Disaster Recovery Planning

 

 

Introduction

Due to the tragic events that occurred on September 11, 2001 more attention is focused on security, at airports, public and sporting events such as the Olympics, etc., and of course security of computer systems.

 

Disaster recovery as seen in New York was stymied by the fact that the city of New York had its emergency response center located inside of the World Trade Center.This was the first time in the history of the US stock market that a disaster caused it to be closed for a period of two weeks.

 

The role of security, and disaster recovery/business resumption planning in an organization has taken on a new urgency in the business world, and the government with the creation of the Department of Homeland Security.

 

Security of Critical Business Information Processes

As businesses automate core functions, they gain competitive advantages over their competitors that may be doing similar tasks manually. Automating core and critical business functions should increase the profit of a business, if it is carried out in a cost effective manner with the proper security. As business functions are automated to increase efficiencies, the revenues per employee should continue to rise along with its stock price. As output of a company rises from automation, the efficiencies create a win-win situation for the company and our economy.

 

The need for better and faster computing technologies incorporated into the business infrastructure continues at a fast pace, as our society and economy becomes increasingly information based.

 

Businesses need to examine and plan their computer technology security very carefully as they become more dependent on automated business processes. A secure computing environment is as much a business problem as a technological problem that needs to be addressed, starting at the upper levels of management.

 

Information Security

Information Technologysecurity, Information Security (InfoSec), or computer security are synonymous terms. These terms address the areas of protecting your computing system and everything associated with it. This includes the building, terminals, printers, cabling, networks, hard disks, tapes, power sources, and your data and programs stored on these systems. Most people think of outside intruders who break into systems to steal or wreak havoc as the main danger. Outside intruders do exist and receive most of the media attention, but they are not the only or primary danger to your IT systems. There are more immediate dangers such as divulging passwords to others, failing to make back ups of critical data, accidentally spilling on or destroying equipment, or opening e-mail attachments that have viruses, which are more likely to cause problems to your IT systems on a daily basis.

 

There are three distinct aspects of computer security: secrecy or confidentiality, accuracy or integrity, and availability. Your assessment of what type of security your organization requires will influence your choice of the particular security techniques and products needed to meet those requirements.

 

Secrecy and Confidentiality

In business environments, confidentiality ensures the protection of private information, such as payroll data, as well as sensitive corporate data, such as internal memos and competitive strategy. Secrecy is important to the DoD, to protect vital assets and information from the enemy. In these environments, the other aspects, integrity or availability, may not be as important as secrecy and confidentiality.

 

Accuracy, Integrity, and Authenticity

This ensures that the system does not corrupt the information or allow any unauthorized malicious or accidental changes to it. In network communications, a related variant of accuracy known as authenticity provides a way to verify the origin of data, by determining who entered or sent it, and by recording when it was sent and received. In financial systems, this is generally the most important aspect of security.

 

Availability

This addresses the issues of keeping your computer systems hardware and software working efficiently, and the system is able to recover quickly and completely if a disaster occurs. Internet based businesses, e.g., Ebay, Yahoo, etc., regard availability as one of the most important aspects. If their servers go down, customers cannot access the company's services and products. The business grinds to a halt. Availability is important, also, for the other two aspects, because if you do not have access to your computer you do not know the status of confidentiality or accuracy.

 

The Distributed Computing Environment

Any computer that is networked has the potential to be compromised. Since most large businesses have various operating system platforms networked together, they fall into the category of a Distributed Computing Environment (DCE). As a business it is the management's responsibility to determine how much effort and money will be spent on securing the IT infrastructure and determining the risk/reward ratio that a company or organization is willing to accept.

 

Enhancing IT Security Through Planning for Disaster Recovery, Developing Security Policies, and Addressing System Vulnerabilities

Planning for disaster recovery is a serious undertaking that is required by all companies with a DCE infrastructure. This effort needs to come with a commitment from upper management. Financial resources need to be allocated with the establishment of a planning committee. Critical business processes need to be identified and a risk assessment of DCE vulnerabilities needs to be completed.

 

Security policies and strategies must address the following vulnerabilities of the IT infrastructure:

• Physical building and computer room break-ins. Intruders can break in and steal vital information. This vulnerability may be addressed with alarms, locks, guards, biometric authentication devices, i.e., fingerprints, voiceprints, and retinal scans.
• Natural disasters such as earth quakes, floods, fire, power loss, lightning, volcano activity, dust, humidity, freezing, meteorite impact, etc.. Having redundant storage and backup computing facilities removed far enough so that the natural disaster area does not impact both locations is a way to protect against this vulnerability.
• Hardware & Software improperly configured operating systems, software applications that have inherent weakness divulged or discovered, or incorrectly connected hardware components. Proper configuration of the operating systems, updating software with patches, or installing more secure applications are ways to protect against these types of vulnerabilities.
• Media-disk and tapes can be damaged or stolen. Sensitive information may remain even after deletion of files. A fix for this vulnerability is to have the proper backups of critical information and deleting all information on disks by a low level format and writing with 1's and 0's to the media, or destroying the media.
• Electronic Emanations-electronic equipment emits electromagnetic signals that may be picked up with electronic eavesdropping equipment divulging sensitive information or passwords. Buying Tempest equipment or providing adequate shielding of the IT infrastructure is a possible remedy for this vulnerability.
• Communications-computers connected to a network, cable or phone modem are vulnerable to outside penetration. Any IT equipment that is connected to a network may be penetrated given enough time or resources by an outside intruder. Installing firewalls, proxy servers, routers, honey pots, encrypting data and communications, or disconnecting your system from the network are some of the ways to achieve protection.
• Human-insiders administering your computer system are the greatest threat. Insiders may be bribed, decide to turn to a life of crime, get even with their employer, etc. Dividing sensitive operations among a group of people, doing mini-audits when key individuals are on vacation, etc., may mitigate this vulnerability.

 

Conclusion

Not incorporating secure IT into a business leads to increased business operational vulnerabilities, possible bankruptcy, and possible litigation from investors. Planning initially with support from the management to incorporate secure IT into the business infrastructure may be a small price to pay compared to potential disasters waiting to happen or paying the increased costs after your infrastructure is complete.

 

Contact HarvestSoft for your Disaster Recovery and Business Continuity Planning needs now!