Business Continuity Planning

Personnel security; defending against terrorism; preventing theft; and the objectives, methods, and procedures for testing and maintaining business continuity plans are all key in the business continuity planning process.

Personnel security is everything involving employees: hiring, training, monitoring, and sometimes handling their departure. Statistics show that the most common perpetrators of significant computer crime are people who have legitimate access, or had recent access. Managing people with privileged access is an important part of a good security plan.

There are two groups of perpetrators. The first comprises people who unwittingly aid security violations by not following standard procedures, forgetting, or not understanding what they are doing. The second group includes individuals who knowingly and unknowingly contribute to your security problems; these are most often your own users.

Covering every way to mitigate these problems could take volumes, so we will summarize some of the more prevalent mitigation techniques:

Background checks: At the least, check all references given, determine reasons for leaving, determine dates, and check gaps in records. Stories abound of gaps claimed as time spent as an independent consultant when the applicant was in prison. Check claims of educational achievement and certification; stories abound of applicants claiming to have graduated from prestigious universities, or holding degrees from universities that operate out of PO boxes. For intensive investigations, do drug checks, hire an investigative agency, get a criminal record check, and check credit files. Ask the applicant to obtain bonding for this position. You need to inform applicants of intensive investigations and obtain approval. Most problem candidates will walk away. You do not need to do these checks for all employees, only for those in positions of trust or with privileged access. This includes maintenance and cleaning personnel.

Initial Training: Fundamental training for all employees on security policy, e.g., procedures for password selection and use, physical access to computers, backup procedures, dial-in policies, and policies for divulging information over the phone. Executives of companies should be included; security consciousness flows from the top down, not from the bottom up.

Ongoing Training/Awareness: Users should periodically be trained and refreshed on information security and policies. You may wish to employ various methods of good practice, such as periodic messages of the day with tips and reminders, or other events, to keep security from fading into the background.

Performance Reviews and Monitoring: Staff performance should be reviewed periodically, and staff should be given credit and rewarded for professional growth and good practice. Avoid situations where staff feel overworked. Overtime must be the exception and not the rule, and adequate vacation and holiday time should be given to those in critical positions.

Auditing Access: Ensure that auditing of access to equipment and data is enabled. Many instances of computer abuse are spontaneous, and a malefactor might be discouraged by knowing that access is audited.

Least Privilege & Separation of Duties: This time-tested technique should be employed wherever practicable in your organization.
o Least privilege: this principle states that you give each person the minimum access necessary to do his or her job. This restriction is both logical (access to accounts, networks, programs) and physical (access to computers, backup tapes, and other peripherals).
o Separation of duties: this principle states that you should separate duties so that people involved in checking for inappropriate use are not also capable of making such inappropriate use. Having all the security functions and audit responsibilities reside in the same person is dangerous.

Outside visitors/contractors: Someone with temporary access should fall under the same scrutiny and be accompanied while working, and at the least should not be allowed unrestricted physical access to your computer and network equipment.

Departures: When key people leave, a set of actions or a policy needs to be carried out for shutting down accounts, changing passwords, forwarding e-mail, removing phone numbers and access to systems, etc. In the financial services industries the departure may be sudden, with the locks and passwords changed and a security guard waiting with a box containing everything in the person's desk.

Computers are small and valuable and are easily stolen and sold. You should protect your computer investment with physical measures such as locks and bolts or secure rooms and closets. If your computer is stolen, the information it contains will be available to the new owners. They may read it, sell sensitive information, use it to compromise other computers, or use it for blackmail.

Hardware theft is also a common problem, especially at universities, which have suffered a rash of thefts of RAM and CPUs. These components are easily sold on the open market and are untraceable. Thieves may steal only some of the RAM inside a computer, and months may pass before the theft is noticed.

The real expense is the theft of corporate information, secrets and plans that may help your competitors. You can never make something impossible to steal, but you can make the stolen information useless by encrypting it; therefore, sensitive information should be encrypted using an encryption system that is difficult to break.

If your business is located in a region with
political strife or may be prone to terrorism, you may want to consider
additional structural protection for the computer room or devise a system of
hot backups and mirrored disks and servers.
With a fast network you can arrange for files stored on your system to
be simultaneously copied to another system in another part of the world. A tank or suicide bomber may destroy your
computer center but your data will be safely protected.
A plan may change over time due to changes in the business environment, in business practice, or in personnel. Key members of the BCP may change jobs, new products and processes may be introduced, and government regulations may require changes. All these impact the BCP.

