|
|
Recent Compliance News
ISO 17799 - disaster recovery - business continuity defined SO 17799 is often used as a generic term to describe what are actually two different documents: ISO17799 (also ISO 27002), which is a set of security controls (a code of practice), and ISO 27001 (formerly BS7799-2), which is a standard 'specification' for an Information Security Management System (an ISMS).
ISO 17799 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
The control objectives and controls in ISO/IEC 17799 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities - more info
An
increasing number of professionals know that small-scale emergencies can be
contained if staff members are prepared to react quickly. Damage can be limited
even in the face of a large-scale disaster. For example, cultural institutions
in Charleston, South Carolina, formed a consortium that focused on disaster
preparedness several years before they were hit by a hurricane. Many of those
institutions sustained only minor damage because they were able to put their
early warning procedures into operation. Disaster planning is
complex; the written plan is the result of a wide range of preliminary
activities. The entire process is most efficient if it is formally assigned to
one person who acts as the disaster planner for the institution and is perhaps
assisted by a planning team or committee. The enterprise's director may play
this primary role or may delegate the responsibility, but it is important to
remember that the process must be supported at the highest level of the
organization if it is to be effective. The planner should establish a timetable
for the project and should define the scope and goals of the plan, which will
depend largely on the risks faced by the enterprise.
The tasks that the leader of a disaster recovery business
continuity project needs to complete are:
Most aspects of business continuity and disaster recovery planning
apply to terrorist attacks and pandemics just as much as to fires, hurricanes,
floods, earthquakes, and other natural and manmade disasters.
It is necessary that an appropriate administrative
structure be created to effectively deal with crisis management. This will
ensure that all concerned understand who makes decisions, how the decisions are
implemented, and what the roles and responsibilities of participants are.
Personnel used for crisis management should be assigned to perform these roles
as part of their normal duties and not be expected to perform them on a
voluntary basis. Regardless of the organization - for profit, not for profit,
faith-based, non-governmental - its leadership has a duty to stakeholders to
plan for its survival. With the explosion of technology into every facet
of the day-to-day business environment there is a need to define an effective
infrastructure to support operating environment; have a strategy for the
deployment and technology; and clearly define responsibilities and
accountabilities for the use and application of technology. The template comes as both a WORD document
utilizing a CSS style sheet that is easily
modifiable.
Server enclosures provide access
control options such as lock-and-key, electronic control, RFID local readers and
access cards.
Today it still performs police duties, but as the
lone public communications system left in the city, it also carries VoIP traffic
that is the lifeline for many city businesses.
The storm wiped out wireline phone service and
cellular networks, and those that it didn't destroy outright couldn't be kept up
because the city could not get fuel to the backup generators needed to keep the
networks running, Meffert told an audience at a session during Spring VON 2006
this week.
Disaster
Recovery and Business Continuity for email requires at least six factors to be
included when the plan is created.
They are: Based on
working with thousands of customers, Janco Associates has developed a Disaster
Recovery and Business Continuity Template that includes everything that you need
to create a custom Disaster Plan. You can download a
full copy of the table of contents by going to http://www.e-janco.com/Register_drp.asp.
Business Continuity planning is key requirement for
running any modern enterprise that takes its operations and its clients
seriously. With so many potential disasters looming that can befall an
organization at any time, it seems unwise not to take actions to prepare for and
try to prevent the devastating impact of such catastrophes. There is a multiplicity of benefits in planning for
Business Continuity and disaster planning within
your organization. Not only will your data, hardware, software, etc., be better
protected, but the people that compose your organization will be better
safeguarded should a disaster occur. In addition, employees will be informed and
rehearsed as to what actions to take to immediately start the recovery process
and ensure business continuity if disaster strikes. Without this type of preparation any unexpected
event can severely disrupt the operation, continuity, and effectiveness of your
business. Disabling events can come in all shapes and varieties. They can vary
from the more common calamities like hard drive corruption, building fires or
flooding to the rarer, yet more severe and often longer lasting disruptions that
can occur on a city-wide or even national basis; events such as disruptions in
transport (oil crises, metro shut-downs, transport worker, strikes, etc.),
infrastructure weakening from terrorist attacks, or even severe loss of staff
due to illness like a pandemic flu. All of these strikes a blow at an
organization's struggle for business continuity. For smaller companies the impact of even
lesser disasters can hit much harder. For example, unexpected non-availability
of key workers alone could be catastrophic, potentially causing as much
disruption to business continuity as technological hardship, especially if it
occurs during the height of the company's busy season. If only one person is
trained to do particular and/or essential tasks, their unexpected absence can
severely disrupt productivity.
