Information Security by Andy Taylor
Other key planning aspects
There are two other areas of business planning that are not confined to information security planning, but which must include it: business continuity planning (BCP) and disaster recovery (DR) planning.
These two are related but distinct areas. Both are designed to deal with potential problems that could have an impact on the normal daily work of an organisation. These can range from simple equipment failures through to strikes and natural disasters, such as floods and fires and even loss of life. All need to be considered appropriately and measures put in place to deal with the circumstances should they arise.
What has this to do with information security?
If a fire or flood denied you access to the building, do you have contingency plans that would enable you to access critical customer information? If your computer system came under attack and crashed, how long could you carry on before the business suffered serious damage and do you have a plan for dealing with the possibility?
Getting the balance right
The whole field of security is always a compromise and in the case of information security you need to seek a balance between total security and essential availability. On the one hand, it is possible to conceive of a workplace where all the information is stored in strong rooms with no access to anyone and free from any risk of flood, fire, plague or pestilence. On the other, we are now headed into a world where staff expect appropriate information to be made available as and when required, wherever they need it.
The first situation could be seen as ‘ideal security’: there is little chance of the wrong people gaining unauthorised access to any information – indeed there is little chance of anyone gaining access to it. In the second, there are huge security issues because of the ease of eavesdropping on digital communications of all sorts, of loss of information or the device used to access it and so on. So if these two suggestions are either end of the spectrum, the pragmatic solution is to find an acceptable compromise. Thus the accessibility of information where and when it is required, in a manner conducive to good practice, and in the business’ best interests, becomes a significant issue. Not having that access, or having the access disrupted in some way, is why BCP and DR are included here.
BCP versus DR
In general, the distinction between the two is that of time and impact. If an event is likely to be short-lived or has very limited impact on an organisation, either in business terms or time-wise, then BCP is the way to deal with it. BCP concerns planning for a short-term problem for which the short-term fix may simply be to accept the disruption. If, on the other hand, the disruption is serious (notably in a financial sense) or is likely to last more than, say, 24 hours, then DR comes into play.
Business continuity plans are drawn up to deal with any number of potential disruptions or risks. If, for example, your computer system was unavailable for an hour, this might not be significant if it only meant some staff sitting idle until the system was restored. In other industries, however, it could literally be a life and death matter because it might be impossible, for example, to prescribe patients the correct drugs. In the first case, it might be acceptable simply to live with the risk, but in the second case you might require a backup system. This could mean keeping a copy of the relevant files on a different system, which could be brought into operation quite quickly, or perhaps you might even have a paper version of critical information. In either case, the backup would need to be kept up-to-date and secure, yet available when needed.
It is sometimes assumed that everyone working on a computer must have the system available day and night, every day of the year. In some cases, such as medical support systems or safety and monitoring systems, that is clearly correct. In other cases, staff might require 100 per cent availability at certain times, but this might be less significant at other times. Financial trading systems, for example, must be 100 per cent available during trading hours, but outside that a much lower level may be acceptable.
Critical periods vary enormously, so when you conduct a business impact analysis it is crucial not to make assumptions, but actually to ask the relevant people what they may be able (but not necessarily willing) to accept in terms of disruption.
Disruption isn’t confined to computer systems. Lack of electricity is now so significant that for minor disruptions it is not uncommon simply to send staff home for the rest of the day until things have been restored. Access to buildings, lifts in a high-rise building, water supplies or even strikes by postal and transport workers can all affect the normal operations of an organisation. All these issues are dealt with at least initially by BCP.
When the disruption reaches a new level (to be determined by the management using what are known as the invocation criteria), then the disaster recovery (DR) plans kick in. These plans will often include moving to different premises and, as a result, may involve significant expenditure. The degree to which such plans can be made is totally dependent on the risk appetite of the senior management. If they are happy to live with the potential risks of fire, flood and other major disruptions, then there is little point spending too much time and money on the plans.
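The BCP versus DR decision above, with the point that tolerable downtime varies by critical period, can be written down as a small model. This is an added example, not from the book: the 24-hour and financial thresholds, the trading-hours window and the two system profiles are constructed invocation criteria that management would set for themselves.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class SystemProfile:
    """Business impact analysis result for one system (constructed values)."""
    name: str
    # Critical periods as (start_hour, end_hour, tolerable outage in minutes).
    critical_windows: list = field(default_factory=list)
    fallback_tolerance: int = 240  # minutes tolerable outside critical periods

def tolerance_at(profile: SystemProfile, when: datetime) -> int:
    """Tolerable outage length (minutes) in force at a given moment."""
    for start_h, end_h, minutes in profile.critical_windows:
        if start_h <= when.hour < end_h:
            return minutes
    return profile.fallback_tolerance

def tightest_tolerance(profile: SystemProfile, start: datetime, duration_min: int) -> int:
    """Smallest tolerance met during the outage, checked at each hour boundary,
    so an outage that begins off-hours but runs into a critical period is
    judged by the critical period's figure."""
    end = start + timedelta(minutes=duration_min)
    t, tightest = start, tolerance_at(profile, start)
    while t < end:
        tightest = min(tightest, tolerance_at(profile, t))
        t = (t + timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
    return tightest

def classify(profile, start, duration_min, financial_impact,
             financial_threshold=250_000, dr_hours=24) -> str:
    """Constructed invocation criteria: 'DR' if the outage is expected to exceed
    dr_hours or the financial impact reaches the threshold; 'accept' if it sits
    within the tolerance in force; otherwise 'BCP' (continuity measures such as
    a backup system are brought into operation)."""
    if duration_min > dr_hours * 60 or financial_impact >= financial_threshold:
        return "DR"
    if duration_min <= tightest_tolerance(profile, start, duration_min):
        return "accept"
    return "BCP"

def at(hour: int, minute: int = 0) -> datetime:
    """Constructed incident start time on a fixed date; only the hour matters."""
    return datetime(2024, 3, 4, hour, minute)

# Constructed profiles: trading hours 08:00-17:00 with a 5-minute tolerance and
# a drug prescribing system that tolerates no outage at any hour.
TRADING = SystemProfile("trading", [(8, 17, 5)], fallback_tolerance=240)
PRESCRIBING = SystemProfile("prescribing", [(0, 24, 0)], fallback_tolerance=0)
```

A one-hour trading-system outage at 03:00 is simply accepted, the same outage starting at 07:30 crosses into trading hours and triggers continuity measures, and a 25-hour outage or a large financial impact invokes DR regardless of the hour.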
Getting back to normal
Planning for normal operations is another area where early effort can reap huge dividends in the event of an incident. It should not be assumed that things will return to normal just because the problem has been resolved. It may not always be possible or sensible to allow all users back into a system immediately after an issue is resolved. A phased provision of access may be a much better idea and this needs to be thought through before the incident, not during or afterwards.