Kristen Noakes-Fry, Trude Diamond
Product Report
20 November 2002

Computer Security Consultants (CSCI) RecoveryPAC Business Continuity Planning

Summary
CSCI's RecoveryPAC in LAN/WAN or Web versions contains methodology for creating an effective business continuity plan. CSCI's RiskPAC companion product provides business impact analysis.

Table of Contents
Overview
Analysis
Pricing
Competitors
Strengths
Limitations
Insight

List Of Tables
Table 1: Overview: RecoveryPAC, RecoveryPAC Web and RiskPAC
Table 3: System Requirements RecoveryPAC, RecoveryPAC Web and RiskPAC
Table 4: Price List: RecoveryPAC
Table 5: BCP Vendors

Gartner
Entire contents © 2002 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
Corporate Headquarters
CSCI
590 Danbury Road
Ridgefield, CT 06877, U.S.A.
Tel: +1 800 925 2724 or +1 203 431 8720
Fax: +1 203 431 8165
Internet: www.csciweb.com

Overview
A developmental tool from Computer Security Consultants Inc. (CSCI), RecoveryPAC continuity plan builder allows the user to import data, attach other Windows application documents and customize user menus, forms, documents and database fields. Both the LAN/WAN and Web versions of RecoveryPAC allow the creation of plans that incorporate documents, reports and graphics, and the Web version allows the user to transfer files via File Transfer Protocol (FTP) to a Web server for electronic storage, distribution and remote access.

Recovery plan development options provide libraries of industry-standard staff and equipment requirements for business functions. Management tools include multiple security levels, audit trails, graphs and business continuity planning (BCP) project scheduling and management reporting. BCP reporting options include a customizable report writer, printable organizational charts and a Departmental Summary Report. Business impact analysis (BIA) functions are carried out through RecoveryPAC's companion product RiskPAC.

Table 1: Overview: RecoveryPAC, RecoveryPAC Web and RiskPAC

Release
  RecoveryPAC: 9.2
  RecoveryPAC Web: 1.0
  RiskPAC: 5.0

Date Announced
  RecoveryPAC: August 2002
  RecoveryPAC Web: March 2002
  RiskPAC: July 2002
Types of BCP Tools Included
  RecoveryPAC:
    - Continuity plan builder with industry-standard tasks and procedures, plan development procedures, management tools, recovery strategies, plan testing module, enterprise complexity adaptability
    - BCP database allowing multiple master files (plans)
  RecoveryPAC Web:
    - Continuity plan builder with industry-standard tasks and procedures, plan development procedures, management tools, recovery strategies, plan testing module, enterprise complexity adaptability
    - BCP database
  RiskPAC:
    BIA and risk assessment features include:
    - Starter questionnaires
    - Question Wizard to prompt developer through creating a question
    - Questionnaire Designer tool allows designer to assign weights to responses

Types of Plans Generated
  RecoveryPAC: Business continuity, business recovery, business contingency, disaster recovery
  RecoveryPAC Web: Business continuity, business recovery, business contingency, disaster recovery
  RiskPAC: Does not apply

Business Impact Analysis (BIA)
  RecoveryPAC: BIA available through the companion product RiskPAC
  RecoveryPAC Web: BIA available through the companion product RiskPAC
  RiskPAC: RiskPAC is a knowledge-based system that performs risk assessment, including risk analysis and BIA

Operating Systems Supported
  RecoveryPAC: Microsoft Windows 95, 98, ME, NT, 2000, XP
  RecoveryPAC Web:
    - Microsoft Windows
    - Linux kernel version 2.2, 2.4
    - Open Database Connectivity (ODBC)- and Java Database Connectivity (JDBC)-compliant
  RiskPAC: Microsoft Windows 95, 98, ME, NT, 2000, XP
Database Compatibility
  RecoveryPAC:
    - ODBC-compliant
    - Paradox
    - dBase
    - Spreadsheet/database
    - American Standard Code for Information Interchange (ASCII) files
    - Typical databases ranging from 5MB-10MB each
  RecoveryPAC Web:
    - Interbase
    - Typical databases ranging from 5MB-10MB each
    - ODBC-compliant
  RiskPAC:
    - ODBC-compliant
    - Files: Questionnaire sizes vary depending on length and complexity; typical sizes range from 0.5MB-2.0MB

