Preparing For The Unknown

Published Date: 02 Nov 2017

BUSINESS cONTINUITY PLANNING FOR INFORMATION tECHNOLOGY pROFESSIONALS

Information and Network Security Engineering 8/2/2013

Table of Contents

Introduction

A plan is only as strong as those that execute it.  Recent headlines are riddled with news from around the world highlighting the ever-growing frequency of natural disasters occurring. Whether these disasters are in the form of a tsunami, brush fires or earthquakes, the results are usually catastrophic to the local population and its businesses. The effects such disasters have on modern society are great due to the nature of the technological interdependence that we rely on so as to allow us to complete menial everyday tasks such as banking, communication, and transportation. However, it is not only natural disasters that disrupt businesses and the way they operate. Companies, organizations, and nations also experience their own kind of disasters, in the form of computer or network failures occurring from misconfigured or faulty hardware, malicious users, and hackers to name a few. Unlike a natural disaster that is all too evident, some of these organizations are not aware that their operations have been compromised. 

A Middle Eastern nation for example didn’t know that one of the country’s nuclear facilities had been compromised and under attack for months (Wired.com, 2012). An American think tank had subscriber billing information stolen before realizing what had even happened (NYTimes.com, 2012).  A hospital in the United States fell victim to its security guard when he compromised the hospitals computer network in order to "launch DDOS attacks on the websites of rival hacker groups" (FBI.gov, 2012).  Another hospital was the intended target of an eastern European hacker group who was able to gain access to 780,000 medical records (Dailymail.co.uk, 2012). An earthquake in Japan in the spring of 2011 caused a tsunami that completely wiped out hundreds of businesses. The above examples signify attacks and disasters that resulted in the disruption in the operations of the organizations that could have in some cases been prevented if a proper assessment addressing potential vulnerabilities had been carried out that would in turn form a plan in which the organization would be follow in order to minimize the operation disruption period.

This paper will concentrate on and justify to the reader what an organization, company, or country, regardless of its size, must do so its information technology operations can continue unaffected in the wake of a disaster or attack.

Preparing for the Unknown.

Almost everyone is familiar with the Presidency of the United States. There is the President and a Vice President who get elected from the people every four years. The Vice Presidents main role is to become President in the event that something should happen to the President. But what happens if something happens to the President and Vice President? What few people know is that there is a line of succession in place that predetermines who will be President in case of death, resignation or any other event that incapacitates the current leader. This plan was set into place by law to ensure that the government of the United States has continuity, because lack of continuity creates problems that most of the times are irrecoverable.

Continuity in the event of a disaster for a business’s operation is critical so as to remain in business while minimizing losses. Business Continuity is the discipline supporting an organization in coping with disruptive events that may affect its Information Technology (IT) infrastructure. The goal of business continuity is to guarantee that after certain incidents the IT infrastructure will recover its operations within a predefined time. This is achieved by carrying out a Business Continuity Plan (BCP). The BCP predicts how an organization will be able to survive when faced with unexpected disasters, disruptions or changes, assuring that the critical business processes will continue to function in most adverse circumstances with acceptable limitations.

The Known Unknowns

A business continuity plan is a plan of action that all organizations, companies, and even countries adopt to prevent or minimize the disruptions of a disaster. The continuity plan consists of some well-organized steps, procedures and protocols that cover every possible thought out scenario of possible disaster in their given environment. A business continuity plan is mandatory for every large-scale organization and very useful for smaller ones. Organizations need business continuity plans because they must be able to operate under any circumstances even after a large-scale disaster occurs. Business continuity plans are created to minimize the impact of events such as:

Natural disasters:

Earthquake

Hurricane

Tsunami wave

Infrastructures failure:

Equipment failure (such as disk crash or server breakdown)

Disruption of power supply or telecommunications

Application failure

Acts of terrorism:

Cyber crime

Terrorist attack

Malicious software

Human factor:

Employees mistakes

Bad risk management or calculation

Politics

Governmental changes

Social unrest

Laws

Co-operative organizations

Cancel a cooperation (such as cancel of supply shipment)

When do we need a Business Continuity Plan?

Always. We never know what may happen and when, and that is why we need it all the time. That is why business continuity plans have to cover every possibility, from the most likely to the most unlikely one.

A business continuity plan is a part of the organizations culture. Every component of the I.T infrastructure that is introduced into the organization must comply with the business continuity plan. A strong business continuity plan eliminates single points of failure, and in order to achieve this a top down holistic approach is required when implementing it. For example, for a company such as Amazon who primary business is selling products through the internet, it is critical for its customers or potential customers to always be able to reach the website. In business continuity terms, Amazon.com must have more than one internet connection so in the event that one internet connection goes down, another one is there to service its needs. Taking the same example one step further down, the two or more internet connections must be on separate routers, so as to overcome the possibility of a single point of failure at the hardware level.

