Wednesday, April 30, 2014

ARTICLE: Disaster Recovery Planning And Cloud Computing

by Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV

January 2011

If you asked a group of IT practitioners or business people what cloud computing is, they would probably answer in a manner consistent with blind men trying to describe an elephant with only the sense of touch. Each would have an answer consistent with their own specific perceptions.
In fact, Public Cloud Computing is a relatively new term that has been around for only a few years and refers to the use of information technology services, infrastructure, and resources that are provided on a subscription basis. Public Cloud Computing is a Web or Internet accessed business solution where most or all of the computing infrastructure (computers, network, storage, etc.) is located away from the actual business site and is managed by a third party.
Many companies rely upon Public Cloud Computing in part or in whole for their business operations, critical and otherwise. So as we look at disaster recovery and Public Cloud Computing we are looking at a relatively new set of risks that need to be addressed to properly protect a business against unforeseen events.
Before I address the areas of concern to DR planning for public cloud computing, let me discuss the various popular forms of public cloud computing available to the business.
There are three basic types:

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)
Software as a Service (SaaS) is defined as a service based on the concept of renting software from the service provider rather than buying it individually for your business. The software is hosted on network servers which are made functionally available over the web or intranet. This service provides software on demand and is currently the most popular type of public cloud computing because of its flexibility, its ability to be scaled, and because maintenance is provided by the service provider as part of the cost of the service. There are many CRM, ERM, and unique applications that are all provided as SaaS services. With web-based services all that employees need to do is register and log in to the cloud-provided instance. The service provider hosts both the application and the data, so the business user is capable of utilizing the service from anywhere, potentially across the globe. With SaaS the service provider is responsible for all issues dealing with capacity, upgrades, security and service availability.
Platform as a Service (PaaS) is defined as a service that offers a platform for developers. The business users develop their own code and the service provider uploads that code and allows access to it on the web. The PaaS provider provides services to develop, test, deploy, host and maintain applications on their development environment. The service providers also provide various levels of support for the creation of applications. Thus PaaS offers a quicker and cheaper model for application development and delivery. The PaaS provider will manage upgrades, patches and system maintenance.
Infrastructure as a Service (IaaS) is defined as a service where the service provider delivers the computing infrastructure as a fully outsourced service. The user can purchase various components of the infrastructure according to their requirements when they need it. IaaS operates on a “Pay as you go” model, ensuring that the users pay for only what they have contracted for, such as network, computing platforms, rack space, and environmental (HVAC and power). Virtualization has enabled IaaS vendors to offer high volumes of servers to customers. IaaS users purchase access to enterprise-grade IT infrastructure and the resources and personnel to keep the infrastructure running. No application or monitoring of databases or data is provided by the hosting vendor above the OS level unless contracted at an additional cost.

Basic Flaw in the "... as a Service" Offerings
In the cloud computing definitions that are evolving, the services in the cloud are being provided by third-party providers and accessed by businesses via the internet. The resources are accessed as a service on a subscription basis. The users of the services being offered most often have very little knowledge of the technology being used, the security being deployed, the availability of the service being offered, or the operating best practices (monitoring, patching, maintenance, etc.) utilized by the service provider. The business subscribers also have little or no control over the infrastructure that supports the technology or service they are using.

How to Take Control
Under the standard of “Due Care”, and charged with the ultimate responsibility for meeting business information technology objectives or mission requirements, senior management must ensure that the services they contract, which include these “. . . as a Service” solutions, are appropriate to meet all of the necessary business requirements, including the legal, technical, financial, and operational areas.
This business continuity due diligence comes only through a thorough vetting of the “. . . as a Service” provider in several areas. I have listed some of the more important ones below.

