I recently led a team conducting a data center assessment (network, server/virtualization/storage, security, facilities) for an organization that delivers a vital service to a lot of customers. One aspect entailed looking at the organization’s Disaster recovery (DR) and Continuity of operations (COOP) plans.
Their plans were pretty good. However, this got me thinking about the DR and COOP plans I’d seen over the years.
A disaster recovery plan details how an organization will recover IT functionality when a calamity of some kind happens. DR planning usually revolves around an alternative site with backup or replicated data, where critical IT applications and functions can be run. Continuity of operations is, as the name implies, about the broader topic of maintaining operations in various situations. COOP encompasses topics such as worksites becoming unavailable, travel restrictions, loss of senior managers, and more.
One common problem with COOP is what to do with employees when it’s impossible to get to the office. Some large firms or organizations that have planned more thoroughly lease or reserve office space for “critical” staff.
Some such organizations might have a bit of a time-card mindset: they provide space, phone, desktop computer, and expect people working from the office. Implied: perhaps keeping an eye on the work ethic? But today’s workers are often judged more on their actual work output than on the hours they’re in the office, so should that “office centric mindset” still apply to more than perhaps the management team, who indeed might need frequent face-to-face meetings in a crisis?
Another aspect of this: I always wonder about “critical” staff, applications, etc. – how accurate is the classification? With one recent customer, my question was: If you can continue operations for at least a couple of weeks with 300 people, why do you still employ 700+ others? What will you do if the COOP event lasts 3-6 months? The answer was activate other space, likely further away.
A related consideration is where you’re going to put the critical staff. If they’ll be in leased office space of your own, you should be fine. But some companies’ COOP plans include leasing office space with a contract clause that requires them to share space with other organizations that have been affected by the same event that precipitated activating the COOP plan. So if you’re in such a space, and if that event is even mildly regional in scope, then the space available may not be enough for all of your critical employees. If you were planning on shifts of 100, and can only put 25 onsite at a time instead, how does that affect your plans? Your own leased office at least guarantees you the number of seats and desks you’ll need.
For a while now, I’ve considered a “mobility denial event” as part of the mix of things that I think need to be considered. We do have to plan for big events such as a terrorist strike, but smaller events might be more likely. We’ve had two brushes with possible lock-down quarantines in the last 10 years (think swine flu), for example.
What if there’s a broad quarantine for three to six months? What if a truck accident brings down a bridge that is part of a key highway resulting in months of traffic gridlock (DC, NYC, LA in particular)? (For example, the major highway bridge collapse in Minneapolis not too long ago.) Or something badly affects mass transit? In such a situation, people cannot move around very readily. In particular, they might not be able to do shifts at a designated COOP location. In a quarantine, IT people might be allowed one-time travel to a worksite, but it would be unwise for them to go home again. That’s another whole planning topic: housing them, etc.
So with the background set, here’s the idea…
If you change your thinking, as some sites are doing, another approach is possible. We’ve all read too much about BYOD (Bring Your Own Device to work). I’m calling this THOC (“Take Home Our Computer”).
The basic idea is that if staff use laptops, and take them home, and work from home some of the time, you have the elements of a great workforce COOP strategy right there. A firm might actually want a corporate-controlled laptop, with provisions for the user to also use it in segmented or otherwise controlled fashion for personal use as well. OK, that last part just scared some security people, and I won’t deny security of the personal use has to be considered. The difference here is that the laptop is under corporate control. It is standardized, as compared to BYOD. (Maybe the THOC mechanism is actually BYOD where the company adds security measures to the employee’s own device. It’s basically the same idea.)
If the laptop is set up for remote access (limited VPN or Citrix or whatever), and if people actually use it from home occasionally, that means it should be ready for a COOP event, and staff will know how to use it.
If people use the laptop for personal stuff (with local backup?), then they’ll have an incentive to take the laptop home. It sure doesn’t do much good sitting in the office when a COOP event hits. Alternatively: issue a separate laptop for home use only. Keeping it patched and updated might be more of an issue with that approach. But people wouldn’t have to lug the laptop back and forth to work. The challenge might be getting them to use the laptop at all. If it is not used, it probably won’t work when needed! (Or having to wait through catching up on six months of security patches under slow network conditions?)
The impact of this is (a) the company needs to lease less COOP office space, and doesn’t have to buy or lease the usual office appurtenances (phone, computer, furniture), and (b) assuming the Internet is up, the entire staff can work from home.
For a deeper conversation about how to protect the security of your network while ensuring ongoing operations in the wake of a disaster, just reach out.
Comments
Comments are welcome, both in agreement or informative disagreement with the above! Thanks in advance!
Twitter: @pjwelcher
