Handbook of Information Security Management: Risk Management and Business Continuity Planning



DEPARTMENTAL PLANNING

Consultants are often asked to help a company develop its business resumption plan and to focus only on the systems environment to reduce the overall cost of planning efforts. Companies also frequently take action on planning as the result of an information systems audit and thus focus solely on systems exposure and audit compliance. These companies erroneously view disaster recovery as an expense rather than as an investment in business continuity.

A plan that addresses data integrity and systems survivability is certainly a sound place to begin, but there are many other factors to consider in recovery planning. Depending on the nature of the business, for example, telecommunications availability may be much more important than systems availability. In a manufacturing environment, if the building and equipment are damaged in a disaster, getting the systems up and running may not necessarily be a top priority.

A company’s business continuation plan should be a compilation of individual department plans. It is essential that each department identify its processes and prioritize those processes in terms of recovery. Companywide operating and recovery priorities can then be established by the company’s management based on the input supplied by the departments. Information technology, as a service department to all other departments, will be better equipped to plan recovery capacity and required system availability based on this detailed knowledge of departmental recovery priorities.

Information Technology’s Role

Information technology personnel should not be responsible for creating individual department plans, but they should take a leadership role in the plan development. Information technology generally has the best appreciation and understanding of information flow throughout the organization. Its staff, therefore, are in the best position to identify and assess the following areas.

Interdepartmental Dependencies

It is common for conflicts in priorities to arise between a company’s overall recovery plan and its departmental plans. This conflict occurs because departments tend to develop plans on their own without considering other departments. One department may downplay the generation of certain information because that information has little importance to its operations, but the same information might be vitally important to the operations of another department. Information technology departments can usually identify these discrepancies in priorities by carefully reviewing each department’s plan.

External Dependencies

During the discovery process, recovery planners should determine which outside services end-user departments are linked to. End-user departments often think of external services as being outside the scope of their recovery planning efforts, despite the fact that dedicated or unique hardware and software are required to use the outside services. At a minimum, departmental plans must include the emergency contact numbers for these outside services and any company account codes that permit linkage to the service from a recovery location. Recovery planners should also assess the outside service providers’ contingency plans for assisting the company in its recovery efforts.

Internal and External Exposures

Standalone systems acquired by departments for a special purpose are often not linked to a company’s networks. Consequently, they are often overlooked in terms of data security practices. For example, a mortgage company funded all of its loans via wire transfer from one of three standalone systems. This service was one of the key operations of the company. Each system was equipped with a modem and a uniquely serialized encryption card for access to the wire service. However, these systems were not maintained by the information technology department, no data or system backups were maintained by the end-user department, and each system was tied to a distinct phone line. Any mishap involving these three systems could have potentially put this department several days, if not weeks, in arrears in funding its loans. Under catastrophic conditions, a replacement encryption card and linkage establishment would have taken as much as a month to acquire.

As a result of this discovery, the company identified a secondary site and filed a standby encryption card, an associated alternate phone line, and a disaster recovery action plan with the wire service. This one discovery, and its resolution, more than justified the expense of the entire planning effort.

During the discovery process, the recovery planner identified another external exposure for the same company. This exposure related to power and the requirements of the company’s uninterruptible power supply (UPS). The line of questioning dealt with the sufficiency of battery backup capacity and whether an external generator should be considered in case of a prolonged power interruption. The company had assumed that, in the event of an areawide disaster, power would be restored within 24 hours. The company had 8 hours of battery capacity that would suffice for its main operational shift. Although the county’s power utility company had a policy of restoring power on a priority basis for the large employers of the county, the company was actually based in a special district and acquired its power from the city, not the county. Therefore, it would have power restored only after all the emergency services and city agencies were restored to full power. Moreover, no one could pinpoint how long this restoration period would be. To mitigate this exposure, the company added an external generator to its UPS system.

Apprise Management of Risks and Mitigation Costs

As an information technology department identifies various risks, it is the department’s responsibility to make management aware of them. This responsibility covers all security issues — system survivability issues (i.e., disaster recovery), confidentiality, and system integrity issues.

In today’s downsized environments, many information technology departments have to manage increasingly complex systems with fewer personnel. Because of these organizational challenges, it is all the more important for the information technology staff involved in the planning process to present management with clear proposals for risk mitigation. Advocating comprehensive planning and security measures, and following through with management to see that they are implemented, will ensure that a depleted information technology staff is not caught off guard in the event of disaster.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.