
Disaster Recovery and Business Continuity with E-Commerce Businesses
Eric Palmer
IS 8300 Disaster Recovery/Business Continuity Planning
Summer 2012

Abstract:

Disaster Recovery and Business Continuity Planning has been an important part of business
survival ever since the mid-70s. The problem with e-commerce businesses is that plans are often
insufficient for the demands of today. In this research paper, Disaster Recovery and Business
Continuity with E-Commerce is examined by analyzing how top management helps with
planning, the methods that are used in planning, and how to ensure business continuity. This
research details that without planning for disasters or business continuity, a company might be
permanently crippled and might not survive. E-commerce businesses must have disaster recovery
and business continuity plans to comply with regulations, mandates, and laws, and to ensure that
the company will continue to prosper.

Introduction:

Plan making is essential for every aspect of the world. Sun Tzu wrote “The Art of War”, in which
he describes Laying Plans as “a matter of life and death, a road either to safety or to ruin… a
subject that cannot be neglected”. Just as Sun Tzu emphasized planning for war, businesses must
plan as well. E-commerce businesses are becoming very popular and plans are necessary for their
survival. An e-commerce business must know how to run its business and also how to protect it.
An e-commerce business needs to protect itself from a number of incidents and disasters ranging
from hacks to natural disasters, and it must know what to do when these incidents happen.
Businesses in Japan would not have been able to repair themselves as quickly if they didn’t have
a disaster recovery plan entailing what to do when a disaster occurred. Beyond knowing what to
do if a disaster happens is knowing what should be done to resume normal business operations.
This planning is known as Business Continuity Planning.

This research paper will examine how important Disaster Recovery and Business Continuity
Planning are to E-Commerce Businesses. It will discuss how plans came to be through their
history, why top management is necessary, the seven tiers of disaster recovery, planning
regulations, the threat of business discontinuity, how to ensure business continuity, the
importance of a good team, and the cyclic approach to planning.

History of Disaster Recovery and Business Continuity:

The history of Disaster Recovery and Business Continuity goes back to the mid-70s. It
was a long road to where Disaster Recovery Planning and Business Continuity Planning are
today. The history can be described in four phases: the emerging legislation phase, the emerging
standards phase, the post-9/11 phase, and the internationalization phase.

The emerging legislation phase was the time between the mid-70s and the mid-90s. It was the time
of legislation for the healthcare, government, and finance sectors of the economy. One of the
laws passed during this time was the US Foreign Corrupt Practices Act. The FCPA was
enacted to prevent and prosecute bribery of foreign officials and required the
protection of important company records from being destroyed (Herbane, 2010). This act dealt
with interaction during a crisis from error or an illegal act that could hurt the organization.

The emerging standards phase was between the 1990s and 2001. It saw the development of
COBIT 4.0. It was developed by the IT Governance Institution and the Information Systems
Audit and Control Association, and was a standard of practices and guidelines to ensure
continuous services to an organization. This was when Business Continuity Management was
determined to be a solution (Herbane, 2010). The National Fire Protection Association’s 1600
standard dealt with the management and business continuity for fires. It developed code
standards, procedures, and training, for international and U.S. organizations (Herbane, 2010).
This phase had two characteristics: standards could be revised and modernized, and standards
transformed into international standards through the development of the ISO/IEC (Herbane,
2010).

The post-9/11 phase was the time after the terrorist attacks on the World Trade Center in
September 2001. It was one of the worst crises that governments, businesses, and organizations
faced due to the casualties, denial of access to buildings, and not being able to communicate with
information systems (Herbane, 2010). 9/11 impacted financial services, government agencies,
utility providers, media, business services, and aviation (Herbane, 2010). In the aftermath,
business continuity and disaster planning included preparedness for human losses,
psychological impacts, and vulnerabilities from multi-function sites (Herbane, 2010).

The years 2006 to 2010 marked the internationalization phase. It started the standards and
guidelines that went beyond a single nation or industry to other countries. Standards and
guidelines emerged in this phase to recognize that collaboration between organizations in a
crisis is important in keeping up with the quality and standard practices that are required in an
international market (Herbane, 2010).

