed alterations had to be complete or significant.”

Source: Robert Chandler, Ph.D., J.D. Wallace, Ph.D., “What Disaster Recovery Experts Were Thinking Just After the Attacks”, Pgs. 28-31, Disaster Recovery Journal, Winter 2002.

DePaul University: Who we are Founded in 1898

Largest Catholic university in the U.S.

8th largest private university in the U.S.

Over 23,000 students

Over 4,000 faculty and staff

Total of seven campuses: two within the city of Chicago, five in the surrounding suburbs

Overall Map of DePaul

Map of Downtown Campus

Previous disaster recovery efforts were minimal

Original plan designed for mainframe operations

Plan then updated for Y2K compliance Contracted for hotsite No exercising/testing was planned or done

IT Plan Review for New System In August of 2001, review was necessary due to the

university’s transition from a mainframe computer system to PeopleSoft.

Events of September 11, 2001 forced further scrutiny.

Steps necessary to update plan Revise DRP team Produced walllet-sized cards Verify mission critical business applications Update processes and procedures Perform data, hardware, and software inventory

IT Disaster Recovery Planning Process

Determine end-userneeds and requireddata, software, and

hardware

Determine hotsiteoptions and costs

Review for possiblenetworkingimplications

Plan and optionsreviewed by

directors and VP ofIT

Executives reviewand decide on

options and costs

Hotsite optionsoperationalized

Create a draftdisaster recovery

plan

Plan finalizedbased on

Executive, VP,and director input

Planoperationalized

Developing HotSiteOptions

DevelopingDisaster

RecoveryPlan

Selecting a HotSite Vendor

DePaul analysisAnalyzed three hotsite vendors, including current

provider.Selection criteria

Number of sites available Distance from site Equipment Cost Contract

Selected SunGard as sole vendor

Securing Funding DePaul’s method for securing funding

Received executive support Created proposals detailing:

Hot-site services Emergency communication tools Off-site storage Back-up web presence Back-up Internet connection

Suggestions for acquiring executive support Scare the executives Stakeholder support Solid proposal:

Cost of not having recovery plan Possible disaster scenarios Keep it simple

Exercising/Testing

Preparation for exercise Review of exercise for IT mission critical systems Exercise outcomes

Problems identified Software and hardware changes Updated procedures

Demonstrated need for additional funding Post-exercise meeting

Overall University Response to September 11 Chaotic response/evacuation on September 11th

Further response to events: Performed external audit of disaster recovery plans for key areas.

Discovered numerous areas that lacked a plan or required major updating.

Overall guidance and cross-divisional collaboration were not in place.

Began updating university-wide disaster recovery plans including: Communication processes (e-mail, back-up phone system,

pagers) Evacuation and emergency procedures Began to develop a comprehensive university plan.

Overall Timeline

1/1/028/1/01 5/1/02

September 11, 2001

IT DRP AnalysisUniversity-Wide DRP Analysis

4/01/02Univ. Audit Completed

3/27/02First DRP Exercise for IT

9/30/01Univ. Crisis Mgnt. Team Formed

11/15/01Contracted with HotSite Vendor

3/1/02Table-top IT DRP exercise

Final Recommendations

Testing/Exercising is key: IT, evacuation, communications

Collaboration with other university departments, especially business units

Perform Business Impact Analysis (BIA) Analyze all hotsite options: outsourcing, internal, mobile Obtain certification Make use of consultants/experts Network with other universities about their experiences

Vendor and Website Information Vendors:

Strohl Systems, www.strohlsystems.com Contact: Matt Ott, 1-800-634-2016

SunGard, www.sungard.com

Iron Mountain, www.ironmountain.com Useful Websites:

Disaster Recovery International Institute: www.drii.org

Disaster Recovery Journal: www.drj.com

Contingency Planning Management:www.contingencyplanning.com

Continuity Insights:www.continuityinsights.com

Contact Information Ed Gregory

Manager of Data Center, Information Services

312-362-5374 egregory@depaul.edu

Cheryl Barkby DRP Analyst, Information Services 312-362-6419 cbarkby@depaul.edu

Questions?