Legal & Regulatory

  • Will the service provider meet any of your data breach notification requirements (remember, even though you are hosting, you are responsible for the data under your protection, i.e., PHI, PII, etc.)?
  • Will the provider meet data retention requirements of the business?
  • Will the provider meet the standards for data encryption and protection you require?
  • Are “Safe Harbor” needs met?
  • Are data destruction or return at end of contract well defined to meet your business requirements?
  • What is their incident management program?
  • Are they prepared to react in a timely fashion in case of any eDiscovery needs of data they store for you?

Service Availability

  • Are the facilities housing the service provider adequately secured (video surveillance, access control, etc.)?
  • Are the RPOs and RTOs consistent with the business’ requirements?
  • How often are backups taken, are they maintained off-site, and have backups and restores been tested to your satisfaction?
  • Are standard backup methods and media used, just in case the business needs to bring data back in-house?
  • Are maintenance and maintenance windows satisfactory for your operational needs?
  • What types of technical security do they employ (firewalls, virus protection, intrusion detection devices, etc.)?
  • Are their hours of operation coincident with yours?
  • If you are a global company, do they provide multilingual support?
  • Are there clear escalation procedures in case of an incident?
  • Does the vendor provide global diversity so that if one goes down another can be used in its place?

Operational

  • Do they have a current SAS 70 Type II audit findings report?
  • Have they corrected any areas of concern to your business?
  • What capacity planning do they have in place to meet the growing needs of your business?
  • What standards of practice do they adhere to (ISO 27001, BS25999, etc.)?
  • Do they have a patch management program in place and what is it? Does it meet your requirements?
  • Do their SLAs meet your business and operational requirements?

I have developed a hosting questionnaire which each “. . . as a Service” vendor is required to answer to the satisfaction of my client, and I would recommend that you do the same. Sometimes it takes a few iterations to complete the form to the satisfaction of the client, but when completed it does provide documentation of due diligence and a clearer picture of what can be expected from the service provider. If the vendor will not complete the questionnaire then it would be best to move on to another vendor, regardless of cost. If you can’t come to terms before a contract or Statement of Work is signed, it will be ten times more difficult to come to an agreement after signature.

In Summary
Now this article has only scratched the surface and provided information on the basic questions that should be asked and answered to protect businesses utilizing “. . . as a Service” providers. However, the intent of this article was to inform the reader that there are many types of “. . . as a Service” offerings and ways to reduce and/or eliminate problems that I have experienced over the last few years. The issue the article wants to impress upon the reader is one of due diligence. We as corporate or governmental IT security or business continuity experts need to make sure that our organizational leaders have the necessary information to make informed choices for the protection of critical and sensitive information. This allows them to decide between implementing adequate controls and safeguards now to protect against risks, or potentially paying later in reparations and lost confidence of those whose data they (senior management) have been entrusted to protect but have lost or allowed to be taken.

The Author
Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV has a PhD in Technology and Operations Management and is the Chief Consulting Officer for Recovery-Solutions. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of two books, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’, and author of the e-book ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. The author can be reached at Recovery-Solutions@xcellnt.com

For more information about Business Continuity, IT Disaster Recovery and Audit Training and Certification, visit www.sentryx.com or contact info@sentryx.com or call 1-800-869-8460

ARTICLE: Implementing A Good Information Security Program

The frequency and potential impacts of information security breaches are increasing. Dr. Jim Kennedy explains why and looks at what organizations can do about it.

Computer, network, and information security is based on three pillars: confidentiality, integrity, and availability. In my business as an information & cyber security, business continuity and disaster recovery consultant, I see every day how companies of various sizes and types address these three areas. Some very well, some not so well, and some really poorly.
Given all the regulations and standards (like HIPAA, SOX, NERC-CIP, FISMA, PIPEDA, etc.) developed and published over the last five years, you would think that business and government should be doing much better in securing their computing systems and network infrastructures. However, based on the on-going events prominent in the press and trade journals almost every day, this does not seem to be the case.
We continue to be informed that government agencies and private sector companies continue to have numerous cases of data leakage: a politically correct way of saying data loss, theft, or compromise. We hear about the theft of credit card and personal information and worst of all we hear of companies that have lost critical personal and health related information despite the many security controls that were supposed to be in place. Worse yet we hear of extremely large sums of monies extorted from banks and other financial institutions and also of the fragility of our power grids and gas distribution systems world-wide.
And from time-to-time the media will provide on screen experts that speak of ‘script kiddies’ or non-expert computer hackers that use pre-packaged software to break into systems without the use of their own intellect. Often the term is used in a derogatory or sarcastic fashion to denote the less than knowledgeable hacker.
So when it comes to information security, where exactly are we?

