Introduction
Companies are increasingly aware of the crucial role information technology plays in their success and survival. In addition, information is a corporate asset, and protecting it and the associated technology, systems and services adds value to the company (Herold, 2010). Information security is aligned with and complements business goals, such as gaining new customers, increasing market share, operating more efficiently, attracting qualified employees, boosting revenues, and cutting costs (Fitzgerald, 2012).
If employees at all levels of the organization do not know how to protect one of its most valuable business assets, its information, the company risks not only the damage or loss of the asset but also takes the chance of being non-compliant with the plethora of rules, regulations and laws that mandate that information be protected (Herold, 2010). By jeopardizing information and not making information security a priority, a company risks its reputation and future.
Overview
Not everyone is aware of the nature and scope of the unique threats and catastrophes to which IT is vulnerable. The types of incidents that could seriously impact the functioning of a company’s IT and therefore have devastating effects on business operations are:
• damage, loss or denial of access to vital hardware, software, networks or facilities
• Web-based Software-as-a-Service failures
• damage to critical providers, distributors or other third-party services
• contamination of crucial information
• blackmail or industrial espionage
• intentional intrusion
• cyber-attacks on critical IT systems (Holman & Houser, 2011).
Information Security in DR/BC Planning
Virtually all business functions rely on or utilize IT systems and services, and therefore these threats may target or primarily damage IT but affect all company operations. Acknowledging that information security is a company-wide priority, not just an IT department priority, clarifies the need to specifically address information security in the company’s Disaster Recovery (DR) and Business Continuity Plan (BCP) (Granneman, 2015).
Integrating information security with overall DR/BCM processes will help all employees recognize elements that constitute an IT-specific disaster, such as a major cyber-attack or complete server failure (Cisco, 2008). It also educates employees on ways IT could be affected in company-wide catastrophes, such as fires and man-made or natural disasters (Cisco, 2008). The IT portion of the DR/BCP will pre-define the point at which service interruptions require the launch of recovery operations (Janco, 2015). In addition, it will set and clarify realistic time frames within which the company’s IT systems and levels of service can be restored (Janco, 2015). The IT systems and services recovery process will be streamlined because roles and responsibilities will have already been defined and assigned (Slater, 2015). Understanding how IT assets such as hardware, software, facilities and staff will be recovered or utilized to respond to a crisis will ensure that recovery and restoration of IT systems and services are consistent with the company’s overall DR/BCP (Bailey, Brandley, & Kaplan, 2013).
By having the entire organization examine IT along with the technical and operational aspects of DR/BCP, risks can be managed and damage can be mitigated (Herold, 2010). Combining coordination of response plans with clear, accessible and current IT incident response documents will ensure that every level within the company can react quickly and appropriately in a crisis (Bailey, Brandley, & Kaplan, 2013). Lastly, the organization as a whole can learn not just ways to recover from an IT incident, data breach, cyber-attack or calamity but also ways to prevent those types of events from occurring (Bailey, Brandley, & Kaplan, 2013).
The CISO
The Chief Information Security Officer (CISO) reports to either the CIO or CSO and is the key IT person to “interpret regulations, establish policy, influence employee behavior and monitor for appropriate outcomes” (Engle & Guttman, 2014). She or he understands the compliance requirements and government regulations the company must follow, coordinates with multiple departments in the development of security budgets, and works with IT staff and all levels within the organization to ensure that information is being protected and security protocols are followed (Poremba, 2015). The top priority of the CISO is to protect the organization’s information and computer networks from cyber-attacks and catastrophes (Poremba, 2015). Therefore, she is the executive who will spearhead the integration of IT with the company’s DR/BCP and have ongoing responsibility for the IT DR/BCP.
CISO Roles and Responsibilities for DR/BCP Planning
In order to incorporate information security into the company’s DR/BCP, IT-specific incidents must be classified, causes and effects identified, probability and severity evaluated, and business impact and priority assessed and categorized (Cisco, 2008). The CISO is uniquely qualified to assess and analyze the practices and events that could affect IT infrastructure and systems and threaten important data (Bailey, Brandley, & Kaplan, 2013). The end results of the CISO’s formal assessment will be details of the IT resources needed for data back-ups and hardware and software recovery (Masserini, 2015). The CISO will outline responses to cybersecurity incidents or crises that will limit damage, reduce incident response time and expense, increase stakeholder confidence and preserve business reputation (Bailey, Brandley, & Kaplan, 2013).