The typical cloud computing contract can look downright simple to an
experienced IT outsourcing customer accustomed to inking pacts hundreds of pages
long that outline service levels and penalties, pricing and benchmarks,
processes and procedures, security and business continuity requirements, and
clauses delineating the rights and responsibilities of the IT services supplier
and customer. And that simplicity, say IT outsourcing experts, is the problem
with cloud computing. Failure to understand the true meaning of the cloud and to
address the serious legal and contractual issues associated with cloud computing
can be catastrophic. The data security issues and business continuity issues are
particularly challenging, and failure to address them in the contract can expose
a customer to serious business
interruption and violation of mandated security requirements. If a cloud services contract (whether it's for software, infrastructure, or
platform-as a service) seems less complex, that's because it's designed to offer
products and services "as is"--without any vendor representations or warranties,
responsibility for adequate security or data protection, or liability for
damages.
Disaster
recovery and business continuity best practices - The top 7 best
practices 1.
Focus on operations 2.
Train everyone on how to execute the DRP
and BCP 3.
Have a clear definition for declaring
when a disaster or business interruption occurs that will set the DRP and BCP
process into motion - 4.
Integrate DRP and BCP with change
management 5.
Focus on addressing issues BEFORE they
impact the enterprise 6.
Validate that all technology is properly
installed and configured right from the start 7.
Monitor the processes and people to know
what critical .
Planning for a disaster is a difficult task at
best. A major provider of disaster
recovery services, lists hardware problems as the number one
cause of disaster, followed by power outages, hurricanes and floods.
CIOs often ask "What scenarios should we prepare for" and "How likely is it that
it will happen to us" When one thinks of disasters, big events such as Hurricane
Katrina or 9/11 are the first come to mind. But if we look at the ultimate
consequence of a disaster - downtime - we can see that any event, large or
small, can have the same effect on IT
infrastructure. Certain areas of the United States have also had
power supply problems in the recent past. Most notable is California with its
infamous rolling blackouts. Parts of Texas also implemented rolling blackouts
when there are abnormally high temperatures. Other regions of the country
implement brownouts, where the voltage is reduced to customers during power
emergencies. Brownouts can severely affect electronic equipment not protected
with an UPS or voltage regulation device. A CIO whose data center was located
in the region of California affected by the power crises said: You
have to restore and operate your systems from an alternate location
that has power. Obviously, that site is usually pretty far away and it is
not practical to physically move systems. Moving an interconnected web of
storage and servers to another set of infrastructure is a huge
challenge. These things just were not designed for that kind of mobility and
that is exactly the problem that virtualization solves.
Now that
you have a disaster recovery plan in place, you still have work to
do.
Disaster
planning is in trouble as many enterprises are not keeping up with changing
requirements. Many disaster recovery plans cannot keep up with the speed of doing
business in today's world. A 24-hour recovery time from a disaster is enough to
put many companies out of business. Many business executives feel their disaster recovery strategy is
woefully inadequate and that their disaster recovery plans are out-of-date and
provide for minimal coverage. This coverage includes having their legacy
applications run on their mainframe or proprietary systems. Very few disaster
recovery plans go much deeper into the application suite. In interviews with business executives
Janco estimates their coverage to be about 10% of their critical applications.
According to the some estimates, 75% of all critical applications operate 24/7.
That is precisely why corporations are moving away from disaster recovery to
replicated data and processing. However, this falls short as well. Instead, what
is needed is an architectural approach to the
problem. The Janco Disaster Recovery -
Business Continuity Template directly address these
issues.
According to Janco Associates, the primary factor
in the activiation of Disaster Recovery and Business Continuity Plans is
computer hardware failure.
Disaster
plans need to include a way to contact individuals who are in the area after
an event. Google has a tool to help people locate friends and loved ones who have been
affected by the 8.8.-magnitude earthquake in Chile. Google Person
Finder allows users to search for information about people by name or leave
information about people in both English and Spanish. The page said it contained
22,900 records. However, the page cautions users that all data input would be
viewable and usable by all and that the company plays no role in verifying the
information. Google had set up a similar Person Finder tool after Haiti's recent
earthquake.
There is a big crunch coming, and companies will
start to experience ever greater IT failures unless they start buying new
hardware. When the recession started, IT spending fell off a
cliff. Hardware and software companies are hoping that IT spending will
make a strong comeback because of the pent up demand and the fact that
there is a lot of aging IT gear installed today. Most companies have extended their maintenance
contracts, but, at some point, that will not be enough as IT systems start
failing. Predicting IT failure is not a hard thing to do.
When you deal with tens of thousands, and even hundreds of thousands of servers,
data storage systems, network equipment, etc, it is a relatively simple
statistical exercise. The fact that IT systems are aging.
Maintenance contract prices increase every year that older equipment is kept
working. At some point it becomes more expensive than upgrading. And upgrading
brings additional benefits such as higher performance from the latest processors
and subsystems. Currently, a large part of an organization's IT
budget is being spent on regulatory compliance issues, and on security, which is
related to regulatory compliance. For the executives, being in compliance means
not going to jail. But if you can't run your business IT applications
reliably then being compliant becomes a moot point. So, will spending on basic
IT infrastructure come roaring back this quarter? Or will companies try to eek
out another few months of performance out of their aging IT
systems?