Current state
Every government entity or private enterprise business generally has a security plan in place which utilizes numerous types of controls to reduce or attempt to eliminate the adverse effects coming from security risks to their operations. For the most part there are three basic types of controls in use:

  • Technology – software and hardware used to address internal and external threats to the security of the organization.
  • Process – policies, processes, and practices to address vulnerabilities and to reduce security risks while establishing baseline standards of secure operations.
  • Ignore the vulnerability and threat.

The third control type is, disturbingly enough, used more frequently than one would think. However, I will focus on the first two types of controls which are more realistic and really do attempt to provide some safety and security for the information and/or systems being protected. In the controls of the first type (Technology) we find firewalls, intrusion detection/protection systems (IDS/IPS), virus scanning software (AV), data loss prevention systems (DLP) and malware detection software (to protect against key loggers, Trojans, and backdoors).
In the controls of the second type (Process) we find the corporate or government policies, standards of practice, and standard operating procedures.
All of these types of controls, if implemented and maintained correctly, form a good and sound basis for protecting the organization that uses them.
Yet despite the risk and vulnerability assessments, and the implementation of the above mentioned controls, security breaches and information leakage continue to rise. Why?

Failing controls
Over the last fifteen years I have been reviewing the security breach and incident reports that are collected by Verizon, AT&T, and Ponemon, amongst many others, and published yearly. My research shows that, taken as a whole, data breaches and security intrusions continue to increase year after year, despite new government regulations and laws and despite advances in technology and in the understanding of potential threats. Oh yes, we (the information/cyber security experts) have made some progress in some areas only to fall back in others.
However, one thing that I have found is that many of the breaches and intrusions which succeeded did so by attacking known vulnerabilities that had been identified and had been around for years: not from some sophisticated ‘zero-day’ attack which was unidentified and unknown until only yesterday by the security community at large. And, even more disturbing, social engineering continues to be a most successful way to begin and/or precipitate an attack.
So let’s look at why.
One simple thing to remember is that if we look at very successful predators in general (such as the lion or the cheetah) they do not attack the fastest prey or the most protected; they attack the sick, the slow, the tired, or the unwary. Why? Because it presents the least expenditure of energy with the most potential for a successful outcome or food source. So also is the case with information and cyber attacks where the predator is the hacker.
For some small and medium sized companies (and, more often than not, some very large ones) cost and manpower are always an issue. So the upgrade of hardware and software is often slow and arduous and takes time to occur. Often budgets for security software and/or hardware upgrades are sparse, or are put off in favor of more business-important priorities until security comes to the forefront of board thinking and funds can be made available. Virus software and signatures are often out of date, systems often go un-patched, and hardware is often years old and cannot run the newer, more secure operating systems. Many times hardware security devices, such as firewalls and intrusion detection systems, are implemented without giving the employees installing them, often for the first time, adequate training, making the installations improper or marginal at best. I have found many large companies that do not have proper or adequate firewall rules established prior to installation of the device, leaving holes for hackers to easily find and penetrate.
Further, I have also found from personal experience that a majority of security breaches could have been avoided if only the security policies and processes already in place and in effect were actually followed.
Companies have done a fairly good job creating policies, but a less than admirable job in ensuring that people are trained on the policies and in making sure that those policies are followed. Often a failure to comply with the policies, when uncovered, results in only a stern warning, followed by everyone going back to the ‘business as usual’ of not following the policies already in place. Many times this non-adherence to policy has resulted in the loss of thousands of personal information and/or health records or company intellectual property, and in still more cases it has acted as the vector on which hackers focused their efforts to break into the networks or systems of that agency or company.
Another big reason for the increase of security breaches and information leakage is the continuing success of social engineering (the art of manipulating people into performing actions or divulging confidential information).
