Professional Documents
Culture Documents
Ashrafi Alkindi 2022 A Framework For Is It Disaster Recovery Planning
Ashrafi Alkindi 2022 A Framework For Is It Disaster Recovery Planning
Ashrafi Alkindi 2022 A Framework For Is It Disaster Recovery Planning
1, 2022 1
Rafi Ashrafi*
Information Systems Department,
College of Economics and Political Science,
Sultan Qaboos University,
P.O. Box 20, PC 123, Muscat, Oman
Email: rafi@squ.edu.om
Email: Rafi.ashrafi@gmail.com
*Corresponding author
Haitham AlKindi
Muscat Clearing and Depository,
P.O. Box 952, PC 112, Ruwi,
Muscat, Oman
Email: hah9111@gmail.com
Haitham AlKindi received his BSc and MSc in Information Systems from
Sultan Qaboos University, Oman. Currently, he is working as the Deputy IT
Manager at Muscat Clearing and Depository, leading a number of IT projects.
As an IT professional, he is passionate in adapting and practicing standards and
frameworks such as ITIL, COBIT5, ISO 27000 series and NIST Cybersecurity
Framework.
1 Introduction
As organisations increasingly rely on data, information, and technology, they are exposed
to various risks that may cause disruption to some or all of their operations (Barbara,
2006). Due to the impact of risk events that have happened within the past few years in
the economic, political and technological environments of organisations, they have now
realised the importance of IT business continuity (BC) and disaster recovery (DR)
(Nelson, 2006). Organisations and enterprises can no longer afford the havoc and chaos
that occur when they are hit by a disaster (Chow and Ha, 2009). Therefore, it is
imperative for organisations to protect their data, information, and technology, the most
important assets of an organisation in the digital age of today. As a result, IT DRP has
become a top concern for IT executives (Kappleman et al., 2013), and many
organisations have made DR as one of their major priorities (Lewis et al., 2003).
Table 1 List of acronyms used in the study
BC Business continuity
BCM Business continuity management
BCP Business continuity plan
BIA Business impact analysis
CEO Chief executive officer
CIO Chief information officer
CSF Critical success factor
DR Disaster recovery
DRP Disaster recovery planning/plan
IS Information systems
IT Information technology
MADT Maximum allowable downtime
MTPD Maximum tolerable period of disruption
RPO Recovery point objective
RTO Recovery time objective
SOX Sarbanes-Oxley act
TOE Technology, organisation and environment
A framework for IS/IT disaster recovery planning 3
The main purpose of IT disaster recovery planning (DRP) is to make sure that when a
disaster occurs, all IT systems and functions, and especially all critical functions, are back
in operation with the most critical data restored within a reasonable time. Since most
organisations rely on data, technology, and information, they spend a huge amount of
money to protect these assets. Organisations have become aware of the risks of losing
their valuable assets, and have therefore realised the importance of having a DR Plan in
place (Statewide Disaster Recovery Planning for Information Technology Systems,
2010). A global benchmark survey conducted by The State of Global Disaster Recovery
Preparedness (2014) showed that 73% of companies worldwide do not have a DR
strategy and have not taken adequate steps to protect their IT systems and data. Studies
have shown that corporations with a BC/DR plan in place before the September 11th,
2001 attacks in the USA recovered more efficiently and faster than those that did not
(Castillo, 2004; Barbara, 2006). A number of studies reported on the importance and need
of IT DR planning (El‐Temtamy et al., 2016; Haji, 2016; Yang et al., 2015; Cook, 2015;
Nair, 2014; Costello, 2012; Karim, 2011; Lewis et al., 2003; Perna, 2014). This study
builds on the previous research and focuses on developing a framework for IT DRP.
Table 1 provide list of acronyms used in this study.
