Business Continuity Planning:

A Byte of prevention is worth a Gigabyte of cure


By Manuel Navarro,

Account Manager, Praxis Computing

 

In 2005 we witnessed threats to our business systems and critical data undergo a dramatic evolution in sophistication.  But how is this evolution of threats relevant to your organization?  How should we be thinking about planning for these threats to our business, and what steps should we be taking to protect ourselves? 

 

As my father once told me, “Preparation and planning prevent poor performance.”  To ensure that your organization remains healthy through difficult and unforeseen interruptions, it is of paramount importance to have a robust, detailed plan to mitigate and respond to the risk posed by the fast evolution of security threats.

 

Over the past year, attacks have evolved from simple cyber-vandalism to sophisticated attacks targeting the availability of your network and the theft of your customers’ and employees’ identities. Through sophisticated viruses, ad-ware, spy-ware, and bot-ware, cyber-thieves are targeting vital Internet resources, potentially affecting productivity and creating public relations nightmares.

 

The 2005 CSI/FBI Computer Crime and Security Survey (Computer Security Institute www.gocsi.com) showed that virus attacks continue as the source of greatest financial losses.  Unauthorized access showed a dramatic increase, replacing denial of service as the second most significant contributor to computer crime losses.  However, the true impact of technology threats is likely even worse than shown, as many companies indicated they do not report security incidents because of concerns over negative publicity.

 

Because IT resources are so essential to every organization’s success, it is critical that the services provided by network systems operate without unscheduled interruption.  Downtime impairs productivity: employees’ individual production can be drastically affected, and lost hours multiplied by the burdened hourly rate cause huge losses for small businesses and enterprises alike.  Beyond direct expenses, security incidents can cause lost future revenue, affect cash flow, alter credit ratings, and even affect stock prices.  Incidents can also lead to long-term losses from damaged reputation with customers, suppliers, financial markets, and business partners.

 

So, where do we begin approaching these risks?  Albert Einstein once said, “Intellectuals solve problems, geniuses prevent them.”  When considering the future plans for your business and aligning your information technology infrastructure with your business strategy, prepare for imminent and unforeseen events; do not wait for them to occur.   

 

So we must ask ourselves as business managers:

  • What are the mission critical applications required to keep my organization productive?
  • What are the relevant risks to these applications?
  • How much downtime of these critical applications can I afford?
  • Do I have an infrastructure in place to mitigate the risk of downtime of critical applications or information theft?
  • Do I have a plan to recover from a major systems failure or other technological or environmental disaster?

 

 

Business continuity planning answers these questions.  Continuity planning is a business process to fortify security and ensure the maintenance and recovery of operations when facing unforeseen events or attacks such as natural disasters, technological failures, human error, malicious code, viruses and cyber-crime.  The objectives of a business continuity plan are to minimize financial loss to the company, continue to serve customers, and mitigate the negative effects disruptions can have on a business’ strategic plans, reputation, operations, and ability to remain in compliance with applicable laws and regulations.

 

 

An effective continuity planning process includes the following steps:

 

  1. Identify resources with high business value

    An executive management workshop empowers you to approach IT from a business perspective and helps to identify and prioritize systems and components which are critical to business operations.  Management will identify preventive controls and review measures to reduce the effects of disruptions.  Your business leaders will identify systems and resources with high business value that are vital to your company’s success.

 

  2. Perform a security assessment

    A security assessment (also referred to as a security audit or risk assessment) determines the relevant risks to the IT systems which executive management has identified as critical to the operations of your organization.  Through the assessments, you identify threats and vulnerabilities so that appropriate controls can be put into place to either prevent incidents from happening or to limit the effects of an incident.  Because risks can vary over time and new risks may replace old ones as a system evolves, the risk management process must be ongoing and dynamic.  Therefore, the security assessment process must be repeated on a regular basis to maintain the health of the organization.

 

  3. Build strong architecture

    Design an environment with integrated security, focused on protecting critical business assets and defending against relevant risks.  A resilient environment typically includes redundant communication paths, no single points of failure, and appropriately sized power management systems.  An effective architecture also includes policies and procedures which restrict employee access to appropriate systems and resources.  Regular maintenance of the environment should include installation of current and robust hardware and software solutions that protect against viruses, malicious code, and unauthorized access.

  4. Create a disaster recovery plan

    A strong architecture focused on relevant risks to key business assets significantly reduces the likelihood of business interruption.  However, even the best design cannot eliminate the chance of a disaster, since the security landscape is constantly evolving and environmental threats are not completely under our control.  Therefore, a suitable disaster recovery plan is a key aspect of business continuity planning.

 


 

Contents Copyright (C) 2005 Praxis Computing - Los Angeles, CA 90064