“Future Perfect”

C Kajwadkar, Senior Vice-president, NSE.IT, lists data protection and archiving, as well as drawing up a business continuity plan, as a CIO’s most important priorities.

Planning for IT which is mapped to the growth of an organisation is one of the most important functions of any CIO. CIOs must ensure that their IT plans support the organisation’s business plans. To ensure this, they should put certain measures into place in order to check potential losses.

Among the measures that CIOs use to ensure the present and future continuity of business, prominent ones include data protection, archiving, and plans for business continuity.

Safeguarding Data

Data protection is an integral part of the Business Continuity Planning (BCP) process. It involves aspects such as policies for data access, various encryption mechanisms, and destruction of data after a stipulated period.

Currently, there are no data protection laws in India. Companies have their own strategies for protecting data. Thus, when Indian companies attempt to do business with countries with data protection law, they may encounter legal problems.

Making Amends

In the absence of data protection laws, CIOs need to define their organisations’ IT policies to comply with regulatory guidelines that apply to their industry vertical, and policies implemented by peers worldwide. In order to amend the situation, CIOs need to work with organisations which advise the government on making appropriate laws. It is only when laws are framed correctly that organisations can adhere to them. Thus, pragmatic law formation with respect to data protection and destruction needs to be on top of the mind of CIOs and CTOs.

Look Out

There are many pitfalls in the journey towards data protection relating to policies, strategies and implementation. Of these, the greatest number are found in the implementation stage.

The cost of protecting data is an important reason why this activity is often kept on the back-burner. The cost tends to rise with time because of ever-increasing volumes of data, and the increased cost of technology support to maintain the systems which will be able to read back the data in the future.

Data Archiving

To ensure a secure future for an organisation, CIOs must make effective plans for data archiving. Archiving involves storage of data in accordance with policies. With the rapid expansion of technology, archiving has extended much beyond data and data sets.

Today, e-mail is a widely accepted form of communication. It is important to have safe and secure archiving strategies and processes for mail archiving. Archiving issues need to be examined from a legal perspective as well.

Business Continuity Planning

The objective of BCP is to ensure that an organisation’s business continues smoothly and profitably.

In the first stage, possible threats from areas such as technology, customers, employees and changing regulations need to be analysed. These threats should be validated from a practical standpoint, and risk mitigation mechanisms should be adopted along with an appropriate implementation plan.

There are several steps involved for successful BCP:

• Business impact analysis
• Strategy selection
• DR planning
• BCP planning
• Test and drill
• Managing and maintaining the BCP.

E-Threats

BCP is not confined to disaster recovery. It now extends to protection against lawsuits as well. Since technology forms only a subset of BCP, it is not enough to ensure a foolproof technology framework. For example, an organisation might have to shut down because of lawsuits filed against it for the improper use of e-mail.

Therefore, along with data protection and data archiving, it is absolutely essential to ensure that employees are aware of policies regarding the correct use of e-mail.

Measuring BCP

There are no standard mechanisms for measuring the effectiveness of BCP across organisations. My organisation is in the process of designing a scorecard which will enable us to determine the areas which need improvement.

A scorecard is a widely accepted tool for measuring the effectiveness of BCP. However, developing a scorecard is a complex task because quite a few parameters of BCP are subjective, and thus difficult to measure.

The CIO’s Role in BCP

CIOs play a very important role in BCP because they have the ability to combine business objectives with the IT support needed for overcoming business challenges. It is also the duty of the CIO to draw and implement a proper archiving policy and to ensure that all employees are aware of policies, particularly those related to e-mail use.

Indian CIOs are attempting to fulfill the duties required of them for implementing BCP. However, some business users and entities in India are not fully aware of all the aspects of BCP. What’s more, there are several business constraints which restrain budget allocation to BCP. Most corporate boards focus primarily on business issues, and as a result, the business continuity plan is sidelined.

According to the Infrastructure Strategies 2005 survey, 65 percent of the companies that have invested in DR, have carried out an Impact Analysis

Climbing Mount BCP

CIOs need to communicate to the board of directors that business continuity should be one of the prime objectives on their agenda. Some organisations have begun to realise that IT operations consume a considerable portion of a CIO’s time, and therefore the latter isn’t always able to pay attention to important strategic issues. They have therefore started to develop two separate roles: CIO and CTO, with specific key performance areas for each.

Continuity of trade is an important business objective in most organisations. A CIO should therefore make effective plans to ensure protection against possible threats in the future. Data protection, archiving and BCP have often been discussed within an Indian context, but unfortunately little has been done in these areas.

Keeping in mind the steadily growing markets, and the addition of risks this involves, CIOs should definitely make BCP an urgent priority on their agenda.

As told to Newly Paul