How Do We Plan?
There are several pieces of a normal security program that will feed into the development of both the business continuity plan and the disaster recovery plan.
A risk assessment is a formal analysis of Information System (IS) assets, threats, and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. Additionally, a risk analysis determines whether existing countermeasures and safeguards adequately reduce the probability of loss to an acceptable level and determines the need for additional cost-effective countermeasures.
Assessing the risks to a system should be an ongoing activity, so that new threats and vulnerabilities are identified and necessary security measures are included throughout the Systems Development Life Cycle (SDLC).
A business loss/impact analysis is used to determine the critical resources required to support the business mission. Assets/resources (servers, workstations, operating systems and other software, etc.) are defined as valuable objects, both physical and functional, that require protection from harm or compromise. The analysis determines the potential loss to these resources from four threat/impact categories:
- Modification of resources
- Destruction of resources
- Disclosure of data
- Denial of service
The resultant loss impact values can be expressed in qualitative or quantitative terms.
These two processes will feed directly into the development of your plans. They are necessary to ensure that business owners have a proper understanding of the risks to their critical business functions. It’s always prudent to follow industry best practices when performing any work of this nature.
It’s also advisable to follow an outline or guide to ensure that you address all critical points in the plans. For government agencies, NIST has provided the Contingency Planning Guide for Information Technology Systems. There is also an extensive section known for Federal Agency Security Practices, which provides sample documents and outlines to ease the pain of writing the plans from scratch. For the commercial industry, there’s the ISO-17799 Information Security Standard, as well as multiple certification institutions for training and certifying your staff.
Planning Is Not Enough
Now that you’ve developed and written your plans, your business is safe, right? Wrong! As with all aspects of your security program this, too, should be part of a Security Life Cycle. These plans should be considered living documents, requiring ongoing review and maintenance.
First, a testing program needs to be developed and implemented. It will need to be updated to reflect changes in business procedures and practices, hardware and software upgrades, system modifications, and any problems that might be discovered during testing.