Why is social engineering so successful? Because most people who work for companies or government generally want to be helpful wherever possible: that is their organization’s mantra. This is preyed upon by malicious hackers every day. To compound the problem, governments and companies spend less money and time each year on security awareness training for their employees than they do on copy paper, and hackers know it. So a caller who claims to be from Tech Support, and who says they need to fix the boss’s computer and so need his secretary to change his password to ‘ABC123’, may find a secretary who is happy to comply. Or compliance may follow when the VP of the Marketing and Sales organization gets an unsolicited phone call in which the caller indicates that they are from a virus protection firm and that they know, based on some trumped-up information, that the VP’s computer is infected, but that they will clean it up if he or she just logs into a specific web site and then relinquishes control to the tech support person on that site. Once the VP links to the site, they find minutes later that their computer has stopped working and their files have been copied and/or erased. Both of the above are actual examples from true situations that I have been called upon to investigate.
Lastly, the sophistication of hackers is also increasing. Just as many companies and government agencies purchase off-the-shelf software to accomplish normal business functions rather than develop it on their own, so do hackers. Today, less than successful hackers can purchase or acquire pre-packaged malware (such as BackTrack, Metasploit, Nmap, etc.) which is produced by very expert and knowledgeable hackers. This sophisticated ‘shrink wrap’ malware is capable of identifying what versions of hardware and software are being run on computers or network systems and what types of attacks will be successful. Would-be hackers using that knowledge, along with well-publicized known vulnerabilities, are then very capable of breaking into many computer systems and networks that are not properly protected. Hacking has become a commodity business, accomplishable by anyone capable of buying, loading and executing pre-packaged software.
Oh, and one last thing. Do not think that because your organization has placed its computing infrastructure in the cloud that it is any safer. The security of the cloud has the same issues and shortcomings as your own internal computing infrastructure, as I have explained above. I have personally performed security assessments on over 100 cloud providers over the last few years and have found that some are very secure and many are very vulnerable as well.

So what can we do?
I have found that some basic steps can yield an order-of-magnitude improvement in security management as it stands today in your environment. Remember, these steps will only be effective if top management agrees that security is important and endorses (acts as champion for) the security activities to be undertaken.
Step one: Conduct a risk assessment to determine exactly what information and data is most important (mission critical) to your organization and identify security vulnerabilities to those resources. Create a risk register which identifies critical systems, vulnerabilities, internal & external threats, and controls needed. This is a very important first step, so, if you do not feel that you have the expertise in-house it would be prudent to have a knowledgeable security consultant perform this task for you to give you a good baseline from which to operate. It also provides a mechanism to identify projects for budgeting and planning purposes.
Step two: Based on the vulnerabilities and threats identified, develop policies (like password policies, acceptable use policies, encryption policies, etc.) to identify the proper process and standards of practice the organization wants followed. However, recognize that people do not always follow these policies, processes and procedures.
Step three: Implement necessary technical controls (ensure that they are designed and implemented by knowledgeable personnel, with proper training for internal staff on the new technologies). The reason for technical controls is that, wherever possible, we should endeavor to protect humans from their own bad practices. So if they feel pressured to work around security controls, the technology will not allow them to do so.
Step four: Implement security awareness training across the entire staff – from board to lowest levels in the organization. Again this should be conducted by knowledgeable people and bringing in experienced trainers would not only be smart but most cost effective. Training to address social engineering and Internet/email good practices will go a long way to protecting an organization.
Step five: Implement a good security monitoring program. Often anomalies or inconsistencies in network traffic or systems access are a precursor to a more intensive attack to come. Make sure that security logs are kept and reviewed on a weekly basis, more often if the assets you are protecting are extremely critical to the survival of your organization or its customers.
Step six: In security we have our own mantra: Trust but Verify. So, do not simply trust that steps one through five, when complete, are sufficient. Technology, business operations, hackers, and threats are all continually changing and evolving. What works today may not work tomorrow. So, conduct regular (at least once a year) vulnerability tests. Use an independent third party so you get the real scoop on your security posture, not what your organization’s people think is politically correct.
Information and computer security continues to be a ‘work in progress’, never complete. So, treat it that way.