Importance of Planning with Top Management and I.S. Managers:

Disasters occur all around the world, claiming lives, destroying homes, and crippling businesses.
Hurricanes, floods, fires, and earthquakes are examples of disasters that a company might face.
These disasters destroy company information systems, which often results in the termination of
business operations (Wong, 1994). Small to midsized companies are threatened by disasters and
a large percentage of these companies never resume operations in the event of a serious
catastrophe (Wong, 1994). Larger companies can be weakened so badly that permanent damage
results in permanent closure within a few years after an event. Companies need to realize that
Disaster Recovery Planning is critical for their survival. Top Management and Information
System Managers must actively participate in the development of a Disaster Recovery Plan.

When making a Disaster Recovery Plan, it is important that Top Management in a company is
committed. Top Management is vital to the success of any disaster recovery plan (Wong, 1994).
It is the role of IS managers to make sure that Top Management is committed from the get-go and
to address the potential costs of avoiding a Disaster Recovery Plan (Wong, 1994).

A Disaster Response coordinator is chosen and is responsible for strategic development of
recovery processes and plan testing. The Disaster Recovery Coordinator then must form a
planning committee that represents the departments throughout the company (Wong, 1994). Each
committee member is given the responsibility for developing emergency procedures within their
department.

Risk Assessment and Impact Analysis is the next step in developing a Disaster Recovery Plan. A
planning committee will determine how long a company can operate without computer support
(Wong, 1994). In the Assessment, all factors such as hardware, software, and human errors are
taken into account along with natural disasters. The Impact Analysis is formed through
interviews with management of each functional area of a company (Wong, 1994). This Analysis
details which segments are prone to disaster, the costs to protect them, and the impact on each
(Wong, 1994).

The Coordinator must rank Information Systems applications by need for recovery if a disaster
occurs. All applications should be classified into levels of tolerance such as “Critical”, “Vital”,
“Sensitive”, and “Noncritical” (Wong, 1994). After everything is prioritized, the type of
Disaster Recovery Plan to use needs to be decided upon. The company needs to
decide on the plan and what trade-off is necessary for the company, for example, balancing
reducing risk against not spending an excessive amount on a Disaster Recovery Plan.

Vendors need to be selected and contracts developed once the recovery plan is selected (Wong,
1994). A vendor needs to be chosen by considering which one has the best reputation, reliability,
flexibility, and offering. A good vendor will be able to support current applications and allow for
growth (Wong, 1994). Getting a good vendor is necessary so that processing can be taken over in
the event of a disaster. Contracts need to be clear, stating the duration, termination
conditions, testing issues, system procedures, service levels, costs, and other issues of the
agreement (Wong, 1994).

Top Management, the planning committee, vendors, and end users are then involved in developing
and implementing the plan. Communication is extremely important in this phase and must be
channeled efficiently through all departments of a company. After the Plan is completed it must
be tested or it is essentially of no value to the company (Wong, 1994). Testing procedures and
review processes must be followed to correct any problems and add improvements. Last, the plan
must be continually updated and tested to meet the demands of developing technology and
current laws.

Seven Tiers of Disaster Recovery:

Disaster Recovery Planning can be a very costly process and many companies strive to have the
highest level of coverage at the lowest possible cost. In 1992, the SHARE user group and
IBM defined the Disaster Recovery Tier Levels (Warrick, 2003). The purpose was to quantify
different methodologies for successful Disaster Recovery Planning implementations. The tier
model is extremely useful for describing Disaster Recovery capabilities and needs to be updated
only to meet specific Disaster Recovery technologies (Warrick, 2003). The Seven Tiers define the
current service level, current risk, and the target service level and target environment (Warrick,
2003).

Tier 0 represents no off-site data. This Tier includes businesses that have no disaster recovery
plan. In an e-commerce business at Tier 0, no information is saved, no documentation is saved,
there is no backup hardware, and there is no contingency plan of any sort. It is almost
impossible for an e-commerce business to be at Tier 0 because of various laws and
regulations. In the event of a disaster, the recovery time is unknown and the business may not be
able to recover at all (Warrick, 2003).