Thus, in order to answer the above questions, the following objectives are set:
1 To identify a set of CSFs from literature for DR planning.
2 To develop a framework for effective DR planning.
This study contributes to the knowledge area of DR Planning by conducting a
comprehensive review of literature on CSFs in IT DR Planning. Via the literature review,
this study selects 10 critical success factors (CSFs) based on the criteria of being reported
by three or more research studies. The study also develops a framework for IT DRP
based on the Technology, Organization and Environment (TOE) framework (DePietro
et al., 1990). Furthermore, the study defines the effectiveness of DRP, develops
measurements for effectiveness, and finally proposes a model to investigate the
cause‐effect relationship between CSFs and their effectiveness. This study will help
organisations in improving their DRP by focusing on the identified CSFs.
The first section of this paper provides a background on IT DR Planning and its
importance. The second section provides a literature review on IT DR Planning with the
view to identify the most important CSFs for DRP. The third section develops a
conceptual framework for DR Planning, and defines ‘effectiveness’ for DR Planning. The
final section contains the conclusion and the recommendations along with the limitations
of the study and suggestions for future research.
2 Literature review
man‐made disaster in order to ensure the stability and continuity of business operations
and functions. DRP establishes how an organisation will bring back its IT systems and
services once they have been interrupted (Omar et al., 2011).
In this paper, we define IT DR Planning as a process that focuses on a few of the
most important factors, called CSFs, so that an organisation can recover from a disaster
and is able to restore its most critical functions and data within a reasonable time.
Definition of CSFs
Rockart (1979) defines CSFs as those few key areas of activity in which favourable
results are absolutely necessary for a particular manager to reach his or her goals.
Barbara (2006) defined CSFs as performance measures which must be achieved
satisfactorily and paid attention to, in order to ensure a successful and competitive
performance by the organisation. Wali et al. (2003) define CSFs as essential areas which
must perform well to meet the objectives and goals of the organisation.
In our view, CSFs are the few most important factors that an organisation must focus
on in order to achieve its objectives.
Literature review
DRP has become a priority for organisations. Lack of DR Planning may lead to loss of
reputation and market share, decreased customer service and business process failure,
regulatory liability and increased resuming and restoring times (Sahebjamnia et al.,
2015). The main objective of DR Planning is to protect enterprise information technology
resources and as well as business functions through reducing the impact of disaster. This
is done by following and executing proper recovery procedures (Omar et al., 2011).
Several studies have reported on DR Planning CSFs. However, some of these studies
have used non‐business entities such as libraries, museums, academic computing centres,
academic institutions, healthcare, and telecommunications regulatory agencies which
make it difficult to generalise the conclusions of these studies in a business environment
(El‐Temtamy et al., 2016). There are also very few studies that report empirical evidence
in support of the effectiveness of the DR Planning CSFs, and they lack of implementation
models for BCM/DRP. Further research is needed to guide the proper selection of the
CSFs, to have a framework to guide its implementation from an organisational
perspective, and to assess the effectiveness of these CSFs and framework.
Chow (2000) surveyed the literature and identified 17 success factors for DRP based
on a survey of 98 respondents from banking, manufacturing, trading, and hotel industry
sectors in Hong Kong. However, their study did not develop or suggest a framework.
Later, in a follow‐up study, Chow and Ha (2009) identified 14 DRP CSFs for IS
functions. A list of their success factors is mentioned in Table 3.
Barbara (2006) examined whether the ranking of CSFs for implementing BC/DR
programs has changed from previous research, specifically after the events of
September 11, 2001. Barbara (2006) used a multi‐method approach, a qualitative analysis
of 11 interviews and quantitative analysis of 52 respondents through a survey in Canada.
Their study used the 17 CSFs found by Chow (2000), and added three themselves.
Finally, they ranked the top five CSFs and compared them with Chow’s (2000) top five
CSFs. Barbara (2006) reported two sets of top 5 CSFs, one based on interviews, and
another one based on the survey. Three factors were common in both sets: business
impact analysis (BIA), maintenance of BCP/DRP, and periodical testing of BCP/DRP.