Lists of key personnel will be created and the processes for important decision making will be streamlined (Masserini, 2015). In addition, the CISO will create readily accessible rapid-response guides for a variety of common incidents (Masserini, 2015).
The CISO will develop the integration of IT into DR/BCP as a “stand-alone” strategy that does not depend on the personnel who created it in order to work (CSO, 2005).
The CISO can also quantify the amount of revenue that can be lost as a result of an IT-impacting event and detail the resources needed to ensure that the maximum is not exceeded (Masserini, 2015). This is essential information for the company’s overall BIA. To prepare for DR/BCP implementation, the CISO will develop cost estimates and collect pricing information that is within budget.
CISO Roles and Responsibilities for DR/BCP Implementation
Once the CISO specifies the resources necessary to properly respond to a variety of IT security incidents, she will work with other departments to develop and prioritize the goods, services, applications, support, staff, equipment and facilities necessary to accomplish IT DR and BCP (MyMG, 2011). When possible, the CISO will “test drive” products and technologies prior to procurement (CSO, 2005).
The procurement process will include the evaluation of vendor-supported recovery strategies such as “hot sites,” in which offsite data facilities are fully configured with commonly used IT equipment and software (ready.gov, 2012). There will also be widespread utilization of recent IT service trends such as virtualization, cloud computing, mobile computing and social networks (Slater, 2015).
The CISO will research potential suppliers that can provide the required products and services according to the agreed-upon specifications (MyMG, 2011). There will be an emphasis on using standardized equipment and readily available software and systems to facilitate recovery and restoration processes and reduce costs (ready.gov, 2012).
Once the CISO has determined the best value, awarded contracts and issued purchase orders, she will continue to manage the procurement process by ensuring products and services are provided in accordance with the contract and purchase order terms (Procure Point, 2015). The CISO is best qualified and well positioned to evaluate the performance of the equipment, systems, applications and software and to measure the reliability and value of the vendors and suppliers (Procure Point, 2015).
CISO Roles and Responsibilities for DR/BCP Execution
After the IT DR/BC plans are devised and the necessary goods and services are procured, the CISO will be ready to put the DR/BCP into action during an incident and manage recovery operations. The CISO will supervise training so that all employees know their roles and responsibilities and are prepared to provide the appropriate level of support in the IT DR/BCP (Janco, 2015). The CISO will test this training by conducting realistic company-wide DR and BCP exercises to make sure all employees practice responding to a crisis (Slater, 2015). The CISO will hold postmortem examinations that objectively evaluate the company’s performance after each exercise and endeavor toward constant improvement (CSO, 2005). In addition, the CISO will form and maintain good rapport with local emergency response agencies (Slater, 2015). The CISO will constantly review and refine the IT department’s contribution to the DR/BCP. She will also stay abreast of new technology that can aid in the DR/BCP process.
Best practices for implementing DR/IT Service Continuity
Following are some of the best disaster recovery and IT service continuity practices:
Define Disaster
It is important to have clear criteria for declaring an emergency or incident that will set response and recovery processes in motion (Janco, 2015). There also need to be pre-determined processes and procedures for the allocation of resources and assignment of responsibilities and personnel (Janco, 2015).
Proactively Address Issues
Identify and address issues before they adversely affect the company or disrupt business operations. Potential problems and threats need to be anticipated and thwarted before they impact the organization (Bailey, Brandley, & Kaplan, 2013).
Identify Key Personnel
An executive such as a CISO should have overall responsibility for implementing IT DR and BCP and integrating the plans throughout all levels of the organization (Bailey, Brandley, & Kaplan, 2013). In addition, key personnel who are crucial to response and recovery efforts should be identified along with their designated back-ups in the event they are unavailable (Slater, 2015).
Establish Good Relationships
The executive in charge of IT DR and BCP as well as key DR/BCP personnel should forge and maintain good working relationships with local emergency response agencies (Slater, 2015). In addition, service-level agreements and good rapport should be maintained with external IT DR/BCP providers, consultants and experts (Janco, 2015).
Ensure Good Working Order
Ensuring that hardware, software, systems and facilities are properly installed and configured will dramatically reduce future problems and downtime (Janco, 2015).
Document, Document, Document
Validate that the IT DR and BC plans are constantly evaluated, updated and easily accessible to the entire company (Slater, 2015).