The Author
Dr. Jim Kennedy, MRP, MBCI, CBRM, CEH, CHS-IV, CRISC has a PhD in Technology and Operations Management and is the Lead and Principal Consultant for Recovery-Solutions. Dr. Kennedy has over 35 years' experience in the information/cyber security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of three books, ‘Blackbook of Corporate Security,’ ‘Disaster Recovery Planning: An Introduction,’ and ‘Security in a Web 2.0+ World – a standards based approach,’ and is author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Dr. Kennedy can be reached at Recovery-Solutions@xcellnt.com


ARTICLE: Vital Records And Business Continuity Planning

by Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV

As business continuity and disaster recovery professionals we continue to address the rapidly changing face of business and technology. We are caught up in the frenzy of our employers or clients wishing to converge their voice and data networks. We must maintain the RTOs and RPOs necessary to restore mission critical infrastructures along with all of the electronic data that moves across networks or is stored on magnetic media. We know that companies that go through a severe loss of mission critical computerized records may never reopen.
However, as we have seen from past disasters, like those suffered during hurricanes Katrina and Rita or even the most recent floods in the Midwestern portions of the United States, electronic and digital data is not the only medium of information critical to an organization’s business mission. Neither is electronic data the only storage medium of importance to customers or patients who rely upon critical paper records and their protection for their financial futures or health and well-being.
Disasters such as floods, fires and tornadoes can happen almost anywhere and at any time. Some come with prior warning, but most do not. With hurricanes there is often advance warning, but the actual ultimate severity is still pretty much a ‘best guess’ due to the complex factors which can change a category three into a category five or change the final direction of a storm. Those changes can mean the difference between severe flooding, levee breaches, and near absolute destruction of property or just a lot of rain and some local street flooding and wind damage.
We have seen and experienced some of the most destructive weather and natural disasters imaginable in the last ten years. We also know that more localized incidents like a roof collapse under the weight of above average snowfall or a pipe bursting due to age can also cause catastrophic outcomes. As contingency planners we continue to learn and base our future efforts on lessons learned from the past. We have learned to apply an ‘all hazards’ approach when planning.
We also need to take an ‘all media’ approach to data protection. As such, we all need to look very closely at the continued reliance of businesses such as financial, healthcare, government, and education on paper records and information.
Until businesses can move entirely to the use of electronic records and adequately back up that information, organizations will continue to remain vulnerable to all types of disasters. Many organizations today could fail and never reopen their doors if they suffered a loss of just paper records due to a fire or flood.
As we saw during the catastrophic destruction of hurricane Katrina and then Rita, thousands of medical records were permanently lost and healthcare was ultimately compromised in the region. Doctors in attempting to treat their patients could not find their medical records. So they (the doctors) could not look for past allergies to medications or previous illnesses. Patients often did not know the names of their critical prescriptions so they were forced to go without.
Small and medium businesses that had lost their computers in the storm had also lost several weeks of paper business transactions. Architectural and engineering firms lost many important drawings not maintained on computers and numerous local and county governments lost paper deeds, court records, birth records and many other valuable papers and documents.
Natural disasters are not the only incidents to threaten vital paper records. I was personally involved several years ago in an incident in which a local bank vault, used to archive not only financial records but other vital records of the community, became fully engulfed in a fire. The only way to get to and then put the fire out was to drill several holes in the concrete ceiling above the vault and then fill it with water to extinguish the blaze. The very water used to extinguish the blaze and save the building from the fire also compromised and/or destroyed important documents and records, many of which had been there for over one hundred years. Luckily with the help of a document recovery company the bank was able to restore some of the records over time, but with a very expensive price tag.
Even paper files and records that are kept in an off-site storage facility can be susceptible to the same types of damage and destruction that other businesses are. In many instances widespread natural disasters, like floods, often compromise off-site storage facilities in the same manner as the primary sites that sent them there for protection.
So as you can see, paper continues to be a medium on which many critical records and much irreplaceable information continue to reside. As contingency planners we need to ensure that our evaluation of a business includes any and all data that is critical to the operation of that business, and that includes vital paper documents and records.