Training of recovery personnel and engagement of external consultants were included in
the interview top 5 CSFs, and top management support and alignment of BC/DR
objectives with company goals were included in the top 5 survey CSFs. Their results
show that the top five ranked CSFs have changed since Chow’s study.
Hoong and Marthandan (2011) reviewed literature on DRP and BCM, identified
factors, and developed a framework for DRP and BCM implementation. In another paper,
Hoong and Marthandan (2014) reported critical dimensions of DRP that impact DRP
procedures, and contribute to a successful DRP to minimise the impacts of IT service
outages. Their study used TOE (DePietro et al., 1990) to explore the adoption of DRP
processes on the financial Industry in Malaysia. They identified 8 critical dimensions:
external pressures to adopt DRP; top management support; staff competency; business
environment; roles and responsibilities; perceived BC benefits; technology competence;
and IT availability and reliability.
A framework for IS/IT disaster recovery planning 7
El‐Temtamy et al. (2016) reviewed IT DRP practices in public companies listed in the
Abu Dhabi/UAE security exchange. They found the main factors in DR Planning to be:
top management support, BIA, resources utilised in developing DRP, DRP
documentation, employee preparedness and awareness, risks and threats, controls and
recovery strategies, and exercising testing.
Karim (2011) presented a conceptual model for measuring the factors of BCP and
Business Disaster Preparedness through the use of statistical indicators. Their paper
concludes that there is a significant effect on the successful preparedness to a disaster of:
strategic management, business risk analysis, training and awareness, and information
life cycle management.
Tu et al. (2018) conducted a CSF analysis of strategic vale alignment for information
security management. They found the top CSFs to be business alignment, top
management support, organisational awareness of security risks and control, and
performance evaluation.
Bakar et al. (2015) conducted a comprehensive review of the literature on BCM CSFs
and selected four broad factors: management support, external requirements,
organisational preparedness, and embeddedness of continuity practices. They proposed a
model that investigated the impact of these factors on the financial and non‐financial
performance of an organisation.
Haji (2016) reviewed BC practices in the airline industry and proposed solutions for
IT DR sites. Although Haji’s 2016 study is related to the airline industry, he has
identified the following critical factors: top management support, alignment of BC/DR
strategy with organisational goals, BIA, IT DR site, DR procedures, periodic testing of
applications, communication with staff, standard recovery framework, and ongoing
improvement of recovery strategy. These factors are equally applicable to other
industries.
Jarvelainen (2013) reported results of a survey of 84 IT Managers and CIOs on IT
incidents and business impact in large public and private organisations in Finland. She
developed and validated a framework for BC management in information systems. Her
results suggest that top management support is the key factor, and embeddedness of
continuity practices, organisational alertness and preparedness, and external requirements
have perceived business impacts.
The Disaster Recovery Preparedness Council (2014) in their annual report on the state
of global DR preparedness found that 73% of organisations failed in terms of disaster
readiness, and the incidence and costs of outages remain a major challenge for many
organisations. The main reasons for the losses were lack of DRP, testing, and resources.
The Council suggested having a detailed DR plan, defining DR metrics for RTOs and
RPOs, allocating adequate resources and budget, training DR staff, identification of
critical applications, preparation of a DR backup site, and frequent testing of critical
applications to validate recovery within defined RTOs/RPOs.
Cook (2015) examined 105 articles published during the last 20 years and developed
a six‐stage framework that includes not only technology, but also people and processes.
He conducted 21 semi‐structured interviews of senior IT managers from various industry
sectors in the USA to validate the framework’s applicability in real life settings. His
six‐stage BC/DR Planning cycle includes governance structure, plan initiation, BIA and
risk assessment, design\updating of the plan, testing/training, and maintenance. Important
elements of his framework include upper management support, strategic goals, list of
critical processes, BIA and risk assessment, specific time data for critical processes (e.g.,
A framework for IS/IT disaster recovery planning 9
RTOs and RPOs), data storage, designing BC/DRP, testing and training, maintenance and
update of BC/DR Plan, budget, and back up.