Another critical business function for Amazon is for its customers to browse the products located on their website. Because this is a critical function for Amazon, it is mandatory for their website and all the relevant data (products) to be accessible at any time. In order to achieve this, Amazon has geographically dispersed their data centers around the globe, in effect minimizing the chances that a single natural disaster can bring down their system.

Who should participate in a Business Continuity Plan?

Any business or institution that is obligated to have its services running even though one of the disruptions stated above may occur, in order to have minimum financial losses, prevent downtime, and to keep safe the company’s reputation to its customers. In order to develop an effective continuity plan a team needs to be formed very carefully by choosing the right member that will fulfill the necessary traits such as leadership, technical, and or business skills. In order to identify the number of the staff and the necessary requirements that they need in order to accomplish important occupations within the business. The members of such team would be the following:

Technical team members:

Information Security Officer

System administrators

Database administrators

Storage engineers

Security professionals

Application specialists

Financial team:

Chief Financial Officer

Accountant

Procurement personnel

Budget and reporting personnel

Operations team:

Chief Operations Officer

CRM personnel

Human resources team

Sales team

Sales officer

Sales personnel

For each of these team members that participate into the BCP team, the person’s name, address, as well as home and cell phone numbers are always kept on hand so that they can be reached any time of day. Also for each person include a reason why this person has to be contacted and his occupation within the BCP Recovery team.

After the team has been chosen, a discussion needs to be done with the team members in order to identify the actions that need to be taken in case important services and functions of the business have to be eliminated. The following topics have to be documented:

Identify the new issues.

Make an action plan for each issue

Assign issues to specific personnel within the team in order to solve the problem

Assign responsibility for each team member

Start working with the team or individually and report to manager.

Also an action plan for each service of the business has to be organized. This plan will be the model that the Recovery team will follow in order to keep business functions consistent.

A description of each service of the business that has to be performed

Personnel responsible for each of the functions

Backup personnel responsible for each of the functions

Documentation that describes the steps that need to be done in order for function to be achieved

The impact that each function has on the business

Resources that are needed in order to complete the function.

After the BCP Recovery team has been composed, the members of the recovery team have to review the plan and discuss with each other key elements of the plan. In order to understand the overall impact of the action that they have to take on such occasion. Also the plan needs to be tested, revised and updated when needed. Also the following actions need to be take:

Preform scheduled maintenance of the plan

Test periodically the plan

Test availability and awareness of the BCP Recovery team

How to prepare a Business continuity Plan?

This can be done in six steps, each of them is equally important for the plan to work as good as possible.

Project initiation

The company has to first consider what is important, which in most cases is unwise to try and cover everything. An initial analysis has to take be conducted so as to see what business functions should be covered. A committee is needed to decide and prepare the plan. Last but not least in this first step is to define the policies that should be used as long as the continuity plan is in place.

Business analysis

This is where the risk analysis will take place. The company (or the committee responsible for the plan) has to decide which functions of the organization are the most vital to its continuity. At this stage it is wise to have more than one strategy so the organization will have the option of choosing one plan over another other. Lastly the organization will have to make a budget and benefit analysis to see what plan is more suited for the type of disruption that occurs.

Design and Development

The most integral part of the business continuity plan relies on the, so creating business recovery teams and assigning tasks is an important part of the design. Creating continuity scenarios, such as what will happen if the database is deleted is part of a strategy that relies on realistic scenarios to see how well the plan can be executed. The organization has to then consider what will be the escalation levels of the plan and how, when and who will be notified about the continuity plan once it is in effect and what are the criteria that will activate the plan.

Implementation & Testing

Exercise the selected scenarios in practice, to see if they will correspond equally well in real situations. Afterward see the results of the test and evaluate them if they went according to plan and if they had the wanted results. In both cases, train the personnel in order to be more effective.

Maintain and update the plan

This step is omitted in many cases but it is still very important. The plan has to be reviewed regularly since new technologies and strategies are developing every day. Update the plan to improve it according to the new needs, and of course make the plan known to the people of interest that will use the plan.

Conclusion

An important part of any business continuity plan that I discovered throughout my research is the disaster recovery plan. The disaster recovery plan is reactive in comparison to the proactive approach of the business continuity plan. In short, a disaster recovery plan is a plan of action that outlines the technical steps and equipment required in order to restore an organizations operation. Having researched this topic thoroughly, I have come to believe that it is not the business continuity plan itself that plays a critical role for the survivability of an organization during a disaster, but how well trained, informed and rehearsed the personnel are in carrying out the plan. The human factor is what makes continuity possible, and as with everything else in life, practice makes perfect.