Target Market
  RecoveryPAC: All sizes of enterprise, single-site through those with distributed LAN/WAN technologies
  RecoveryPAC Web: All sizes of enterprise with distributed, Web-enabled technologies
  RiskPAC: All sizes of enterprise

Installation
  RecoveryPAC: CD
  RecoveryPAC Web: CD
  RiskPAC: CD
Database Customization
  RecoveryPAC:
    - Field resizing and addition of user-defined fields
    - Accommodates multiple plan master files
    - Conversion from existing BCP formats
    - Data Collection Utility collects manually entered basic planning information from remote locations into a centralized database or master file. Remote location information is imported into RecoveryPAC at the central location
    - Import Wizard transfers large volumes of information from external application files (for example, Personnel and Hard Asset systems) directly into RecoveryPAC
  RecoveryPAC Web:
    - Field resizing and addition of user-defined fields
    - Accommodates multiple plan master files
    - Conversion from existing BCP formats
    - Import Wizard transfers large volumes of information from external application files (for example, Personnel and Hard Asset systems) directly into RecoveryPAC Web
  RiskPAC:
    - Questionnaire modifications change data
    - Survey uploading: Wizards step the user through the selection of the questionnaires and surveys to be uploaded and the selection of a destination for the file and then displays the dialogue to attach to e-mail
User Menu Customization
  RecoveryPAC: Field labels in files can be modified
  RecoveryPAC Web: File names and field labels in files can be modified; field order can be specified
  RiskPAC: Field labels in files can be modified

Forms and Documents Customization
  RecoveryPAC: Integrates external PC-based documents from Windows applications into the plans
  RecoveryPAC Web: Integrates external PC-based documents from Windows applications into the plans
  RiskPAC:
    - Questions can include multiple choice, fill-in, true/false and repeating group
    - Response-specific branching
    - Responder can add a Sticky Note to display a comment entry window
    - Supports questionnaire development in any language
    - Supports unlimited hierarchical levels of questions
Report Customization
  RecoveryPAC:
    For project management and plan activation:
    - Crystal Reports can create custom reports
    - Graphic regional maps from other Windows systems can be integrated with RecoveryPAC's reports
    - Plan activation support from the report showing the call list of recovery team members for the affected location(s)
    - No automatic calling of recovery team members
    - Integrated Gantt charts
  RecoveryPAC Web:
    For project management and plan activation:
    - Crystal Reports can create custom reports
    - Graphic regional maps from other Windows systems can be integrated with RecoveryPAC Web reports
    - Plan activation support from the report showing the call list of recovery team members for the affected location(s)
    - No automatic calling of recovery team members
    - Automatic notification via e-mail
  RiskPAC:
    For questionnaire development and survey analysis reporting:
    - Automatically captures and scores survey data
    - Qualitative analysis generates statistics relative to the levels of risk within categories
    - What-if situational modeling enabled via modified questionnaires and compared responses
    - Graphic modeling of analysis findings
Plan Organization
  RecoveryPAC:
    - Model plan is provided
    - Hierarchical Printed Plan structure
    - Import from a variety of sources
    - Built-in project-scheduling module calculates time required for each item in Recovery Team task list; total time required can be compared to the Recovery Time Objectives
    - Plan testing module
  RecoveryPAC Web:
    - Model plan is provided
    - Hierarchical Printed Plan structure
    - Import from all ODBC-, JDBC-compliant databases
    - Built-in project-scheduling module calculates time required for each item in Recovery Team task list; total time required can be compared to the Recovery Time Objectives
    - Plan testing module
  RiskPAC: Does not apply

