Security Audit Program
ISO 27001 - ISO 27002 - Sarbanes-Oxley - HIPAA - PCI
Compliant

In a recent research report, high priority projects for ROBOs included improving information security measures; ensuring compliance with government, industry or corporate governance mandates; and improving Disaster Recovery Business Continuity processes.

Power supplies and communication links are one of the most critical components in a DRP/BCP strategy.

The concept of Maximum Tolerable Period of Disruption (MTPOD) is an issue with the introduction of British Standard 25999-2.  When applied appropriately, MTPOD will improve management's understanding of your disaster recovery business continuity program and clarifies your enterprise's recovery priorities.

BS 25999-2, Section 4 says that the goal of a business impact analysis is to "determine the impact of any disruption of the activities that support the organization's key products and services." A key aspect of determining the impact of a disruption is identifying what BS 25999 calls the "Maximum Tolerable Period of Disruption," or MTPOD. BS 25999 defines MTPOD as the "duration after which an organization's viability will be irrevocably threatened if product and service delivery cannot be resumed."  MTPOD is the maximum amount of time that the organization's key products or services can be unavailable or undeliverable before its stakeholders realize unacceptable consequences.

The full application of this concept can mean rethinking how a business impact analysis  is approached. While many DRP / BCP professionals start a business impact analysis   by gathering data from individual departments, MTPOD forces them to first look at products and services. Disaster Recovery and Business continuity professionals should understand downtime tolerance, taking into account:

• Customer expectations
• Regulatory requirements
• Reputational issues
• Financial and operational impairment
• Strategic consequences.

Based on management input, disaster recovery / business continuity professionals can propose preliminary Maximum Tolerable Periods of Disruption for key products or services within the scope of the business continuity program.

Once MTPOD is established for key products and services, the traditional business impact analysis  or service. From there, the business impact analysis  can either validate or disagree with preliminary MTPOD conclusions. In addition, the business impact analysis  does identify the department, function and process details that are needed to achieve the MTPOD.

Perhaps most importantly, the disaster recovery / business continuity professional must understand the amount of time required to perform the process or activity in order to deliver the product or service to its key stakeholders (internal or external). This is referred to as cycle time. For example, in a manufacturing company, cycle time would be how long it takes to obtain the necessary stock, manufacture the product, and deliver it to the customer.

With an understanding of MTPOD and cycle time, the business continuity professional can identify what is commonly accepted as the core output of the business impact analysis   - the recovery time objective, or RTO. RTO is the point in time following a disruption when operations must resume (at a minimum level) in order to meet downtime tolerances.

True disaster recovery and business continuity plans must allow for recovery from site-wide disasters, such as a hurricane. The primary site may be completely down, due to a lack of power and network connectivity. The secondary site located in a non-affected area would be used to restore services until the primary site comes back online.

Many enterprises opt for remote Disaster Recovery Business Continuity site(s) for such scenarios. Many system administrators opt for virtual servers, which use asynchronous replication to replicate both the data and virtual machines to the secondary site, which has several standby servers. That way if they need to activate the secondary site, they just direct the activity to the virtual machines and all the systems are back up and running with the latest data.

The Janco Disaster Recovery / Business Continuity Plan Template can help you create a plan for disaster prevention and response. This template will help you:

• Prepare for the most likely emergencies,
• Respond quickly to minimize damage if disaster strikes, and
• Recover effectively from disaster while continuing to provide services to your community.

Not all Internet users were affected, but some that use larger providers--such as AT&T or Verizon--appeared to be disproportionately hurt because large ISPs "peer" with Google, or interconnect their networks with Google's networks in order to improve speed and reduce bandwidth costs. Not all customers at those providers were affected, and smaller ISPs that did not interconnect their networks were able to route around the problem.

SMBsÂ’ prioritization of disaster recovery, backup and high availability for 2008 shows that businesses understand the risks to their business and the value of protection. However, many organizations still errantly think that backup is a sufficient disaster recovery plan. But, mid-sized enterprises are at the most risk to disaster and are more likely to rely strictly on backup as a disaster recovery plan.

The needs and resources of mid-market firms are unique. Midsized companies must work with limited finances infrastructure and human resources. Robust disaster recovery used to be affordable and manageable only by large enterprises. Mid-sized enterprises relied more on backup than on a formal disaster recovery plan. As businesses' reliance on IT has grown, backup has increasingly shown its weaknesses. However, the introduction and maturation of several key technologies, such as virtualization, have brought affordable and easily implementable disaster recovery  to small and mid-sized companies. SMBs do not always equate virtualization with disaster recovery  because awareness of the many virtualization applications is just starting to grow.

1. Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.
3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
6. Plan testing, training and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

There are a few issues at hand here. Not only must the backup provider ensure that the data is accurately and securely backed up whereby every packet and byte is accounted for, but you must also ensure that when the time comes, the data is "clean" enough to be plugged back into the system without a hiccup. It's the hiccup that companies need to avoid which is why they look for ways to backup their data to begin with, however they aren't always as proactive as the results they were expecting.

For enterprises rolling out security across PCs, laptops and servers, standardized hardware encryption translates into minimum-security configuration at installation, along with higher performance with low overhead. The specifications enable support for strong access control and, once set at the management level, the encryption cannot be turned off by end-users.

Required Processes	Recommended Solution	Cost
Implement formalized security policies and procedures	Security Manual Template
Audit access to databases and network	Security Audit Program
Monitor network activity to identify unusual activity	Network Event Viewer
Monitor user activity to identify unusual activity	Smart Disk Monitor
Archive logs to meet compliance requirements	Text Log Monitor
Automate monitoring	Network Event Viewer Smart Disk Monitor Text Log Monitor Internet Service Monitor

• Ability of agencies to talk across disciplines - via voice, data, image, video, or multimedia that include multiple forms of information.
• Ability to communicate and share information as authorized when it is needed, where it is needed, and in a mode or form that allows the practitioners to effectively use it.

Since a disaster or business interruption event or incident can happen anywhere, key staff members must have data communications on the scene, as well as away from the scene (at home), for command control and information to complete their missions. Homeland Security requirements have recognized the need for temporary networks that can form automatically on-scene among first responders. Temporary networks must be able to integrate with larger temporary or fixed networks, but need to be independent of fixed infrastructure in case the latter is disabled. Because disaster or business interruption scenes often expand as incidents develop, temporary networks need to be capable of expanding easily with the scene.

Planners are contemplating new scenarios, in which massive closures in business along with a major disaster like a terrorist attack or a pandemic that limit travel and prevent workers from congregating in offices.

The striking new challenge is how to maintain employee productivity when the workforce is confined to their homes or other remote locations. The question is how can a company go from 10% of its employees working outside of the office to 80%?

Key issues facing enterprises that might need to turn office workers into mobile workers, rapidly and in large numbers include:

• The technical and human challenges of supporting business processes during and after the business interruption event.
• The planning required.
• Procedures to equip employees with the information and technology to remain productive.
• Potential impact on the infrastructure and on support staffs.

Each of these is addressed in the Disaster Recovery Business Continuity Template published by Janco Associates.

The document is provided in both Word 2003 and Word 2007 format and is easily modified. 

• Data centers
• Desktops
• Working at home
• Services and processes for customers
• Services and processes for suppliers and affiliates

These have to be considered and included in the disaster recovery and business continuity plan.  The question that also has to be answered is what the cost impact in troubled economic times is.

• Access control - Open racks leave equipment vulnerable to accidental or intentional misuse. Enclosures with locking entries provide physical protections from unauthorized access and other environmental hazards, and permit more deployment options.
• Temperature Control - Central air conditioning can only go so far in overcoming the heat output of rack server environment. Enclosures can be equipped with fans to keep temperatures within acceptable levels throughout the equipment.
• Power Control - Power protection and battery backup can be provisioned in compact units to protect servers and enclosures from power problems.
• Cable Control - Look for options that provide for a neat, well-organized arrangement of cables that will not impede airflow or enable cables to be accidentally unplugged.
• Flexibility Control - The server environment should accommodate rack-mounted or shelf-mounted equipment, linking of bays into larger units, graceful management of unused space, and the option to roll the entire unit to another location as needs change.
• Management Control - IT equipment is expected to run unattended most of the time. A monitoring/management system provides good visibility and control of the IT environment from anywhere, over the company network.

• Look at the big picture – your business processes, systems, networks, data, and people all need to be considered when planning and implementing these processes.
• Understand your levels of tolerance for lost work, missing data, and unproductive time.
• Document and test your plans, and update them when business needs change.
• Configure your environment to minimize the likelihood of a failure escalating into a disaster.
• When evaluating technology solutions, take into account meeting your recovery objectives, kinds of disasters youÂ’re likely to face, and levels of cost, complexity, and disruption involved.
• Know the advantages and limitations of each technology, and adjust your expectations accordingly.
• Remember that backing up your data is the most reliable form of protection, without which your business is vulnerable.

The first step to crafting an individual disaster recovery plan is mapping out the most critical aspects of day to day business. If a great deal of time is spent communicating with clients over the phone, then a backup phone system needs to be addressed. This can be as simple as having employee cell phones, so that if the office's land line is damaged, workers can call clients using their cell phones. It may also be as complex as having a backup call center located in another state, so that traffic can be routed to another location if problems arise at a certain call center.

