Business continuity starts with us
Thu, 2008-09-18 15:45

Since this is my first posting, I'm going to set the tone for my future comments and opinions about business continuity and how it fits into an overall security program. I might be a little unusual, but I get pretty excited when talking and writing about data and system availability assurance. So let's jump right in.

Most security professionals are familiar with the CIA triad of security—confidentiality, integrity, and availability. Confidentiality and integrity seem to get most, if not all, the attention. Because loss of availability doesn’t usually cause the same journalistic frenzy, it is often pushed to the bottom of the IT priorities list. But business continuity isn't just an IT issue.

During my years of dealing with disaster recovery and business continuity issues, I concluded that IT is typically much better at paying attention to at least catastrophic event planning than the business users. Management teams outside the IS department see DR and business continuity management (BCM) as an "IS problem." Little attention is paid to DR outside of ensuring there is a hot site contract in place, to be dusted off during the annual audit.

In my opinion, security managers must assume leadership of BCM. Like other security controls, it's up to the CSO to make a business case for planning for service interruption events. Working with risk management personnel, if they exist outside the security function, security managers are in a good position to demonstrate business impact if employees are unable to execute against existing business processes. After all, understanding business processes is a key element of segregation of duties and least privilege enforcement as well as HIPAA and SOX compliance. BCM is more than restoring data center function after a disaster. It is a proactive approach to ensuring established processes are designed and implemented to consistently achieve business objectives, even when the unexpected happens.

Future posts will address these and other issues related to BCM, including:

  • The importance of a BCM strategy and how to create one
  • How a management-supported BCM policy starts the process of strengthening availability as well as integrity and confidentiality
  • The differences and similarities between BCM and disaster recovery
  • How the guidelines included in the BCM Code of Practice can be applied in a reasonable and appropriate way in your organization
  • Integrating BCM into day-to-day design and implementation activities
  • The role of BCM in an enterprise security program

In summary, I’ll share my experiences and opinions with the expectation you’ll share right back—building a community of managers collaborating to integrate BCM best practice and lessons learned into our organizations.

Reader Feedback
Thu, 2008-09-25 07:27
Business Continuity
By Bernard, a security consultant in Cambodia

Tom,

You are right on! In a few lines you have summarized what we, security professionals, are faced with all too often.
Your initial posting should be a must-read for all CEOs and business owners, provided they will not pass the buck to their IT managers.
It is kind of discouraging to see that too many companies wait for a first disaster to occur to decide to take BCM seriously.
May a lot of business decision makers read your column. They will certainly benefit from it much earlier than they may think.

Sun, 2008-09-21 13:19
Business Continuity
By Anonymous

The term availability has been warped into meaning all things related to continuity. Availability from a security standpoint only deals with security threats to availability, not everything under the sun.

Business continuity belongs to the business, not IT and certainly not security. The business must know what they depend upon and build the best BC plans to fit their threats. Security is actually a customer in this since security should be factored into change in process. This should not mean that security owns the entire process.

One day, businesses will understand this and build a healthy BC practice, but in the meantime IT and security will continue to be the lap dogs to do the work that businesses should be doing.

Tue, 2008-09-23 15:15
BCM
By Anonymous

BCM planning can only be successful once ownership for it is willingly and enthusiastically accepted by business management. Too often, it falls on IT or Security to develop continuity plans. Without full involvement from the business, it will fail.