The state of IT Disaster Planning
and data protection is in flux. Conventional models of backup and restore
have become obsolete and are being replaced by newer dynamic paradigms that
involve disk-to-disk, virtual server provisioning, sophisticated data
deduplication, and appliance-based operations. Janco has identified four primary business drivers of data
protection:
Traditional backup solutions create duplicate data in two
ways: A deduplication system identifies both situations and eliminates
redundant files, reducing the amount of disk necessary to store your backups
anywhere from 10:1 to 50:1 and beyond, There are two main types of deduplication. Target dedupe systems
allow customers to send traditional backups to a storage system that will then
dedupe them; they are typically used in medium to large datacenters and perform
at high speed. Source dedupe systems use different backup software to eliminate
the redundant data from the very beginning of the process and serve to back up
remote offices and mobile users.
As business technology proliferated over the past 10 to 15
years, DRP / BCP coverage expanded from back office systems to all types of
additional business applications. New business applications and IT services help organizations
react quickly to a dynamic marketplace and provide access to information -
wherever and whenever it's needed. Areas of concern include:
A tape copy operation may be made locally and then physically
transported to another location for safe off-site storage, or data may be
replicated as part of the backup and data protection
process to a remote VTL or tape library where a removable tape copy is made.
Hybrid solutions also leverage diskto- disk locally with snapshots or other
point-intime copies that are then replicated to another location or to a
cloud-based storage managed service provider (MSP). Data and network bandwidth
optimization techniques and technologies, including compression and
deduplication among others, enable more data to be moved on available networks
or to reduce networking requirements.
How long can your Enterprise afford to be without
your data? With an Janco disaster recovery program, you never have to
answer this question. Download this disaster recovery business continuity
template table of contents and see how you can reduce RPOs and RTOs even
more. With lost data being a competitive liability, there is no room for
downtime in today's business world. The DRP template includes everything needed to customize the Disaster
Recovery Plan to fit your specific requirement. A disaster recovery is a response to a declared
disaster or a regional disaster. It is the restoration or recovery of an entire
Agent computer. A disaster recovery plan describes how an organization is to
deal with potential disasters. Just as a disaster is an event that makes the
continuation of normal functions impossible, a disaster recovery plan consists
of the precautions taken so that the effects of a disaster will be minimized,
and the organization will be able to either maintain or quickly resume
mission-critical functions.
In unveiling the Smart Business Storage Cloud, IBM
said it also planned to launch a business-grade public cloud that would offer
"flexible consumption models and a self-service user interface to fully abstract
the technology from the end user." However, no timetable or pricing was offered.
Cloud storage is a broad term that typically
applies to storage systems that are highly scalable and can be used internally
or externally. The systems often use some form of clustered or grid-based
storage. IBM's proposed solution to these problems for large
organizations comprises the tech company's XIV storage arrays, BladeCenter
servers, and General Parallel File System. The system would support multiple
petabytes of data, including text, audio, and video, in a single global
namespace. Key to IBM's private-cloud offering is a new
Information Archive, an integrated hardware and software system that provides a
single unified platform for information retention. GPFS is a core component of
the system, as is policy-based management software that automatically moves less
active information to inexpensive storage systems, such as tape. While making better use of tape, the system also
retains access to data in those systems. "Using a customizable
'collections-based' approach, the archived data can be accessed in a private
cloud computing environment, even if it's stored on tape media," IBM said in a
statement. "This capability is critical as an increasing amount of data is
expected to exist in archived formats." IBM promises a "highly secure" environment that's
built using a customer's existing security and authentication infrastructure.
IBM Global Business Services launched
cloud-consulting offerings to complement the latest products. The services are
geared toward helping organization build a business case for cloud computing,
identify processes that would benefit the most, and define a roadmap for
deployment. IBM's entry into cloud storage is likely to present
a serious challenge to other vendors, such as Amazon, Microsoft, AT&T, and
Hewlett-Packard. A recent survey by Evans Data found that developers considered
IBM as being able to provide the most secure private cloud environment, and was
also rated high in reliability and ability to execute.
Today's IT environment is increasingly complex, with a wide array
of new technologies filtering into the organization at many points - from
centralized procurement to An IT products catalog combines detailed information about all of
the hardware and software used by an organization, as well as relevant
alternatives and planned technologies. It normalizes data (identifying the
different variants and versions of software, for example), associates solutions
with vendors, puts solutions into categories, and potentially adds related data,
such as support information, power consumption, pricing and more. Unfortunately, creating and maintaining a comprehensive IT products
catalog is an enormous challenge. There are tens of thousands of vendors,
millions of products, and an exponentially larger set of product attributes. As
a result, most IT catalog attempts suffer from limited scope, out-of-date data,
and the lack of relevant business context.
|
|
Federal and state government
regulations can be a big problem for today's organizations. There
are more than 100 such regulations in the U.S. alone, and that
number continues to grow. These are in addition to industry-specific
mandates. They are all designed to safeguard the confidentiality,
integrity, and availability of electronic data from information
security breaches. So, what are the consequences if your
organization fails to comply? Heavy fines and legal action. In
short, it's serious.