Tier 1 represents Data Backup with no Hot Site. Businesses in this tier have all their data backed
up to an off-site location. The effectiveness of this Tier is determined by how often backups are
made and the number of days of data the business can lose. This Tier has backups but no way to
restore (Warrick, 2003).

Tier 2 represents Data Backup with a hot site. This Tier has regular backups on tape,
combined with an off-site location and infrastructure called a hot site. A hot site is where systems
can be restored from tapes in the event of a disaster. The recovery time in this Tier is less
unpredictable, but will result in several hours of time recreating data (Warrick, 2003).

Tier 3 involves Electronic Vaulting. This Tier uses Tier 2 solutions and adds mission critical data
that is electronically vaulted (Warrick, 2003). Electronically Vaulted data is more current and
results in less data recreation after the event of a disaster (Warrick, 2003).

Tier 4 is Point-in-Time copies. This Tier is necessary for businesses that demand faster recovery
and greater data currency. It incorporates disk-based solutions instead of tape as in the lower
Tiers. It’s easier to make point-in-time copies than with tape-based solutions. Several hours of
data reproduction still may be required (Warrick, 2003).

Tier 5 involves Transaction integrity. This Tier is necessary for businesses that need data
consistency between production and recovery data centers. There is hardly any data loss in this
tier (Warrick, 2003).

Tier 6 is when there is little or no data loss. This tier has the highest level of data currency and
is used by businesses that have little tolerance for data loss and need to restore data frequently.

Tier 7 is highly automated, business-integrated solutions. This Tier includes all the
components of Tier 6 with the addition of automation. It automatically recovers applications,
which allows restoration of systems to be much faster and more reliable (Warrick, 2003).

Regulating disaster recovery:

Disaster Recovery and Business Continuity Planning was once optional. Today new regulations
and mandates have made not having a plan more costly (Dimartini, 1997). Most
companies associate Disaster Recovery Planning with natural disasters: operations being
disrupted by acts of nature. Many auditors fail to realize that neglecting a good plan could be just
as costly and as damaging as the damage from a storm itself. Auditors are also often now aware
of what might result from non-compliance with laws and regulations that govern disaster
recovery planning. Companies might face lawsuits and fines for negligence if a solid plan was
never put in place (Dimartini, 1997). Besides internal factors, there are external factors beyond
the law. Disaster Recovery planning is important in doing business with others; many
associations require accreditation to maintain contingency plans, and it has become a common
item that business partners look for.

There are different requirements for Disaster Recovery depending on the industry that a
business is in. An e-commerce business would have different laws and mandates from a banking
or healthcare business. However, because online transactions involve the information
of customers and other business partners, there are some regulations. The Consumer Credit
Protection Acts address electronic funds transfers and cover industries that use point of sale
transfers, automated teller machines, and funds transferred by telephone (Dimartini, 1997).
E-commerce would fall into this because it facilitates an electronic payment that results in a
debit or credit to a consumer account. The regulation makes sure that e-commerce businesses use
due diligence to mitigate the effects of a disaster on critical business operations (Dimartini, 1997).
Information Security is an important part of Disaster Recovery. Increased attention in European
organizations follows the Code of Practice for Information Security Management. This serves to
measure the practice in establishing a secure information environment (Dimartini, 1997).

The other regulations affect the liability of executives for missed opportunities when dealing
with business partners. The Foreign Corrupt Practices Act of 1977 makes sure shareholders are
assured that company assets and records are properly maintained and protected (Dimartini, 1997).
These record keeping requirements include information such as important records and
intellectual capital that can affect market share and “good will” (Dimartini, 1997). Failure to
comply with these regulations may result in prosecution due to any prolonged business
interruption. Managers may face fines up to $10,000, and corporate fines of up to $1,000,000. In
some cases there is a maximum prison term up to five years (Dimartini, 1997).

Risk of Business Discontinuity:

Most people think of computer breakdowns, terrorist attacks, or natural disasters when
they think of Disaster Recovery or Business Continuity. Those only scrape the surface, and
many don’t think about what will happen if normal business operations are discontinued.