Many studies have emphasised that the key to successful IT DR Planning depends on
several factors. For example, top management support is an essential element to ensure
ongoing funding and necessary resources (Chow, 2000; Nelson, 2006; Jarvelainen, 2013).
A number of researchers indicate that the periodic testing of DR Plans is to make sure
that the plan is up‐to‐date and is workable (Castillo, 2004; Enshasy, 2009; Chow and Ha,
2009; Mohamed, 2014). Other factors identified include: objective of DR Plan and its
alignment with organisation’s objectives (Chow, 2000; Barbara, 2006; Al-Hazmi and
Malaiya, 2013), conducting risk assessment and impact analysis (Wold, 2006), up‐to‐date
DR Plan document (Chow and Ha, 2009; Hoong and Marthandan, 2014), and
maintaining a backup site (Barbara, 2006; Chow and Ha, 2009).
Table 3 summarises various CSFs that were identified by researchers during the last
20 years.
Sahebjamnia et al. (2015) quoting Galindo and Batta (2013) reported that most of the
research gaps highlighted by Altay and Green (2006) have remained without any drastic
changes. This study attempts to fill that gap by identifying a set of the most important
CSFs, and developing a framework based on the TOE model. Based on the literature
review, we selected 10 CSFs that have been identified by 3 or more studies. It has been
found that there is a lack of research on assessing the effectiveness of DR Planning CSFs
(El‐Temtamy et al., 2016; Hoong and Marthandan, 2014; Sawalha, 2011). This study
attempts to fill this gap as well.
The following section discusses in more detail each CSF identified as important in the
literature review.
IT/IS DR planning CSFs.
2.3 DR committee
Since the functions within the organisation will be affected by the development of DR
Plann, it is essential that the top management appoint a formal DR committee to
coordinate all the functional units in the organisation (Cook, 2015; Blokdijk, 2008;
Chow, 2000).
The purpose of appointing a formal DR committee is to perform risk analysis for all
functional areas throughout the organisation so that all the potential damage can be
minimised and plans for fast recovery are in place (Cook, 2015; Hawkins et al., 2000).
immediately after a disaster occurs (Haji, 2016; Barbara, 2006). Hence, the off‐site
location should be placed at a fair distance from the organisation’s location so that if a
disaster strikes the organisation, the off‐site location will not be impacted (Chow and Ha,
2009). There are different options for an off‐site backup strategy. The first of these
options is a ‘hot‐site’ where there are redundant systems, applications, and infrastructure
that are identical to the distantly‐located production site, and where staff can be relocated
immediately. A ‘warm‐site’ is the second backup strategy, the difference between
‘warm‐’ and ‘hot‐site’ being that ‘warm‐site’ requires little configuration (Peterson,
2009). The third option is a ‘cold‐site’, which is typically an empty office with minimum
requirements of infrastructure (Peterson, 2009). Only a slight disruption in the processes
of the organisation can have a significant impact on its survival. A ‘hot‐site’ might be the
only alternative where data is being duplicated through standby mode.
walkthrough, and even simulation (Barbara, 2006). Moreover, training the staff will
minimise the potential for operational errors during a real disaster (Chow and Ha, 2009).
Thus, proper training is essential to ensure that DRP procedures are achieved as planned.
A number of studies have identified the need of suitable frameworks for IT DR
Planning and business continuity. Jarvelainen (2013) reported that no frameworks for
information system continuity management have yet been validated. They proposed a
framework and validated it in a survey of IT managers in large private organisations and
public organisations in Finland. Sahebjamnia et al. (2015) found that DR Planning for
business still lacks a methodological direction.