Defining, identifying and inventorying vital paper records
This is possibly the most important and sometimes the most difficult first step to proper data protection. This is where organizations need to distinguish between important data and a vital record. A vital record is defined by the Business Continuity Institute as: Computerized or paper record which is considered to be essential to the continuation of the business following an incident.
Typically, only between 3 and 15 percent of the paper records archived are categorized as vital. However, in the case of healthcare and governmental organizations this number can be quite a bit higher. So, someone at a senior level in the organization must make the final judgment as to what is vital and what is not. Also, many paper records are maintained for legal reasons. Many need to be maintained due to some type of regulation from the FDA, SEC, Internal Revenue, or HIPAA. The terms of the retention period can vary from three years to seven years for tax information to the life of a patient for some medical records. So an organization’s legal counsel should also be contacted for their recommendations.
Categories of recorded data, on paper, that typically fall under the category of vital may include:
  • Patient healthcare records, controlled drug administration, results of clinical trials, etc.
  • Birth records, court records, vital statistics, etc.
  • Contracts/agreements that prove ownership of property, equipment, etc.
  • Operational records such as Sarbanes-Oxley accounting records, architectural drawings, shipping delivery records, software licenses, maintenance contracts, etc.
  • Current client files and account information
  • Intellectual property such as source code, formulas, schematics, SOPs, etc.
  • Legal documents such as tax records and correspondence or other documents which are part of ongoing litigation