In 2005, Hurricane Katrina crippled businesses and universities in New Orleans, Louisiana. Most
of the problems came from the fact that many had poor disaster recovery plans (Omar, 2011). A
number of businesses lost important records and information from years of being in business.
New Disaster Recovery plans needed to be developed along with business continuity planning to
make sure that if a disaster of the magnitude of Hurricane Katrina occurred, businesses would
still be able to operate (Omar, 2011). Small businesses made up most of the economy in New
Orleans and, due to local stores being destroyed, many started up their own e-commerce solutions.
E-commerce was one of the main kinds of business that survived the disaster, but it still had a
hard time staying in business (Kwun, 2010).

There is strategic value in e-commerce. The value of e-commerce after the disaster showed a
number of potential benefits, which include an increase in customers, better service, and an
increase in profits (Kwun, 2010). The benefit of an e-commerce business is driven by four factors:
transaction efficiency, complementarities, lock-in, and novelty (Kwun, 2010). E-commerce in
New Orleans was a solution to the disaster recovery, but the issue was now with Business
Continuity, and that required an entirely different set of planning (Kwun, 2010).

Business continuity has developed a lot since the days when contingency planning was focused on
recovery of computer systems. Business continuity planning grew out of the recognition
that Disaster Recovery Planning would be ineffective without it (Kubitscheck, 2001).
Business continuity is important for a company to cope with specific incidents and ensure
the company’s survival. However, Business Continuity Management falls short of considering
risks that impact the status of a business (Kubitscheck, 2001).

Most professionals and regulators believe that the traditional approach to business continuity is
not good enough to adequately protect a business. All plans, despite having a good framework,
need to be updated and maintained on a regular basis. Complex business structures and risks from
different business practices have led businesses to consider buying Business Continuity Services
(Kubitscheck, 2001). Some of the reasons that companies buy Business Continuity Services are
dependence on e-business, failure of data backups, risk of software or hardware failure, data
security, and virus attacks (Kubitscheck, 2001). In the 21st century, the scale and speed at which
risks can happen has changed. For example, an e-commerce site can get a virus which
compromises a customer database, resulting in failure to deliver products.

Information is the main part of any e-commerce business. Information includes intellectual data,
patents, designs, and the systems on which the company’s assets run (Kubitscheck, 2001).
Protecting core assets is a given, but many organizations have neglected security due to
incompetence or new business prospects. With e-commerce, Cyber Crime is just one of the many
threats a company must face. Organizations also run the risk of losing important information
when employees leave a company. In the past an employee would have to smuggle out a copy of
sensitive information; now, with the web, important information can be spread a lot more easily
over the internet. New controls for monitoring information transfer on the internet are required
along with other controls such as contractual agreements (Kubitscheck, 2001).

The 21st century has seen a rise in outsourcing relating to the IT industry. Popular types of
activity often outsourced are payment systems and other specialized areas (Kubitscheck, 2001).
According to Business Continuity Systems Consultants, the most common cause of business
disruption is from contracts. Few organizations require contractors to have safety procedures.
Outsourcing needs to be thought through carefully and included in Business Continuity
Planning.

Good news spreads fast but bad news spreads much faster. It is important to have a BCP to ensure
business is operational and that there is no downtime. The goal is to make sure no one outside of
the company notices any issues that a company may have faced. Reputation risk is high on the
agenda of traditional business continuity management (Kubitscheck, 2001). Businesses must
keep a close eye on the temperament of their key stakeholders to maintain continuity of the
business (Kubitscheck, 2001). If stakeholder confidence is lost, a company might be on a path
to great financial losses. External risks must be determined and a company must be able to
continue operations after managing major incidents on short notice. Vulnerabilities need to be
assessed and tested for to ensure a quick recovery.

Business Continuity Planning Keeps You In Business:

The global market has created new forms of business operations and organizations are starting to
recognize and address their vulnerabilities. Business Continuity should not be confused with
disaster response planning; they sound similar but they are greatly different.

