Bill Clebsch from Stanford is coordinating a session on Business Continuity and Disaster Recovery
Full results of survey are up on the web at http://www.stonesoup.org/Meeting.next/mtg.pres/clebsch2.htm
Bill asks how many of us are ready for a disaster – at Stanford they say ready is being documented and drilled. Most of us are prepared for major events, maybe better than we are for smaller events (like one that would just take out the data center). Stanford estimates that they could function for around sixty days without financials – beyond that the big driver is being able to make payments to the federal government.
If you only have excel and word, you dont have a business continuity tool
Drilled means exercised quarterly – any less often means it likely won’t work.
Scope is focused around enterprise computing – Bill really worries about departmental systems. The future is in arranging partnerships with other institutions.
Lessons from Hurricane Katrina – ECAR research bulletin – Catherine Lewis from Xavier.
There’s a role-playing discussion of disaster recovery. Shel asks about whether people are worried about the NIH and NSF regulations around access to data any time during the grant. One opinion expressed is that researchers aren’t worried about that compliance, while another is that non-compliance is another risk that must be managed. One person says that any institution that pushes these compliance issues ahead of their peer institutions risks losing their faculty to other institutions that won’t push compliance as strongly.
Shel says that he’s achieving some success by brokering a connection between Risk Management and Sponsored Programs, so that it’s not IT pushing the issue with researchers.
Texas is in the process of cataloging every computer on campus – they’ve developed a tool that’s being used across campus to catalog data in three categories. Everyone is obliged to report what kinds of data are on each computer, from faculty desktops to the mainframe. This is a huge process, which has created some happiness among faculty.
It’s mentioned that there are faculty that insist that the data is theirs and that the institution does not have any role to play in poking its nose in, whether for backup or other purposes.
Bill suggests that IT is not the group in the position to suggest value of various risks of loss of data or operations. Phil Long says that there are people with that expertise in the financial sector who could be brought in. Cliff agrees that this is properly framed as a risk management issue, but that in the last few decades many campuses someone has wandered through and said they need to place a value on the campus library, in the context of risk management and self-insurance, not in terms of business continuity. They’ve had terrific trouble with that, because some of the material is very replaceable, and that’s the stuff they know what to do with in valuation, but other stuff is rare, and is more like museum treasures – irreplaceable and highly valued, but they end up coming to the conclusion that there’s no point in taking out higher insurance values, but better to invest in its protection with better environmental controls, security, etc.
Ken points out that NYU’s experience through 9/11 is that the ability to continue to communicate with the community is absolutely essential in any disaster.
Mike Pickett notes in the back channel that “Duke did a university-wide risk assessment last year and set the level for making it onto the “risk list” as multi-million $ impact.”