Assessing the threat to vital records
The identification of hazards that can result in damage or destruction of paper records is the very important next step. Flooding or water damage of records in storage areas can occur due to:
  • Pipes bursting or leaking
  • Roof leaks or collapse (rain, snow)
  • Localized flooding (water main breaks, traffic accidents)
  • Chemical spills
The risk of damage due to fire is possible when:
  • Fire detection and protection mechanisms are not proper for the types of materials being protected or are in place and not maintained and checked annually (e.g., sprinklers can cause more damage from water than fire would have caused)
  • NO SMOKING protocols are not established and adhered to
  • Improper housekeeping is found in document storage areas (e.g., flammable liquids, cleaning solvents, or other materials are found in the same area or in close proximity as document storage, and there is an accumulation of flammable materials)
  • Paper records are not stored in a UL or CSA rated fireproof/fire safe and water retardant storage cabinet
Other threats to paper records:
  • Theft
  • Sabotage
  • Mishandling
  • Negligence
  • Loss
Some paper records, because of their age or the paper material used, can be damaged by improper handling or environmental excesses such as temperature, humidity, or sun or fluorescent light. As such these need to be protected by:
  • Air conditioning to maintain constant temperature and humidity levels
  • Storage in cabinets that keep the documents out of direct light of any kind
So any threats to the maintenance and operation of air conditioning or environmental controls must be considered as well.
Another red flag is a lack of adequate levels of security protection in storage containers or spaces used for on or off site storage locations. Adequate access controls and proper 7 X 24 X 365 monitoring of the records must be maintained at any storage facility selected to house vital records.
Establish a plan to protect vital records
In order to protect vital records from disaster many organizations:
  • Move and store the paper records off-site at a facility specializing in transportation of vital records and providing secured vaulting services;
  • Convert paper to other media such as: optical disk, microfiche, microfilm, magnetic disk or tape, etc.
Each of these contingencies is good provided that it offers the necessary flexibility to access records when needed and the necessary protection to properly preserve those records. That is, whether the vital records will be kept on or off site, the vaulting facility must have adequate security, provide proper environmental controls (humidity and air conditioning), have adequate fire protection facilities, and employ trusted or bonded workers.
In any case all threats identified in the risk assessment should be addressed, either by elimination through mitigation, by adequately insuring against loss, or by a cognizant decision by senior management to ignore them.
Once the threats have been addressed the business continuity plan can proceed in the development of the sections on vital records protection, restoration and recovery. The plan should include a thorough inventory of all vital records stored on or off site. The plan should also include a description of how records will be identified, transported, and handled during restoration. Also the plan should designate who is the responsible party within the organization to authorize initial storage and any subsequent recovery of vital records so that the confidentiality and integrity of the data can be maintained.
One component of the vital paper records plan should include an agreement or contract with a document recovery and restoration company in case documents are compromised during an incident. This saves time by identifying one of the first organizations to be contacted if paper records are damaged. If not a contract, at least have emergency contact information of such an organization included in the plan.
Once the plan has been exercised, including the vital records component, and found to be ‘fit-for-purpose’ the contingency planner can breathe somewhat easier and the plan can be finalized and released.
Summing it up
Paper records can be as critical to the operation and survival of a business as other forms of media. We as business continuity or resilience planners need to adopt an ‘all hazards’ and an ‘all media’ approach when developing plans to ensure that we have provided the necessary due diligence to protect our businesses and their associated operations.
Author
Dr. Jim Kennedy has a PhD in Technology and Operations Management and is the business continuity/security services practice lead and principal consultant for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of two books, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. jtkennedy@alcatel-lucent.com
For more information about Business Continuity, IT Disaster Recovery and Audit Training and Certification, visit www.sentryx.com or contact info@sentryx.com or call 1-800-869-8460.

NEWS: What Is Business Continuity?