The main purpose of testing is to verify that your BCP works, to be assured that all the right people are involved, and to determine whether incremental changes in the business environment have been properly incorporated into the BCP.

Participants to include are the disaster recovery
administrator, coordinator, team managers and alternates and other people
critical to the disaster recovery process.
Testing should be done at least on an annual basis,
and more often depending on changes in law or your business environment.
Testing the plan may be accomplished by a variety of
methods, which include:
Checklist Testing: The recovery teams determine whether key components are current and available, e.g., supplies are adequate, telephone numbers are current, and manuals and operational procedures are available.

Walk-Through Testing: The recovery team actually goes through the steps identified in the BCP.

Simulation Testing: The disaster recovery team simulates a disaster after business hours and rehearses.

Parallel Testing: May be performed at the same time as Checklist or Simulation testing. In parallel testing, backups at hot sites are activated, brought current, and checked against the actual data produced by the live site for that day.

Full-Interruption Testing: Activates the total BCP and is disruptive to the business. Various disaster scenarios may be planned beforehand and rehearsed during this testing. The performance of the people responsible for carrying out the various disaster recovery procedures may be measured and evaluated.

The basic elements of a good business continuity plan have been agreed internationally between the UK and the US in the ten certification standards described by the Business Continuity Institute:
1. Project initiation and management
2. Risk evaluation and control
3. Business impact analysis
4. Developing business continuity strategies
5. Emergency response and operations
6. Developing and implementing business continuity plans
7. Awareness and training programs
8. Maintaining and exercising business continuity plans
9. Public relations and crisis co-ordination
10. Co-ordination with public authorities

1) Project Initiation and Management
The initial phase begins with forming the initial teams, with support from upper management, for disaster recovery planning, as covered in the first few chapters of your text.

2) Risk Evaluation and Control
Determining the risks associated with various threats and how management decides to control these risks with fixes, mitigation techniques, etc.

3) Business Impact Analysis
Determining which critical business processes are affected by the risks identified in item two and developing a priority list or category of business processes to protect.

4) Developing Business Continuity Strategies
In the process of developing strategies for business continuity we must consider the following:
o What are the available alternatives, their advantages, disadvantages, and cost ranges? (hot site, cold site, rental, purchase, rebuild, do without)
o Identify viable recovery strategies with business functional areas.
o Consolidate strategies.
o Identify off-site storage requirements and alternative facilities.
o Develop business unit consensus.
o Present strategies to management to obtain commitment.

5) Emergency Response and Operations
Develop and implement procedures for responding to and stabilizing the situation following an incident or event, including establishing and managing an emergency operations center to be used as a command center during the emergency. Some things you need to do:
o Identify potential types of emergencies (e.g., prolonged power outages, fire, flood, hazardous materials leak) and the responses needed.
o Identify the existence of appropriate emergency response procedures.
o Recommend the development of emergency procedures where none exist.
o Integrate disaster recovery / business continuity procedures with emergency response procedures.
o Identify the command and control requirements of managing an emergency.
o Recommend the development of command and control procedures to define roles, authority, and communications processes for managing an emergency.
o Ensure emergency response procedures are integrated with requirements of public authorities.

6) Developing and Implementing Business Continuity Plans
This step is to design, develop, and implement the business continuity plan that provides recovery within the recovery time objective. While this step may sometimes seem like a daunting task, it is not as difficult as it seems. It just takes the first step and the rest will follow: build it and they will come.
o Identify the components of the planning process.
o Control the planning process and produce the plan.
o Implement the plan. (As the Nike commercial says, just do it!)
o Test the plan. (This is critical; without testing, the plan is not worth the paper it is written on. Expect to fail at first. This is normal! The point is to identify all the issues that caused failure. The important task here is to remedy the problems and test again! It may take two or three attempts before having a successful test.)
o Maintain the plan. (Maintenance is also crucial to continual success. Even if you have had a successful test in the past, it is critical to update the plan continually and to maintain at least one test annually; two tests per year is better. Technology and software change very rapidly, so the more often you test, the more likely you will be able to incorporate these changes and be prepared in the unlikely event a disaster should strike!)

