Businesses should at least be prepared for tech incidents

TECH TALK: Have a plan

By Lee LeClair, Inside Tucson Business
Published on Wednesday, November 04, 2009

Do you have a plan? Most new businesses do when they are starting out. It keeps the team focused. Established businesses often have an implicit rather than explicit business plan. Plans are important in information technology as well. In fact they are often more important in technology than in a general business. Why? Technology is a volatile animal. Everything about it changes at a furious pace — processors get faster, storage bigger, hardware cheaper, operating systems and applications more complex.

But at its foundation, technology is just a set of tools enabling you and your staff to manage information about your business. While the tools make things easier, the tools themselves are complex to configure and run.

A prudent business owner or manager will have a general technology plan that looks about two years out. Any less than that would be just reacting — not a plan. Anything more than two years becomes speculation.

From a management view, a technology plan should be somewhat strategic, with clear business goals and cost objectives tied to the derived technical requirements it will take to meet them. That is the basic requirement of the Sarbanes-Oxley Act for publicly traded businesses, so they at least think about it.

At a lower level, your business should have clear technology plans relating to incident management and business continuity of operations. Sound complicated? It really isn’t.

An incident management plan lays out what to do about important events and how to react to them. For example, it should be clear to employees that when a virus is discovered on a PC, they need to do these things:

• Disconnect the system from the network

• Note the time and what system message they saw

• Call security (be sure to include the phone number in the plan)

The incident should kick off a timer for how long to wait for resolution of the event. For a virus, security should begin a diagnostic of the disconnected system with a scanning tool while also ensuring the rest of the PCs on the network are checked for the infection. The plan might give security two hours to resolve the issue. If more infections or other problems are found and not under control in two hours, higher-up management needs to be informed.

A continuity of operations plan should outline which data and systems are most critical and have detailed procedures for what to do about recovering data or systems in the event of a problem. The plan should cover the most likely problems, but since no one can think of every contingency, it should also include a general philosophy for how to deal with general classes of problems. Again, the plan should have clear instructions for what to do first and how to do it.

Finally, planning is good but it isn’t enough. Like piano, baseball, and almost anything you’re good at in life, you and your staff need to practice. It is hard enough to take the time to plan and it is even harder to actually practice your plans for recovery and incident management, but that is where the payoff really is.

If you plan without practice, you’ll discover the flaws in your plan on the day of your disaster and that is really not the time for self-discovery. If you practice back-ups and especially recoveries, then your staff will flush out the inconsistencies and problems in your documentation. Your staff will become more confident with the tools and processes and won’t second-guess themselves.

In the end, you and your staff will know what to do and how to do it. Then the big event won’t be such a big deal after all and you will still have a business.

Contact Lee LeClair, a founder and chief technology officer of Ephibian, through the company’s website www.ephibian.com or (520) 917-4747. Ephibian, headquartered at 3180 N. Swan Road, provides software development, data integration and Web design services. LeClair’s Tech Talk column appears the third week of each month in Inside Tucson Business.

Comments

Rod Scoitt wrote on Oct 20, 2009 11:33 AM:

"Sarbanes-Oxley is only concerned with the reliability, stability and integrity of the current financial reporting. As such, a forward-looking control such as business continuation planning is NOT a Sarbanes-Oxley control issue. This was stated explicitly in the PCAOB Standard No. 2."