Web Options
  RecoveryPAC:
    - Portable Document Format (PDF) and Hypertext Markup Language (HTML) conversion for document publication on the Web
  RecoveryPAC Web:
    - FTP for file loading, backup and restoring
    - PDF and HTML conversion for document publication on the Web
  RiskPAC: Does not apply
Security
  RecoveryPAC:
    - Central control within existing company standards
    - Multiple levels: System, Plan, File and Field
    - Complete audit trails
    - Any combination of centralized security (that is, for and access to application systems) and decentralized individual user security (with each site applying their own specific security and access rules)
    - Central version control and integration with security-controlled business unit plan updating
    - Configuration management: locks data entry files at the record level, allowing editing of the same file by more than one user at a time
    - Permission templates for planners at all levels of security, for
  RecoveryPAC Web:
    - Security-controlled Internet and intranet access
    - Central control within existing company standards
    - Multiple levels: System, Plan, File and Field
    - Complete audit trails
    - Any combination of centralized security (that is, for and access to application systems) and decentralized individual user security (with each site applying their own specific security and access rules)
    - Central version control and integration with security-controlled business unit plan updating
    - Configuration management: locks data entry files at the record level, allowing editing of the same file by more than one user at a time
    - Permission templates for planners at all levels of security, for user types having different access rights, to speed setup for new users
  RiskPAC:
    - Multiple levels: access is restricted at the system, questionnaire, survey and record level
    - Complete audit trails
    - Any combination of centralized security (that is, for and access to application systems) and decentralized individual user security (with each site applying their own specific security and access rules)
    - Configuration management: locks data entry files at the record level, allowing editing of the same file by more than one user at a time
    - Permission templates for planners at all levels of security, for user types having different access rights, to speed setup for new users
Documentation
  RecoveryPAC:
    - Documentation integrated with the software and with searchable files on customer's network or PC
    - BCP glossary
    - Hard-coded prompts are included on the displays
    - Pop-up, cursor-location-sensitive help
    - Fields are identified as required and recommended
    - Required fields are color-coded
  RecoveryPAC Web:
    - Documentation integrated with the software and with searchable files on customer's network or PC
    - BCP glossary
    - Hard-coded prompts are included on the displays
    - Pop-up, cursor-location-sensitive help
    - Fields identified as required and recommended
    - Required fields color-coded
  RiskPAC:
    - Online and hard copy
    - For installation and use
    - Recommendations Library and Help: CSCI expertise-based recommendations and help information can be modified via the libraries of the Questionnaire Designer
Training and Support
  RecoveryPAC:
    Included in the cost of the product:
    - Training: One-day class at CSCI site or client site
    - Phone and e-mail support 24x7 (Answering service and beeper are used outside 9 a.m.-5 p.m., EST normal business hours. Response time for off-hour requests averages 30 minutes)
    - updates
    Complete risk analysis and business continuity plan development services are optionally available, if desired
  RecoveryPAC Web:
    Included in the cost of the product:
    - Training: Customized to meet client requirements
    - Phone and e-mail support 24x7 (Answering service and beeper are used outside 9 a.m.-5 p.m., EST normal business hours. Response time for off-hour requests averages 30 minutes)
    - updates
    Complete risk analysis and business continuity plan development services are optionally available, if desired
  RiskPAC:
    Included in the cost of the product:
    - Training: Customized to meet client requirements
    - Phone and e-mail support 24x7 (Answering service and beeper are used outside 9 a.m.-5 p.m., EST normal business hours. Response time for off-hour requests averages 30 minutes)
    - updates
    - 12-month warranty for desktop and server installations
    - updates
Table 3: System Requirements RecoveryPAC, RecoveryPAC Web and RiskPAC

Operating System
  RecoveryPAC: Microsoft Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows ME, Windows XP
  RecoveryPAC Web:
    For Web and Database Servers:
    - Microsoft Windows XP, 2000 (Service Pack 2 [SP2]), NT 4.0 (SP6a or higher)
    - Linux kernel version 2.2, 2.4
    - Certified Linux Distributions: Red Hat Linux 6.2, 7.0, 7.2; Mandrake 7.2, 8.0; SuSE Linux 7.0, 7.2; TurboLinux 6.0
    - Solaris 2.6, 7, 8
    For Administrator Server and Client:
    - Microsoft Windows 95, 98, ME, NT, 2000, XP
  RiskPAC: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows ME, Windows XP

Processor
  RecoveryPAC: Pentium class
  RecoveryPAC Web:
    - Web Server: high-end Pentium 4
    - Database Server: high-end Pentium 4
    - Administrator Server: Pentium class
    - Administrator Client: Pentium class
  RiskPAC: Pentium class

Browsers
  RecoveryPAC: Does not apply
  RecoveryPAC Web:
    - Microsoft Internet Explorer 5.0 or higher
    - Netscape 4.5 or higher
  RiskPAC: Does not apply

Network
  RecoveryPAC:
    - Any network that is Windows-compatible
    - Must support long file names
  RiskPAC:
    - Any network that is Windows-compatible
    - Must support long file names and Universal Naming Conventions

