TISC Insight, Volume 3, Issue 19

Welcome to Volume 3, Issue 19 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.

TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.

Enjoy, and be safe,

Dave


Editor's Corner

It's unfortunate that it takes events as horrible as those of September 11th to force us to consider the many ways in which our business processes and workforce are so very vulnerable to unanticipated damages and losses of life. In this issue, Mark Edmead presents some sobering figures that illustrate how generally ill-prepared many organizations are to react to a disaster, be it natural, manmade, or terrorist-instigated, and offers basic procedures for creating Business Resumption and Disaster Recovery Plans. Be safe...


What Can We Learn From The September 11th Attacks? Are You Prepared In The Event Of A Disaster?

Mark T. Edmead

Like most Americans, on September 11th I sat in front of my T.V., mesmerized at the events taking place in New York, Washington DC, and Pennsylvania. My good friend lives in NY, so I immediately tried to contact him at his home and cell phone. To my dismay, neither of his numbers was operational - just a busy signal. Eventually that evening he did call me to let me know he was OK. My inability to contact him started me thinking about how disasters can affect the way we normally do business. A few days after the attacks, this same friend called to ask me if I had room on my Web server to host his company's website. Did his company not have a contingency plan in case they lost use of their Web servers? My friend's company was not in the World Trade Center, but about 10 blocks away. Regardless, their building experienced loss of power, telephone communications, and Internet access. How many other businesses' IT infrastructures were affected and how will they be able to resume operations?

Looking back at the bombing of the New York World Trade Center in 1993, I learned that of the 350 businesses that were affected by the blast, 150 eventually went out of business. Some other interesting statistics to ponder:

One company that suffered an unimaginable loss was the bond trading company Cantor Fitzgerald. According to news reports, of the 1,000 people employed in Cantor Fitzgerald's World Trade Center office, only 370 were not at work when the first plane hit the North Tower. Of the 630 Cantor Fitzgerald employees who were in the building, nearly all died. This highlights the basic purpose of business continuity planning - the protection of human life.

What can you do to prevent this from happening to you? As the saying goes, "Plan for the worst and hope for the best." There are two plans you can develop to handle a disaster event: the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP).

Distinguishing a Business Continuity Plan from a Disaster Recovery Plan

While you might hear these two terms used interchangeably, they actually address two different concerns. The business continuity plan addresses an organization's ability to continue functioning when normal operations are disrupted. In essence, it addresses the continuity of the critical business functions. The BCP may include other plans such as disaster recovery, end-user recovery, contingency, emergency response, and crisis management. A BCP by definition is an all-encompassing term covering both disaster recovery planning and business resumption planning.

A Disaster Recovery Plan defines the resources, actions, tasks and data required to manage the business recovery process in the event of a business interruption. The plan is designed to assist a company in restoring the business process within the stated disaster recovery goals. Specifically, the DRP is used for the advanced preparation and planning necessary to minimize the damage caused by the disaster, and ensures the availability of the critical information systems of the organization.

Basic Procedures for Creating a BCP and DRP

The actual steps for the creation of Disaster Recovery and Business Continuity Plans are too lengthy to cover in just one article. But here are the basic procedures you will need to follow:

  1. Obtain Management Approval - Without approval from upper management, the project will be stranded before it even gets off the ground. Management will not only provide the budget necessary for the development and implementation of the plan, but also make available the people you will need to interface with while writing the plan.

  2. Form a committee - This committee should include representatives from the various departments in your organization. The main goal of the committee is to define the scope of the BCP and DRP. In some instances, an outside auditor is also part of this process.

  3. Perform a Business Impact Analysis/Risk Assessment - This is a key effort to determine what types of disasters can affect your business. This assessment should determine the type of risk (i.e. naturally occurring or man-made disasters), and the effects these disasters would have on your operations. In this section, you determine the type of disaster that could occur (e.g., protracted electrical outage), the impact this disaster would have on the organization (e.g., loss of computing and networking), and the cost of mitigating the problem (e.g., investment in an alternative electrical resource such as generator equipment). Note that there are some cases where the cost of mitigating the risk is higher than the value of the asset you wish to protect.

  4. Determine Key Processes and IT Systems - Critical processes (e.g., payroll or accounts receivable) as well as critical IT systems (e.g., email or Web server) should be identified. That is, the committee should identify the critical components of the organization that should be protected (and recovered quickly) in the event of a disaster. Remember, however, that the main purpose of the DRP is to protect lives.

  5. Determine Recovery Methods - Several options are available. Critical business processes that use IT systems could perhaps be done manually; for example, you might replace a computer-based payroll system with manual check procedures. Recovery options for IT systems include: hot sites, warm sites, cold sites, reciprocal agreements, and service centers. The case of Cantor Fitzgerald illustrates that not only must the replacement and recovery of IT systems be considered, but also the replacement of personnel to keep your company in business. Recovery methods could include establishing a line of succession in management, identifying a temporary agency from which you can draw secretarial and other employees, and establishing a "resumption" relationship with an IT consulting services group.

  6. Document the Plan - The DRP, for instance, should contain procedures for system recovery. The plan should include important contact information such as a critical call list (vendors, employees, emergency agencies), as well as any other pertinent and critical documentation.

  7. Test the Plan - Don't wait until an actual disaster to see if the plan works. The plan should be tested periodically (at least once a year), and any problems found in the test should be corrected and the plan modified accordingly. The plan should also be updated when new critical business processes and/or IT systems are introduced.

  8. Approve the Plan - Once the plan is tested, management should then approve it. Management will be responsible for disseminating the plan to the various departments, establishing policies for its use, and, most of all, making sure that the plans meet the strategic objectives of the company.

The business continuity/disaster recovery plans are living documents that will change as your business changes. Hopefully you will never have to put the plan into place. But if disaster strikes, at least you will be prepared, and have the ability to resume business operations quickly and effectively.

Further Information

Disaster Recovery Institute International - Founded in 1988 to provide a base of common knowledge in contingency planning. DRII also administers a certification program for qualified business continuity/disaster recovery planners.

Contingency Planning & Management - Periodical and a central resource for technology, products, services, information, and management strategies that support business continuity to safeguard the physical, informational, and communication assets of a business; ensure the safety of employees and the public; and protect the financial well-being of the company.

Disaster Recovery Journal's Homepage - dedicated to the field of disaster recovery and business continuity. Over 50,000 subscribers. The DRJ also sponsors two annual conferences that pull in over 2500 disaster recovery professionals from all over the world, which makes their conferences the largest in the entire industry.

Federal Emergency Management Agency - is an independent agency of the federal government, reporting to the President. Since its founding in 1979, FEMA's mission has been clear: to reduce loss of life and property and protect our nation's critical infrastructure from all types of hazards through a comprehensive, risk-based, emergency management program of mitigation, preparedness, response and recovery.

The MIT Business Continuity Plan

University of California Campus Business Continuity Planning

State of Massachusetts Y2K Sample Business Continuity Plan


© 2001 - 2006 Core Competence & Mactivity, Inc.