In the next section, we develop a framework for DRP that consists of the identified
DRP CSFs and is based on the TOE framework.
3 Framework development
Crises and disaster preparedness has become an important function in organisations of all
types, whether they are financial, engineering, telecommunications, banking or health
service providers (Wrobel, 2008). Crises and emergencies can happen at any time in any
organisation. Therefore, through proper planning for unexpected catastrophic events,
organisations can be better prepared to handle these unforeseen events.
Successful crises and DR management incorporates organisational programs and
awareness; for example, DRP, BCP, and crises management. Furthermore, DRP requires
all the organisation’s departments to work together in order to reach the ultimate goal of
having successful and effective DRP (Lockwood, 2005). An effective DR Plan should be
a comprehensive document covering management, technical, operational, and regulatory
aspects, so that roles and responsibilities are clear and it is easy to implement.
IT DR planning framework
In this section we propose a framework based on the above identified CSFs for DR
Planning and DR Plan effectiveness. This framework is based on the TOE framework.
The TOE framework was developed by DePietro et al. (1990) and it uses three contexts
to influence IT adoption: TOE. The ‘environment context’ refers to the outside influences
that affect the organisation such as stockholders, government compliance and regulators,
competitors, and customers. The ‘organisation context’ refers to the characteristics and
structure of the organisation, the methods used within it, the decision‐making flow, the
internal communication, and the boundary with external communication. The
‘technology context’ refers to the technology competence the organisation has and its
technology solution implementation, technical skills, and technology infrastructure
resources (Scott, 2007; Angeles, 2014). Next, we provide details of the proposed
framework for effective IT DR Planning.
3.2 Organisation
In the organisation perspective, we consider management and operational perspective
separately for clarity and due to their nature.
organisation. With an obsolete plan, recovering from a disaster will be difficult or, in the
worst‐case scenario, impossible. Therefore, the reviewing and updating of the DRP on an
ongoing basis is a vital process that must be carried out carefully.
Based on the above discussion, the following factors are categorised from an
organisation – operational perspective: DRP committee, DR Plan update, the
participation of organisational representatives, and the training of recovery personal.
Planning is a process, and thus it is necessary that all roles and responsibilities of both
managers and employees are clearly documented (Hoong and Marthandan, 2014). DR
Plan testing can therefore be linked directly with the legal and regulatory perspective.
Table 4 summarises all the above categorised factors in line with TOE framework.
Table 4 TOE framework – categorisation of CSFs
Thus, based on the above discussion, to measure the effectiveness of the DR plan
within an organisation the best metrics used are RTO and RPO, where these two factors
should not be greater than the MADT or MTPD.
We suggest that all of the 10 identified CSFs can be modelled on the TOE framework
and represent independent factors. Figure 1 presents the suggested framework for DR
Planning, and shows the 10 identified CSFs in this study represented as the independent
factors while DRP effectiveness is the dependent factor. In addition, Figure 1 shows that
each CSF is within its perspective of TOE framework as identified in this study.
Technology
Prioritisation of Application
and Services
Organisation
Management
Operational
DRP
Disaster Recovery Committee Effectiveness
Training of DR Team
Environment
Legal and Regulatory
DRP Documentation
DRP Testing
A framework for IS/IT disaster recovery planning 17
4 Conclusions
Acknowledgements
The authors would like to thank Sultan Qaboos University for providing excellent
research facilities. Thanks to Amy Torre for her work in editing the paper. Also, the
authors would like to thank the reviewers for their valuable comments to improve the
paper.
18 R. Ashrafi and H. AlKindi
References
Al-Hazmi, O. and Malaiya, Y. (2013) ‘Evaluating disaster recovery plans using the cloud.
Reliability and Maintainability Symposium (RAMS)’, IEEE Proceedings‐Annual, pp.1–6,
Orlando, Florida, USA.
Altay, N. and Green, W.G. (2006) ‘OR/MS research in disaster operations management’, European
Journal of Operational Research, Vol. 175, No. 1, pp.475–493.