Performance
  RecoveryPAC:
    - Written in compiled Delphi for rapid performance
    - Network need not be optimized
  RecoveryPAC Web:
    - Written in Java
    - Network need not be optimized
  RiskPAC:
    - Network need not be optimized
RAM Capacity
  RecoveryPAC: 64MB
  RecoveryPAC Web:
    - Web Client: 128MB
    - Web Server: 640MB
    - Database Server: 640MB minimum
    - Administrator Server: 256MB
    - Administrator Client: 256MB
  RiskPAC: 64MB

Hard Drive Capacity
  RecoveryPAC:
    - Stand-alone PC: 100MB
    - Server: 60MB-85MB
    - Workstation: 40MB-65MB
    - Recommendation: a minimum of 50MB of free hard disk space be available after installing RecoveryPAC
  RecoveryPAC Web:
    - Web Server: 5MB
    - Database Server: 8MB-12MB
    - Administrator Server: 45MB-75MB
    - Administrator Client: 25MB-57MB
  RiskPAC:
    - Stand-alone PC Installation: 41MB
    - Network Installation: 76MB
    - Workstation Installation (common files): 28MB
    - Additional disk space required during installation for temporary files
    - CSCI recommends minimum of 50MB of remaining be available after installing RiskPAC

CD-ROM
  RecoveryPAC: Required for installation
  RecoveryPAC Web: Required for installation
  RiskPAC: Required for installation

Graphics
  RecoveryPAC: Video Graphics Array (VGA) or higher monitor
  RecoveryPAC Web: VGA or higher video monitor
  RiskPAC: VGA or higher video monitor

Concurrent Users
  RecoveryPAC: No maximum number of concurrent users applies for multiuser licenses
  RecoveryPAC Web: Maximum number of concurrent users specified per license
  RiskPAC: No maximum number of concurrent users applies for multiuser licenses

Analysis
Since its founding in 1984, CSCI has grown RecoveryPAC through nine versions to meet market needs and take advantage of technological advances. The first release of RecoveryPAC Web was in 2001. Users find both RecoveryPAC LAN/WAN and RecoveryPAC Web straightforward to operate, with or without advisory support from CSCI.

For smaller user numbers, RecoveryPAC-LAN/WAN compares at equal or slightly lower license pricing against SunGard and Strohl BCP products. At larger numbers of users, it can be a bargain. RecoveryPAC Web offers the best pricing against all competitors in its category. However, the prospective buyer should consider all costs, since BIA is available only through the RiskPAC product, licensed separately, while a seemingly more expensive product may have those features embedded.

Enterprise Scalability
RecoveryPAC LAN/WAN and Web versions support any number of business units with all the documents they require: questionnaires, plans for business units or locations, and related documents attached to plans. The database hardware and software recommended for these BCP tools easily support the space needs of documents and the response time needs of users. The products also accommodate the number of users who operate such systems, which, even in the largest companies, rarely exceeds 10 simultaneously.

Data Customization
Database field labels can be changed. Users can define pick-lists and fields as well. In RecoveryPAC Web, database file names can be changed and fields reordered. These capabilities allow efficient data reuse for continuity plan creation and updating.

Resource Integration
Existing data resources can be imported into the databases, and external documents in Windows applications can be attached to continuity plans. Both RecoveryPAC versions permit multiple master files of plans, provide an Import Wizard for dynamic field mapping to enable data import from existing BCP applications into RecoveryPAC and employ a Data Collection Utility to facilitate importation of planning information entered remotely into the central database location.

Support
Support services include:
- Telephone and e-mail support during normal business hours (9 a.m.-5 p.m., EST). Outside these hours, CSCI provides a 24x7 technical hotline with answering service and pager service (30 minutes average response time from a technician who can resolve the problem).
- To support clients across time zones, particularly Europe, the help desks of two experienced European distributors supplement the 24x7 on-call support. These help desks handle first-line user questions and problems, such as how-to inquiries.
Training
Training is available at either the vendor or the client site.

