Business Continuity Planning is a term popularized over the last two decades and has evolved from planning in the event that there is an earthquake to planning in the event that there is an earth-shattering e-virus. How is the evolution of threats facing business today relevant to your business? How much downtime can you afford on your network? Moreover, how should we be thinking about planning for these threats to our business systems and critical data, and what steps should we be taking to protect ourselves? As my father once told me, "Preparation and planning prevent poor performance" (I took the liberty of editing the expletive).

What is Business Continuity Planning? Business continuity planning is the process whereby businesses ensure the maintenance or recovery of operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, malicious code, viruses and/or cyber terrorism. The objectives of a business continuity plan (BCP) are to minimize financial loss to the company, continue to serve customers, and mitigate the negative effects disruptions can have on a business's strategic plans, reputation, operations, market position, and ability to remain in compliance with applicable laws and regulations. In order to ensure that your business remains healthy through difficult and unforeseen interruptions, it is of paramount importance to have a robust business continuance plan (BCP).

In the past, documents, critical data, and information systems were largely stored and managed on paper, and therefore the threats of natural disaster, civil unrest, or accidental fire were the greatest problems facing the secure storage of and accessibility to the systems and data vital to a business. The idea of remote pirates entering your facility through sockets in your walls and tampering with, even interacting with, information systems was an idea limited to talking computers in Sci-Fi films. Yet the threat of a cyber crime attacker became a reality in due time. From the "I Love You" virus to the "Slammer" attack, threats are quite apparently evolving from angry students torching documents on campus in the 60's to cyber-hackers unleashing worms and viruses that could compromise even the most sophisticated networks. In the past, Barney Fife with a flashlight and a walkie-talkie may have sufficed for some businesses, but today security is an integral part of business, information, and accounting systems.

Today, companies increasingly depend on computer-supported information processing and telecommunications. The increasing dependency on computers and telecommunications for operational support poses the risk that a lengthy loss of these capabilities could seriously affect the overall performance of the company. Information technology and automated information systems are vital elements in most business processes. IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire), from a variety of sources such as natural disasters, terrorist actions, viruses, malware, spyware and adware.

Because these IT resources are so essential to an organization's success, it is critical that the services provided by network systems are able to operate effectively without excessive interruption. Downtime impairs productivity: an employee's individual production can be drastically affected and, when multiplied by the number of hours out times the burdened hourly rate, it can equal a huge loss for the small business and enterprise alike. That is not to mention direct revenue loss, compensatory payments, lost future revenue, billing losses, investment revenue losses leading to impaired financial performance, revenue recognition, affected cash flow, lost discounts, payment guarantees, credit rating, and even your company's stock price. Other expenses may include temporary employees, equipment rental, overtime costs, and related travel expenses. Also, consider a damaged reputation with customers, suppliers, financial markets, business partners, and perhaps even careers lost. A survey by the FBI and Computer Security Institute found that in 2001 the financial loss due to security breaches among 186 surveyed companies was nearly $378 million, compared to $266 million reported by 249 respondents in 2000. The average security breach cost was, therefore, approximately $2.0m in 2001, up from $1.0m in 2000. But this is only a fraction of the true cost.

Albert Einstein once said, "Intellectuals solve problems, geniuses prevent them."

Here are some steps to keeping your network available and maintaining your company's business continuity.

To effectively determine the specific risks to an IT system during service interruption, a risk assessment of the IT system environment is required. A thorough risk assessment should identify the system vulnerabilities, threats, and current controls and attempt to determine the risk based on the likelihood and threat impact. Because risks can vary over time and new risks may replace old ones as a system evolves, the risk management process must be ongoing and dynamic.

Conduct a DAP (Digital Asset Protection) Workshop: A DAP Workshop helps to identify and prioritize critical IT systems and components. Executive Management should be involved to help identify preventive controls and review measures taken to reduce the effects of system disruptions that can increase system availability and reduce contingency life cycle costs.

Consider a Security Assessment, which can identify critical systems whose loss could cause a major impact to the company. This security assessment process should be repeated on a regular basis to maintain the health of the organization. Security Assessments identify threats and vulnerabilities so that appropriate controls can be put into place to either prevent incidents from happening or to limit the effects of an incident.

Build strong architecture: consider redundant communications paths, lack of single points of failure, enhanced fault tolerance of network components and interfaces, power management systems with appropriately sized backup power sources, load balancing, and data mirroring and replication to ensure a uniformly robust system.

In conclusion, consider the evolution of security in relation to the evolution of car safety. In the 1950's they added seat belts to cars; today most cars come standard with air-bags, anti-lock brakes, power-steering and other tools to help you run safely and smoothly. In fact, you don't leave the house planning to get in an accident, but you definitely want to be ready in the event of an accident. The same can be said for your business and information systems: we do not enter the office each day planning to be attacked and disrupted from serving our customers, but if it happens, won't you be glad that you chose to wear your seat belt? Please buckle up and drive your business safely!