Content

Planning for less than a disaster

Creating a systems and site availability plan to protect critical business processes and systems.

Since 9/11 many companies associate vivid memories with the term disaster.  In addition to the devastating loss of life and the ripple effect on the families of the fallen, many businesses ceased operations due to their inability to execute a disaster recovery plan. 

Arguably, that day has sparked renewed interest in disaster planning for many businesses.  Companies are preparing for the next disaster by contracting traditional consulting companies to assess their recovery needs and develop a disaster recovery plan.  These plans typically included the technical and operational plans to restore business systems and processes at off-site facilities.  

Disaster recovery planning is only one step of a bigger process.

Companies often stop after completing a disaster recovery plan without addressing the ways in which disaster recovery planning fits into an organization's larger risk management, security, emergency preparedness and IT contingency planning programs. 

By focusing on disaster, companies are often blinded to the need to construct networks capable of providing system and site availability when less than a disaster strikes.  What happens when a major system outage occurs due to a failed server, corrupt database, worm outbreak or a downed Internet connection? 

In many cases, the above gap exists because most disaster recovery initiatives do not include security and technology experts and many of the security initiatives do not include disaster recovery or technology experts. 

By not soliciting input from all three groups an organization is incapable of creating a layered approach to system and site availability that encompasses threats such as a worm outbreak to a full scale disaster such as the loss of a building.

Companies must unite their security architects, business continuity planners and technologist to create a comprehensive system and site availability plan.

Quick Steps to Creating a Systems and Site Availability Strategy

Risk Management

We all know IT systems are vulnerable to a variety of disruptions, ranging from mild to severe.  Risk management should identify threats and vulnerabilities so that appropriate controls can be put into place to either prevent incidents from happening or to limit the effects of an incident.  In addition, risk management should identify residual risks for which contingency plans must be put in place. The contingency plan, therefore, is very closely tied to the results of the risk assessment and its mitigation process.

Technology Mapping

Many of the threats and vulnerabilities discovered during the Risk Management process can be minimized or eliminated through technology.  During this phase the Security and Technology Architects take the findings from the Risk Management process and create a technology mapping.  The end result is a blue print for implementing technology in a cohesive fashion to mitigate the threats and vulnerabilities discovered during the risk management process.

People and Process

Technology mapping, combined with proper processes and trained employees, completes the mitigation of risk defined by the risk management process.  An example of this would be the development of a Cyber Incident Response Plan which is a process meant to mitigate the risk of a cyber attack on an organization.  This plan incorporates people and process in a seamless fashion to identify, mitigate and recover from malicious activity.

Contingency Planning

Lastly, contingency planning is needed since it is virtually impossible to completely eliminate all risks. Contingency planning is designed to mitigate the risk of system and service unavailability by focusing on effective and efficient recovery solutions.

Reassess

Because risks can vary over time and new risks may replace old ones as a system evolves, the risk management process must be ongoing and dynamic. The person responsible for IT contingency planning must be aware of risks to the system and recognize whether the current contingency plan is able to address residual risks completely and effectively. The shifting risk spectrum necessitates ongoing contingency plan maintenance and testing, in addition to periodic reviews.

The above process is a high level road map.  Risk Management and Contingency planning are comprehensive undertakings with many sub components not mentioned in this article.

Marc Malizia is Chief Technology Office for RKON Technologies.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.