Benefits of Aligning Business Continuity Management with IT Service Recovery

IT departments within many organisations are likely to have well defined processes to support their own disaster recovery requirements.  General ‘good practice’ states that we need:
·         Backups;
·         Resiliency designs within the network architecture;
·         Data centre etc…etc…

IT Service Recovery is a legacy approach that many are comfortable with.  From the early mainframe computer days in the 1950’s initial recovery simply focused on restoring the mainframes, the systems were simply off line and business would have to wait, it could actually take a matter of days before affecting the business in anyway. 

However, with the explosion of the internet since 1995 and greater dependence on up-to-the-second information, the impact of loss can now be felt, not in days, but in minutes… if not seconds! 

The role of Business Continuity within an organization developed throughout the 90’s as it became obvious there was a need to provide protection and resilience spanning the entire business.  This led to Business Continuity professionals sitting well outside of IT, focusing on Business Impact Assessments, Crisis Management, and Business Continuity Plans, detailing how the business can continue to provide products and services at an acceptable minimum service level. 

IT has continued to support ‘general good practice’ and has kept up to date, where possible, on the technology that supports system resiliency and recovery, however, often choosing solutions without discussing requirements with the business.  Likewise, the business has been developing Business Continuity Plans on the assumption that IT services will be able to support their strategies.

It is therefore essential that you re-align Business Continuity Management with IT Service Recovery to ensure that the business clearly understands how it may implement strategies that either prevent incidents occurring, or reduce the impact if they do occur. 

To achieve continuity and recovery objectives an organisation should be able to answer questions such as:
·         Can IT recover the business systems within an acceptable period of time?
·         Has the business discussed what the “acceptable period of time” is?
·         Have you ever completed a full restore from backup?
·         Do you carryout vulnerability scans or penetration tests to examine the adequacy of your network designs?
·         Is your Data Center far enough away? Or is it likely to be impacted by the same disruptive incident as you?

CQR Services

CQR is able to help you define your Business Continuity and Service Recovery Strategies through a number of services, such as:

Service	Benefit
Business Continuity Gap Analysis against ISO 22301:2012 Business Continuity Standard	We will review existing business continuity plans, supporting documentation and governance against the industry standard ISO 22301
Business Continuity Management System (BCMS) Development	We can work with you to create a BCMS that can be certified to ISO 22301 or simply be ‘compliant to’ the requirements of the standard
Business Impact Analysis	We will work with you to analyse the consequences of a disruptive incident on your most time sensitive business processes. Output will feed into your risk register, business continuity and recovery plans and most importantly verify whether IT are able to recover within the desired timeframes.
IT Service Recovery Technical Review	We will provide an independent review of your IT Service Recovery Plans, ensuring that the information therein is adequate to support the recovery processes and that staff are aware of their roles and responsibilities.
Vulnerability Assessment	We have specialist consultants who can carry out technical vulnerability scans that will challenge the resiliency of your network architecture. We will provide you with a vulnerability report outlining the risks and provide recommendations to manage the identified vulnerabilities.
Exercise / Test Facilitation	CQR can work with you to design and facilitate an exercise that will test the limits of your documentation and ensure that it is: -       Accurate and up to date -       Relevant -       Complete -       Appropriate The exercise will also ensure that staff get to understand their roles and responsibilities in an event. We can also help you to test the continuity and recovery strategies outlined in the documentation to ensure that they will work as expected.
Document Development	We can review, update and create relevant business continuity and recovery documentation as per your requirements.

Yvonne Sears

Senior Security Specialist

www.cqr.com

The Perils of Cloud Analogies

Moving your operations to the cloud is like... a dream for those who love analogies.  All sorts of things have been claimed, but there is only one reality.  It's like outsourcing, because that's exactly what it is.

The biggest business risk with outsourcing is that you replace technical controls with contracts, and while a move from tactical operation to strategic management looks excellent in a business plan, it can fail badly when interacting with the real world.  The claim that "insert-vendor-here" should be better at running the infrastructure because they developed it, is much more an article of faith than a well-reasoned position.

Consider the failure of the Windows Azure platform over the last weekend.  I noticed it when I couldn't play Halo 4.  As a gamer it didn't occur to me that there was anything deeper than the Halo servers weren't working, but it turns out they were hosted on a cloud infrastructure.  And the cloud had failed.  Completely.  The reason: "Storage is currently experiencing a worldwide outage impacting HTTPS operations due to an expired certificate."  In 2013.

Information security is a people business, and the people failed.

As Sony previously discovered, the total failure of their game platform is a pain, but it isn't going to threaten the company.  To Microsoft's credit they had it all restored in about 8 hours.

But Windows Azure doesn't just host games - it hosts businesses.  And the same failure happening in the middle of the week would mean that businesses that had fully moved to the Microsoft cloud could do nothing.  No backup.  No failover.  No disaster recovery.  Because all the availability controls were outsourced.  And it is very unlikely that the clients using the service are big enough to make any contractual claim for loss.

This isn't just a Microsoft problem, Amazon had the same sort of outage last year.  Every cloud hosting provider will have these problems.

So here's my cloud analogy: it's like putting all your eggs in one basket - a basket you've never seen and can't locate - along with everyone else's eggs, and having faith that this will be managed well by the fox.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com 

Myth #10: We have a security plan

We have a security plan, and I can point you to the binder that contains it.  It’s got all the sections that the consultants told us we needed: policy, risk management, personnel security, information classification, incident management and BCP.  So we must be secure!

No doubt the magic binder is in the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.

Plans that exist only for compliance purposes aren’t functional, and quite literally aren’t worth the paper they are written on.  No-one knows about them, no-one follows them, no-one keeps them up to date.  The only thing that they really are useful for is waving at clueless auditors.

That said, we have a security plan at CQR.  Actually we have a security management system certified to ISO 27001.  But you’d expect that of a security company.  This is because we practice what we preach.

So here’s the preaching: security plans only work if they are part of the day to day operations.  If they are just what you do, not what you drag out to appease the auditors, then practical and pragmatic plans really do add value.  I know it’s a cliché, but security really is a journey, not a destination, with a security plan being the map.

With a good plan, security is easy and this myth is confirmed.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com