Survival is Not Compulsory: An Introduction to Business Continuity
Computers & Security, 18 (1999) 35-46

Survival is Not Compulsory: An Introduction to Business Continuity Planning

Mario Devargas
Mancos Computers Ltd., 1 Crewe Road, Manchester, M23 9BE, UK.

© 1999 Elsevier Science Ltd. All rights reserved.

Introduction

How many times in your life have you bought something not because you needed it there and then but ‘just in case’? How often do you update your A-Z road map - just in case? Do you not insure your home, belongings, etc. against what could happen? When going on holiday do you not safeguard yourself against injury, loss of money, etc.? Could you binge on any amount of fatty food without bringing on a heart attack? If the answers to all these questions are obvious, then why in business do we take so many risks? Why do we not safeguard businesses from interruption or failure - just in case?

Simply waiting for something to go wrong is sheer negligence and will probably prove fatal. A well-known statistic (ref. National Audit Office) is that over 80% of all businesses that have a major fire fail to recover. Perhaps one of the reasons for this is a naive faith in the power of insurance to resurrect your business from the ashes, or simply a lack of understanding of how to formulate your own plan. Over 90% of UK companies do not have a Business Continuity Plan, and of those that do, some prove ineffective when tested by an actual incident. Many feel that the cost of undergoing such an activity would be too high and they would rather trust to luck. However, as has been proven by some companies, large savings can be made on insurance premiums.

The other perception many have is that their company is too small to handle such a philosophy. Large companies with multi-million pound turnover and a large managerial base can afford a risk manager, with their salary being justified as a premium to an in-house insurance scheme. However, smaller companies have a much smaller management team, with Managing Director, Commercial Director, etc., but rarely a specific Risk Manager. There are many reasons for this, but mainly because such an activity is not a profit-making activity; by its very nature it is an introverted ‘expensive’ exercise in anticipating gloom and doom. Risk management is an exercise in caution, directing the company activities towards conservative activities and proposing procedures that can be viewed by some employees as highly inconvenient and unnecessary: they have done it in a particular way for years, why change now? Not surprisingly, there is rarely any great enthusiasm to accept responsibility by any existing management team member. Without this, the responsibility for developing a Business Continuity Plan tends to become everyone’s and no-one’s. Everyone agrees that it is a good idea but actually doing it is a different matter - it is like getting a boy to tidy his room - it isn’t fun and he will do it later. But like boys, managers can be persuaded to do things they do not want to do. Being able to reduce your insurance premiums is a persuasive argument, especially if this can be coupled with reducing your risks and, even if they occur, reducing their impact. This could lead to more business at a lower risk due to increased confidence, etc., which in the long run leads to increased profits.

What is Business Continuity?

Business Continuity Planning (BCP) is not a black art, nor dancing round a fire and sacrificing a calf to the Gods to help you in your hour of need. Many would have you believe that it requires powers of foresight akin to the Pharaohs’ counsellors, advising when disaster will strike. The reality is very far from this perception and can be simply defined as a logical, methodical approach to remaining in control of the environmental issues you can control. Hence, in terms of business requirements, it relates to establishing the right processes, procedures and resources necessary to continue in business in an acceptable form when ‘something’ interrupts that business. The emphasis is on uninterrupted availability, not just reacting to disasters - prevention rather than prescription.

Note that this implies that not every business function needs to be restored immediately, and probably will not need to be in order to meet senior management’s requirements for an acceptable level of operation. Degraded levels of service by certain business functions may also be acceptable, at least for an agreed period. Therefore, the process in planning for disasters is to logically define the steps to be taken to maintain acceptable operations - where what is ‘acceptable’ is probably different for different companies.

The aim of BCP can be summarised into three areas:

1. Eliminate or reduce the potential for injuries or the loss of human life, damage to facilities, and loss of assets and records. This requires the appropriate steps to be taken to:
a) Minimize disruption of services to the company and its customers.
b) Minimize financial loss.
c) Provide for a timely resumption of operations in the event of a disaster.
d) Reduce or limit exposure to potential liability claims filed against the company, its directors, officers and other personnel.

2. Implement the procedures contained in the BCP according to the type and impact of the disaster. When implementing these procedures, you need to prioritise all recovery efforts as follows:

Employees: Normally, these will be your most important resource and, in several respects, your number one concern. You can break this category further into:
- Key Managers
- Key Specialists
- Mainline Operating Personnel
- Support Staff
Not only must we help to ensure their survival as a basic human concern, but also for their performance in helping other persons on company premises when the disaster strikes.

Customers: As you do with employees, we must help to ensure the survival or care of customers affected by the disaster; physically, mentally, emotionally and financially.

Facilities: After ensuring the safety of employees and customers, we then secure the facility as shelter for both people and assets. These include office, production and service work sites and other fixed assets, as well as those essential support services that are not part of your own human or information resources.

Assets: Although for the most part recoverable, assets will only be addressed after people and facilities are secure. These can be categorised as:
- Materials, Products and Customer Service Functions. This includes your raw material and component resources, your work-in-process and finished goods.
- Intangibles. These are the other intangibles besides information that can easily impact the health, growth and continuity of your business. Sudden and unrecoverable loss of market share, degraded customer or vendor relations, public image or individual reputation, legal or regulatory prohibition, massive unanticipated lawsuits, stockholder or advocacy group actions all fit into this category.

Records: As with assets, we will only address the recovery and reconstruction of important records when all people are cared for, facilities secured, and all assets have been audited and stored. This class includes not only the information itself used by the company but also the hardware, software, telecommunications and support structure required to keep your information processing operational.
Risk Management

Though perhaps not always aware of it, we all manage risks every day. Actions as routine as putting on your car seat-belt, carrying an umbrella when rain is forecast, or writing down a list of things to do rather than trusting to memory all fall under risk management. People recognise various threats to their best interests and take precautions to guard against them or to minimize their effects. Business risks are also routinely managed; for example, to maximize the return on their investments, businesses must often decide between aggressive (but high-risk) and slow-growth (but more secure) investment plans. These decisions require analysis of risk relative to potential benefits, consideration of alternatives, and, finally, implementation of what management determines to be the best course of action.

[Figure: Risk Assessment - A Management Perspective. What is Risk Assessment? Comprehensive study of potential threats, probability of occurrence and cost of needed deterrents.]

By definition, risk is therefore the possibility of something adverse happening. Risk management is the process of assessing risk, evaluating the cost, taking steps to reduce risk to an acceptable level and maintaining that level of risk.

In addition, a risk management exercise can be used to help identify critical resources needed to support the organization and the likely threats to those resources. This examination normally includes gathering data about the threatened area and analysing the information to make it useful, focusing on those areas that result in the greatest consequence to the organization (i.e., can cause the most harm). This can be done by ranking threats and assets.

Risk has many different components: assets, threats, vulnerabilities, safeguards, consequences, and likelihood:

i. Asset Valuation. Assets include the information, software, personnel, hardware, and physical assets. The value of an asset consists of its intrinsic value and the near-term impacts and long-term consequences of its compromise.

ii. Threat Identification. A threat is an entity or event with the potential to harm the asset. Typical threats are errors, fraud, disgruntled employees, fires, water damage, hackers, and viruses. Threats should be identified and analysed to determine the likelihood of their occurrence and their potential to harm assets.

iii. Vulnerability Analysis. A vulnerability is a condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat. Vulnerabilities are often analysed in terms of missing safeguards. Vulnerabilities contribute to risk because they may ‘allow’ a threat to harm the system. The interrelationship of vulnerabilities, threats, and assets is critical to the analysis of risk.

iv. Safeguard Analysis. A safeguard is any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat. Safeguard analysis should include an examination of the effectiveness of the existing measures. It can also identify new safeguards that could be implemented; however, this is normally performed later in the risk management process.

v. Consequence Assessment. The consequence assessment estimates the degree of harm or loss that could occur. Consequences refer to the overall, aggregate harm that occurs, not just to the short-term or immediate impacts. While such impacts often result in disclosure, modification, destruction, or denial of service, consequences are the more significant long-term effects, such as lost business, loss of reputation, violation of privacy, injury, or loss of life. The more severe the consequences of a threat, the greater the risk to the system (and, therefore, the organization).

vi. Likelihood Assessment. Likelihood is an estimation of the frequency or chance of a threat happening. A likelihood assessment considers the presence, tenacity, and strengths of threats as well as the effectiveness of safeguards (or presence of vulnerabilities). In general, the greater the likelihood of a threat occurring, the greater the risk.

In summary, risk management can help you select the most appropriate cost-effective control; however, it is not a magic wand that will cure all your difficulties. Like the old computing terminology GIGO (Garbage In, Garbage Out), it all depends on the quality of the input and the type of analytical method used. In some cases, the amount and cost of work required to achieve high-quality input would not be justified. In other cases, achieving high-quality input may be impossible, for instance in terms of evaluating the advantages of particular safeguards against a particular threat - the level of uncertainty may negate any quantitative result. It must be noted that complete information is never available; uncertainty is always present. Despite these drawbacks, risk management provides a very powerful tool for analysing the risk associated with a business.

What can go wrong?

Although it is impossible to anticipate all the things that can go wrong, it is important to identify a likely range of issues. Creating hypothetical scenarios will help you and your company develop the right BCP to address a wide range of possible threats. These scenarios should include small and large contingencies. While some general classes of contingency scenarios are obvious, imagination and creativity, as well as research, can point to other possible, but less obvious, contingencies.

[Figure: Risk Assessment - A Management Perspective. Where do Threats come from? Items include Physical and Dishonest Employees.]

The following are examples of some of the types of possible threats and the types of questions required to address each area:

Human factors: Theft, sabotage and terrorism can all have dramatic effects on your business viability:
- Do you have spare tools to cover loss of equipment?
- Can people get to work?
- Are key personnel willing to cross a picket line?
- Are there critical skills and knowledge possessed by one person?
- Can people easily get to an alternative site?

Processing capability: Most businesses rely to some extent on technology, especially computers and communications. Accounts, sales information, databases, management reports, etc. are all vital to your business:
- If your computer network crashed or you lost your data, could you recover the lost information? How much time would be lost? How much business could you lose?
- Are the computers harmed? What happens if some of the computers are inoperable, but not all?
- Can the computers communicate? To where? Can people communicate?
- Are information services down? For how long?
- If your phones went dead how would you cope? Would customers assume you had gone out of business? Would unanswered incoming sales enquiries end up being business for your competitors?
- Has data integrity been affected? Is an application sabotaged? Can an application run on a different processing platform?

Natural disasters: Fire and flood damage can be incredibly expensive. Yes, you may be well insured, but insurance does not fully take into account the potential of lost business and lost time.
- Do people have a place to sit?
- Do they have equipment to do their jobs?
- Can they occupy the building?

The common thread in all the above is that, although you cannot prevent risks becoming reality, you can have plans in place to ensure that your business will continue effectively and with minimum loss should any of these happen.

Myths

Myths are widely held on what effective Business Continuity Planning is and why people should bother with it. The most common ones are:

“It will never happen to me...” In March 1998, the Computer Security Institute reported that over 60% of companies surveyed reported a breach in 1997. These figures are repeated over and over, and the likelihood of a business not being interrupted once within a period of five years is minimal if not zero. How can anyone predict with 100% certainty natural disasters like storms, floods, hurricanes, etc.?

“If I don’t have a disaster I’ve wasted my money...” You could say this about any type of insurance policy; however, the reasoning behind taking out any type of policy is not based on ‘wasting money’. It is also highly probable that an effective BCP will pay for itself by reducing your insurance premiums and improving your processes, which in turn will reduce the risk of interruption.

“It’s all insured so I’m OK...” One of the biggest issues when justifying contingencies is that many companies believe that, like calling the emergency services, they will be covered by insurance if the worst occurs. But like calling an ambulance, if it arrives too late the inevitable fatality will occur. In business the reality of the situation is that most insurance policies do not cover: loss of research and intellectual property; reduced share value; lawsuits arising from the inability to meet contractual arrangements; loss of market opportunities; loss of suppliers; loss of customer confidence; reduction in staff morale and productivity. In reality you are only likely to recover 30%-50% of the total cost of an insured interruption. Furthermore, how will you keep your business running while your losses are assessed?

“I’m sure we would cope...” It is mistakenly assumed that if you can cope with the day-to-day traumas of running a business you can cope with any eventuality - this is just putting on another hat! However, the circumstances surrounding a disaster are totally different to day-to-day business, and while you are finding your feet in muddling through, your customers will have gone elsewhere for their business, your suppliers will probably have downgraded your credit rating and your debt will escalate.

What are the Business Benefits?
Establishing the benefits of business continuity planning is very simple in terms of defining a company’s overall mission, which is: “To live long and prosper”. It is similar to liability insurance, providing a certain level of comfort in the fact that if a major disaster occurs, it will not result in financial ruin. However, as described above, insurance by itself does not provide the means to ensure continuity of the organization’s operations, and may not compensate for the incalculable loss of business during the interruption or the business that never returns.

BCP therefore provides the guidance required during a crisis and ensures that vital issues are not overlooked. When properly formulated, a comprehensive plan will effectively guide even inexperienced staff in helping the company to recover. The very existence of a plan can be a defence that the company had not neglected preparation for disasters in its management responsibilities, and can insulate its officers from litigation for negligence.

Benefits

Benefits associated with developing a comprehensive BCP include:
- Minimized potential economic loss.
- Reduced legal liability.
- Reduced disruption to normal operations.
- Ensured organizational stability.
- Ensured orderly recovery.
- Minimized insurance premiums.
- Ensuring the safety of personnel and customers.
- Compliance with legal and regulatory requirements.
- Minimizing decision-making during a crisis.

Additional business benefits include:
- Eliminating confusion and errors.
- Providing training materials for new employees.
- Reducing reliance on certain key individuals and functions.
- Decreasing potential exposures.
- Reducing the probability of occurrence.
- Protecting the assets of the organization.
- Minimizing disruption to production.
- Minimizing the impact on customer loss of confidence.
- Reducing the probability of loss of invoices/orders, etc.

Costs

The costs associated with Business Continuity Planning should be carefully examined in both monetary and non-monetary terms to ensure that the cost of implementing controls and procedures does not exceed their expected benefits and is appropriate to the business environment. In order to evaluate the cost of BCP you will need to do a Cost Benefit Analysis exercise that examines the assets, threats, and vulnerabilities of the environment in order to determine the most appropriate cost-effective mechanisms (note, you may decide to do nothing and take the risk). Once this is done you will have a set of direct and indirect costs associated with implementing the right Business Continuity Plan for your organization.

Included in the direct costs are:
- Evaluation and Reporting Exercise, including the Policy development process.
- Purchase and support of hardware and applications that provide the controls.
- Implementation of the policy and its impacts upon the organization.
- Training and awareness of staff.
- Administration of the policy, staff and controls.
- Auditing.

Included in the indirect costs are:
- Effect on user productivity.
- Additional time taken by staff to access information necessary to accomplish their jobs.
- Employee morale.

Legal Issues

It is important to review your Business Continuity Plan from a legal perspective before actually progressing with it. There are two areas where your BCP needs to be ‘legally’ sound:

Statutory Requirements: There are many laws and regulations that all businesses need to be aware of and adhere to, e.g., the “UK Fire Precautions (Workplace) Regulations 1997”, which implement the fire safety requirements of the EC Framework and Workplace Directives (these Directives deal with the minimum health and safety requirements in the workplace), and the UK Computer Misuse Act 1990, which defines criminal offences in relation to unauthorized access to IT hardware.
Contractual Requirements: All businesses have contracts, and some contracts require suppliers to deliver no matter what. This means that if your BCP does not measure up you could be left with a large lawsuit for not supplying your products or services on time. The issue within the law is whether you have been woefully negligent in the pursuit of your business. For example, ABC Ltd loses its computer centre, losing its records of receivables and delaying thousands of orders. ABC Ltd does not have adequate contingency plans and hence is unable to recover quickly, and as a consequence ABC Ltd further loses a substantial number of contracts. The shareholders, feeling the business has been mismanaged, want to get their money back. So they file a ‘suit’ against the directors of the business, alleging that they failed to exercise good business judgement in failing to have a current disaster recovery plan, resulting in huge financial losses. Depending on the other facts of the case, the shareholders could win such a suit.

The tendency is now for major organizations to include within their contracts the requirement for their suppliers to have business resumption capabilities. Furthermore, some major insurance companies have also insisted on this within insurance policies, with the inclusion of discounts for companies that maintain effective Business Continuity Planning programmes.

What is a sound Business Continuity Planning Approach?

Business Impact Analysis

A business impact analysis involves identifying the critical business functions within the organization, determining the impact of not performing the business function and ascertaining the cost implications. It could be a very simple statement of the number of items not sold in a specific time-period or an estimate of the potential loss. The purposes of a business impact analysis are:
- To identify the potential risks.
- Estimate the effects of a disaster on the organization as a whole.
- Determine the requirements for a recovery strategy, including the resources necessary for a successful recovery.
- Provide the financial justification for disaster preparation and recovery.
- Determine the criticality of each business function based upon the overall impact to the organization and prioritize their recovery.
- Assess the financial exposures and operational impacts, quantifying the effects as much as possible. £ signs on estimates of lost revenues and productivity have a higher credibility than subjective, hazy estimates.
- Determine the timeframes in which essential functions and operations must recover.

This will identify what is critical to keeping the company in operation and hence determine the breadth of the proposed continuity plan. Overprotecting is costly, while underprotecting will give you a false sense of security.

The investigative approach of this Business Impact Analysis is normally based upon getting answers to a set of basic business questions, for instance:
1. If a disaster occurred, how long could a specific department function without the existing equipment and departmental organization?
2. What are the high priority tasks, including critical manual functions and processes, in a department?
3. How often are these tasks performed, e.g., daily, weekly, monthly, etc.?
4. What staffing, equipment, forms and supplies would be necessary to perform the high priority tasks?
5. How would the critical equipment, forms and supplies be replaced in a disaster situation?
6. What reference manuals and operating procedure manuals are used in the department?
7. How would these be replaced in the event of a disaster?
8. Identify the storage and security of original documents.
9. How would this information be replaced in the event of a disaster? Should any of this information be in a more protected location?
10. What are the current backup procedures?
11. Have the backups ever been restored?
12. Are any critical backup copies being stored off-site?
13. What would the temporary operating procedures be in the event of a disaster?
14. How would other departments be affected by an interruption in a specific department?
15. What effect would a disaster at the main computers have on a specific department?
16. What outside services/vendors are relied on for normal operation?
17. Who would be responsible for maintaining a department’s contingency plan?

Answering these types of questions will identify the potential areas of impact within the business as a whole, defining the level of Business Interruption, Revenue Loss and Business Embarrassment, i.e.:

Business interruption: Disruption of production, business, or computer processes can be felt almost immediately, e.g., loss of computerized support can slow production processes within an unacceptable timeframe, thereby disrupting all production and delivery commitments. However, administrative systems may have greater tolerance.

Revenue loss: Loss of orders can occur within minutes if customers sense an inability to quickly resume normal production, and more quickly upon indication of an inability to meet commitments. After the first 24 hours it is likely that raw material, finished goods, and distribution channel slack will no longer suffice to respond to customer order needs. It is foreseeable that other vendors would be more than willing to step up to these orders.

Embarrassment: Every company has a certain degree of visibility within its market sector which it needs to safeguard. Consequently its credibility would almost certainly be taken to task should it fail to meet its commitments. The competitive environment has customers very unsympathetic to problems and very quick to shift dependence at signs of weakness in ability to fulfil orders.
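As an added worked example (not code from the article or from Mancos Computers), the following Python sketch turns the six risk components from the Risk Management section (asset value, threat, vulnerability, safeguard, consequence, likelihood) and the Business Impact Analysis outputs described above (critical, important and non-essential areas, the ‘pain threshold’, recovery timeframes, loss growing after the first 24 hours) into a small register that ranks threats by expected annual loss, checks whether a proposed safeguard is worth its cost, and orders business functions for recovery. All asset and function names, values, likelihoods, the loss-doubling factor after the 24-hour slack and the 24 h / 72 h classification boundaries are constructed assumptions, not figures from the article.

```python
"""Added example, not from the original article: a small risk register and
business impact analysis (BIA) built from the components the article lists.
All names, values and thresholds below are constructed illustrations."""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Threat:
    name: str
    likelihood: float       # estimated chance per year, 0..1, before safeguards
    vulnerability: float    # 0..1: how exposed the asset is (1 = no control at all)
    consequence: float      # 0..1: share of the asset's value lost if the threat succeeds
    safeguard: float = 0.0  # 0..1: effectiveness of the existing safeguard


@dataclass
class Asset:
    name: str
    value: float            # intrinsic plus long-term value, GBP (constructed)
    threats: List[Threat] = field(default_factory=list)


def annual_loss_expectancy(asset: Asset, t: Threat) -> float:
    """Risk score: likelihood x residual exposure x consequence x asset value.
    The safeguard reduces the exposure term, so a fully effective safeguard
    (1.0) drives the residual risk of that threat to zero."""
    exposure = t.vulnerability * (1.0 - t.safeguard)
    return t.likelihood * exposure * t.consequence * asset.value


def rank_risks(assets: List[Asset]) -> List[Dict]:
    """Rank every (asset, threat) pair by expected annual loss, highest first."""
    rows = [{"asset": a.name, "threat": t.name,
             "ale": round(annual_loss_expectancy(a, t), 2)}
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


def safeguard_net_benefit(asset: Asset, t: Threat, new_safeguard: float,
                          annual_cost: float) -> float:
    """Cost-benefit check for a proposed safeguard: reduction in expected annual
    loss minus the safeguard's yearly cost. A negative result means the
    article's 'do nothing and take the risk' option is the cheaper one."""
    improved = Threat(t.name, t.likelihood, t.vulnerability, t.consequence, new_safeguard)
    saving = annual_loss_expectancy(asset, t) - annual_loss_expectancy(asset, improved)
    return round(saving - annual_cost, 2)


@dataclass
class BusinessFunction:
    name: str
    loss_per_hour: float     # revenue plus productivity loss per outage hour, GBP
    pain_threshold_h: float  # hours the function can survive without its systems


def outage_loss(f: BusinessFunction, hours: float, slack_h: float = 24.0) -> float:
    """Loss over an outage: linear while stock and distribution slack absorb it,
    then twice the hourly rate once that slack is used up. The 24 h default
    follows the article; the doubling factor is a constructed assumption."""
    within_slack = min(hours, slack_h) * f.loss_per_hour
    beyond_slack = max(0.0, hours - slack_h) * f.loss_per_hour * 2.0
    return within_slack + beyond_slack


def classify(f: BusinessFunction, critical_h: float = 24.0, important_h: float = 72.0) -> str:
    """Map a function's pain threshold onto the BIA report areas
    (the 24 h / 72 h boundaries are assumptions, not from the article)."""
    if f.pain_threshold_h <= critical_h:
        return "Critical"
    if f.pain_threshold_h <= important_h:
        return "Important"
    return "Non-Essential"


AREA_ORDER = {"Critical": 0, "Important": 1, "Non-Essential": 2}


def bia_report(functions: List[BusinessFunction]) -> List[Dict]:
    """BIA rows in recovery order: most critical area first, then the shortest
    pain threshold, which becomes the function's recovery timeframe."""
    rows = [{"function": f.name, "area": classify(f),
             "recover_within_h": f.pain_threshold_h,
             "loss_24h": outage_loss(f, 24), "loss_72h": outage_loss(f, 72)}
            for f in functions]
    return sorted(rows, key=lambda r: (AREA_ORDER[r["area"]], r["recover_within_h"]))


# Constructed sample register and function list for a small company.
SAMPLE_ASSETS = [
    Asset("Customer order database", 500_000.0, [
        Threat("Fire in computer room", 0.02, 1.0, 0.8, safeguard=0.5),
        Threat("Disgruntled employee deletes data", 0.1, 0.6, 0.5, safeguard=0.25),
    ]),
    Asset("Sole payroll specialist", 80_000.0, [
        Threat("Long-term absence", 0.3, 1.0, 0.6),
    ]),
]

SAMPLE_FUNCTIONS = [
    BusinessFunction("Order processing", 2_000.0, pain_threshold_h=8),
    BusinessFunction("Payroll", 300.0, pain_threshold_h=72),
    BusinessFunction("Marketing mailshots", 50.0, pain_threshold_h=240),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_ASSETS):
        print(f"{r['ale']:>10.2f}  {r['asset']} / {r['threat']}")
    for r in bia_report(SAMPLE_FUNCTIONS):
        print(r)
```

On the sample data the single payroll specialist outranks both database threats, which is the kind of result the article's question 'Are there critical skills and knowledge possessed by one person?' is meant to surface; the BIA ordering puts order processing first because its pain threshold is shortest, not because its hourly loss is largest.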
Producing a Phased Plan - The Methodology

Business Continuity Planning can be a very complex and labour-intensive process; it therefore requires redirection of valuable technical staff and information processing resources as well as appropriate funding. It is therefore important that a strategic project plan be developed to manage the Business Continuity Process and minimize the impact on scarce resources.

[Figure: The MANCOS Approach (typically 3 months). Stage 1. Planning for Survival; Stage 2. Identify Vulnerabilities; Stage 3. Business Impact Analysis; Stage 4. Creating a Plan for Recovery; Stage 5. Implementation of the Business Continuity Plan; Stage 6. BCP Awareness Campaign.]

In order to achieve this undertaking it is beneficial to use a structured methodology as defined by MD. MD defines a BCP project methodology in six separate phases, as described below. For each phase the objectives are given first, followed by the types of deliverable expected from that phase.

Phase 1. Project Planning
Objectives: This phase determines the scope of the Business Continuity Assessment Programme, defining project schedules, work programs and identifying any issues that could have an impact on the delivery and the success of the project. During this phase a ‘Decision’ Board should be established to take overall responsibility for providing direction and guidance to the Project. Interview schedules for conducting the Security Assessment and the Business Impact Analysis should be defined at this stage.
Deliverable(s):
a) Top Management Commitment
b) Project Infrastructure
c) Project Plans
d) Awareness Campaign Plans

Phase 2.
Objectives: Identify factors which could adversely impact on the normal business processes and initiate a risk reduction programme. This phase should assess areas such as physical; personnel; communications; operating procedures; backup and contingency planning; data; systems; access control; insurance.
Deliverable(s):
a) Assessment Reports
   i. Worst Case Scenario
   ii. Recommended Scenario
b) Business Health Check Report

Phase 3. Business Impact Analysis
Objectives: Establish the critical business processes, determine their recovery time-scale requirements and quantify the financial consequences of all business functions. The aim is to: identify critical systems, processes and functions; assess the economic impact of incidents and disasters that could result; assess the ‘pain threshold’, that is, the length of time business functions can survive without access to systems, services and facilities; identify the timeframes in which critical systems must be recovered after an interruption.
Deliverable(s):
a) BIA Report
   i. Critical Areas
   ii. Important Areas
   iii. Non-Essential Areas
b) Risk Assessment Review
c) Business Continuity Plans

Phase 4. Strategy Development
Objectives: Determine the options for recovering the critical business processes and make recommendations. The aim of this phase is to define a profile of alternative recovery strategies and how subsequent operational plans can be defined. Recovery Strategies will be based on short term, intermediate term and long term outages. Recovery plan components can include the implementation of changes to all procedures, vendor contract negotiations (with suppliers of recovery services) and the definition of Recovery Teams, their roles and responsibilities. Recovery standards can also be developed during this phase.
Deliverable(s):
a) Disaster Recovery Procedures
b) Training Plans

Phase 5.
Objectives: The goals and strategies for tests are defined here. These should be tailored to the business needs and culture. Once these goals are agreed you then develop, execute and evaluate the test results.
Deliverable(s):
a) Test Results from: Checklist tests; Simulation tests; Parallel tests; Full interruption tests
b) Business Continuity Test Plans
c) Risk Assessment Review - Addendum
d) Contingency Options Report - Addendum

Phase 6. Maintenance Program
Objectives: The plan needs to be kept updated or it will not reflect the changing business needs. It is critical that any change management processes are reviewed against the established recovery plans. Assist in defining change management processes.
Deliverable(s):
a) Business Continuity Plan

Next Step: Awareness Campaign

Although often many of the disasters associated with Business Continuity Planning are an ‘act of God’, it is important that your staff are informed of their responsibility for maintaining a safe and secure environment and how to react in the event of a disaster. It is well known that people are one of the weakest links in securing any environment. The purpose of a security/safety awareness programme, training and education is to enhance the processes by:
- Improving awareness of the need to protect system resources.
- Developing skills and knowledge so staff can perform their jobs more securely.
- Building in-depth knowledge, as needed, to design, implement, or operate security/safety programmes.

A sound awareness and training programme can help an organization reduce the number and severity of errors, omissions and negligence issues. Awareness must be used to reinforce the fact that a secure environment supports the mission of the organization by protecting valuable resources. However, in general staff often regard security and health/safety procedures as an obstacle to their productivity. To help motivate staff, awareness should emphasise how being secure, from a broader perspective, contributes to productivity. The consequences of poor security should be explained, while avoiding the fear and intimidation that employees often associate with security. If employees view security/health & safety procedures as a whole as just bothersome rules and procedures, they are more likely to ignore them. In addition, they may not make any suggestions about improving security nor recognise and report security threats and vulnerabilities. Making users aware of their responsibilities and teaching them correct practices helps them change their behaviour.
It also supports individual accountability, which is one of the most important ways to improve security/safety. Without knowing the necessary measures (and how to use them), users cannot be truly accountable for their actions. Awareness stimulates and motivates those being trained to care about security/safety and reminds them of important security/safety practices. A typical implementation schedule for this could be:

Step 1: Identify Programme Scope, Goals, and Objectives
The scope of the programme should provide training to all types of people. The scope of the programme can be an entire organization or a department. Since staff need training which relates directly to their use of particular systems, a large organization-wide programme may need to be supplemented by more specific programmes. In addition, the organization should specifically address whether the programme applies to employees only or also to other users of organizational systems. The overall goal of a programme is to sustain an appropriate level of protection for resources by increasing employee awareness of their security/safety responsibilities and the ways to fulfil them.

Step 2: Identify Training Staff
There are many possible candidates for conducting the training, including internal training departments, computer security staff, human resource staff, or contract services. Regardless of who is chosen, it is important that trainers have sufficient knowledge of security/safety issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.

Step 3: Identify Target Audiences
Not everyone needs the same degree or type of security/safety information to do their jobs. A programme that distinguishes between groups of people, presents only the information needed by the particular audience, and omits irrelevant information will have the best results.
Segmenting audiences (e.g., by their function or according to existing level of awareness) can also improve the effectiveness of a programme. For larger organizations, some individuals will fit into more than one group. For smaller organizations, segmenting may not be needed.

Step 4: Motivate Management and Employees
To successfully implement an awareness and training programme, it is important to gain the support of all levels of management and staff. Motivating management normally relies upon increasing awareness. Management commitment is necessary because of the resources used in developing and implementing the programme and also because the programme affects their staff. Motivation of managers alone is not enough. Employees often need to be convinced of the merits of security/safety and how it relates to their jobs. Without appropriate training, many employees will not fully comprehend the value of the systems with which they work.

Step 5: Administer the Programme
There are several important considerations for administering the programme.
- Visibility. The visibility of a programme plays a key role in its success. Efforts to achieve high visibility should begin during the early stages of program development. However, care should be given not to promise what cannot be delivered.
- Training Methods. The methods used in the programme should be consistent with the material presented and tailored to the audience’s needs.
- Training Topics. There are more topics in security/safety than can be taught in any one course. Topics should be selected based on the audience’s requirements.
- Training Materials. In general, higher-quality training materials are more favourably received and are more expensive.
- Training Presentation. Consideration should be given to the frequency of training (e.g., annually or as needed), the length of training presentations (e.g., twenty minutes for general presentations, one hour for updates or one week for an off-site class), and the style of training presentation (e.g., formal presentation, informal discussion, computer-based training, humorous).

Step 6: Maintain the Programme
Efforts should be made to keep abreast of changes in technology and security/safety legislation and requirements. A training programme that meets an organization’s needs today may become ineffective when the organization starts to use a new application or changes its environment, such as by connecting to the Internet.

Step 7: Evaluate the Programme
It is often difficult to measure the effectiveness of an awareness or training programme. Nevertheless, an evaluation should attempt to ascertain how much information is retained, to what extent security/safety procedures are being followed, and general attitudes toward security/safety. The results of such an evaluation should help identify and correct problems.

Mario Devargas is MD Project Manager with Mancos Computers Ltd., based in Manchester, UK. He can be contacted at: [email protected].