The pressures on CIOs to manage all the information resources of an organisation continue to grow. Establishing policies centrally, to be implemented across all systems is the classic first step.

And while these can be applied to data within the main data centres, the challenge arises when distributed offices and mobile workers are taken into account. For many of the users located around the organisation, one of their key concerns is that data is available and applications run without a hitch. In other words, day-to-day operational concerns.

Even as data protection practices are considered as providing a fall-back in case of system or application failure, the recovery time becomes of concern as the organisations dependence on IT systems is reinforced in many ways. This also means that disaster recovery processes must be effective in time of need. But the ongoing insurance policy may mean that the investment here is trimmed wisely, or otherwise.

Data in distributed offices and on mobile devices
If there are two or more data centres in an organisation, why cannot these be used to provide that disaster recovery coverage? The challenge relates to how the disaster recovery strategy has been formulated – for a system environment, for a business process or for an application.

Then there is the challenge of all the distributed offices and mobile workforce. The back-up systems may be basic or even non-existent. The risks are also different. The volume of data in distributed locations is often equal to that in the data centre. And sensitive data on mobile devices encompasses laptops, PDAs and now telephones.

With the risk of these devices being stolen or lost, the need to protect this data is critical. It will be the unexpected event that will cause the greatest concern or embarrassment to any one person or organisation.

There is an increasing view that this data must be managed centrally. Suppliers are suggesting that this is achieved by using back-up systems which span the distributed and mobile workers with offers from Symantec, Asigra and Tivoli. An alternative approach is wide area data services from companies such as Riverbed, Tacit, Cisco and their respective partners.

These services provide high speed links back to a central location, knowing where files are located to give the best service to a remote office. However, they do not support the mobile environment without falling back to a more traditional approach.

Security in the form of access passwords and data encryption must also be considered. Passwords enable a first level of security. The challenge then arises when data is moved between locations or onto other systems.

Network traffic can be encrypted, but accessing encrypted data on disks brings overheads to system operations that can significantly impact response times. This also manifests itself as an issues as to whether data on laptops or other mobile devices should be encrypted. But more and more companies are recognising that data stored on tapes, a removable media, should be encrypted. This is in response to improving information governance practices and securing storage that might be mislaid or lost.

Evaluating the risk
Technology offers a rich choice. The challenge is how to evaluate the risk and assess which are the most appropriate technologies and processes to implement. Whether viewed from the data centre or responding to potential loss of sensitive information in branch offices, CIOs must demonstrate that they are managing the organisations’ information securely.

Involving an ongoing risk assessment, the role and responsibilities of all managers and users of information must be reviewed. Knowing what data is located where and how it is protected and secured will enable an information security strategy to evolve. Recognising what the key requirements for a disaster recovery strategy are, spanning all aspects of the business, will enable cost effective decisions on the computing infrastructure to be made.

Hamish E Macarthur
Macarthur Stroud International
T: 020 8240 6000