Higher Education Institution
Our client is a red-brick university with a world-class reputation for teaching, research and enterprise. It has approximately 17,000 students and is ranked in the top 1% of universities in the world.
An internal audit identified that documentation surrounding disaster recovery (DR) and resilience needed to be improved to meet good practice. The client recognised that less-than-effective DR could impact student experience, which in turn could affect its reputation.
Although reasonably confident that solutions were effective, the client was aware there was significant reliance on specialist individuals being available to manage the recovery. There was also some uncertainty whether current preparedness satisfied the requirements of academic schools and university departments.
The challenge for the client was how to validate what was in place and ensure this satisfied business expectations without becoming caught up in a myriad of convoluted scenarios and overly complex processes.
Recognising the value of bringing in specialist expertise, the client engaged Teed to undertake an independent review of current preparedness and a business impact analysis in order to:
- Determine the achievable required recovery time objectives (RTOs) and recovery point objectives (RPOs) for core IT services in the event of appropriate defined scenarios
- Identify improvements to recovery strategies, risk mitigation, documentation and processes
Initially our DR specialist, David Teed, met with key representatives to agree the approach and outcome for the project. David then facilitated separate discussions with individual technical areas (servers, networks, websites, etc.) to drill down into the detail and understand how risks were managed and what recovery capability was in place, based on current preparedness, to manage a DR situation.
Once this information was to hand, David facilitated IT-focused business impact analysis (BIA) discussions with IT service owners within departments and schools who had sufficient understanding of priorities in the business to know recovery time expectations, data loss tolerance and feasible workarounds. Particular emphasis was given to understanding expectations at critical times in the academic year, for example registration, examinations and clearing.
David’s experience from similar projects allowed him to help the client take a step back and take a considered approach to identifying where potential improvements to recovery strategies, risk controls and DR planning could be made to allow business expectations and good practice to be satisfied. For example, developing recovery strategies for a number of different scenarios would have resulted in complex and overly detailed processes. Instead, David worked with the client to define a worst-case scenario, which focused efforts on risk mitigation and recovery solutions for one scenario and made it easier to pull together effective documents.
The findings from the DR review and BIA were presented to the client showing the implications of an incident based on current preparedness and prioritised actions of what needed to be done to keep impacts within acceptable levels.
The university now has a clear understanding of what would be required by schools and departments to enable them to manage critical activities following a disruptive incident. Gaps in current capability have been identified together with actions that need to be taken to ensure these are addressed.
The client is now taking forward a schedule of DR activity with backing from management and the confidence of knowing that this will shore up DR and resilience measures within the university.
In bringing Teed’s specialist input and experience to this project, the client was able to improve its DR capability, use resource wisely and make sufficient progress with DR documentation to satisfy the auditor.