Data safety is a crucial and overlooked aspects of disaster recovery. Being able to call your customer and clients on another phone system is little help if you do not have a list of customers and clients, their orders, and their phone numbers. You cannot take new orders if you do not have access to your inventory system or are unable to put in new shipping orders. Data disaster recovery often includes making frequent backups of all critical data and records, both digital and hard copies, and storing them in a secure, remote location.

It is also important to keep in mind the time frame for disaster recovery. If your company needs to be able to recover almost instantly from a disaster, much more complex and redundant steps must be taken than if you have the ability to spend more time recovering. If your company works in a real time, online environment, you need multiple backup systems standing by so that, in the event of a disaster, they can instantly come online. If your company works in longer time frames, then allowing for several hours or days to recover records, organize documents, and resume work may be acceptable.

In the event of a disaster, will your business have the ability to pick up the pieces and get back to work, or will things grind to a halt? While it isn't possible to plan for every event, a solid disaster recovery plan can make all the difference. A disaster recovery plan is one of those difficult but necessary aspects of a successful business. With luck, you may never need to rely on your disaster recovery plan, but if you ever do, you'll be glad that you planned ahead.

• Perform an initial risk assessment to determine current information systems vulnerabilities.
• Perform an initial business impact analysis to document and understand the interdependencies among business processes and determine how the business would be affected by an information systems outage.
• Take an inventory of information systems assets such as computer hardware, software, applications, and data.
• Identify single points of failure within the information systems infrastructure.
• Identify critical applications, systems, and data.
• Prioritize key business functions.

The Disaster Recovery Plan Template has tools that can be used immediately and defined in detail all of these responsiblities and provides a work plan that can be use as is.

How can organizations effectively evaluate their business continuity needs and ensure that the technologies in place are effective? One key step is to conduct a business impact analysis which examines all the business functions and assesses the damage if a function suffers outages. Storage systems - and more specifically the data thatÂ’s stored in them - are extremely relevant for business continuity. But so are the applications, servers, networks and people who run the applications.

Metric for business continuity and disaster recovery include timelines for recovery point objectives (RPOs) and factors defined as recovery time objectives (RTOs).  For data to be available when needed, it needs to be replicated to a remote site. Depending on the desired RPO, that could be synchronous or asynchronous data transfer. In some cases it could be a combination of data that is replicated synchronously to a location that is geographically close and then asynchronously replicated to an out-of-region recovery center.

But data is only part of the equation. Servers, networks and other IT components also play a major role. Just having the data replicated might be okay for a disaster recovery environment with longer acceptable recovery time objectives.  The high cost of storage, communications, network access, and software replication are just a few of the challenges in implementing adequate business continuity.  For a complete real business continuity plan, more than just the data needs to be replicated and available at a secondary site - employee workstations, communication, servers, and applications need to be available. Only with a complete business continuity and disaster recovery plan and strategy in place can organizations ensure continuous operation of the enterprise and availability of vital information.

For example, a small distribution company (revenues of $25,000,000) located in Florida could rate  a hurricane an high probability with a high impact, an earthquake threat as low probability and high impact, while the threat of utility failure due to a power outage could rate high probability and high impact. So in this company's risk analysis, a hurricane and power outage would be a higher risk than an earthquake and would therefore be a higher priority in the disaster recovery plan.

• Voice: It would be absolutely essential for disaster recovery personnel to communication with one another on a common voice channel. A useful service in this regard is provided by the push-to-talk voice call system that has been incorporated by the GSM standard in its Phase 2+ version as an additional service. The push-to-talk system enables an almost instant voice connection to be setup between the speaker and the intended call recipients, thus saving precious time in emergency situations.
•  Data: Disaster recovery personnel at the disaster site must be able to exchange data with the Remote Command Center in real time. Further, the personnel must be able to exchange data with one another. Lastly, they should be able to connect to the public internet and possibly to a remote third party via a secure link.
• Location information: Each of the disaster recovery personnel at the disaster site must be able to Â’seeÂ’ the locations of all other active personnel in a specified area, relative to their own positions. This service may prove crucial in situations where in a worker want to warn nearby workers of dangerous conditions (e.g. collapsing buildings after an earthquake) or wants to request backup for immediate help in rescuing disaster victims.

Even if the job is assigned to the most responsible person in the entire company – the person who’s always around – there's no guarantee that the job will be done correctly, consistently, or in a timely manner across sites. The office manager at one site may have a different method than the inside sales representative in another location. The marketing manager at a third site may perform the task with less consistency than the other two.