Disaster Response planning is a response to a specific event, for example an earthquake. This
type of plan is considered “Tactical” (Morganti, 2002). Disaster Planning and Emergency
Response Planning are also very similar. Disaster Planning is usually the preparation for incidents
such as storms, earthquakes and floods. Emergency Response Planning often deals with specific
incidents such as fires, explosions, or power outages (Morganti, 2002). The Tactical Disaster
Response Plans and Emergency Response Plans are very different from the Strategic Business
Continuity Plans.

Business Continuity Plans are plans to keep a business up and running after it has been
damaged (Morganti, 2002). The entire point of Business Continuity is to prepare for the worst
case scenario in e-commerce, which is damage to the site itself. Damage could be from small
errors in the system, human mistakes, or natural hazards (Morganti, 2002). A halt of operations
from such a scenario, even if it is brief, might cripple an e-commerce business. The physical
damage is not the main issue; the halt of product flow is. This is why a good plan must be in
place to ensure a quick recovery.

The first step of a Business Continuity Plan is the Planning phase. This phase is the most time
consuming and difficult and involves a number of steps. An organization needs to have realistic
goals and objectives, and the best place to start is by asking the Chief Information Officer or the
Chief Financial Officer what their tolerance for loss in dollars and their tolerance for allowable
downtime are (Morganti, 2002). The leader of a Business Continuity Plan will serve as a
facilitator in the plan but must assign responsibilities for all key functions of an e-commerce
site. All plans need to be reviewed frequently and backup plans developed.

Assess risks and threats using information available through a firm’s property insurance carrier
or risk management service company or by loss prevention engineering products (Morganti, 2002).
Key functions in an e-commerce site need to be identified to better focus the Business
Continuity Plan. A Business Impact Analysis needs to be conducted; it is difficult and time
consuming, but important. A Business Impact Analysis can be done through a company’s
property insurance carrier or risk management firm (Morganti, 2002). The last parts of the
planning phase are to determine budget requirements, create the plans, and determine the
training, testing, and auditing schedules (Morganti, 2002).

The phase after determining risks and threats is the prevention and control phase. This phase
serves to make sure that the possibility of threats is reduced through prevention, control, and
mitigation (Morganti, 2002). This phase is often not given as much attention as needed; a
Business Continuity Plan needs to identify hazards to operations and rank the
severity and probability of such an incident happening.

In the Preparation Phase, the response teams, command centers, and aid agreements are
established. This is also when “Hot Sites”, the places where computer data and programs are
transferred and run when a company has lost its own computers, are tested and audited to ensure
their effectiveness. The last part is to make sure that the BCP is always kept current; one of the
most serious problems is that organizations will spend too much money on developing a BCP and
then allow it to become outdated, making it essentially useless.

In the event that an incident occurs, go directly to the response phase. Make sure that someone
has the authority to initiate the Business Continuity Phase, so that time is not wasted determining
who has to get permission to go forward. Communication is important and a succession plan
needs to be established in case key managers happen not to be present during an incident. Many
organizations manage their response activities through an Incident Command System (Morganti,
2002). This system helps allocate resources and coordinate them effectively by monitoring a single
incident command official (Morganti, 2002). The final stage is the Restoration Phase; it looks at
continuing operations, rebuilding, labor requirements, and more issues.

The Business Continuity Team:

Employees are an asset and the Business Continuity Team is very important in carrying out a
Business Continuity Plan. There are six steps in building a team: identify stakeholders, form the
team, clarify and agree on objectives, define roles and responsibilities with a work plan, identify
engagement processes, and update business continuity policy (Lam, 2002).

An e-commerce team is made up of five key groups of stakeholders. Executives are stakeholders
who must know why e-commerce is important in order to get key resources such as money and
employees. Marketing stakeholders will deal with organization branding and B2B e-commerce
marketing (Lam, 2002). Sales stakeholders ensure that the site accurately reflects
sales arrangements offered to customers. IT stakeholders are important because they play a role
in making sure e-commerce systems integrate properly with ERP and Back-End Systems (Lam,
2002). The last important stakeholder group is Operations. Operations makes sure that an
e-commerce business will be efficient and watches out for obstacles (Lam, 2002).

