--Paul Ranjan, Head Security Research, Net ProActive Services
Net ProActive Services is a leading IT Infrastructure management
company in India offering services in the areas of Network
Security, Enterprise Management Solutions, Technology Solutions
and Facilities Management.
One of the first companies in India to offer ethical hacking
as a service, it recently received $100 million as technology
funding from Singapore-based IT holdings company Planet One. The
company's customer portfolio includes names like GE Capital
International Services, Hathway, Hughes Telecom, Infosys
Technologies, Larsen & Toubro Infotech Ltd, Spice Telecom,
Vysya Bank, Pepsi, Shoppers Stop, and Bharati. Paul Ranjan, Head
Security Research, Net ProActive Services, discusses some aspects of
disaster management. Excerpts:
How crucial do you think it is for companies today to have a
disaster recovery solution in place?
The criticality and nature of the disaster recovery solution for
a company depends on the nature of the business it is in,
customer expectations and acceptable losses.
What, according to you, does disaster recovery really mean
to companies nowadays?
Today, any business continuity plan aims to provide clear
guidelines for handling loss of information, loss of access to
information and facilities, and loss of people.
What is Net ProActive Services' expertise in disaster recovery
planning?
We have designed recovery plans incorporating business
processes and technology solutions to ensure continuity of
business with acceptable down times and costs.
Who all are your major clients in this area, both
nationally and internationally?
We have helped set up a disaster recovery plan for a large ISP in
the country. However, due to confidentiality agreements signed
with the clients, we can't disclose their names.
Can you share some details about your crisis management
process, such as how the plans are documented, how the staff is
prepared, for anything that would affect any of the client's
facilities specifically?
A good approach to developing a disaster recovery plan would
primarily include four things. One, to start with, risk
assessment. This includes: identification of various locations;
study of the applications, systems and processes at different
locations; zeroing in on threats and vulnerabilities; an assessment
of potential impact. This exercise helps in identifying the
critical components and losses associated with disasters.
Two is business continuity strategy. During the formulation
of this, different stages are identified, evaluated and selected.
Activities comprise: critical business processes, systems and
applications and data; different disasters applicable and their
classifications; acceptable time to restore in case of
disasters; evaluating levels of redundancy in terms of systems,
infrastructure, people, hot site, cold site, etc; identifying
alternate locations and the redundancy in these locations and
assets; backup solutions; cost-benefit analysis; business
continuity plan development; BCP organization definition
including the executive team, technical team, audit team and
recovery coordinators; verify disaster and recovery scenarios.
Three, define BCP processes (response, recovery, resumption,
restoration and returns) including BCP roles and
responsibilities. This consists of finalizing technology controls;
recovery site finalization; recovery site activation; inter-site
logistics and communications; data preparation; production
control; end-user liaison.
Fourth is training the users. This comprises: explaining
clearly BCP methodology; plan, scope and limitations; roles/
responsibilities of every employee; scenario walk-throughs;
establishing BCP testing review and maintenance; establishing
BCP evaluation procedures; establishing BCP test plans with
scenarios; BCP mock drills (exercises); identifying change
control procedures; and publishing maintenance guidelines.
How expensive is disaster recovery and business continuity
planning?
The cost of designing a business continuity plan varies from
organization to organization. Some of the factors affecting cost
are: the nature of the company's business; the number of locations
to be considered; acceptable losses to the organization; nature
of application and systems; and also the existing business
processes.

