IT Service Continuity and Disaster Recovery
Be cautious when reducing costs in disaster recovery. Many of the companies interviewed said that disaster recovery and security are areas in which they would not look for cost reductions because of the risk to the organization. Match the disaster recovery solution to the business's risk tolerance for each service; not every system requires the same level of disaster recovery investment. Develop a tiered structure for your applications, with Tier 1 holding the most critical applications. An application's tier then drives other decisions, such as redundancy and recovery design. Let the business determine each application's tier.
Review the business impact analysis by application to determine whether you can reduce services and costs. Review business recovery objectives to determine whether they are more stringent than their cost justifies. Match the disaster recovery solution to the business need; this may let you scale back your overall disaster recovery and realize cost savings. For example, one company was able to move from mirrored sites to a 48-hour recovery model, saving $200,000 per year.
Complete a full cost-benefit analysis comparing external disaster recovery options with internal ones. If you have other data centers, consider having sites, locations, or divisions back each other up. Consider reducing the number and frequency of business continuity tests, as each test costs the organization money, while still testing often enough to prove that the plan works. Determine whether you can reduce costs by relaxing the requirements for access to backup tapes. One company saved the time spent shuffling and shuttling tapes by moving from tape backups to disk backups.

Security Management

Reduce support costs and costly vulnerabilities by securely configuring PCs and servers and by coordinating the deployment of software, updates, and patches. Knowing the compliance status of every asset across the company helps you manage risk and prioritize remediation. Support security processes with the proper tools and technology, such as firewalls, monitoring software, web filters, virus detection, spam protection, hardware tokens (key fobs), and encryption. Review security reports and act on the issues they raise. Have clear steps in place for handling security breaches. Balance the cost of security against the value of the information you are protecting: where protection exceeds what the business risk warrants, reducing it can also reduce costs.
All areas of the organization must follow up-to-date, accurate security procedures and processes. Ensure there is a focal point in the organization responsible for controlling and monitoring security and audit compliance, plans, and procedures. Audit security processes to ensure that access for terminated employees is removed promptly. External audits, scans, and risk assessments are very helpful for confirming that your security processes are complete and the environment is secure.

Automated Password Reset

A key cost reduction strategy is to decrease the staff time spent on repetitive tasks that can be automated, such as password resets. Various industry reports on help desk costs show that 25 to 40 percent of calls are password resets, that each reset takes 6 to 15 minutes, and that each help desk call costs $25 to $50. Depending on the volume of reset requests, companies have realized significant savings by implementing self-service password reset tools; some companies interviewed saw a 25 percent decrease in calls. Companies have also reduced resets by implementing single sign-on or password synchronization software so that users have fewer passwords to remember. As mentioned in Chapter 3, one company cut password resets to one-third of the previous volume simply by lengthening the password change interval from 30 to 90 days. This simple change produced a significant reduction in calls while still meeting compliance requirements and remaining within an acceptable risk level.
