As last year's tragic events have crystallized the critical need for comprehensive continuity planning in every organization, once again management is turning to security to shoulder the load.
And as if busy security professionals didn't have enough on their plates with their endless battle against hackers and viruses, many are now having to quickly become masters of the art of business continuity and disaster recovery planning. But unlike the fight against viruses, there's zero room for error when planning for disaster.
Fifteen years ago, when Ireland's biggest bank was planning to relocate its main IT center to a hardened bunker twenty feet below the building, it considered the risky move a potential disaster. I was a network security consultant to the bank at the time, and they turned to me for advice. It may seem an unusual step to turn to a crypto guy for advice on such a major continuity project, but even in those days anything to do with risk was instinctively laid at the door of the security department. The more things change?
Crisis? What crisis?
It doesn't take a genius to figure out that when major disasters strike, those who failed to plan are more than likely to reap the rewards of their efforts. But, not everyone's listening.
Despite the events of Sept. 11, a recent report by research firm Gartner, Inc. estimated that two out of five enterprises that experience a disaster will go out of business within five years of the event and that fewer than 10% of small and midsize businesses (SMBs) have crisis management, contingency, business recovery and business resumption plans.
"Many SMBs don't believe they will ever be affected by a disaster the magnitude of what happened on Sept. 11," said Jim Browning, vice president and research director for Gartner. "But the reality is that it's the hundreds of comparatively minor vulnerabilities, such as an e-mail virus or a sustained power outage, that pose the biggest threat to derailing normal operations because of their greater likelihood of occurring," he said.
One of the main reasons for this failure is that many SMBs simply don't have that security team or professional to ask for help. Larger enterprises, on the other hand, should have little excuse. Yet the Business Continuity Readiness Survey published by Gartner in January 2002 reported "the areas in which companies and government organizations are least prepared are the same areas that are most likely to incur loss or damage in physical attacks. Only 28% report business continuity plans for addressing physical attacks, and only 36% have a plan for complete loss of physical assets and workspace."
Security professionals should welcome the challenge of continuity planning as a discipline core to the survival of their workplace and also as an invaluable new skill that could significantly improve job security and career prospects. If only because it might end up protecting the very building that houses their career.
So how do they do that?
According to the Disaster Recovery Institute, one of the world's leading think tanks on recovery planning, professionals need to address 10 key subject areas that constitute the core elements of continuity and disaster planning knowledge:
1 - Project initiation and management: Establish the need for a Business Continuity Plan, including obtaining management support.
2 - Risk evaluation and control: Determine the events and environmental surroundings that can adversely affect the organization and its facilities with disruption as well as disaster, the damage such events can cause, the controls needed to prevent or minimize the effects of potential loss and a cost-benefit analysis.
3 - Business impact analysis: Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization and techniques that can be used to quantify and qualify such impacts.
4 - Developing business continuity strategies: Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies.
5 - Emergency response and operations: Develop and implement procedures for response and how to stabilize the situation following an incident or event, including establishing and managing an Emergency Operations Center.
6 - Developing and implementing business continuity plans: Design, develop and implement the Business Continuity Plan that provides recovery within the recovery time objective.
7 - Developing awareness and training programs: Prepare a program to create corporate awareness and enhance the skills required to develop, implement, maintain and execute the Business Continuity Plan.
8 - Maintaining and exercising business continuity plans: Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results.
9 - Public relations and crisis coordination: Develop, coordinate, evaluate and exercise plans to handle communications with media, employees and their families, key customers, corporate management and all other key stakeholders.
10 - Coordination with public authorities: Establish applicable procedures and policies for coordinating continuity and restoration activities with local authorities while ensuring compliance with applicable statutes or regulations.
(For more information on this subject, visit the DRI International Web site.)
Planning a planning career?
If you've been asked to lead or participate in continuity planning as part of your security role and don't know where to start, training and certification is as good a place as any. Certification in continuity planning is very similar to CISSP certification, requiring a number of years' industry experience, a written exam and regular recertification.
More than 2,500 students worldwide have successfully completed the professional certification exams of the Disaster Recovery Institute (www.drii.org). The three certifications available are Associate Business Continuity Planner (ABCP), Certified Business Continuity Professional (CBCP) and Master Business Continuity Professional (MBCP).
Certification requirements range from "some knowledge" in the field and a 75% score in the written exam (for ABCP) to a minimum of five years' experience and an 85% score (for MBCP).
With continuing cutbacks in security and IT budgets, adding continuity planning skills to your security expertise could not only save your job, it might even save lives.
About the author
Neal O'Farrell has been involved in information security for nearly twenty years, as an entrepreneur, consultant and writer. He is also an expert on SearchSecurity and answers your questions on e-mail, e-commerce and end-user security, as well as encryption.