Tuesday, 15 October 2013

Are security and business continuity a good fit?

Daniel Dec
Cognizant Technology Solutions

The answer to that question is 'yes' - security and business continuity are a good fit and my reasons for this are based on observations and experiences over my career, along with some research evidence to support my position. My reasons can be summarised under five broad headings and these are:

Availability, core in security and BC
The definition of Information Security focuses on three main principles - confidentiality, integrity and availability. It is the availability part of this triad that illustrates the close relationship that BC has with security. Computerized information is only of value if it is available when needed. The concepts and objectives of BC support the availability of Information Security. In addition, there is more relevance as the need for high availability has increased which we will talk more about in a future section.

The bottom line is information is only useful and of value if it is available when needed, and having a well architected and tested DR/BC program supports this availability principle.

Typical organizational structure of the BC and security roles
More than two thirds of the companies that I have visited over the years have BC as one of the responsibilities of the person responsible for security. In addition, several studies by various IT related organizations support this fact. The value that many organizations gain because of the close relationship of BC and security is why this responsibility typically resides with the Information Security Officer.  Both security and BC rely on influencing others to perform tasks so this is another piece of evidence illustrating they are a good fit.

High availability – security – BC
The need for more systems to have low RTO/RPO, including having zero time, has increased over the years and so has the need for a full BC program.  This includes the technical mechanisms to protect of the security of the production and failover systems.

But those complex systems also require adequate security to ensure that unauthorized access including malicious activities does not adversely affect the ability of the use to process information as intended.

Need for security in BC data
Staying with the premise that information is only useful if accessible, information is also only useful if there is integrity behind it.  So strong security controls must be present around the backup/failover data and backup/failover systems.  One of the main documented reasons for failures in recovery testing is the lack of security around backup data/media resulting in lost or mislabelled information. This is critical during recovery and many a test has been stopped in their tracks because of the lack of security over the recovery data.

Inclusion of BC and security in various regulation and standards
Various regulations and standards have closely related their requirements to include controls surrounding BC and security.  For example, the HIPAA healthcare Security Rule has a safeguarding provision for having a Continuity Plan. From a risk perspective, ISO27002 along with the security of key company information also include having a contingency plan.

Daniel will be discussing this and the issue of resilience within the 'Thought Leadership' stream at the BCM World Conference on Thursday 7th November, starting at 13:05.

No comments:

Post a Comment