Once the key stakeholders have been identified in an e-commerce business, the Business
Continuity Team needs to be developed. The Team must be ready to manage an incident and to
commence any business continuity plan that is in place (Lam, 2002). There are several roles that
are common in a team and they should be made up of individuals who have held existing roles of
responsibility so that they are familiar with the business and Information Technology practices
(Lam, 2002).

The business continuity manager is the first contact who manages an incident, initiates a business
continuity plan, gets the team mobilized, and confers with business owners. All key decisions
about how to handle the incidents are made by the business owner. The technical service manager
manages issues with infrastructure, initiates continuity arrangements, and talks to business
continuity providers (Lam, 2002). An estate manager manages incidents related to the
environment that surrounds the e-commerce business, such as offices and buildings (Lam, 2002).
The business operations and customer services manager deals with business operations and
customer services, keeps customers informed if there is a noticeable impact that customers
should be informed of, and also arranges with business continuity service providers (Lam, 2002).
The last role is the recovery manager, and this role involves guiding the business from the
recovery state to normal business operations (Lam, 2002).

Cyclic Approach to Implementing a Business Continuity Planning:

In a traditional plan, a company must consider all planning phases whether a company is large or
small (Botha, 2004). There are seven phases that an e-commerce company must carry out. The
Project Planning phase incorporates all activities that will make sure a Business Continuity Plan
Project is planned properly (Botha, 2004). The Business Impact Analysis phase determines
important business processes, which are then analyzed to determine the impact that various
disasters may have (Botha, 2004). The Business Continuity Strategies phase identifies the
strategies that focus on business continuity and recovery. The Continuity Strategies
Implementation phase is when each strategy is defined and detailed in functional plans that
correspond to different scenarios (Botha, 2004). The last three phases are the Continuity
Training, Testing, and Maintenance phases.

The phases that are part of the seven-phase continuity planning methodology can be partially or
entirely implemented. Many small to medium sized companies have a hard time affording the
time and money that goes into these phases, so there is a different implementation methodology
that can be used called the “Cyclic Approach”. This approach is good to use when a project is
large but there is limited workforce and funding (Botha, 2004). By dividing the work into four
different cycles, a company is able to implement a BCP. The Cyclic approach is made up of four
cycles: the backup cycle, the disaster recovery cycle, the contingency planning cycle, and the
business continuity planning cycle. Each stage is separated from the next phase (Botha, 2004).

The backup cycle lays the foundation for recovery for an e-commerce business. It is often
almost impossible to recover if an organization has lost access to its data after a disaster (Botha,
2004). All project planning activities need to be carried out, given that this is the first cycle. BIA
activities follow the project planning. All analysis activities must be performed during the
backup cycle to ensure that critical data is identified and is continually available (Botha, 2004).
Data is kept continually available by having regular backups and off-site storage (Botha, 2004).
Teams must be determined and then training and testing must be carried out.

The Disaster Recovery Cycle’s main objective is to make sure that IT can recover efficiently
after a disaster. Project Planning activities are included in the cycle and it is important that
management commitment is obtained (Botha, 2004). Employees and people working on the plan
need to be made aware of the disaster recovery cycle concepts, schedules, and milestones. The
BIA must be conducted again for this cycle, making sure all processes and supporting resources
are identified and prioritized (Botha, 2004). Recovery strategies and recovery time frames are
identified along with emergency response procedures. The last part of the cycle is training,
testing, and maintenance.

The Contingency planning cycle concentrates on the continuity of each business process. Many
steps here are the same as in the Disaster Recovery Cycle; it starts with planning. Management
must support decisions and hold meetings to determine which parts of the cycle project
participants must be a part of (Botha, 2004). The BIA review is done again in this cycle along with
strategy implementation, process continuity procedures, and team identification. Training,
Testing, and Maintenance are done last.

