
Australian bank sells computer disaster recovery service


Vol. 10, No. 6, Page 11

team to describe what would happen to its overall administrative and production operations if its computer system encountered either a natural or man-made failure and ceased to function.

"The results we compiled from these interviews are frightening", admits Informatikk's project manager, Mr Trond Pedersen. He added that the report was compiled at the same time as the Norwegian Consumer Administration Ministry was promoting its campaign among small-, medium- and large-sized companies and management, urging greater security measures against illegal access and system failure.

"We found that contingency plans to counter system failure were non-existent in practically all the companies contacted. Not one of the 50 companies in the survey had an emergency plan in the case of fire or other natural disasters. We found that management had turned down proposals emanating from either middle management or from computer departments to introduce new security measures, despite recommendations from insurance companies, finance departments and even suppliers", said Pedersen. "Most of the companies knew they were vulnerable but simply did nothing about it", he added.

The most common reason given for the lack of corporate thinking on the development of contingency plans involved differing views on the importance of emergency mechanisms at senior and lower managerial levels. Lower management personnel took the computer department's line that a contingency plan would benefit overall efficiency, but getting this message across to top management was "the biggest obstacle in many cases", states the report.

"Most of the companies surveyed by the investigation are totally dependent on their computer systems for administrative and customer communications, and other functions. If the computer system failed, then the company would in a matter of time grind to a halt as well (a fact of life they still have to recognize), which would cost them dearly in lost revenues and productivity", said Informatikk general manager Bjorn Fosli. "The main fact to emerge from the research is that contingency plans have little to do with computers but rather with whether or not the lack of such a plan can affect a company's ability to survive during a system failure. The final responsibility for this lies with top management", said Fosli.

Gerard O'Dwyer, Finland

AUSTRALIAN BANK SELLS COMPUTER DISASTER RECOVERY SERVICE

Australia, as yet, has no legislation requiring financial institutions to operate a computer disaster recovery plan. Some risk management consultants estimate that less than 2% have any form of adequate protection. According to the Australian Financial Review, most company managements are unaware of the financial and legal aspects of losing their data processing capabilities if a computer should fail or malfunction.

© 1988 Elsevier Science Publishers B.V., Amsterdam./88/$0.00 + 2.20

COMPUTER FRAUD & SECURITY BULLETIN

No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)

Vol. 10, No. 6, Page 12

To meet this need, and to offset its own high costs of data processing, the State Bank of New South Wales is offering customers the use of its new computer disaster recovery centre, located in Sydney's central business district, at a cost of between 1% and 2% of their annual data processing budget. The Bank says the centre gives access to almost a complete duplication of service.

Frank Rees, Melbourne, Australia

MAINTAINING AND TESTING A DISASTER RECOVERY PLAN

A comprehensive disaster recovery plan can only be completed at considerable expense and effort to the organization concerned. The continually changing business and computing environment will dictate that, to maintain the viability of the plan, updating procedures must be in place. The consequences of omitted or out-of-date information within the plan are correctly considered to be the failure of part of, or at worst, all of the recovery capability.

The overall effectiveness of the recovery plan will be severely impacted by changes in the operational environment which the plan was originally created to protect. Major factors which would affect the plan include the introduction of new equipment, departmental and staff organizational changes, and the introduction of new applications.

Procedures must be in place to ensure that all changes which could impact the plan are systematically recorded and passed to a central point where plan amendment is carried out. This can only be achieved by way of established procedures. It is essential that there is regular feedback both from those who are introducing the changes, in the form of improved systems, etc., and from those who can recognize that changes have evolved, e.g. changes in personnel, suppliers, etc.

The person responsible for the plan, and for its implementation when needed, is unlikely, except in the smallest installations, to be aware of all amendments as they occur. Assistance from those with a vested interest in the plan will be required in the majority of cases.

The updating procedure could be organized in the following way. The Recovery Team Leaders should communicate all changes to their relevant areas, e.g. operations, data communications, facilities, hardware etc., to a central point. It may be that the post of Recovery Plan Manager is a full-time one, in which case all changes would be presented to, and approved by, him.

Alternatively, it may be decided to assign a portion of the task (e.g. the assembly and distribution of plan updates) to a member of staff, as a purely administrative role. The leader of the recovery process, often referred to as the Recovery co-ordinator, would have the final responsibility, in addition to his everyday duties, of approving the amendment prior to authorizing its distribution.