Angeles, R. (2014) ‘Using the technology‐organization‐environment framework for analyzing
Nike’s ‘considered index’ green initiative, a decision support system‐driven system’, Journal
of Management and Sustainability, Vol. 4, No. 1, pp.96–113.
Asgary, A., Anjum, M. and Azimi, N. (2012) ‘Disaster recovery and business continuity after the
2010 flood in Pakistan: case of small businesses’, International Journal of Disaster Risk
Reduction, Vol. 2, No. 1, pp.46–56.
Baham, C., Hirschheim, R., Calderon, A. and Kisekka, V. (2017) ‘An agile methodology for the
disaster recovery of information systems under catastrophic scenarios’, Journal of
Management Information Systems, Vol. 34, No. 3, p.633, DOI: 10.1080/07421222.2017
.1372996.
Bakar, Z.A., Yaacob, N.A. and Udin, Z.M. (2015) ‘The effect of business continuity management
factors on organizational performance: a conceptual framework’, International Journal of
Economics and Financial Issues, Vol. 5, No. 5, Special issue, pp.128–134 [online]
https://www.econjournals.com/index.php/ijefi/article/view/1379/pdf (accessed 4 November
2020).
Barbara, M. (2006) Determining the Critical Success Factors of an effective Business
Continuity/Disaster Recovery Program in a Post 9/11 World: A Multi‐Method Approach,
Master’s thesis, Concordia University, Canada [online] https://spectrum.library.concordia.ca/
9033/ (accessed 4 November 2020).
BCMPedia (n.d.) MADT and MTPD defined in BCMpedia [online] http://www.bcmpedia.org
/wiki/Maximum_Allowable_Downtime_(MAD) (accessed 20 December 2016).
Blokdijk, G. (2008) Disaster Recovery 100 Success Secrets: IT Business Continuity, Disaster
Recovery Planning and Services, Emereo Publishing. Newstead, Queensland, Australia.
Botha, J. and von Solms, R. (2004) ‘A cyclic approach to business continuity planning’,
Information Management & Computer Security, Vol. 12, No. 4, pp.328–337.
Business Continuity Disaster Recovery Plan Steps (n.d) In Disaster Recovery Organization [online]
http://www.disasterrecovery.org/plan_steps.html (accessed 20 May 2015).
Business Continuity Planning (2015) Federal Financial Institutions Examination Council [online]
http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf
(accessed 20 September 2015).
Castillo, C. (2004) ‘Disaster preparedness and business continuity planning at boeing: an integrated
model’, Journal of Facilities Management, Vol. 3, No. 1, pp.8–26.
Catania, P. (n.d) Are you Prepared? – How to Accomplish Disaster Recovery and Business
Continuity Planning, Disaster Resource Guide [online] http://www.disaster‐resource.com/
index.php?option=com_content&view=article&id=1615 (accessed 27 June 2015).
Chow, W. (2000) ‘Success factors for IS disaster recovery planning in Hong Kong’, Information
Management & Computer Security, Vol. 8, No. 2, pp.80–87 [online] http://130.18.86.27/
faculty/warkentin/SecurityPapers/Robert/Others/Chow2000_IMCS8_2_DisasterRecoveryHon
gKong.pdf (accessed 4 November 2020).
Chow, W. and Ha, W. (2009) ‘Determinants of the critical success factor of disaster recovery
planning for information systems’, Information Management & Computer Security, Vol. 17,
No. 3, pp.248–275.
Cook, J. (2015) ‘A six‐stage business continuity and disaster recovery planning cycle’,
SAM Advanced Management Journal, Vol. 80, No. 3, pp.23–34 [online]
https://search.proquest.com/docview/1725174951/abstract/1C5777E6EECB4D69PQ/1?accoun
tid=27575 (accessed 4 November 2020)
A framework for IS/IT disaster recovery planning 19
Sahebjamnia, N., Torabi, S.A. and Mansouri, S.A. (2015) ‘Integrated business continuity and
disaster recovery planning: towards organizational resilience’, European Journal of
Operational Research, Vol. 242, No. 1, pp.261–273.
