As the author of "The Ultimate Guide to the SDLC," I am somewhat of an expert with the System Development Life Cycle (SDLC). Business profitably is driven by a balance of margin, sales and net profit. The success of an IT organization to deliver high business value is driven by the three-legged stool of IT Governance, the Project/Program Management Method and the Systems Development Life Cycle. The three are inextricably linked and together form a trilogy that are foundational to IT success and the business value IT provides.
Business Continuity and Disaster Recovery are areas that most SDLCs neglect. Perhaps neglect is too strong a word, since purposefulness is implied when something is neglected, omitted might be better. Why is it then that many SDLCs omit BCP/DR? This is my opinion. I have no hard facts, but I believe most organizations don't implement BCP/DR processes until something bad happens.
Look at the photo on the right. On March 19, 2008, a fire destroyed 75 servers, routers and switches in the data center at Camera Corner/Connecting Point, a Green Bay, Wisconsin business offering IT services and web site hosting. It took 10 days to get customer web sites back online, indicating the company had no live backup plan. That was a problem for one customer, the Green Bay Blizzard arena football team, which was counting on selling tickets online for their home opener. Camera Corner/Connecting Point CEO Rick Chernick insisted the company had thought a lot about disaster recovery:
As part of your plan: Where are you going to go? Where are you going to set up? Where are you going to put phones in?” Chernick said. “We had all that planned out so we knew where we were going to go…if we had a fire.
And yet customer web sites were offline for at least 10 days. The local media didn’t ask tougher questions about whether that was adequate.
Don't Think, Do!
Thinking a lot about disaster recovery is not the same as actually having documented, exercised plans and a hot, warm, or even cold backup site ready to go. UConn's University Information Technology Services (UITS) group had no documented plans. The data center is located in the Math Science Building (MSB). It is old, outdated, and there's a high risk that it could be shut down due to water penetration. Plenum cabling is run under the flooring as it is with many older data centers. Water filled HVAC piping runs in the drop ceiling above all the production IT equipment. During my engagement, a heating pipe leaked. Fortunately, the leak happened in an area that is used for storage. No damage occurred to the production hardware. Of greater concern is the fact that the fire suppression system is water based. While the likelihood is remote that a fire would occur like the one in Green Bay, if just one wisp of smoke from a blown capacitor triggers the fire suppression system, UConn's data center is toast. We all know how well water and electronic equipment mix.
SDLC New Project Integration
The Project Management Office (PMO) is now integrating the development of a Business Impact Analysis and Information System Contingency Plan into the planning phase of their SDLC for all new projects going forward. The goal is that no project will roll into production until both of these processes are complete. This is really a BIG deal for UITS. There has never been a Business Impact Analysis done for any of their supported systems, let alone contingency plans. Not only did I have to build the templates, but I had to build enough information into the planning documentation to teach people how to use them.
Cost is always a consideration for BCP/DR. Hot sites are expensive. They usually duplicate production and can function as a load balanced, automatic fail over site if something happens to take out the primary data center. Warm sites are less expensive, cold sites are the least expensive. The less you pay up front, the more the work required to get the site up and running in a disaster situation. You need to determine the proper cost/benefit ratio for your organization, but having something in place, anything in place, is better than having nothing at all.
Technorati Tags: Business Continuity, Disaster Recovery, UConn, University of Connecticut, SDLC, Best Practice, Business Transformation