What are disaster recovery plans for anyway?
A disaster recovery plan is useless if you're just doing it to pass your audit
This is something that really really bugs me. A company will come under the gun for an audit and start putting things into place just for the sake of that audit.
I know a company that recently failed an audit because it had no enterprise disaster recovery plans archived, so it went around to the different groups and had them fill out a disaster recovery form pulled from the Internet. This form had a ton of stuff that was outside the scope of these groups, and the disaster recovery manager told them to just put something down anyway. What he got was a bunch of forms filled with complete nonsense.
Listen, I get that you need to have a disaster recovery plan, but it also has to mean something. If your plan doesn't actually mean anything, then you're missing the point of the entire audit. It does make me wonder, though: If the auditor knew the docs were invalid, would they still pass? It's hard to say because the control only says a disaster recovery plan needs to be in place, but it doesn't have to be valid.
And that's another thing -- I think I blogged on this a few years ago, but one of the last big companies I worked for came under the SAS-70 gun and needed to prove a disaster recovery plan. The IT manager had one of the helpdesk guys print up all the application and DB code for all of our servers and put them into binders. Without exaggeration, these binders reached to the ceiling in four or five columns. It was ridiculous.
I remember very clearly asking him what he thought he was accomplishing with that. He said, "These auditors are accountants and accountants love paper. They'll love this." I told him there was no way that you could get anybody to sit in there in any reasonable time and re-create all of our apps and DBs from those binders. He said, "Oh I know, but that's not the point. This is just for the auditors." Personally, I thought he was an idiot, and any auditor who thinks this is a valid disaster recovery plan is an idiot as well.
Do you wanna know the worst part? I was in there when he showed the auditors those binders and they loved them. They thought this was the most complete disaster recovery plan they had ever seen. Kill me now.
While there's no accounting for taste or practicality, you can do your best to make sure that your disaster recovery plan is actually something you can use. Don't do what your boss or your company says just because they tell you to do it. You're the professional -- they hired you for a reason. Give your advice and try to make them listen to reason. If they want to do something stupid, at least convince them to let you make a real plan as well.










