CNI’s Executive Roundtable:
Risk Management and Disaster Planning
December 12, 2011
All aspects of higher education – teaching and learning, research, administration, operations, student life – are now fundamentally dependent on a very wide range of information technology-based services and digital information resources. Shifts from physical to digital resources, new research practices, outsourcing of local to remote services, or the introduction of additional international campuses or distance education, all re-arrange the profile of risks. Institutions are at varying stages of readiness, both in understanding their risks and vulnerabilities and in determining policies, services, and strategies for agile responses to disasters. While there has been considerable focus on disaster recovery, risk assessment, and business continuity planning in the context of core administrative systems (e.g. payroll) and operational systems (e.g. email, campus web site, phone systems), developments in the instructional, research and library spheres have received much less attention. In addition, institutions must take into account risk management as they develop, outsource, or contract for services and content.
Increasingly, institutions are grappling with the reality that they must have good plans in place to quickly provide access to networks, IT services, and digital content if disaster strikes. On-campus disruptions, including local violent acts or massive power outages, may precipitate the need to activate an emergency plan, or natural disasters may provide the impetus. In addition, major disruptions or outages from commercial content providers or cloud services could have negative consequences for research projects and teaching and learning activities. Outsourcing creates dependences that need to be identified, analyzed, and taken into account when managing risk. What can institutions realistically plan for, and how can they assess the risks of locally provided content, cloud services, and content provided from vendors’ own systems?
A discussion of these and other issues took place at the Coalition for Networked Information (CNI) Executive Roundtable in Arlington, VA on December 12, 2011.* Teams from 10 higher education institutions described their experiences, concerns, strategies, and future plans.
Some key perspectives from institutional participants included these observations:
- Institutions are moving to hosted or cloud solutions for some applications and they see this as one aspect of managing institutional risk. This includes moving to such services as Google Apps, OCLC WorldShare, and other integrated library systems with cloud solutions.
- In the content area, some institutions consider HathiTrust as a backup for portions of their collections. Interestingly, among the participating institutions there seems to be no consideration of large-scale digitization programs, beyond what has already been done as part of the Google Books initiative, as a means of providing backup for the main physical library collections. Digitization for special collections (and museum collections) is increasingly well established as an aspect of best-practice stewardship, and many potential donors of special collections material are now asking for commitments to digitize as part of donation negotiations.
- Many institutions do not have a well-developed planning process for risk management and disaster recovery. In some cases, high-level administrators do not consider such planning a priority; other campuses are getting pressure to focus on these issues due to presidential leadership, the examples of recent past disasters or increased board-level concerns about understanding risk and about business continuity. Often faculty are left out of the planning process, which focuses narrowly on physical facilities and administrative and operational IT systems.
- There are challenging problems involved in the financial aspects of risk management and mitigation. Measures (what outages of various types would cost, or what it would cost to replace or recreate a given dataset) are poorly developed. Issues around topics like the insurance valuation of physical library or museum collections have always been problematic and are getting little attention in the digital environment.
- Some campuses have made strides in primarily operational areas of disaster planning, including developing multiple communication strategies and building out wireless infrastructure so that a large number of people can continue to get information during emergencies. The problem of wireless voice and data overload in peak use that accompanies emergency situations is very real.
- Institutions have concerns about what they should promise concerning disaster recovery. How are systems prioritized for recovery in a large-scale outage, and what are the expected recovery times? For example, faculty might expect that a learning management system (LMS) would recover from a disaster in a matter of hours while the IT professionals may find themselves assuming disaster recovery procedures that might last for a week or more. The budgetary and operational implications of restoring services in an hour or a day, instead of a week, need to be understood.
- Taking steps to mitigate risk (i.e. reducing the probability of failures) is different from business continuity planning; the latter is ultimately about resilience in the face of major disasters.
- Moving services to the cloud has budgetary implications, specifically moving capital expenses to operating expenses, and it also has staffing implications (skills and responsibilities); it shifts both the risks and the tools available to manage or mitigate those risks.
- Audit of practices at external service providers of all kinds – outsourced email and utility applications, electronic journal hosting, digital repositories, administrative services, etc. – is emerging as a very interesting problem. It is becoming clear that audit by individual customers will not scale, and that we will need mechanisms for collective audit or transparent certification of services. Institutions are using a number of resources to develop policies and strategies, including ISACA, a non-profit association working in the area of information systems audit. EDUCAUSE and the Common Solutions Group (CSG) are beginning to address this and we may also see developments in the content community. Some libraries are working on disaster planning for digital resources in a consortial context.
- There are concerns about the implications of hosting researchers’ datasets on university servers and the potential for loss or corruption of that data. Recognition is slowly emerging that, in some fields, these datasets could essentially become targets. Attacks might have a wide variety of motivations: political, criminal, national security, etc. There is also growing awareness about the risks that accompany a range of sensitive data that is part of the research programs at many institutions: industrial collaborations, sensitive national security related technology, medical and other personally identifiable data, and so forth.
- A small number of institutions are developing mobile apps specifically for disaster situations.
- One campus noted that it had already experienced several disasters with its own digitized resources, all due to human error. This is consistent with published studies done elsewhere (for example, the San Diego Supercomputer Center) that point to human error as the major source of data loss.
- Finally, a compelling and important observation from one of the roundtable participants: We tend to focus on abrupt, unpredictable, and disruptive disasters: fire, flood, earthquake, attacks, etc. Slow disasters, predictable disasters, are equally dangerous and damaging: the steady deterioration of data stored on various kinds of recording media that are not checked and refreshed, for example, or deferred maintenance that eventually causes a bridge or a building to collapse. These kinds of threats must be taken into account in the risk assessment and disaster planning process.
Mission-critical university functions affecting research, teaching, and learning are at stake when disaster strikes, or when there are significant system malfunctions. Major institutional assets, such as physical library collections, are at risk of natural disasters, and digital content collections can be compromised or lost. At the same time, network-based digital services and content can be very flexible and can provide new options in the development of disaster recovery, risk mitigation, and business continuity strategies and plans.
Addressing potential risks and developing plans to mitigate risks and to recover from disasters requires involvement of the entire campus community. Support from top administrators is needed to develop an inclusive planning process, and the planning process itself can serve an educational function within the institution. Consortia and professional associations can provide templates, checklists, and other materials that will assist many institutions. Higher education institutions will ultimately need to band together to develop a joint strategy for audits or other certification of major service providers, whether for IT or content services.
CNI will continue to feature sessions at our membership meetings that address planning efforts for risk management and disasters, as well as lessons hard-learned from experiences.
*CNI Executive Roundtables, held at CNI’s semi-annual membership meetings, bring together a group of campus partners, usually senior library and information technology leaders, to discuss a key digital information topic and its strategic implications. The Roundtables build on the theme of collaboration that is at the foundation of the Coalition; they serve as a forum for frank, unattributed intra- and inter-institutional dialogue on digital information issues and their organizational and strategic implications. In addition, CNI uses Roundtable discussions to inform our ongoing program planning process.
The Coalition for Networked Information (CNI) is a joint program of the Association of Research Libraries (ARL) and EDUCAUSE that promotes the use of information technology to advance scholarship and education. Some 200 institutions representing higher education, publishing, information technology, scholarly and professional organizations, foundations, and libraries and library organizations make up CNI’s members. Learn more at www.cni.org.