Establishing Digital Trust: Don't Sacrifice Security for Convenience
Unfortunately, these issues happen not only in our personal lives, but in businesses, as well.
Foresight is a virtue, to be sure. We all have heard our mothers telling us to "wear clean underwear without holes in case you are in an accident." The Boy and Girl Scouts have preached to always "be prepared."
And yet, many times we just aren't prepared. Why?
Because it takes a conscious effort, as well as time, to plan in advance for these types of events. In business, they are known as continuity plans or disaster plans. Both federal agencies and industry have identified methods and guidelines to prepare for unforeseen events. For example, there is the National Response Plan (NRP) and the National Incident Management System (NIMS). NIMS encompasses the principles of the Incident Command System (ICS), a nationally recognized incident management system. There is also the Disaster Recovery Institute International (DRII), which provides continuity and disaster recovery concepts and principles.
Even with these regulations and guidance, Continuity of Operations Plans (COOP) are still not being viewed with great importance -- although they need to be.
For example, the terrorist attack on Sept. 11, 2001 proved that there are significant oversights in contingency planning. Backup IT plans are not disaster recovery plans. Getting employees quickly back to work and performing enterprise functions after a disaster can mean the difference between enterprise survival and failure.
"Two out of five businesses that are struck by a disaster will cease operations within five years," according to industry analyst firm Gartner Inc., of Stamford, Conn.
So, how do you manage a disaster or a disruption?
In today's uncertain environment, one of the ways to protect your critical enterprise functions and information is through development and maintenance of an enterprise continuity plan. No longer can we assume that if IT has a backup plan, we are secure and safe.
One misconception is that the IT systems are the business functions. This is a false, and often fatal, assumption. IT systems support the enterprise functions. Enterprise functions depend on IT systems to complete the tasks associated with the function or mission of the business. Therefore, enterprises require a continuity plan. An Enterprise Continuity Plan (ECP) encompasses more than the information technology (IT) -- it includes the enterprise functions, processes, people and assets.
Continuity of Operations Planning (COOP) processes and documents have been developed for many years, focusing solely on the IT level and failing to recognize the importance of the functionality level of an enterprise. A good COOP process should provide an enterprise infrastructure with reasonable methods to prevent, respond, resume, recover, and restore services at the enterprise functionality level should events occur which prevent or disrupt normal operations.
A basic COOP should include a business impact analysis; a concise plan that identifies backup and recovery strategies; and an implementation plan to ensure that the backup data site is operational, the personnel site has been identified and the appropriate agreements are in place. The COOP also needs to be tested at least yearly. And, no, testing does not include those actual events when a COOP goes into effect.
In addition, COOP exercises and maintenance also should be addressed in the overall plan. Testing and exercising the plan can be accomplished through various methods. A desktop exercise is where personnel review the plan and identify any weaknesses. Another method is a walkthrough, whereby a panel gets together and "walks through" the plan to identify weaknesses.
The most complete method is the simulation, though it requires resources. A simulation tests the COOP completely. Simply put, a disaster is simulated and the plan is put to the test. Only the minimum number of people should know that a simulation will take place; otherwise the results will not be representative.
The plan is a living document, meaning that it should be updated regularly to meet its objectives. There are many issues which would cause a COOP to require an update. Any results or lessons learned from testing will require an update to the COOP. New systems or business processes will need to be added to the COOP.
Only by keeping the COOP up to date can it be effective.
This type of approach provides an overall plan that will mitigate risk by providing the ability to continue critical enterprise operations in the event of a contingency, and it cultivates a risk management culture focusing on continuance, not just recovery.
Contingency plans are important to us all -- not only in our private lives, but in our professional lives. Without a plan, chaos will become the only thing you have going when disaster strikes. Wouldn't you rather know where you want to be and how to get there than leave it up to chance?
The only way to accomplish that is to have a solid and tested COOP. And, of course, wearing clean underwear.