Conclusion
Information security is an integral part of disaster recovery and business continuity planning and cannot be developed in isolation from other business processes (Slater, 2015). It requires regular communication across all levels of the organization and a subject matter expert, such as a CISO, to assess, identify and implement the best information security practices and integrate them into the company’s DR and BCP.
References
Bailey, T., Brandley, J., & Kaplan, J. (2013). How good is your cyber incident-response plan? McKinsey & Company. Retrieved from http://www.mckinsey.com/insights/business_technology/how_good_is_your_cyberincident_response_plan
Cisco. (2008). Disaster recovery: Best practices. Cisco Systems. Retrieved from http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.html
CSO Contributor. (2005, March 1). Top eight best practices for I.T. disaster recovery. CSO. Retrieved from http://www.csoonline.com/article/2118026/business-continuity/top-eight-best-practices-for-i-t--disaster-recovery.html
Engle, B., & Guttman, R. (2014, October 28). The evolution of the CISO role and organizational readiness. CSO. Retrieved from http://www.csoonline.com/article/2838371/security-leadership/the-evolution-of-the-ciso-role-and-organizational-readiness.html
Fitzgerald, T. (2012). Interacting with the C-suite. In Information security governance simplified: From the boardroom to the keyboard. Retrieved from http://library.books24x7.com.ezproxy.umuc.edu/assetviewer.aspx?bookid=47187
Granneman, J. (2015, February). How should organizations make a cybersecurity policy a top priority? TechTarget. Retrieved from http://searchsecurity.techtarget.com/answer/How-should-organizations-make-a-cybersecurity-policy-a-top-priority
Herold, R. (2010). Managing an information security and privacy awareness and training program (2nd ed.). New York: Auerbach Publications. Retrieved from http://www.infosectoday.com/Articles/Security_Awareness_Training.htm
Holman, E., & Houser, K. (2011). ITSCM (IT service continuity management) overview: ITIL®'s IT disaster recovery and business continuity management. Share. Retrieved from https://share.confex.com/.../Session%2010043%20Continuity%20Manag
Janco. (2015). DRP and BCP best practices. Janco Associates, Inc. Retrieved from http://www.e-janco.com/DisasterPlanningBuinessContinuityBestPractices.htm
Masserini, J. (2015, January 26). Business continuity planning, the CISO's secret weapon. Security Current. Retrieved from http://www.securitycurrent.com/en/writers/john-j-masserini/business-continuity-planning-the-cisos-secret-weapons
MyMG Team. (2011). Project procurement management: 5 steps of the process. My MG. Retrieved from http://www.mymanagementguide.com/project-procurement-management/
Procure Point. (2015). Six stage process for procurement. Procure Point. Retrieved from https://www.procurepoint.nsw.gov.au/policy-and-reform/goods-and-services/six-stage-process-procurement
Poremba, S. (2015, April 15). A CISO’s job description: What is a day in the life of the CISO? SunGard Blog. Retrieved from http://blog.sungardas.com/2015/04/a-cisos-job-description-what-is-a-day-in-the-life-of-the-ciso/
Ready.gov. (2012). IT disaster recovery plan. Ready.gov. Retrieved from http://www.ready.gov/business/implementation/IT
Slater, D. (2015, May 20). Business continuity and disaster recovery planning: The basics. CSO. Retrieved from http://www.csoonline.com/article/2118605/disaster-recovery/pandemic-preparedness-business-continuity-and-disaster-recovery-planning-the-basics.html?nsdr=true&page=2
Introduction
What is a Disaster Recovery Plan? It is a stand-alone document that “contains all procedures and detailed equipment recovery scripts, written to a level sufficient to achieve a successful recovery by technically competent IT personnel and outside contractors” (Tipton & Nozaki, 2007). The potential for disasters, natural or malicious, is a constant threat to business processes that cannot be put on hold. It is clear that any disruption in services can negatively impact each of our departments. As such, it is critical that the Disaster Recovery (DR) team members have a clear understanding of the cybersecurity functions and responsibilities of the Office of the Chief Information Security Officer. The Office contains various functional areas; however, this review will discuss the best practices as they apply to implementing a Disaster Recovery / IT Service Continuity plan. “Every year, thousands of businesses are affected by floods, fires, tornadoes, terrorist attacks, vandalism, and other disastrous events. The companies that survive these traumas are the ones that thought ahead, planned for the worst, estimated the possible damages that could occur, and put the necessary controls in place to protect themselves” (Harris, 2013). Only through excellent collaboration and focused effort can the products of a disaster recovery team provide a competitive edge post-disaster to capture a greater market share (Brunetto & Harris, 2001).
