SecureWorks is advising organizations to be proactive at protecting their information technology assets in case they are faced with a natural or man-made disaster. This means that it is critical for organizations to have a solid disaster recovery plan in place, prior to an incident occurring. To illustrate the threat, back-to-back hurricanes and tropical storms, i.e.: Gustav, Hanna and Ike, have had devastating effects on entire regions of the country. And the threat is not over as hurricane season begins June 1st and ends on November 30th, with most hurricanes occurring mid August through mid October.
Although hurricanes originate in the Atlantic and Eastern Pacific oceans before making landfall along coastal states, organizations in other geographical areas should be concerned with preventing business disruptions as well. According to news reports, the affects of Hurricane Ike, for example, reached areas like Illinois, Ohio, Kentucky and New York, causing floods, wind damage and power outages. Kentucky alone saw winds of up to 75 mph and had four deaths attributed to the storm.
For companies who have not yet formalized their BCP plans, here are some guidelines which are aligned with some of today’s common regulations:
- Make sure your business continuity plan has a section for disaster recovery, and make sure your BCP is enterprise-wide, considering every critical aspect of your business including personnel and physical workspace. The BCP should include a sequence of tasks and responsibilities that are clearly spelled out.
- Do a thorough business impact analysis (including a security business impact analysis) and risk assessment.
- Test your BCP for its effectiveness, and make adjustments/updates to reflect changes in your organization. Testing is recommended at least on an annual basis, and you should include third parties like data processors, managed security service providers and core processors.
- Identify alternate locations to operate from in the event you are no longer able to conduct business from your office. This should include a capacity for data centers, computer operations and telecommunications.
- Back up data, operating system configurations, applications and utility programs, and identify alternate telecommunications.
- Identify off-site storage for back up media, supplies and documents such as your BCP, inventory list, operating and other procedures, etc.
- Make sure you have alternate power supplies in case you are without electricity (uninterruptible power supplies [UPS] and back-up generators).
- Assemble a team in advance and designate people who are responsible for various tasks in the event of a disaster. All personnel should be trained in their contingency-related duties and new personnel should be trained as they join your organization.
Many organizations and regulating bodies have guidelines on how companies should handle data loss prevention, response and recovery. The Federal Financial Institutions Examination Council (FFIEC), which prescribes uniform principles and standards for financial institutions, outlines key areas of a business continuity plan (BCP) in its Business Continuity Planning IT Examination Handbook.