Asset Security and Disaster Recovery Planning
BY H LEROY D SLANSK   SEPTEMBER   ARC INSIGHTS
KEYWORDS
PAP, CHAP, DRP, UPS, TEAM, Security, Disaster, Recovery, Hacker, Terrorist
SUMMARY
The terrorist attack on America has changed the world, heightening the need for increased security and disaster recovery planning. Better security saves lives and prevents damage to assets and operations. Disaster recovery planning is a systematic approach for returning to normal business operations quickly. A few simple procedures and precautions can maintain a safe and profitable business.
ANALYSIS
Every business requires some level of security ranging from simple protection of important information to more complex solutions for potentially dangerous assets. Step one is a better understanding of the possible threats. Currently, terrorism tops the list of immediate threats. Government and large installations, volatile manufacturing facilities, utilities, food processing, or any business where many lives can be endangered through terrorist acts must be on high alert. Close proximity to a high profile target significantly increases an otherwise low security risk. Fortunately, terrorism is the least likely security threat for most businesses, although it must remain as a high priority for security planning and disaster recovery. More common security threats, such as hacker attacks on valuable information or insider sabotage (intentional or unintentional) can disrupt and damage your business. An appropriate disaster recovery plan (DRP) should exist for all threats, including software and hardware failures.

Security Planning
• Understand security issues
• Perform security risk analysis
• Determine level of protection needed
• Install proper prevention and detection
• Develop comprehensive recovery plan
• Frequently review and update strategy

Basic Security Model
The basic security model focuses on protection, detection, and recovery. Protecting against and detecting threats is the preferred solution. Recovery from disasters can be long, painful, and costly. The ARC basic security model covers five major areas including physical, viral, access, backup, and environmental security.
ENTERPRISE AND MANUFACTURING STRATEGIES FOR INDUSTRY EXECUTIVES
Physical security normally means locks or constraints that prevent unauthorized access. Alarms usually signal a breach of security. Physical security is complemented by environmental security that includes detection and alarming for smoke, fire, loss of power, or other life threatening conditions. Alarms may or may not signal unauthorized access. Both physical and environmental security must be monitored closely. Fire, accident prevention, and response information should be readily available as part of normal safety procedures. An uninterruptible power supply (UPS) can easily manage the loss of power and permit an orderly shutdown or automatic backup of computer files.

Security Model   Physical   Viral    Access      Backup      Environmental
Protection       locks      shield   passwords   daily       UPS
Detection        alarms     scan     trace       scheduled   shutdown
Recovery         spares     clean    change      restore     restart

Information Security
The World Trade Center attack crippled the U.S. financial community for days. The impact on the world economy was limited, thanks to strong information security practices by the financial community. Routine offsite information backups permitted the recovery of most important financial data within days. Manufacturers should use many of these same information security techniques. Information on financials, client records, order entry, supply chain, production data, and other dynamic data must be backed up regularly and stored offsite. Never assume that your information is secure until you have verified it. The best security procedures can overlook backups, viral scans, or access protection.
Daily backups offer the greatest protection and should be automatically scheduled.
Daily incremental or partial backups with periodic full backups are acceptable when a
large amount of business data prevents full daily backups. But this approach does make
the recovery process more complicated. Every company should annually test their data
restore procedures. The inability to restore existing backup data is not uncommon and
can easily be avoided by occasional audits and validation of procedures.
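
The sketch below is an added example, not part of the original ARC brief: it shows why incremental backups complicate recovery and what a periodic restore audit needs to check. The catalog layout, the backup names and the one-backup-per-day schedule are assumptions, and the sample data is constructed.

```python
import hashlib
from datetime import date, timedelta

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def restore_chain(catalog, target):
    """Backups needed to restore to `target`: the latest full backup on or
    before that day, then every incremental taken after it."""
    usable = sorted((b for b in catalog if b["day"] <= target), key=lambda b: b["day"])
    fulls = [b for b in usable if b["kind"] == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date")
    base = fulls[-1]
    return [base] + [b for b in usable if b["kind"] == "incr" and b["day"] > base["day"]]

def audit_restore(catalog, media, target):
    """Return the problems that would break a restore to `target`."""
    chain = restore_chain(catalog, target)
    problems = []
    covered = {b["day"] for b in chain}
    day = chain[0]["day"]
    while day <= target:  # assumed schedule: one backup per calendar day
        if day not in covered:
            problems.append(f"{day}: no backup in chain")
        day += timedelta(days=1)
    for b in chain:  # every link must exist on media and match its recorded hash
        blob = media.get(b["name"])
        if blob is None:
            problems.append(f"{b['day']}: {b['name']} not found on media")
        elif digest(blob) != b["sha256"]:
            problems.append(f"{b['day']}: {b['name']} fails checksum")
    return problems

def _entry(name, kind, day, blob):
    return {"name": name, "kind": kind, "day": day, "sha256": digest(blob)}

# Constructed sample: Sunday full, daily incrementals, Wednesday's job never ran.
CATALOG = [
    _entry("full-sun", "full", date(2024, 1, 7), b"full image"),
    _entry("incr-mon", "incr", date(2024, 1, 8), b"monday delta"),
    _entry("incr-tue", "incr", date(2024, 1, 9), b"tuesday delta"),
    _entry("incr-thu", "incr", date(2024, 1, 11), b"thursday delta"),
]
# Constructed media contents: Tuesday's file no longer matches its catalog hash.
MEDIA = {"full-sun": b"full image", "incr-mon": b"monday delta",
         "incr-tue": b"tuesday delta (bit rot)", "incr-thu": b"thursday delta"}

if __name__ == "__main__":
    for problem in audit_restore(CATALOG, MEDIA, date(2024, 1, 11)):
        print(problem)
```

A restore to Monday passes the audit, while a restore to Thursday fails twice: one day has no backup and one incremental no longer matches its recorded hash.
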
Other common threats are viral attacks and unauthorized access to user accounts.
Improving password protection procedures and implementing strong trace algorithms
can help avoid such breaches of security. Frequent password changes, a password
authentication protocol (PAP), and a challenge handshake authentication protocol
(CHAP) improve access security. All businesses also should implement software shields
and virus scans, which are simple to install and easy to use. Again, prevention costs far
less than the recovery from a hacker or virus attack.
© ARC Advisory Group • Allied Drive • Dedham, MA • USA • ARCweb.com
USA • UK • Germany • Japan • India
Cost Benefit and Risk Analysis
Knowing your risk of various threats will help avoid unnecessary costs. A realistic assessment of your business, facilities, employees, information, and other assets determines your level of exposure and the appropriate security measures. If your type of business or location is subject to a natural or manmade disaster, then increased physical, backup, and environmental security are appropriate. If your production and business systems are integrated, then additional infrastructure and network security is required. If business information is accessed from remote or multiple company sites, then access, viral, and backup security should be enhanced. Implementing unneeded security is expensive and wasteful. The security investment should be based on the level of protection required to cover any potential losses.

[Figure: Investment and Expected Loss (Cost) plotted against Level of Protection]

Disaster Recovery Plan
Many companies go out of business after a major disaster. A good DRP is essential and must focus on minimizing downtime and lost productivity. It should identify and enable the most cost-effective recovery, ensure continuity of operations, and maintain customer satisfaction. There must also be a strong disaster recovery team with well-defined responsibilities and expectations. Both primary and alternate team members should meet regularly to develop, review, and update the DRP, since planning will play a critical role in these meetings. Because Total Enterprise Asset Management (TEAM) includes asset security for infrastructure, production, and operations, many TEAM participants should qualify as good DRP candidates.
Developing a DRP starts with a model of your business to help identify critical operations. The profit and loss centers should be identified, and important information flows should be mapped. Automation of important business processes such as production, financials, sales, and service will speed recovery. So will implementing fully redundant or fault tolerant environments such as disk mirroring and backup wireless communications. Automation with redundancy implies consistent and repeatable processes with an existing database of recent information.
A major DRP component is a recovery informational database that will support the recovery process. Such a database should include information on employees, customers, suppliers, asset listings, and equipment specifications. Most importantly, it should contain all of the data needed to re-create the manufacturing process, such as process plans, workflows, production schedules, parts inventories, manpower requirements, manufacturing processes, and standards. It must be kept current, which includes periodic training of management and employees on their disaster responsibilities.
Unfortunately, recovery does not begin until you know what is wrong. Most attacks require a detailed damage assessment. A good measurement of a disaster's magnitude is the estimated time and cost to recover. Recovery times of less than a day are usually minor, but losses can still vary. For example, a loss of power or a security breach may be brief, but can hurt customer satisfaction and lose business. Therefore, establish ways to assess damages, their consequences, and recovery procedures as part of the DRP.

Disaster Recovery Planning
• Implement preventive security measures
• Understand disaster risks and objectives
• Identify DRP team and procedures
• Automate and map critical operations
• Develop damage assessment strategy
• Document and share DRP with suppliers

The recovery team must be fluent in troubleshooting existing operations and the use of alternate methods such as mobile technology. In most disasters, the level of recovery depends on the quality of backups. This includes information, personnel, materials, and facilities. A copy of the latest information is a major advantage that can be made available by frequently moving mission critical data offsite. Cross training the recovery team and having backup personnel will provide the properly skilled personnel to recover operations. Maintain critical spares, documentation, and supplies at offsite locations. This can be at another company or in cooperation with key suppliers. Sharing the DRP with strategic suppliers is a great idea. Many suppliers can help develop an alternate facilities startup plan and support the disaster recovery with materials and qualified personnel.
RECOMMENDATIONS
• The ARC security model for protection, detection, and recovery will deter many security threats and reduce the time and cost for restoring normal business operations.
• Disaster recovery planning is unpopular, but very important. Nobody wants to plan
for a disaster, but you must do it because the consequences of being unprepared can
be devastating.
• Better security and a DRP should be part of every business process from customer
relationship management to supply chain management. It should be an integral part
of your product and asset management strategies.
For further information, contact your account manager or the author at hleroy@arcweb.com.
Recommended circulation: All EAS clients.