CISO Staff Functions Overview
The Chief Information Security Officer (CISO) and staff are responsible for several areas which are critical to a successful DR/BCP. These areas are Planning & Forecasting, Coordinating, Controlling, Organizing, and Directing the many moving parts in the organization that contribute to the mechanics of an effective cybersecurity program. In the Planning & Forecasting stage the CISO staff will assist team members in developing a DR/BCP planning statement which provides guidance and authority to support the project. This stage also includes conducting the business impact analysis and developing recovery strategies, contingency plans, and test and review cycles for the DR/BCP. Forecasting specifically identifies possible changes to the DR/BCP due to the dynamic nature of the external security threat surface.
In the Coordinating stage, the staff will work to ensure existing security controls and processes are carried over to the DR/BCP. Early coordination promotes early buy-in, which can address challenges across each department, streamline processes, and leverage scalable technology to reduce cost. The Controlling stage measures the effectiveness of the program using metrics identified in the Planning stage. An example would be scheduled audits to ensure access controls have been implemented at a Continuity of Operations site in accordance with the company's cybersecurity strategy. Finally, Directing is the CSO’s responsibility; it gives security direction to the team, ensuring unified security efforts in line with the organization's strategic goals.
Best Practices
As every company is different, each of their Disaster Recovery/Business Continuity Plans will be different. However, there are common practices among successful plans. A “DR program with strong governance tends to be resilient” (Klaus & Walch, 2012). The Information Systems Audit and Control Association (ISACA) describes three tiers of a DR program. The first and single most important practice is incorporating IT governance frameworks into your DR/BCP, such as CobiT (Control Objectives for Information and related Technology), published by ITGI; ITIL (Information Technology Infrastructure Library), published by the UK government; and ISO/IEC 27002 (International Standards Organization). The second and third are IT “Management” and “Technical Operations of Disaster Recovery Infrastructure” (Klaus & Walch, 2012). Although both CobiT and ITIL provide best practice guidance, CobiT is used to provide a higher-level governance framework while ITIL’s framework defines service management aspects (Kozina, 2009). In addition to these management and process frameworks, ISO 27002 provides an access control security framework of best practices. It focuses on improving information security through areas such as asset, operations, compliance and organizational security management.
When integrating these frameworks into a DR/BCP, the first step is “Tailoring”. This is a dynamic process that begins during “Planning & Forecasting” and is where each organization applies specific framework standards and practices based on its individual requirements. Although the CISO is the single point of developing a DR/BCP, there are many interdepartmental dependencies that can make implementations costly if not organized properly. As such, the second best practice is “Prioritizing”, which is a critical process through each of the CISO functions, especially in the “Coordinating” stage. C-suite involvement and buy-in is imperative at this point. The organization needs an effective and realistic plan based on resources and skill levels; otherwise the plan risks becoming shelfware.
Third is an effective information campaign that aims at creating a common language supporting CobiT, ITIL, and ISO 27002. “Regardless of methodology, the goal of IT Governance is to improve an organization's competitive advantage, optimize operation and mitigate tasks” (Orakzai, 2014).
References
Brunetto, G., & Harris, N. L. (2001). Disaster recovery: How will your company survive? Strategic Finance, 82(9), 57-61.
Harris, S. (2013). CISSP all-in-one exam guide (6th ed.). [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=50527
Klaus, J., & Walch, D. (2012). JOnline: A strategic framework for IT disaster recovery assessments. ISACA Journal Online, 6(12), 1-1.
Kozina, M. (2009). COBIT - ITIL mapping for business process continuity management. Proceedings of the 20th Central European Conference on Information and Intelligent Systems, 113-119.
Orakzai, T. (2014). COBIT, ITIL and ISO 27002 alignment for information security governance in modern organisations. SSRN Electronic Journal.
Tipton, H., & Nozaki, M. (2007). Contingency planning best practices and program maturity. In Information Security Management Handbook (6th ed., Vol. 1, p. 431). Hoboken, NJ: CRC Press.
University of Maryland University College. (2015). Module 02: Organizations and their security programs. In Cybersecurity in Business and Industry: Summer 2015 [Class lecture slide]. Retrieved from https://learn.umuc.edu/