7) Awareness and Training Programs
Preparing a program to create corporate awareness and enhance the skills required to develop, implement, maintain, and execute the business continuity plan is also half of the battle. You may have a business continuity plan; however, if no one knows about it or knows what to do in case of an emergency, then the best-laid plans have no one to execute them. Training programs are essential for recovery processes to flow smoothly and to gain the support of all affected departments. Some things you can do:
o Establish objectives and components of the training program.
o Identify functional training requirements.
o Develop training methodology.
o Develop awareness program.
o Acquire or develop training aids.
o Identify external training opportunities.
o Identify vehicles for corporate awareness.

8) Maintaining and Exercising Business Continuity Plans (BCP)
Environmental changes, new products, new policies and new procedures may make a BCP obsolete or in need of revision, as may personnel who forget or lose interest in critical parts of the plan or who depart from the company. Periodic testing of the BCP is required for verification and validation purposes.

This stage is to pre-plan and coordinate plan exercises. It is also to evaluate and document plan exercise results. Develop processes to maintain the currency of continuity capabilities and the plan document in accordance with the organization's strategic direction. Verify that the plan will prove effective by comparison with a suitable standard, and report results in a clear and concise manner. Tasks to perform:
o Pre-plan the exercises.
o Co-ordinate the exercises.
o Evaluate the exercise plans.
o Exercise the plans.
o Document the results.
o Evaluate the results.
o Report results / evaluation to management.
o Understand strategic directions of the business.
o Attend strategic planning meetings.
o Co-ordinate plan maintenance.
o Assist in establishing audit program for the business continuity plan.

9) Public Relations and Crisis Coordination
This step is to coordinate, evaluate and exercise plans to handle the media during crisis situations. One must consider trauma counseling for employees and their families, key customers, critical suppliers, owners/stockholders, and corporate management during a crisis. Priests, ministers, counselors and psychologists may be hired to help families who have lost loved ones in a disaster through the grieving process. Ensure all stakeholders are kept informed on an as-needed basis. Law firms may need to be hired to protect your company's assets against undue liabilities, etc. Tasks to be performed include:
o Establish public relations program for proactive crisis management.
o Establish necessary crisis co-ordination with external agencies.
o Establish essential crisis communications with relevant stakeholder groups.
o Establish and test media handling plans for the organization and its business units.

It is important that all members of your company know to whom to refer the press for information. A single consistent source for company updates will help to streamline status communications.

10) Coordination with Public Authorities
It is helpful to establish applicable procedures and policies for coordinating continuity and restoration activities with local authorities while ensuring compliance with applicable statutes or regulations. Tasks that aid in this endeavor are as follows:
o Co-ordinate emergency preparations, response, recovery, resumption, and restoration procedures with public authorities.
o Establish liaison procedures for emergency / disaster scenarios.
o Maintain current knowledge of laws and regulations concerning emergency procedures.

Developing and maintaining a Business Continuity Plan is essential to provide complete management of IT. Neglecting to provide BCP is legal negligence. BCP can be performed even within a very small company that may use only one computer. It is not the size or complexity of IT that dictates the need for BCP; it is the need to survive loss of electronic data and access to that data. BCP may be as simple as copying your home computer files to a floppy or as extensive as developing hot sites. The essential thing is that a recovery plan is made and tested one way or the other.

As mentioned previously, most large organizations have a two-level disaster recovery plan. The first level is in house; when they design networks they build in the necessary redundancy and have the spare equipment to handle minor disasters. The second level is to rely on professional disaster recovery firms to provide second-level support for major disasters. These professional disaster recovery companies provide a full range of services; the simplest is offsite storage of backup data and applications. Full services may include a complete hot site with the organization's entire data and applications stored and ready to operate within hours. These are not cheap, but compared to the millions of dollars that may be lost by not operating, they may be a bargain.

In the Verification and Validation phase, on completion of the disaster recovery testing, the disaster recovery team should review the results to ensure they are adequate. Team members should evaluate the results for, e.g., time to perform activities, accuracy, amount of work completed, etc. This evaluation will most likely lead to revisions of the BCP. After revisions to the plan, upper management should review it before acceptance.

Contact HarvestSoft now to lead you cost-effectively through your Business Continuity Planning!