Security Should be part of Business Continuity Planning
By Polar Cove Staff
---------------------------------------------------------------------------------
Disaster Recovery Planning
The essential determinant in post-disaster recovery is "time to data".
Companies that go too long without restoring key business processes quickly
lose revenues, lose customers, lose market position, and eventually lose
everything.
Security Planning
The essential determinant in developing
a security strategy is "access to data". Companies that allow
their critical data to be vulnerable can quickly lose revenues, lose customers,
lose market position, and eventually lose everything.
----------------------------------------------------------------------------------------------------
In both cases the key question is: what is the critical data? Most
organizations do not know the answer. Finding out should be part of every
organization's business continuity and security strategizing.
A security consultant typically wants to know a few things at the beginning
of an engagement: What does the network look like? What are the critical
business processes? Where is the critical data? The critical processes and
data are what the consultant should try hardest to protect. Most organizations
answer the first question readily, with layers and layers of highly detailed
network maps, but then hesitate about the business processes and data. The
reason for the hesitation is invariably that the organization has not
classified its data or its business processes, and has not associated its
data with particular business processes. From the point of view of
information security, this is like asking a general to defend a country
from invasion using maps marked with roads but no cities or landscape. To
develop an organizational security strategy, the organization's business
processes must be identified and its data must be classified. If this has
not been done, the organization must do two things at the same time:
increase its security and greatly improve its data backup and disaster
recovery plan.
At the planning stage, information security can be thought of as a subset
of disaster recovery planning. For example, a network intrusion can be
thought of as a form of disaster. By helping an organization form a
classification scheme that addresses business continuity, a good security
strategist can limit the organization's risk exposure as quickly and cost
effectively as possible. In disaster recovery planning, priority matters.
In security, priority matters just as much, since you cannot secure
everything and can never achieve complete security. In backup planning, one
has to know what data needs to be backed up every day, hour, or minute, and
what data needs to be taken offsite. An organization needs to decide such
tactics as where to install storage area networks, where restore procedures
should be practiced most often, and which procedures must be audited most
frequently. None of these plans can be made well without classifying data
and business processes first. Likewise, security strategies need the same
information for the same sorts of reasons: Where do you place the intrusion
detection systems? Which data needs to be encrypted? Who gets the keys?
Which network segments should be routinely tested for vulnerabilities?
Where should intrusion containment occur? Where is strong authentication
most needed? Until an organization's data and business processes are
classified, these questions are hard to answer. If the classification is
already done, an organization will get a better security strategy and will
be able to create an information security system that has the greatest
chance of surviving security incidents while maintaining business continuity.
Phase 1: Classify Your Business Processes
Answering the question "where is the critical data?" begins with the
business processes. This is the first step in developing a data
classification scheme useful to both disaster recovery and information
security, and it is itself a two-step process.
First, the organization's business processes need to be identified and then
associated with the IT infrastructure. For example, a particular business
process might span a wide area network, some local systems, a data storage
network, and a few departmental servers running various operating systems.
Start by identifying work procedures, then collect information about each
individual process and the particular IT infrastructure that supports it.
Second, measure the impact of interrupting these business processes. Assume
the interruption will occur at the worst possible time. A disaster recovery
planner will measure interruptions in the form of events such as flood
damage to a data center. A security planner will focus on interruption
events such as a vigorous denial of service attack on a certain point on
the WAN. The organization's ability to cope with an interruption shows the
relative importance of that particular process. For example, let's say a
business with a very strong sales orientation accesses all of its leads via
a data replication process from an outsource agent. The company relies on
cash flow from a couple of thousand sales a day based on those leads. This
is likely to be flagged as a critical business process for such a company.
What would happen if a denial of service attack were focused on the data
replication gateways? If the answer is "Our business would be crippled",
then a critical business process has been identified. Not all of the
examples are this easy; typically, several dependencies among processes,
data, and infrastructure cloud the picture. If an organization does not
identify which processes are critical and which are not, it will not know
how to develop strategies for disaster recovery and security.
Phase 2: Classify Your Data: What is important? Where is it?
No data is noncritical or critically important on its own. Data is only
important to the degree that it supports business processes or satisfies
the financial or legal requirements of the business. Each category of
organizational data (account histories, shipping records, licensed
software, source code, manuals, contracts, email directories, auditable
records, contact lists) will contain data ranging from "critical" to
maintaining business continuity to "noncritical". Users of the data should
be asked to identify their work procedures, and when Phases 1 and 2 are
complete, a security strategist can begin developing tactics for securing
the critical business processes and protecting the critical data.
The first two phases allow the development of threat profiles. A threat
profile represents a possible threat to a business process resulting from
an undesirable security event (denial of service attacks, intrusion,
defacements, etc.). After the threats are understood and their relative
likelihood established, plans to mitigate the risks with protection,
detection, and containment tactics can begin. The goal of these tactics is
to maximize business continuity in the event of a security disaster.
Phase 3: Initiate a Data Classification Process: Keep up with the data.
Data in most corporations is growing at a rate of over 100% a year.
Therefore, keeping a business continuity plan intact and useful requires an
ongoing process. Ongoing classification is as important for security
planning as it is for disaster recovery planning. Once a classification
scheme has been developed, it should be turned into a useful policy. The
policy needs to address how data is classified and what is to be done after
it is classified. For example, the accounting department might require a
policy stating that certain auditable records be considered "critical", and
that all critical data be digitally signed and stored on server X (the most
secure server). Analogously, there would be a data recovery policy
requirement for such information as well, though it would not be addressed
in the same policy.
After the policy is in place, departmental
"owners" of information for each business unit, department,
and workgroup need to be identified and given the responsibility of "owning"
the data. Given a good security and business continuity plan, each owner
can then readily classify new data. How the data is stored, secured, transmitted,
and backed up can then be handled by the particular IT staff. The IT staff
would be operating under the guidelines of a different policy.
An ongoing data classification process will certainly help disaster
recovery planning. What most organizations do not realize is that it is
also crucial to forming an effective security strategy.
A Simplified Data and Infrastructure Classification Scheme

| Level | Processes | Data |
|---|---|---|
| Critical to Business Continuity | Critical Processes: functions that cannot be performed without exactly duplicating the lost functions. Critical processes cannot be replaced by manual methods of any kind. Tolerance to interruption is very low, and the cost of interruption is very high. | Critical Data: any data that must be retained for legal reasons, for use in essential business processes, or for restoring critical business processes to a minimally acceptable working level. |
| Vital to Business Continuity | Vital Processes: functions that either cannot be replaced by manual methods, or can be replaced for only a brief time. There is a higher tolerance to interruption provided restoration occurs within a set brief period. A brief interruption can be tolerated, but it will require a considerable amount of work and high cost to catch up after restoration. | Vital Data: documentation and data that is needed in normal business processes and represents a substantial investment by the organization. This data is likely hard to recreate or recoup. Data that requires some secrecy usually fits this category. |
| Sensitive to Business Continuity | Sensitive Processes: functions that can be performed by manual means for an extended period of time, albeit at a tolerable cost and with some difficulty. There will be considerable catching up once restored. | Sensitive Data: documents and data that are needed during the course of normal business operations but can be recreated (even at some cost) from other sources. |
| Non-Critical to Business Continuity | Non-Critical Processes: functions that can be interrupted for an extended period of time at little or low cost to the company and will require little to no catching up after restoration. | Non-Critical Data: documents and data that can be recreated at minimal cost in time and expense, or duplicates of sensitive, vital, or critical data. |
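As an added illustration (not part of the original article), Phases 1 and 2 and the scheme above modelled in Python: a constructed inventory of processes mapped to the infrastructure and data they depend on, a check of which processes a given interruption stops, and data classification derived from the processes that use each data category. Company, component and data names are hypothetical.

```python
from dataclasses import dataclass, field

# Tiers of the article's classification scheme, most important first.
TIERS = ("Critical", "Vital", "Sensitive", "Non-Critical")

@dataclass
class Process:
    name: str
    tier: str                                     # assigned by the interruption-impact assessment
    depends_on: set = field(default_factory=set)  # IT infrastructure the process runs on
    uses_data: set = field(default_factory=set)   # data categories the process needs

# Constructed sample inventory modelled on the article's sales-lead company (hypothetical values).
PROCESSES = [
    Process("lead replication from outsource agent", "Critical",
            {"wan", "replication-gateway", "san"}, {"sales leads"}),
    Process("order entry", "Critical", {"wan", "san", "sales-db"}, {"sales leads", "orders"}),
    Process("monthly financial close", "Vital", {"san", "erp-server"}, {"orders", "ledger"}),
    Process("help desk ticketing", "Sensitive", {"ticket-server"}, {"tickets"}),
    Process("intranet wiki", "Non-Critical", {"wiki-server"}, {"manuals"}),
]
LEGAL_HOLD = {"ledger"}  # data that is critical purely because it must be retained for legal reasons

def affected_by_outage(component, processes=PROCESSES):
    """Phase 1, step 2: processes that stop if `component` is interrupted, most important first."""
    hit = [p for p in processes if component in p.depends_on]
    return sorted(hit, key=lambda p: TIERS.index(p.tier))

def tier_of_component(component, processes=PROCESSES):
    """Infrastructure inherits the tier of the most important process it supports."""
    hit = affected_by_outage(component, processes)
    return hit[0].tier if hit else "Non-Critical"

def classify_data(processes=PROCESSES, legal_hold=LEGAL_HOLD):
    """Phase 2: data inherits the highest tier of any process using it; legal-hold data is Critical."""
    rank = {}
    for p in processes:
        for d in p.uses_data:
            rank[d] = min(rank.get(d, len(TIERS) - 1), TIERS.index(p.tier))
    for d in legal_hold:
        rank[d] = 0
    return {d: TIERS[i] for d, i in rank.items()}

if __name__ == "__main__":
    # The article's question: what stops if the replication gateways are hit by a denial of service?
    for p in affected_by_outage("replication-gateway"):
        print(f"{p.tier:12} {p.name}")
    for d, tier in sorted(classify_data().items()):
        print(f"{tier:12} {d}")
```

Running the script lists the critical lead-replication process as the casualty of a gateway outage, and shows "orders" rated Critical because order entry (not the Vital monthly close) is the most important process that uses it.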
If an organization answers the question "Where is the critical data?" and
then executes sound security and disaster recovery strategies, that
organization is far better prepared to keep its revenues, customers,
market position, and business growing.

© 2006 Polar Cove