Written by: Dr. Akhtar Syed, PhD, CBRM, MABR, CISSP.
Disasters can strike quickly and without warning. Webster’s dictionary defines disaster as:
“A calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship, as a flood, airplane crash, or business failure” [1].
Floods, earthquakes, tornadoes, and hurricanes are examples of major calamitous events.
Businesses are vulnerable to the impact of not only major calamities but also minor business disruptions. Factors such as increased dependency on technology and “speed to market” pressures have made businesses sensitive to even minor disruptions.  Some examples of minor disruptive events are power outages, information technology (IT) system failures, manufacturing equipment failures, hazardous material contamination, voice and data communication failure, and computer viruses.
Over the past decade, the risks of natural disasters, technical and accidental failures, and malicious activities have increased the possibility of business disruptions.  In spite of increased risks, studies show that many businesses have remained complacent.  According to Gartner, “… many enterprises that experience a disaster never recover.  Gartner estimates that two out of five enterprises that experience a disaster go out of business within five years” [2].  These findings reflect the failure of businesses to invest in adequate disaster planning and preparations.
Serious consequences of business disruptions can be avoided through business continuity planning (BCP).  BCP is a discipline that prepares an organization to maintain continuity of business during a disaster through an implementation of a business continuity plan.  A business continuity plan is a document that contains procedures and guidelines to help recover and restore disrupted processes and resources to normal operational status within an acceptable time frame.
A business continuity plan cannot function effectively without the collective efforts of the people assigned to various roles and responsibilities defined in the plan.  Continuity of business cannot be maintained without the continuous support of critical business processes—tasks and operations performed by business units or functions—and various resources required by these processes.
The figure below depicts the typical resources involved in a business continuity plan, namely, IT infrastructure, data centers, manufacturing and production facilities, critical machinery and equipment, critical records, office work areas, critical data, voice and data communication infrastructure, and off‑site storage facilities.
[Figure: What_is_Business_Continuity1]
Conceptually, BCP can be divided into two areas:
  1. Business continuity planning management (BCP management)
  2. Business continuity planning process (BCP process)
The typical activities of BCP management and BCP process are shown in the figure below on a time line relative to a business disruption.
[Figure: What_is_Business_Continuity2]
BCP management focuses on management and organizational components of BCP.  Some of the key activities of BCP management are:
  • Issue an organization-wide business continuity policy that directs management and staff of each business unit to take responsibility for maintaining continuity of critical business functions and processes in the event of a business disruption.
  • Establish a steering committee with members from senior management to define the BCP scope, provide ongoing BCP support and direction, monitor BCP status and progress, and allocate BCP funding.
  • Initiate a formal project for developing a business continuity plan that covers the entire organization.
  • Ensure that personnel involved in the development and implementation of the business continuity plan are adequately trained.  Develop and implement a BCP awareness and training program for the entire organization.
  • Ensure that BCP is in compliance with pertinent government laws and regulations, and industry standards.
  • Coordinate BCP activities with relevant disaster recovery and business continuity agencies and local authorities.
  • Ensure that the business continuity plan remains in a state of readiness at all times.
  • Execute the business continuity plan at the time of disaster.
Together, BCP management and BCP process enable an organization to develop a business continuity plan, maintain it in a constant ready-state, and execute it in the event of a business disruption.
The BCP process defines a life cycle for developing and maintaining a business continuity plan.  The BCP process life cycle model consists of the following stages:

  • Stage 1—Risk Management
Stage 1, risk management, assesses the threats of disaster, existing vulnerabilities, potential disaster impacts, and identifies and implements controls needed to prevent or reduce the risks of disaster.
  • Stage 2—Business Impact Analysis (BIA)
Stage 2, business impact analysis, identifies mission-critical processes, and analyzes impacts to business if these processes are interrupted as a result of a disaster.
  • Stage 3—Business Continuity Strategy Development
Stage 3, business continuity strategy development, assesses the requirements and identifies the options for recovery of critical processes and resources in the event they are disrupted by a disaster.
  • Stage 4—Business Continuity Plan Development
Stage 4, business continuity plan development, develops a plan for maintaining business continuity based on the results of previous stages, specifically, risk management, BIA, and business continuity strategy development.
  • Stage 5—Business Continuity Plan Testing
Stage 5, business continuity plan testing, tests the business continuity plan document to ensure its currency, viability, and completeness.
  • Stage 6—Business Continuity Plan Maintenance
Stage 6, business continuity plan maintenance, maintains the business continuity plan in a constant ready state for execution.
Stages 1 through 5 are part of the “Plan Development Project” activities of BCP management.  Stage 6 is part of “Maintain Disaster Readiness” activity of BCP management.
At the time of a disaster, the business continuity plan becomes the most critical document to guide the organization towards timely and effective disaster recovery. Adequate and proper training of the business continuity team is crucial in developing, maintaining and executing a comprehensive, effective and reliable business continuity plan.
For a comprehensive training and certification in business continuity planning, Audit and IT disaster recovery planning, contact Sentryx (www.sentryx.com, 1-800-869-8460):
  1. 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.
  2. 3-day CBRITP (Certified Business Resilience IT Professional) is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption.  The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry's standards and best practices.
  3. 2-day CBRA (Certified Business Resilience Auditor) provides 2 days of intensive Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry's best practices and standards including:
  • ISO 22301: Business Continuity Management Systems – Requirements
  • NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs
  • ITIL v3: Information Technology Infrastructure Library
https://www.sentryx.com/cbra-seminar.html
