Disaster Recovery and Business Continuity
Disaster recovery planning and preventive measures ensure business continuity. The main question is “What if an attacker succeeds and renders an organization’s functions impossible?” Whether the break in business continuity is a short or long one, this is where an organization’s disaster recovery plans comes into play. The disaster recovery plans define the resources, actions, and data required to reinstate critical business processes that have been damaged or disabled because of a disaster. By focusing on disaster recovery plans and preventions, network managers can minimize the impact that catastrophic events may have in their environment. The recovery plan is the best way to insure that a business survives an IT emergency.
The various potential disasters that security administrators need to be concerned about can be classified as human induced incidents, natural, internal, armed conflict, and external. Human induced incidents can include loss of power, transportation accidents, and chemical contaminations. Natural incidents can include flood, earthquake, and tornado. Internal incidents include sabotage, theft, and employee violence. Armed conflict can include acts of terrorism, like the 911 attacks, civil unrest, and war. External incidents include hacking, unauthorized use, and industrial espionage.
Organizations identify potential threats and analyze what needs to be achieved in order to continue operating as though nothing had happened. After identifying these potential threats, security administrators can be in a better position to protect the mission-critical information systems.
Data backup is an essential part of any disaster recovery plan. Data backup allows personnel to restore files and application software that is vital to continue business. An effective data backup strategy should address how often backups are run, type of backup medium, when the backups are run, are backups automated or manual, backup verification, storage, who is responsible for the backups, and the fallback person responsible for backups. Addressing the need for off-site storage may also be an important guideline for organizations with extensive business-critical data (Boswell…, 2003 p. 433).
Organizations must include thorough planning and testing and include provisions for business continuity. Anticipating disasters is the first in the process. There is a lot to be learned and corrected from the testing phase and it needs to be taken very seriously. The testing exercise helps minimize losses during an actual attack. An effective disaster recovery plan should include the following documents: a list of covered disasters, a list of the disaster recovery team members, a business impact assessment, a business resumption and continuity plan, backup documentation, and restoration documentation.
It has been said that the most important step in managing potential disasters is to have in place a well-trained and ready to respond team including a member from senior management, members of the IT department, representatives from facilities management, and representatives from the user community affected by the crisis. In a real crisis, the disaster recovery team meets to evaluate and determine the sources of the disaster and identify the critical components that are affected. The team than assesses the business impact of the disaster, estimating how long the disaster may disrupt business continuity. In this process the cost of the disaster is also ascertained. Exhaustively documenting changes that are implemented during the rush to solve the problem is also crucial.
It is also important that organizations show their commitment to these plans that come from the IS department by adopting well-defined security policies and human resource policies that reflects their support to information security. A useful and well-written security policy should include sections on acceptable use, privacy, due care, separation of duties, “need-to-know” issues, password management, service-level agreements, and the destruction or disposal of information and storage media (Boswell…, 2003 p. 437). Human resources policy deals with personnel management. There should be thorough hiring practices including background, reference, and educational checks. To minimize a security risk, employees should have periodic reviews and rotate job functions and duties, which is beneficial in an emergency due to the more even distribution of information. Employee termination practices are also important in the protection and prevention of threats. Exit interviews should be conducted, individuals should be escorted off the property, and the terminated employee’s computer accounts and passwords should be deactivated and changed. A code of ethics should also be included in an organization’s human resources policy. This would help define and clarify the company’s stance on information security and provide a foundation built on ethics (Boswell…, 2003 p. 441).
An incident response policy can also play a critical role. This policy covers how to deal with a security incident after it has occurred. Following a sound incident response methodology lessens the likelihood that incompetent and inefficient actions will occur and contributes to the practice of due care. An incident response policy should follow the steps of preparation (being ready before an incident occurs), detection (recognizing the presents of malicious code or whether files have been altered), containment (preventing further loss or disruption of services), eradication (removing viruses or malicious code along with cleaning and reformatting hard drives that were affected), recovery (restoring the system), and follow up (develop set of lessons learned) (Boswell…, 2003 p. 442).
In conclusion, in is important to combine a disaster recovery plan with a well-defined and documented security policy, human resources policy, and incident response policy, which can minimize the effects of a catastrophic event and help assure business continuity. It is said, “Failure to prepare is preparing to fail.”
Boswell, S., Calvert, B., Campbell, P. (2003). Security + Guide to Network Security
Fundamentals. Boston, Massachusetts: Thomson Course Technology.