Once an agency has developed a business continuity plan, though, it's tempting to stick it on a shelf and forget about it, and that could lead to serious problems.
"That's pretty much a sure sign for disaster because just because it's written down in a plan doesn't mean it will work that way," Morrow said, citing an example from his past involving backup tapes. "Quite often, you'd talk to the guys and say, 'Let's go get the backups and put them on the system.' You'd get the tapes, put them up or they'd be blank. Or they wouldn't work. Or the tapes were made on hardware that didn't exist anymore, and the old tapes were no longer usable. The devil is in the details in business continuity planning."
Technical details are crucial, and agencies should also pay attention to less obvious details of their defense against a crisis or emergency, said Randy Witt, CIO of Miami-Dade County.
"You have to look at the second and third layer deep in your infrastructure to see problems," he said. "I've had cases in which major communications circuits run diversely out of the enterprise and found out that [the local telephone company] has run them both back through [one] central office. If they lose ... a central office or have a major disruption, you're out of luck."
Witt said his department does its bit to ensure the county's various networks are redundant and the data center is protected, but he lets departments devise their own business continuity plans.
"I try to sponsor activities which will complement departments and help them with reliability and maintainable systems, but if a building burns down, the computers in it aren't going to be worth much," he said. "Whether the department has an alternate facility to go to, that's their business. If they do have one, we'll try to help with making sure the infrastructure is in position there."
Witt said Y2K played an important role in BCP in Miami-Dade County as well.
"We got a lot of value ... out of doing planning for Y2K," he said.
One thing the county is looking at from a centralized point of view is its 911 call center, Witt added.
"We have an alternate 911 center," he said. "We've assessed that really that's not a good enough plan, so we've included a redundant 911 center as an option in an RFP we have out on the street now for a computer-aided dispatch system."
The Right Role
Perhaps the greatest threat to BCP lies in which business unit of an organization is charged with drafting the business continuity plan, EDS' Morrow said.
"One of the things that I see in IT security and business continuity is that both of them are dependent on the amount of attention you give to them," he said. "We see a lot of problems when we run across an organization that buries the function that worries about these two things."
The problem is that the person or department with important things to tell an organization's management about BCP doesn't have sufficient visibility to issue warnings about what needs to be done.
"Security and BCP is a management problem, not a technical problem," he said. "Managers need to be concerned about it as a management problem and have a lot of visibility on that. Quite often, they need to look at their organization to make sure that the department that does this type of planning isn't so low down in the organization or buried so deeply that managers don't hear about a problem until it's too late."