Dust Off - Or Whip Up - Your Disaster Recovery Contracts and Security Procedures

By Marie Flores
August 23, 2003

Events such as Sept. 11 and the war with Iraq have brought issues such as disaster recovery and IT security measures to the forefront of the business world.

Optimize Research surveyed 165 business technology professionals. The results showed that "... two-thirds consider[ed] business contingency planning to be extremely important to their company as a direct result of ... terrorist attacks," technology and business writer John Eckhouse reported in the article "What's Your Plan?" for Optimize Magazine.

Companies and individuals can protect themselves by taking steps to ensure that proper contingency measures and security procedures are in place should a disaster occur. Proper contingency planning is a two-step process. A detailed contingency plan is only the first step. The second step is having a detailed written agreement defining the terms of any disaster recovery agreement. Entities can also protect themselves from internal and external threats by having security procedures in place to protect IT infrastructures.

What Is a Contingency Plan?

A contingency plan is a list of detailed procedures that enable a business to recover quickly following a service disruption or disaster. Elizabeth B. Lennon, editor of the Information Technology Laboratory for the National Institute of Standards and Technology, lists essential parts of an effective contingency plan in the bulletin Contingency Planning Guide for Information Technology Systems. Her list contains the following:

A contingency planning policy statement - defines the agency's overall contingency objective, including an organizational framework with defined roles and responsibilities for contingency planning.

A business impact analysis (BIA) - identifies specific system components and links them with the critical services they provide. The analysis defines the consequences of any disruption to such systems and lists allowable outage times, as well as the recovery priorities.

Preventive controls - a list of preventive methods to reduce the necessity for recovering a system after disruption. Such controls consist of off-site data storage, and fire and smoke detectors.

Recovery strategies - provide the means to restore operations quickly and effectively following any type of disaster.

IT contingency plan - details roles and responsibilities associated with restoring any IT system.

Planned testing and training - exercises that help identify plan deficiencies and address them. Training addresses the ability of the recovery staff to implement the plan quickly and effectively.

Planned maintenance - to be effective, a disaster recovery plan must be maintained in a ready state that accurately reflects the system, structure, policies and procedures the organization uses. It is essential that the plan be updated regularly as business processes change.

Key Points in Disaster Recovery Service Contracts

Many companies enter into contracts with vendors specifically to deliver hardware or supplies in case of disaster. This helps firms avoid being caught without a way to secure these supplies when demand is great and supply is low. Delivery of duplicate copies of critical software applications, off-site copies of data and use of facilities are some examples of disaster recovery services frequently included in such contracts. Key provisions that should be addressed in these types of contracts are:

  • What defines or triggers the vendor's required performance;
  • A clear and detailed list of services the vendor has agreed to provide and for how long;
  • A specified response time in which the vendor must perform; and
  • A provision addressing how the vendor will distribute resources should multiple customers request service simultaneously.

Being able to locate pertinent information quickly is priceless in an emergency. If agreements are properly written, then pertinent information such as that listed above will be easily and quickly ascertainable and procured.

Security Procedures

Every company should have security procedures in place to reduce risk of intrusion by unauthorized individuals. A list of topics to be addressed in any security procedure follows:

  • Evaluation of staff. Personnel with access to electronic sources should be screened and undergo background checks.
  • Review of external service providers. External providers should be thoroughly examined to ensure they have proper security measures in place at their facilities. They should be required to report any security breach.
  • IT audits. Security audits should be conducted to assess and address any security weaknesses.
  • Current security measures. All systems should be updated with the latest security software including virus-protection offerings. Security practices should be updated as new or improved methods are released.

Why Contingency Plans and Security Are Important

Many e-businesses make contractual commitments to their customers and sometimes to their business partners to provide some basic level of service. These commitments often require businesses to ensure services are not down for more than a specified amount of time. Failure to meet such a threshold may lead to a breach of contractual commitments to customers and business partners.

Legal liability is just one of many reasons why contingency plans and security procedures are important to e-business. Other reasons include prevention of business loss and retention of customer trust, which, of course, are no small matters.

Concerns regarding security are not going to diminish. They continue becoming a more intricate part of doing business in a world increasingly dependent on e-commerce. These days, it's essential for businesses to plan ahead, in anticipation of problems, rather than being reactive regarding disaster recovery efforts and security measures. CNET News.com author Lisa Brown notes that "even the largest companies are surprisingly ignorant of security threats" and says firms must implement security and privacy-risk plans, consulting "security experts and attorneys long before a breach happens."

E-commerce should follow the example of the construction sector, which is accustomed to dealing with a phalanx of partners and works under a heavy net of security and safety regulations, Brown notes.

Turbulent times call for preventive measures. Don't be one of the many businesses that find out too late how important risk-mitigation procedures are. The instant tragedy strikes is not the time to dust off contingency plans, disaster recovery contracts and security procedures.


Marie Flores, J.D., is assistant vice president and contracts department manager at Southwest Bank of Texas, N.A., in Houston.
