January 12, 2009
Working Toward ISO 17799/27001 Business Continuity Management Compliance
This document assumes the organization follows ISO 17799/27001 and has implemented many of its controls (including disaster recovery), but may be lacking in the area of business continuity management. It aims to consolidate and leverage the work already done for the other ISO controls to jumpstart the business continuity plan (BCP) compliance effort.
The first step in compliance is to develop and implement a BCP management process. The process needs to identify the critical business processes within the organization and incorporate management requirements.
Process:
- Identify critical business processes and their associated assets. Create a template, or leverage the disaster recovery (DR) documentation, and send it to managers requiring them to document their critical business processes by location. (Note: the DR information may not be complete enough, as it usually covers only the recovery of technology functions and may exclude important business functions or processes that do not rely on technology.)
- Identify the consequences of a disaster. Again, most of this should already be in the DR plan.
- Identify controls to reduce risk.
- Ensure information for business operations is available.
- Ensure BCP is integrated within business processes and includes security.
- Ensure that plans are updated and tested on a regular basis.
Below is a sample that can be put together quickly to help meet part of this requirement. Use Excel to list the critical business processes in a matrix against each geographic location, as shown below.

The next step is to identify the results of different events by doing a business impact analysis (BIA). Continuity plans have to be developed for quick restoration of operations and should be integrated with information security and other key management processes. Controls that can be put in place to reduce risk should be identified.
The Threat should define “Who”
The Event should define “What, Where, and When”

The table below is an expansion of the above. (Threats are repeated for consistency)

After the assessment the following must be done:
- Continuity plan(s) must be created.
- Roles and responsibilities must be documented. Most should have already been done for other ISO controls, but there may need to be a few short statements added to reflect business continuity compliance.
- Procedures and processes must be documented. Many of these should already have been documented as part of incident response, disaster recovery, change control, and other standard operations. A few additional procedures may need to be created, such as the process for documenting and updating the plans.
Plans must share the same framework, meaning all departmental plans must be on a standard template. A centralized escalation and evacuation plan should be developed. Evacuation plans can simply state "follow building evacuation procedures." Escalation plans in most cases can follow the standard disaster, emergency services, or incident response plans.
Plans need to address:
- Roles and responsibilities of key staff (e.g. BCP coordinator, executive management, and users)
- Summary pointing to the documents that have recovery procedures for operations. In many cases these procedures are in the disaster recovery area or part of the standard operating function.
- Testing of plans. This needs to track and schedule each element and when it is tested.
- Storage of plans at alternate locations
- Ownership of plans
- Fallback procedures
- Resumption procedures
- Awareness and Training
- Review of plan(s)
Putting everything important together is the key to the business continuity plan. Many of the items above already exist within most organizations, but they have not been organized or consolidated in one place. A document detailing each of these items and consolidating them in one location is the key to passing the assessment. If you are already working toward ISO compliance, then Business Continuity Management is just one more minor component that can be accomplished quickly: consolidate the existing information in one place and create a document (the plan) that organizes and explains what needs to be done with these documents if there is a disruption to business operations. In some cases department-level plans will also be needed; these should closely mirror the main plan but focus on departmental operations. Some assessments will look for both centralized and departmental plans.
For more information, you can also review the actual ISO/IEC 17799/27001 documentation and the BS 25999-2 specification.
December 26, 2007
Army Says Macs Are More Secure! Are They?
An article was recently published about the Army adding Macs to improve security. Although diversifying vendors will usually make you more secure when done to support a defense-in-depth strategy, the context of the article suggests a lack of knowledge or evidence behind the statements made on the Army's part.
Article in Full:
http://news.yahoo.com/s/nf/20071224/bs_nf/57382;_ylt=AtIAHN4BI3dTDzpNM.n7xA8E1vAI
There is one particular statement that is worrisome, where the Army security spokesperson is quoted as saying "Apple's version of Unix is inherently more secure than Windows". Now I don't claim to know all the facts, but if you look at the links provided below, Mac OS X falls behind in 2007, and in 2004 it has fewer advisories but remains comparable percentage-wise in regards to the number of critical vulnerabilities.
2007 Stats:
http://blogs.zdnet.com/security/?p=758
2004 Stats:
http://www.techworld.com/security/news/index.cfm?newsid=1798
Fortunately the article has a counter-argument by Charlie Miller at the end, supporting the point that the Army needs to step it up with more than Macs when it comes to security strategy. He comments that the Mac is "behind the curve in security". He also has a great reference: "In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house." On the other hand, diversifying is good if you use one product to back up the function of another in the event one fails. So even though the pig's straw house was destroyed, if that pig could get to the brick house it would still survive.
December 19, 2007
Disaster Recovery – Alternate Site Geographical Distance
There is an article published earlier by DRJ (Thomas L. Weems), based on a study, that provides guidelines on the required geographical distance for alternate site locations. This is good news for those performing risk assessments where this is considered a vulnerability, because as far as I know FEMA has provided no specific guidelines.
http://www.drj.com/articles/spr03/1602-02.html (registration required to view)
Ideally, 105 miles point to point is the key number covering all the threats listed below. For those who don't have access to the article, below is a breakdown of the recommended geographical distances by threat.
NOTE: The article provides a graph, so the numbers below are based on my interpretation of the graph.
Alternate Site Distance Recommendations (miles, point to point from the primary site)
Hurricane: 105
Volcano: 75
Snow/Sleet/Ice: 70
Earthquake: 60
Tsunami: 52
Flood: 48
Military Installation: 45
Forest Fire: 42
Power Grid: 36
Tornado: 35
Central Office: 29
Civilian Airport: 28
None of the Above: 21
Off Site Storage Facility Distance Recommendations (miles, point to point from the primary site)
Hurricane: 85
Volcano: 64
Snow/Sleet/Ice: 56
Tsunami: 45
Earthquake: 43
Flood: 43
Military Installation: 41
Forest Fire: 38
Power Grid: 36
Central Office: 25
Tornado: 24
None of the Above: 24
Civilian Airport: 22
Also, the key here is to remember that the off-site storage facility should be accessible from the alternate site facility, which is something many organizations get wrong.
Problems and Revisions
Based on some quick research, there are a few problems with the distances above. I took three common disasters and did a quick analysis; here are the results along with some suggested changes.
Hurricane – Katrina spanned a much larger distance than 105 miles, proving that this distance is not adequate for a very large hurricane. The article below explains that Katrina extended over 780 miles, although the outer regions were probably only affected by rain. However, from my research severe damage occurred over roughly a 200-mile radius. Therefore, I would suggest doubling the current metric to 210 miles.
http://earthobservatory.nasa.gov/NaturalHazards/shownh.php3?img_id=13083
Volcanoes – Although the current figure will probably be fine in most cases, there is information supporting that volcanoes can spread ash up to 100 miles, as shown in the article below. Therefore, this number should be revised to 105 miles depending on the type of volcano.
http://pubs.usgs.gov/gip/volc/types.html
Earthquake – Similar to the volcano, this distance will probably be sufficient, but why take the chance when there is evidence that a magnitude 7.8 earthquake ruptured 220 miles of a fault? Therefore, this number and its definition should be clarified to mean at least 60 miles from a major fault line.
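As an added example (it is not part of the original post or of the DRJ article), the script below turns the distance recommendations above into a check a risk assessor can run: it computes point-to-point great-circle distances with the haversine formula between a primary site, its alternate site and its off-site storage facility, takes the largest minimum among the threats that apply to the primary site as the binding requirement, and reports any shortfall. The per-threat minimums are the figures listed above (my reading of the article's graph, not values from its text), and the alternate-site figures under revised=True are the hurricane and volcano revisions proposed above. The site coordinates, the function names and the 50-mile cap on how far the storage facility may sit from the alternate site are assumptions made for illustration.

```python
"""Alternate-site / off-site-storage separation check (added example).

Distances are point-to-point (great-circle) statute miles. The per-threat
minimums are the post author's reading of the DRJ graph, copied from the
lists above; the site coordinates at the bottom are constructed sample input.
"""
import math

EARTH_RADIUS_MILES = 3958.8  # mean Earth radius; good to well under 1% here

# Minimum distance from the primary site to the ALTERNATE SITE, per threat.
ALTERNATE_SITE_MIN_MILES = {
    "hurricane": 105, "volcano": 75, "snow_sleet_ice": 70, "earthquake": 60,
    "tsunami": 52, "flood": 48, "military_installation": 45, "forest_fire": 42,
    "power_grid": 36, "tornado": 35, "central_office": 29, "civilian_airport": 28,
    "none": 21,
}
# Minimum distance from the primary site to the OFF-SITE STORAGE facility.
OFFSITE_STORAGE_MIN_MILES = {
    "hurricane": 85, "volcano": 64, "snow_sleet_ice": 56, "tsunami": 45,
    "earthquake": 43, "flood": 43, "military_installation": 41, "forest_fire": 38,
    "power_grid": 36, "central_office": 25, "tornado": 24, "none": 24,
    "civilian_airport": 22,
}
# The revisions proposed under "Problems and Revisions" (alternate site only).
REVISED_ALTERNATE_SITE_MIN_MILES = dict(
    ALTERNATE_SITE_MIN_MILES, hurricane=210, volcano=105)


def great_circle_miles(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def required_miles(threats, table):
    """The binding requirement is the largest minimum among the applicable threats."""
    unknown = set(threats) - set(table)
    if unknown:
        raise ValueError(f"unknown threat(s): {sorted(unknown)}")
    return max(table[t] for t in threats) if threats else table["none"]


def assess_separation(primary, alternate, storage, threats,
                      revised=False, storage_reach_miles=50):
    """Compare site separations against the per-threat minimums.

    primary/alternate/storage are (lat, lon) tuples. storage_reach_miles is an
    assumed cap (not from the article) on how far the off-site storage facility
    may be from the alternate site, so that it stays reachable from there.
    Returns the measured distances, the binding requirements and a findings list.
    """
    alt_table = REVISED_ALTERNATE_SITE_MIN_MILES if revised else ALTERNATE_SITE_MIN_MILES
    d_alt = great_circle_miles(*primary, *alternate)
    d_sto = great_circle_miles(*primary, *storage)
    d_alt_sto = great_circle_miles(*alternate, *storage)
    need_alt = required_miles(threats, alt_table)
    need_sto = required_miles(threats, OFFSITE_STORAGE_MIN_MILES)

    findings = []
    if d_alt < need_alt:
        findings.append(f"alternate site is {d_alt:.0f} mi from primary; "
                        f"need at least {need_alt} mi for {sorted(threats)}")
    if d_sto < need_sto:
        findings.append(f"off-site storage is {d_sto:.0f} mi from primary; "
                        f"need at least {need_sto} mi for {sorted(threats)}")
    if d_alt_sto > storage_reach_miles:
        findings.append(f"off-site storage is {d_alt_sto:.0f} mi from the alternate "
                        f"site; assumed reach limit is {storage_reach_miles} mi")
    return {
        "alternate_miles": round(d_alt, 1),
        "storage_miles": round(d_sto, 1),
        "alternate_to_storage_miles": round(d_alt_sto, 1),
        "required_alternate_miles": need_alt,
        "required_storage_miles": need_sto,
        "findings": findings,
    }


# Constructed sample input: a Gulf Coast primary site with an alternate site and
# a storage facility roughly 45-75 miles away (coordinates are approximate).
PRIMARY = (29.95, -90.07)
ALTERNATE = (30.45, -91.19)
STORAGE = (30.50, -90.46)

if __name__ == "__main__":
    for threats in (["hurricane", "flood"], ["flood"]):
        for revised in (False, True):
            result = assess_separation(PRIMARY, ALTERNATE, STORAGE, threats, revised)
            label = "revised" if revised else "article"
            print(f"{sorted(threats)} ({label} table): "
                  f"{result['findings'] or ['no findings']}")
```

With the sample coordinates the alternate site is about 75 miles from the primary, which satisfies the flood minimum but not the hurricane minimum under either table; the storage facility is about 45 miles from the primary and about 44 miles from the alternate, so it passes the flood figure while failing the hurricane one. Use the threats that apply to the primary site's location, since the largest applicable minimum is what the plan has to meet.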
August 3, 2007
BS 25999-2 Business Continuity Management
The BS 25999-2 specification for business continuity management is out in draft form, free to download and review. My apologies for sitting on this so long and not getting it out earlier, because the deadline for review is today. Anyway, it's still good to download while you can.
July 19, 2007
MTA NYC Explosion: Poor Business Continuity
It's amazing that after so many disasters and crises in NYC, the MTA (Metropolitan Transportation Authority) still can't seem to get it right. The link below has a summary of the disaster scenario.
Anyway, so NYC is falling apart and all the people who live in Connecticut and upstate New York need transportation out of the city. Usually these commuters take the Metro North trains. Unfortunately the explosion occurred just outside Grand Central Station, where the Metro North trains depart NYC, so access to the trains was limited.
Problem
More than 45 minutes after the disaster occurred, MTA still did not have its continuity plan in full effect. If you dialed the MTA-Info number listed on their web site you were out of luck; the response was "All lines are busy." The website did not have a service alert message for commuters.
OK, phones out of service is to be expected, except that only MTA's phones were the issue. Next step: call 311 (the NYC information hotline); maybe the NYC main government information center can help figure out how to get out of the city. The 311 staff didn't know the status of the MTA trains. The 311 staff also couldn't contact MTA, because the phones at MTA were still out of service. Out on the street it was worse. The police were controlling the area, so they were the only government staff a person could ask a question. The answer the police gave was "you have to wait around".
I can't recall whether it was the news or 311 that mentioned going to 125th Street, which is one of the stations the Metro North trains pass on the way north. The only problem was that the train stops were not modified, so sadly many commuters watched trains drive right past.
Improvement
This is basic, but many companies fail at crisis management, business continuity, and disaster recovery on some of the simplest items, like phone hotlines. MTA needs to update its current plan to include:
- A phone hotline that is immediately updated with the current crisis status and directions for customers. (This should not be the normal MTA line; it should be a dedicated crisis information hotline, or the current 311 system should be used more effectively.)
- Faster updating of the website in emergency situations.
- Identified key contacts to improve downstream communication to the police on the street.
- Re-evaluation of train stops, by communicating with employees in the field to identify over-capacity issues at particular stops, such as the 125th Street location.
Good Practice
What did MTA do right? They eventually got the information out to the news channels and onto the website, but I'm sure it was hard for people standing on the street to get that information.
More on Emergency Management and Business Continuity
FEMA has a great deal of information on Emergency Management
http://www.training.fema.gov/EMICourses/EMICourse.asp
DRJ has a good deal of information on business continuity and disaster recovery