Business continuity starts with us
Since this is my first posting, I'm going to set the tone for my future comments and opinions about business continuity and how it fits into an overall security program. I might be a little unusual, but I get pretty excited when talking and writing about data and system availability assurance. So let's jump right in.
Most security professionals are familiar with the CIA triad of security: confidentiality, integrity, and availability. Confidentiality and integrity seem to get most, if not all, of the attention. Because loss of availability doesn't usually cause the same journalistic frenzy, it is often pushed to the bottom of the IT priorities list. But business continuity isn't just an IT issue.
During my years of dealing with disaster recovery and business continuity issues, I concluded that IT is typically much better than the business users at paying attention to at least catastrophic-event planning. Management teams outside the IS department see DR and business continuity management (BCM) as an "IS problem." Little attention is paid to DR beyond ensuring there is a hot site contract in place, to be dusted off during the annual audit.
In my opinion, security managers must assume leadership of BCM. Like other security controls, it's up to the CSO to make a business case for planning for service interruption events. Working with risk management personnel, if they exist outside the security function, security managers are in a good position to demonstrate business impact if employees are unable to execute against existing business processes. After all, understanding business processes is a key element of segregation of duties and least privilege enforcement as well as HIPAA and SOX compliance. BCM is more than restoring data center function after a disaster. It is a proactive approach to ensuring established processes are designed and implemented to consistently achieve business objectives, even when the unexpected happens.
Future posts will address these and other issues related to BCM, including:
- The importance of a BCM strategy and how to create one
- How a management supported BCM policy starts the process of strengthening availability as well as integrity and confidentiality
- The differences and similarities between BCM and disaster recovery
- How the guidelines included in the