Philip Carter argues that disaster recovery and business continuity should not be too tightly regulated
We all know that business continuity is something that all firms should be undertaking. But regulation of business continuity is a topic of much debate among authority bodies the world over, particularly in the financial services sector.
In what could be seen as a knee-jerk reaction to the tragic events of September 11, 2001, the Federal Reserve, Treasury Department and Securities and Exchange Commission laid out requirements that Wall Street firms should move their recovery centers 200 to 300 miles away from their primary data centers.
This was far too prescriptive. Although that kind of drastic action would be needed in a metropolitan-wide disaster, it is entirely inappropriate to expect staff to travel 200 miles away after the far more likely flood or fire.
Unsurprisingly, Wall Street firms objected to those regulations, arguing that, apart from the huge staff logistical issues, it would be extremely disruptive to relocate expensive and well-established recovery centers.
I was very pleased to note that on January 3, 2002 the federal regulators dropped the proposed plan. Now, the regulatory bodies say they will work individually with companies to develop contingency plans to help keep recovery centers in New York.
The European financial community takes a risk management approach, as witnessed by Basel II (an international framework) and the Financial Services Authority (FSA) guidelines (confined to U.K. companies). Basel II will ensure that companies put aside a certain amount of capital according to their individual financial risk, while the FSA regulations will ensure that firms report back their business continuity plans via year-end reports. Neither of these guidelines is mandatory, but investors will often require that a firm meets regulatory suggestions.
As for the ISO17799 code of practice, this simply requires that firms "have a business continuity plan." As this is voluntary, not many firms will jump to comply unless they are forced to by investors or auditors.
Companies need to ask their business continuity providers, or those responsible for this function, to take an objective look at the business to understand the criticality of each business function. This should start with a business impact analysis, which should identify the most critical functions of the business. The analysis then allows you to move to protect them through backup, or by spreading the risk of downtime across multiple suppliers. Put simply, companies should move to reduce the single points of failure in their organizations, regardless of the regulations suggested or imposed on them.
I would argue that regardless of the suggestions, requirements and best practice guidelines put forward by various regulators, it is up to each firm to regulate itself. It is a matter of corporate responsibility really, showing you are serious about your business.
Philip Carter is director of planning solutions at SunGard Availability Services (www.sungard.com).
Companies ignoring infosec baselines
A majority of some 1,000 security managers across the globe is failing to meet minimally acceptable standards for managing IT security across the enterprise.
According to the Human Firewall Council's Security Management Index (SMI), an ongoing online survey that bases questions on internationally accepted standards set out in ISO17799, as well as best practices from security analysts and professional associations, security managers worldwide scored an 'F' on 10 key areas of security management.
"We appear to be losing the battle to secure our organizations properly, even as reported security vulnerabilities and incidents have been increasing at an exponential rate," says Steve Kahan, president of the Human Firewall Council and senior vice president of marketing, security management and administration for NetIQ. "Organizations worldwide are more vulnerable to inside and outside attacks than ever before, and the cost of security breaches continues to escalate."
So far, over 1,000 security managers from corporate and government organizations throughout the world have participated in the survey. Any score less than 70 is viewed as unsatisfactory and is assigned a 'D' grade or below. Of those polled, close to 8 in 10 organizations received a 'D' overall on managing their security programs, with most getting a failing grade.
"These scores confirm that few organizations have made much progress in implementing even minimal standards of security management practices as prescribed by security industry analysts, professional associations and international standards such as ISO17799," says Kahan.
And security, he notes, is more than just meeting minimal standards cited in ISO17799 categories of security. "Organizations must also have the ability to combine functionality across these categories to produce an integrated holistic view of the state of their security," he says.
If you're interested in taking the online survey, please visit the Human Firewall's web site. The SMI attempts to organize and identify the key security issues organizations around the globe now face, and helps those taking the survey to benchmark their own company's progress on managing security.