Business Continuity Planning: The Effects of Sarbanes-Oxley

In his book Business Continuity Planning for Data Centers and Systems: A Strategic Implementation Guide, Ronald H. Bowman describes the impact recent events and legislation (such as Sarbanes-Oxley) have had on the business continuity industry in general, and on planning data centers in particular:

Establishing and implementing unique criteria for data center selection is not a new idea. The idea for a mission-critical facility has grown more exacting over the past ten years and even more so over the past three years. In the northeastern United States, the financial capital of the world, the data center and business continuity site often was located within 10 miles of headquarters or the primary site. The proximity was established largely to be close to synchronous encryption to the critical data within 26 route kilometers (18 miles) and to be close enough so the managers or business heads could oversee implementation and maintenance effectively.

It was rare that the primary data center was geographically remote from a second site or that a business continuity site would truly be remote (over 80 miles away). Currently there are over 40 business (active/active) continuity sites in Jersey City, New Jersey, just 1.5 Euclidean miles from lower Manhattan and 6 to 8 Euclidean miles from midtown Manhattan, where the primary data centers and headquarters are located. What we witnessed from the events of September 11, 2001, other than the catastrophic loss of life, is that commercial transportation on bridges, tunnels, and most waterways was effectively stopped, unless escorted by official vehicles. Companies received police escorts to various sites for fuel and temporary generator distribution. If possible at all, it was extraordinary to get a human or critical human infrastructure to a second site or a primary site (“under anger”) under these conditions, and time-sensitive executions were delayed. I personally drove a truck for two days to expedite the provisioning process; I was able to do this because I had security clearance at bridges, tunnels, and the tenant’s highly secure space.

Few official documents specify where to site data centers. This information is not provided in Securities and Exchange Commission (SEC) white papers of October 12, 2007, and April 7, 2003; the National Association of Securities Dealers rules of 3510 and 3520; sections 302 and 404 of the Sarbanes-Oxley Act 2002; or the Public Company Accounting Oversight Board’s Standard No. 2 or Statement of Accounting Standards 70, to name a few. Collectively they provide a few suggestions and guidelines. In essence, they tell companies to:

  • Have a brief continuity plan.
  • Update and document the plan if significant changes occur in the company or process.
  • Test the plan annually.

These laws and bodies did put information technology (IT) in “the game” but the teeth were still missing!

[...] What are looming large are the tiered designations of Tier 1 and Tier 2 and their accountability to the private sector. The SEC applies these tier designations to users, recognizing that not all companies have or should have the resources to comply on all levels:

  • Tier 1 Designation. Two-hour recovery time objective.
  • Tier 2 Designation. Four-hour recovery time objective (everyone else).

Furthermore, the SEC has cited a $75 million market capitalization as a threshold for the size of operation designation of tiers. Effectively, the U.S. government told businesses to comply with Sarbanes-Oxley as of June 15, 2004. About $75 million is the total market capitalization exposure in the market; that generally means a greater capital expense to build greater operating expenses to SEC reporting companies. This was their attempt that one size of compliance and documentation did “not” fit all.

When we think of Sarbanes-Oxley, we think of the “bad guys.” We think about large companies taking money from hardworking investors and manipulating the books so when investors reach retirement, there is little or nothing left. However, the concentric circles of Sarbanes-Oxley have drifted into business continuity planning, document retention, and corporate governance. The difference between recent legislation and Sarbanes-Oxley is that negative consequences now have teeth. In other words, if there is noncompliance by the chief executive officer or the chief financial officer, jail time is possible, if not likely. Again, this was structured for the bad guys.


From Business Continuity Planning for Data Centers and Systems: A Strategic Implementation Guide by Ronald H. Bowman. Copyright 2008 John Wiley & Sons, Inc. All Rights Reserved. Used by arrangement with John Wiley & Sons, Inc.