Sakel, K (2011) Sony PlayStation Network Hack Is Just the Beginning of Giant Data Thefts:
Experts [online] http://www.huffingtonpost.com/2011/05/06/playstation‐theft‐sony‐hack
_n_858355.html (accessed 15 October 2015).
Sarbanes‐Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements
(2009) United States Securities and Exchange Commission [online] https://www.sec.gov/news
/studies/2009/sox‐404_study.pdf (accessed 20 September 2015).
Sawalha, I.H. (2011) Business Continuity Management and Strategic Planning: The Case of
Jordan, Doctoral dissertation, University of Huddersfield, UK [online]
http://eprints.hud.ac.uk/id/eprint/10172/ (accessed 4 November 2020).
Scott, J. (2007) ‘An e‐transformation study using the technology‐organization‐environment
framework’, 20th Bled eConference eMergence: Merging and Emerging Technologies,
Processes, and Institutions, pp.50–61, Bled, Slovenia [online] https://core.ac.uk/download/
pdf/301359173.pdf (accessed 4 November 2020).
Snedaker, S. (2013) Business Continuity and Disaster Recovery Planning for IT Professionals,
2nd ed., Syngress, Rockland.
Statewide Disaster Recovery Planning for Information Technology Systems (2010) The Montana
Legislature [online] http://leg.mt.gov/content/Publications/Audit/Report/10DP‐01.pdf
(accessed 20 May 2015).
The DR Preparation Council (2014) [online] https://www.unitrends.com/wp-content/uploads/
ANNUAL_REPORT-DRPBenchmark_Survey_Results_2014_report.pdf (accessed 9
November 2020).
The State of Global Disaster Recovery Preparedness (2014) Disaster Recovery Preparedness
Council [online] http://drbenchmark.org/wp-content/uploads/2014/02/ANNUAL_
REPORTDRPBenchmark_Survey_Results_2014_report.pdf (accessed 19 February 2015).
Thordarson, T.B. (2014) Use of Funds in a Nonprofit Organization as Predictor of
Organizational Effectiveness and Efficiency, Dissertations, Paper 730 [online]
https://digitalcommons.andrews.edu/cgi/viewcontent.cgi?article=1729&context=dissertations
(accessed 4 November 2020).
Tu, C.Z., Yuan, Y., Archer, N. and Connelly, C.E. (2018) ‘Strategic value alignment for
information security management: a critical success factor analysis’, Information & Computer
Security, Vol. 26, No. 2, pp.150–170.
Wali, A., Deshmukh, S. and Gupta, A. (2003) ‘Critical success factors of TQM: a select study of
Indian organizations’, Production, Planning and Control, Vol. 14, No. 1, pp.3–14.
Wold, G. (2006) ‘Disaster recovery planning process’, Disaster Recovery Journal, Vol. 5, No. 1,
part 1 of 3 [online] file:///Users/rafiashrafi/Downloads/disater%20recovery%20Part%
20I%20of%20III%20(1).pdf (accessed 4 November 2020).
Wong, B., Monaco, J. and Sellaro, C. (1994) ‘Disaster recovery planning: Suggestions to top
management and information systems managers’, Journal of Systems Management, Vol. 45,
No. 5, pp.28–33.
Wrobel, L. (2008) Business Resumption Planning, 2nd ed., CRC Press, Boca Raton, Florida, USA.
Yang, C-L., Yuan, B. and Huang, C‐Y. (2015) ‘Key determinant derivations for information
technology disaster recovery site selection by the multi‐criterion decision making method’,
Sustainability, Vol. 7, No. 5, pp.6149–6188.