Security Should Be Part of Business Continuity Planning
By Polar Cove Staff
----------------------------------------------------
Disaster Recovery Planning
The essential determinant in post-disaster recovery is "time to data". Companies that go too long without restoring key business processes quickly lose revenues, lose customers, lose market position, and eventually lose everything.
Security Planning
The essential determinant in developing a security strategy is "access to data". Companies that leave their critical data exposed can quickly lose revenues, lose customers, lose market position, and eventually lose everything.
------------------------------------------------------
In both cases the key question is: what is the critical data? Most organizations do not know the answer. Finding it out should be part of every organization's business continuity and security strategizing.
A security consultant typically wants to know a few things at the beginning of an engagement: What does the network look like? What are the critical business processes? Where is the critical data? The critical processes and data are what the consultant should try hardest to protect. Most organizations readily answer the first question with layers and layers of highly detailed network maps, but then hesitate about the business processes and data. The reason for the hesitation is invariably that the organization has not classified its data or its business processes, nor associated particular data with particular business processes. From the point of view of information security, this is like asking a general to defend a country from invasion using maps marked with roads but no cities or terrain. To develop an organizational security strategy, the organization's business processes must be identified and its data must be classified. If this has not been done, the organization has two problems to address at the same time: it must increase its security, and it must greatly improve its data backup and disaster recovery plan.
At the planning stage, information security can be thought of as a subset of disaster recovery planning. For example, a network intrusion can be thought of as a form of disaster. By helping an organization form a classification scheme that addresses business continuity, a good security strategist can limit the organization's risk exposure as quickly and cost-effectively as possible. In disaster recovery planning, priority matters. In security, priority matters just as much, since you cannot secure everything and complete security is never achievable.
In backup planning, one has to know what data needs to be backed up every day, hour, or minute, and what data needs to be taken offsite. An organization needs to decide such tactics as where to install storage area networks, where restore procedures should be practiced most often, and which procedures must be audited most frequently. None of these plans can be made well without first classifying data and business processes. Security strategies need the same information for the same sorts of reasons: Where do you place the intrusion detection systems? Which data needs to be encrypted? Who gets the keys? Which network segments should be routinely tested for vulnerabilities? Where should intrusion containment occur? Where is strong authentication most needed? Until an organization's data and business processes are classified, these questions are hard to answer. If the classification is already done, an organization will get a better security strategy and will be able to build an information security system with the greatest chance of surviving security incidents while maintaining business continuity.
Phase 1: Classify Your Business Processes
Identifying the critical business processes is the first step in developing a data classification scheme useful to both disaster recovery and information security, and it requires a two-step process.
First, the organization's business processes need to be identified and then associated with the IT infrastructure that supports them. For example, a particular business process might span a wide area network, some local systems, a data storage network, and a few departmental servers running various operating systems. Start by identifying work procedures, then collect information about each process and the particular IT infrastructure it depends on.
Second, measure the impact of interrupting these business processes. Assume the interruption will occur at the worst possible time. A disaster recovery planner will measure interruptions in the form of events such as flood damage to a data center. A security planner will focus on interruption events such as a sustained denial of service attack against a certain point on the WAN. How well the organization can cope with an interruption reveals the relative importance of that particular process. For example, let's say a business with a very strong sales orientation receives all of its leads via a data replication process from an outsourced agent. The company relies on cash flow from a couple of thousand sales a day based on those leads. This is likely to be flagged as a critical business process for such a company. What would happen if a denial of service attack were focused on the data replication gateways? If the answer is "Our business would be crippled", then a critical business process has been identified. Not all of the examples are this easy; typically several interdependencies among processes, data, and infrastructure cloud the picture. If an organization does not distinguish the processes that are critical from those that are noncritical, it will not know how to develop strategies for disaster recovery and security.
Phase 2: Classify Your Data: What Is Important, and Where Is It?
No data is critical or noncritical on its own. Data is only important to the degree that it supports business processes or satisfies the financial or legal requirements of the business. Each category of organizational data (account histories, shipping records, licensed software, source code, manuals, contracts, email directories, auditable records, contact lists) will contain data ranging from "critical" to maintaining business continuity to "noncritical". Users of the data should be asked to identify their work procedures, and when Phases 1 and 2 are complete, a security strategist can begin developing tactics for securing the critical business processes and protecting the critical data.
The first two phases allow the development of threat profiles. A threat profile describes how a specific security event (a denial of service attack, an intrusion, a defacement, etc.) could disrupt a business process. Once the threats are understood and their relative likelihood established, plans to mitigate the risks with protection, detection, and containment tactics can begin. The goal of these tactics is to maximize business continuity in the event of a security disaster.
Phase 3: Initiate a Data Classification Process: Keep Up with the Data
Data in most corporations is growing at a rate of over 100% a year, so keeping a business continuity plan intact and useful requires an ongoing process. Ongoing classification is as important for security planning as it is for disaster recovery planning. Once a classification scheme has been developed, it should be turned into a usable policy. The policy needs to address how data is classified and what is to be done with it after it is classified. For example, the accounting department might require a policy stating that certain auditable records be considered "critical", and that all critical data be digitally signed and stored on server X (the most secure server). Analogously, there would be a data recovery policy requirement for such information as well, though it would not be addressed in the same policy.
After the policy is in place, departmental "owners" of information for each business unit, department, and workgroup need to be identified and given responsibility for "owning" the data. Given a good security and business continuity plan, each owner can then readily classify new data. How the data is stored, secured, transmitted, and backed up can then be handled by the relevant IT staff, who would operate under the guidelines of a separate policy.
An ongoing data classification process will certainly help disaster recovery planning. What most organizations do not realize is that it is equally crucial to forming an effective security strategy.
A Simplified Data and Infrastructure Classification Scheme

Critical to Business Continuity
  Critical Processes: Functions that cannot be performed without exactly duplicating the lost functions. Critical processes cannot be replaced by manual methods of any kind. Tolerance to interruption is very low, and the cost of interruption is very high.
  Critical Data: Any data that must be retained for legal reasons, for use in essential business processes, or for restoring critical business processes to a minimally acceptable working level.

Vital to Business Continuity
  Vital Processes: Functions that either cannot be replaced by manual methods, or can be replaced only for a brief time. There is a higher tolerance to interruption provided the restoration occurs within a set brief period. A brief interruption can be tolerated, but it will require a considerable amount of work and high cost to catch up after restoration.
  Vital Data: Documentation and data that is needed for normal business processes and represents a substantial investment by the organization. This data is likely to be hard to recreate or recoup. Data that requires some secrecy usually fits this category.

Sensitive to Business Continuity
  Sensitive Processes: Functions that can be performed by manual means for an extended period of time, albeit at a tolerable cost and with some difficulty. There will be considerable catching up once restored.
  Sensitive Data: Documents and data that is needed during the course of normal business operations but can be recreated (even at some cost) from other sources.

Non-Critical to Business Continuity
  Non-Critical Processes: Functions that can be interrupted for an extended period of time at little or no cost to the company and will require little to no catching up after restoration.
  Non-Critical Data: Documents and data that can be recreated at minimal cost in time and expense, or duplicates of sensitive, vital, or critical data.
If an organization answers the question "Where is the critical data?" and then executes sound security and disaster recovery strategies, that organization is far better prepared to keep its revenues, customers, market position, and business growing.