Avoiding disaster recovery pitfalls
At the Emerson AdaptiveXchange conference in Baltimore last week, disaster recovery consultant Pablo Gonzalez with Miami-based Crisis Management gave attendees advice on detecting vulnerabilities and assessing risks in their data centers. Gonzalez’s background is in emergency and terrorist response (he was part of the team sent to manage and mitigate the first recorded anthrax attacks against the U.S.
Cookie-cutter disaster planning
One of the biggest problems that Gonzalez sees is what he called “cookie-cutter planning.” This refers to copying a plan or using a template developed by someone else for a specific organization. “People will copy someone else’s plan, make some minor changes to adapt it and integrate it into their planning.”
He described an incident with one of his former clients. Partway through reviewing their disaster recovery plan, he realized that it was the exact same plan that he had written for a different client, with different circumstances and its own unique issues. He said that each situation is almost always too unique for this type of planning. For example, access to airports, distances to infrastructure service providers, on-site employees, and distance to the recovery site are all going to be specific to each facility.
Prioritizing: Risk assessment measures
It might be tempting to identify everything in the data center as being critical or serving critical functions, but properly assessing the criticality and risk levels of equipment as it pertains to the business function is a crucial part of disaster recovery planning.
Gonzalez advocates using a couple of different assessment schemes. CARVER is an old scheme dating back to World War II and stands for criticality, accessibility, recoverability, vulnerability, effect, and recognizability. The idea is to list as many assets with descriptions as possible and rank them one to five on each point to help you determine the vulnerability of your data center as a system. This research from American Security International Corp. outlines how to apply CARVER to your disaster recovery planning.
What I found to be the beauty of the CARVER method is its scalability — you could assess each server or piece of equipment as its own system to determine its vulnerability in relation to the rest of the computing environment.
Gonzalez also discussed FEMA’s risk assessment worksheet. Disaster planning folks list their assets and rank each, one to five, based on probability, human impact, property impact, business impact, internal resources and external resources. The advantage of this method is that it forces planners to look more broadly at how the hazards affect operations, as opposed to CARVER’s straight-up analysis.
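A worksheet of the kind described above, as an added example that is not from Gonzalez's talk or from FEMA: it validates the one-to-five scores, ranks assets, and flags any criterion on which every asset received the same score, which is the "everything is critical" trap. Summing the six scores into a total, treating a higher score as more concern, and the asset names and scores are all assumptions made for illustration.

```python
# Added example: six-criterion, 1-5 worksheets as described in the article.
CARVER = ("criticality", "accessibility", "recoverability",
          "vulnerability", "effect", "recognizability")
FEMA = ("probability", "human_impact", "property_impact",
        "business_impact", "internal_resources", "external_resources")


def rank_assets(worksheet, criteria):
    """Validate a worksheet and return [(asset, total)] sorted highest first."""
    totals = []
    for asset, scores in worksheet.items():
        missing = [c for c in criteria if c not in scores]
        if missing:
            raise ValueError(f"{asset}: no score for {', '.join(missing)}")
        for c in criteria:
            if scores[c] not in (1, 2, 3, 4, 5):
                raise ValueError(f"{asset}: {c}={scores[c]!r} is not 1-5")
        # Assumption: the per-criterion scores are simply summed.
        totals.append((asset, sum(scores[c] for c in criteria)))
    # Ties are broken by asset name so the ordering is reproducible.
    return sorted(totals, key=lambda t: (-t[1], t[0]))


def flat_criteria(worksheet, criteria):
    """Criteria on which every asset got the same score.

    A flat column (for example, everything rated 5 for criticality)
    cannot help prioritise and usually means the scoring needs a second pass.
    """
    return [c for c in criteria
            if len({scores[c] for scores in worksheet.values()}) == 1]


# Constructed sample data; asset names and scores are illustrative only.
SAMPLE = {
    "core-router":   dict(zip(CARVER, (5, 2, 4, 3, 5, 2))),
    "backup-server": dict(zip(CARVER, (5, 3, 2, 4, 3, 1))),
    "badge-reader":  dict(zip(CARVER, (5, 4, 1, 2, 1, 4))),
}

if __name__ == "__main__":
    for asset, total in rank_assets(SAMPLE, CARVER):
        print(f"{asset:15} {total:2d} / {5 * len(CARVER)}")
    print("flat criteria:", flat_criteria(SAMPLE, CARVER))
```

The same two functions work for the FEMA worksheet by passing `FEMA` as the criteria list.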
Response triggers
All the charts and worksheets in the world won’t help unless disaster recovery planners outline response triggers. This term refers to the events that enact the plan. Gonzalez gives the example of a fire starting. If there is no alarm that prompts people to move to the exits, go for the extinguishers, etc., then all of the plans that describe those procedures are moot. If a hurricane is making its way to your data center, someone needs to be charged with disseminating information and getting the plan enacted.
Don’t worry, there is help
Worrying about having the budget to develop a DR plan should not be an excuse. Gonzalez said at the end of his presentation that free resources are available, especially for data centers whose criticality falls within federal jurisdiction, i.e., telecom and power companies. Though these resources may not take the form of money, FEMA and other DR-related agencies in the government can provide training for your data center folks, and the best way to access these resources is to contact local government offices and just ask.
Posted: December 6th, 2007 under Data center disaster recovery planning.
What is a disaster any more? The loss of a file or a server or an entire site? The answer of course depends on what is lost. But if key individuals lose key information, that can be disastrous. If we are attacked by “Love Bug 2008” and email is crashed for several days, that is a disaster. Obviously, if a tornado takes out the data center, that too is a disaster.
Planning is key to recovering and rebuilding from a DR point of view, however, the entire architecture needs to be looked at so the client can have a resilient environment all of the time, not just when the “big one” hits.
Technology exists that allows for the building of Virtual Disaster Recovery solutions, and one doesn’t need to be a Fortune 500 to afford the right solutions any more. Simplifying the architecture and virtualizing it “Liberating the Software from the Hardware” are the keys to pulling this off. Traditional approaches will most certainly fall short as they were simply created in another time to meet a different need.
A Virtual DR Architecture can be a reality today with planning and understanding of the powerful enabling tools that are available to them.
Paul Clifford
Davenport Group
www.davenportgroup.net
Comment by Paul Clifford — December 7, 2007 @ 5:04 pm