C Kajwadkar, Senior Vice-president, NSE.IT, lists
data protection and archiving, as well as drawing up a business continuity plan,
as a CIO's most important priorities.
for IT which is mapped to the growth of an organisation is one of the most important
functions of any CIO. CIOs must ensure that their IT plans support the organisation's
business plans. To ensure this, they should put certain measures into place
in order to check potential losses.
Among the measures that CIOs use to ensure the present and future continuity
of business, prominent ones include data protection, archiving, and plans for
Data protection is an integral part of the Business Continuity Planning (BCP)
process. It involves aspects such as policies for data access, various encryption
mechanisms, and destruction of data after a stipulated period.
Currently, there are no data protection laws in India. Companies have their
own strategies for protecting data. Thus, when Indian companies attempt to do
business with countries that have data protection laws, they may encounter legal problems.
In the absence of data protection laws, CIOs need to define their organisations'
IT policies to comply with regulatory guidelines that apply to their industry
vertical, and policies implemented by peers worldwide. In order to amend the
situation, CIOs need to work with organisations which advise the government
on making appropriate laws. It is only when laws are framed correctly that organisations
can adhere to them. Thus, pragmatic law formation with respect to data protection
and destruction needs to be on top of the mind of CIOs and CTOs.
There are many pitfalls in the journey towards data protection relating to policies,
strategies and implementation. Of these, the greatest number are found in the
The cost of protecting data is an important reason why this activity is often
kept on the back-burner. The cost tends to rise with time because of ever-increasing
volumes of data, and the increased cost of technology support to maintain the
systems which will be able to read back the data in the future.
To ensure a secure future for an organisation, CIOs must make effective plans
for data archiving. Archiving involves storage of data in accordance with policies.
With the rapid expansion of technology, archiving has extended much beyond data
and data sets.
Today, e-mail is a widely accepted form of communication. It is important to
have safe and secure archiving strategies and processes for mail archiving.
Archiving issues need to be examined from a legal perspective as well.
Business Continuity Planning
The objective of BCP is to ensure that an organisation's business continues
smoothly and profitably.
In the first stage, possible threats from areas such as technology, customers,
employees and changing regulations need to be analysed. These threats should
be validated from a practical standpoint, and risk mitigation mechanisms should
be adopted along with an appropriate implementation plan.
There are several steps involved in successful BCP:
- Business impact analysis
- Strategy selection
- DR planning
- BCP planning
- Test and drill
- Managing and maintaining the BCP.
BCP is not confined to disaster recovery. It now extends to protection against
lawsuits as well. Since technology forms only a subset of BCP, it is not enough
to ensure a foolproof technology framework. For example, an organisation might
have to shut down because of lawsuits filed against it for the improper use
Therefore, along with data protection and data archiving, it is absolutely essential
to ensure that employees are aware of policies regarding the correct use of
There are no standard mechanisms for measuring the effectiveness of BCP across
organisations. My organisation is in the process of designing a scorecard which
will enable us to determine the areas which need improvement.
A scorecard is a widely accepted tool for measuring the effectiveness of BCP.
However, developing a scorecard is a complex task because quite a few parameters
of BCP are subjective, and thus difficult to measure.
The CIO's Role in BCP
CIOs play a very important role in BCP because they have the ability to combine
business objectives with the IT support needed for overcoming business challenges.
It is also the duty of the CIO to draw up and implement a proper archiving policy
and to ensure that all employees are aware of policies, particularly those related
to e-mail use.
Indian CIOs are attempting to fulfill the duties required
of them for implementing BCP. However, some business users and entities in India
are not fully aware of all the aspects of BCP. What's more, there are several
business constraints which restrain budget allocation to BCP. Most corporate
boards focus primarily on business issues, and as a result, the business continuity
plan is sidelined.
According to the Infrastructure Strategies 2005 survey,
65 percent of the companies that have invested in DR have carried out
an Impact Analysis.
Climbing Mount BCP
CIOs need to communicate to the board of directors that business continuity
should be one of the prime objectives on their agenda. Some organisations have
begun to realise that IT operations consume a considerable portion of a CIO's
time, and therefore the latter isn't always able to pay attention to important
strategic issues. They have therefore started to develop two separate roles:
CIO and CTO, with specific key performance areas for each.
Continuity of trade is an important business objective in most organisations.
A CIO should therefore make effective plans to ensure protection against possible
threats in the future. Data protection, archiving and BCP have often been discussed
within an Indian context, but unfortunately little has been done in these areas.
Keeping in mind the steadily growing markets, and the addition of risks this
involves, CIOs should definitely make BCP an urgent priority on their agenda.
As told to Newly Paul