The last cycle is the continuity planning cycle. At this point the Business Continuity Plan should
almost be completed, and the cycle concentrates on recovery and business process continuation as
a whole (Botha, 2004). Planning is completed once again, and management is required to commit to
decisions. A final orientation meeting is required to discuss cycle prospects and schedules (Botha,
2004). Activities need to be completed such as insurance coverage review, public relations
preparation, and emergency resource identification. The remaining group of teams for activities
needs to be identified, and last come training, testing, and maintenance (Botha, 2004).

Conclusion:

E-commerce is the form of business that will replace the traditional mom and pop retail stores of
the past. E-commerce may be easier to set up than a traditional store or business, but it must be
protected by in-depth planning. Planning for disasters and how to keep a business running must
be done, or business failure is imminent. It’s not a matter of whether a disaster will happen, it’s a
matter of when it will happen, and a good plan will mean survival or death. This paper discussed
how current planning came to be from various developments starting back in the 70s. The tiers of
disaster recovery section discussed the different tiers a business falls under, determined by its
level of protection and planning. New laws and mandates mean that planning might have been
optional in the past, but for e-commerce sites, there are requirements that every e-commerce
business must follow. The section on business discontinuity talked about how businesses may be
permanently damaged depending on how long operations cease, and often never recover.
Cooperation with Top Management is necessary in the planning process to make sure everything
runs smoothly. The development of a good team for developing and acting on plans is an
extremely important and necessary part of Disaster Recovery and Business Continuity. The cyclic
approach to planning section discussed that there are other, more efficient ways of planning that
may be a better option for smaller businesses. This research paper’s goal was to discuss why
e-commerce is important and how planning is necessary. Just like the sayings of Sun Tzu,
e-commerce businesses must know that there is nothing more valuable than a well-made plan.

Resources:

Botha, J., & Rossouw, V. S. (2004). A cyclic approach to business continuity
planning. Information Management & Computer Security, 12(4), 328-337. Retrieved
from http://search.proquest.com/docview/212336533?accountid=11824

Dimartini, W., & McNally, P. (1997). Regulating disaster recovery. The Internal Auditor, 54(6),
42-52. Retrieved from http://search.proquest.com/docview/202733832?accountid=11824

Herbane, Brahim. "The Evolution Of Business Continuity Management: A Historical Review of
Practices And Drivers." Business History 52.6 (2010): 978-1002. Business Source
Complete. Web. 10 July 2012.

Kubitscheck, V. (2001). Business discontinuity--a risk too far. Balance Sheet, 9(3), 33-38.
Retrieved from http://search.proquest.com/docview/204694871?accountid=11824

Savage, M. (2002). Business continuity planning. Work Study, 51(4), 254-254. Retrieved
from http://search.proquest.com/docview/218379547?accountid=11824

Kwun, O., Nickels, D., Alijani, G. S., & Omar, A. (2010). The perceived strategic value of
E-commerce in the face of natural disaster: E-commerce adoption by small businesses in
post-katrina new orleans. International Journal of Entrepreneurship, 14, 71-84. Retrieved
from http://search.proquest.com/docview/763150980?accountid=11824

Lam, W. (2002). Ensuring business continuity. IT Professional Magazine, 4(3), 19-25.
doi:10.1109/MITP.2002.1008533

Morganti, M. (2002). A business continuity plan keeps you in business. Professional
Safety, 47(1), 19-19,56+. Retrieved from
http://search.proquest.com/docview/200407883?accountid=11824

Omar, A., Alijani, D., & Mason, R. (2011). Information technology disaster recovery plan: Case
study. Academy of Strategic Management Journal, 10(2), 127-141. Retrieved from
http://search.proquest.com/docview/886538620?accountid=11824

Warrick, Cathy. "Seven Tiers of Disaster Recovery." IBM Redbooks. N.p., 16 Dec. 2003. Web. 10
July 2012. <http://www.redbooks.ibm.com/abstracts/tips0340.html>.

Wong, B. K., Monaco, J. A., & Sellaro, C. L. (1994). Disaster recovery planning: Suggestions to
top management and information systems managers. Journal of Systems
Management, 45(5), 28-28. Retrieved from
http://search.proquest.com/docview/199819765?accountid=11824