Pricing

Table 4: Price List: RecoveryPAC

Product Description                                        Price

RecoveryPAC, LAN/WAN
  Desktop: single user                                     $15,000
  Unlimited concurrent user LAN (five-mile restriction)    $20,000
  Site license: unlimited concurrent user WAN              $75,000

RecoveryPAC Web
  Five concurrent users                                    $55,000
  10 concurrent users                                      $65,000
  20 concurrent users                                      $75,000

RiskPAC
  Desktop: single user                                     $10,000
  Unlimited concurrent user LAN (five-mile restriction)    $12,500
  Site license: unlimited concurrent user WAN              $50,000

Support (Includes customer support, training and software updates)
  Maintenance fee: After one year, 15 percent of subsequent years' list price
  Support and updates: After the warranty period, the maintenance contract fee for support and updates is 15 percent of subsequent years' list price
  Training:
    - Consulting services are available for $1,500/day plus expenses
    - Training at the client site costs $1,500/day plus expenses
    - Other training services available on request

GSA Pricing: No

Competitors
CSCI's clients benefit from CSCI's methodology experts, who provide criteria and logistics for risk analysis and comprehensive libraries of information and templates for continuity plans. These features and their flexibility through user customization provide a valuable resource for any size company whose IT infrastructure is entirely Windows-compatible. Competing BCP vendors permit greater diversity in the platforms they support for the same sizes of companies.

Table 5: BCP Vendors

Business Planning Continuity System (BCPS)
RSM McGladrey
  RSM McGladrey is a division of H&R Block, with offices in every state of the U.S. and a total of more than 600 offices in 75 countries, focusing all services on midsize, owner-managed businesses. Includes BIA capabilities, a continuity plan builder and BCP database. The BIA tool is included as part of the BCPS product.

Living Disaster Recovery Planning System (LDRPS)
Strohl Systems
  A product suite for medium- to large-enterprise continuity planning that integrates three toolsets standard for BCP with an enterprise resource-compatible database and collaborative planning. Strohl Systems BCP software serves a client base of more than 1,000 organizations in more than 60 countries. Strohl's BIA Professional product, sold separately, can perform the preliminary business impact analysis.
PreCovery
SunGard Availability Services
  Integrates BIA, continuity plan building, BCP database and collaborative planning. SunGard provides IT solutions and e-processing services, with more than 20,000 clients in over 50 countries. Its BCP software has recently expanded with the acquisition of the business continuity assets portion of former competitor Comdisco. BIA features are included as part of PreCovery.

Strengths

Ease of Use
Wizards prompt users through tasks. Context (field)-sensitive help and searchable online documentation enable users to find answers to their questions quickly and accurately.

Documentation Usability and Flexibility
The RecoveryPAC documentation includes development wizards and expert advice libraries. When RiskPAC is used as a front end, the questions in the Question Library have help text where necessary to assist survey responders to understand the question's intent. RiskPAC users who develop new questions can create help text for their questions as well.

ODBC Database Compliance
Adherence to this industry standard enables importing of data from other BCP applications and from corporate databases such as personnel and hard assets.

Data Customization and Integration
Users can modify field labels. In addition, users can define fields to conform to corporate data and reporting requirements.

Competitive Pricing
RecoveryPAC-LAN/WAN is priced favorably against larger competitors, most markedly at higher numbers of seat licenses or site licensing. RecoveryPAC Web offers the best pricing against all competitors in its category.

Limitations

Single Platform
The stand-alone RecoveryPAC operates only in Windows environments. The system's ODBC compliance does permit data import from other database platforms. In addition to the Windows environments, RecoveryPAC Web can use two versions of the Linux kernel operating system for Web and database servers.
No Automatic Database Updating from External Corporate Resources
RecoveryPAC does not poll corporate databases to capture updates on an automated schedule for such dynamic information as hard assets and BCP team employee contact numbers. These internal databases must be updated by a manually triggered import from the external corporate resource, or the new information must be keyed directly into RecoveryPAC forms that update the databases.

No Automatic Call-List Notification
Unlike many other full-featured BCP software suites, RecoveryPAC systems do not read the employees' numbers automatically and generate a notification message to them, although the employee call list for an affected location can be accessed rapidly to a screen or sent to a printer. RecoveryPAC Web includes the ability to generate a notification message and send it automatically via e-mail to employees.

Insight
CSCI satisfies its diverse, worldwide clientele with products and services using a no-nonsense approach to enable a streamlined BCP development process for its users. RecoveryPAC makes the development process understandable and manageable. One can build a comprehensive and useful plan based on sound impact analysis from the RiskPAC tool. In both the BIA and BCP planning tools, the expert guidelines and templates alone ensure that all bases are covered, and user customization can tailor the plans to use existing data and to support corporate business units or locations. Although plan maintenance may require more manual intervention than that required by more complex and expensive BCP systems, the ease of initial development and budget considerations make the CSCI products serious contenders for a broad range of corporate sizes and industries.