What are disaster recovery plans for anyway?

A disaster recovery plan is useless if you're just doing it to pass your audit

This is something that really really bugs me.  A company will come under the gun for an audit and start putting things into place just for the sake of that audit.

I know a company that recently failed an audit because it had no enterprise disaster recovery plans archived, so it went around to the different groups and had them fill out a disaster recovery form pulled from the Internet. This form had a ton of stuff that was outside the scope of these groups, and the disaster recovery manager told them to just put something down anyway. What he got was a bunch of forms filled with complete nonsense.


Listen, I get that you need to have a disaster recovery plan, but it also has to mean something. If your plan doesn't actually mean anything, then you're missing the point of the entire audit. It does make me wonder, though: If the auditor knew the docs were invalid, would they still pass? It's hard to say, because the control only says a disaster recovery plan needs to be in place; it doesn't say the plan has to be valid.

And that's another thing -- I think I blogged on this a few years ago, but one of the last big companies I worked for came under the SAS-70 gun and needed to prove a disaster recovery plan. The IT manager had one of the helpdesk guys print up all the application and DB code for all of our servers and put them into binders. Without exaggeration, these binders reached to the ceiling in four or five columns. It was ridiculous.

I remember very clearly asking him what he thought he was accomplishing with that. He said, "These auditors are accountants, and accountants love paper. They'll love this." I told him there was no way that you could get anybody to sit in there in any reasonable time and re-create all of our apps and DBs from those binders. He said, "Oh, I know, but that's not the point. This is just for the auditors." Personally, I thought he was an idiot, and any auditor who thinks this is a valid disaster recovery plan is an idiot as well.

Do you wanna know the worst part? I was in there when he showed the auditors those binders and they loved them. They thought this was the most complete disaster recovery plan they had ever seen. Kill me now.

While there's no accounting for taste or practicality, you can do your best to make sure that your disaster recovery plan is actually something you can use. Don't do what your boss or your company says just because they tell you to do it. You're the professional; they hired you for a reason. Give your advice and try to make them listen to reason. If they want to do something stupid, at least convince them to let you make a real plan as well.

I know that contradicts what I've said in the past: that you're not there to do a good job, but to please your boss. But you've gotta draw the line somewhere, and if he wants to put in a useless plan for the audits, that's fine. Now he has to answer the tough question: "What do we do if we really have a disaster? This plan we just made is crap for the following reasons. Now, do you want this to be the only doc we rely on, or do you want to put something real in place?" Ultimately, it's his call, but if he decides that the fake one is good enough, just make sure you get it in e-mail so you can CYA.

I kinda got off topic there, but here's what I'm trying to say: It doesn't fill me with much confidence when companies do just the minimum for the audits, because it shows they don't get what the audits are all about. They're there to help protect you and everyone else from mistakes. And with the financial markets of this country being in such disarray, it doesn't fill me with confidence that those audits will be met with honest efforts, either. It's like when you were a kid and spent more time shoving all your toys under the bed and in the closet than you would have just putting them away: anything to buck the system.

And Oprah.

Copyright © 2009 IDG Communications, Inc.
