The Security Risks of Not Having a Business Continuity Program

Ralph DeFrangesco

A Business Continuity Program (BCP) is essential for the continuation of key business processes and information system services in order for organizations to recover from an unexpected business interruption. A synchronized BCP and IT Disaster Recovery Plan (DRP) are two key elements needed to recover from natural and/or man-made disasters such as fire, flood, cyber-attack/virus infection or even a DoS attack.

I recently had the opportunity to interview Mark Kern, Safety and Business Continuity Planning Lead with Noblis, located in Falls Church, Va. Kern is a Certified Business Continuity Planner (CBCP) with over 20 years of experience dedicated to BCP. Kern commented that "today, not having a Business Continuity Program, or having a program comprised of poor or mediocre plan(s), will definitely put your company at risk as it relates to IT security."

The crux of this statement lies in the definition of IT security. According to ZDNet, IT security is defined as, "the protection of data, networks, and computing power." You can look at almost any definition and get a similar description. Isn't this what we prepare a business continuity program for?

So by not having a Business Continuity Program in place, we put our assets, our people, and our stakeholders at risk. Kern also believes that, "viewing BCP as just an insurance policy is dangerous. A fully supported BCP is an essential business and IT security process." A good Business Continuity Program starts at the top. It must have buy-in from the board of directors and senior management, all the way down to the people who execute the plan. In other words, business continuity is everyone's responsibility, because business continuity is a part of security.

Kern also commented that, "some organizations are satisfied with the illusion of a BCP. Having vague BCP and security policies that are rarely enforced is risky. Companies should adopt internal BCP quality standards that reflect the needs of the business. The most effective continuity plans are built from the ground up after the completion of a thorough Business Impact Analysis (BIA). The establishment of Recovery Time Objectives and Recovery Point Objectives, as well as business process application and system mapping, to identify internal and external dependencies, is critical in the development of an effective BCP."

As a professional who has developed, implemented, exercised and audited many continuity programs, I can tell you that some IT executives regard BCP and disaster recovery planning as a necessary evil. It is viewed as a requirement by boards of directors and stakeholders, but may have little value if not properly administered. Every IT security program should include both business and IT components.

Feb 20, 2009 7:19 AM Steve Guss says:

Right! I've had the pleasure of working with Mark a few years back and he is dead on. BCP and DR professionals have been fighting this battle for decades. From time to time, commitment to the BC Program is temporarily swayed as a result of a natural disaster, a terrorist attack or other current event. Sadly, these tragedies/losses are soon forgotten and we find ourselves back at square one. The Board of Directors and senior management must get beyond the internal/external audits and the potential for monetary fines and make a serious commitment to ensure the viability of their BC program.

Remember, it is not a matter of if a disaster will strike but when. And when it strikes, will you be ready?

Perhaps we need a new reality show.  One that will mock test Corporate America and show them how vulnerable they really are.

Steve G.

Feb 23, 2009 2:02 AM Joe says:

I work for the government, and BCP is commonly called COOP (continuity of operations) planning. While agencies didn't enforce COOP plans in the past (even though they were mandatory), they are being forced to comply now. The importance of BCP/COOP/DRP planning is being realized by organizations more now than ever before due to the extreme dependence on IT. IT systems are even referred to as warfighting systems, much like tanks or aircraft. BCP/COOP/DRP used to be looked upon as an unnecessary business expense or a luxury. BCP is not cheap, so organizations are budgeting this into their financial landscape. People are getting past the mentality that disaster recovery only addresses hurricanes and bad weather. It encompasses anything that causes any interruption in operations, and who can afford that in these times?

Feb 23, 2009 3:17 AM Ralph DeFrangesco says: in response to Joe

Joe,

Looking at what you wrote here reminds me of a company that I audited less than two years ago. There was no plan if they should get hit with a virus, malware, or DoS. I asked, and they said they would just rebuild the server. I then asked why that wasn't in the plan, and they said, well, everybody knows that's what we would do.

So although we cannot account for every detailed threat, we need to be thinking broadly. Does it really make a difference if a building is destroyed by fire or flood? If it cannot be occupied, then it really does not matter, and that's how we need to think as planners.

-Ralph

Feb 23, 2009 10:29 AM John Nones says:

Audit plays a large part in this, since audit findings drive what executives do. I have seen the wool pulled over the eyes of many an auditor: organizations having useless template plans or planning software, or having an elaborate training program without any plans in place. The bottom line is: can the plan recover all critical aspects of your business? Does the plan (Response, IT, Business) meet all the RTOs and RPOs created in a Business Impact Analysis? Have the plans been tested, and is there a process for maintenance and continual improvement?

The risk of cutbacks or substandard plans is simple - if any part of the planning process fails so will your recovery.

Feb 23, 2009 10:55 AM Ralph DeFrangesco says: in response to John Nones

John,

After auditing many BC/DR plans in my career, I couldn't agree more. As you said, you can have all the fancy software and templates you want, but will your plan recover critical business processes? Planning? Let me leave you with a quote from General Dwight D. Eisenhower: "When preparing for battle I have always found that plans are useless, but planning is indispensable."

Thanks for your comments.

-Ralph

Feb 23, 2009 11:48 AM John Sweeney says:

Too often, people take a project management approach to DR. Let me update a phone number here and there and then place the plan back on the shelf until next year. It should be clear now, more than ever, that the BR/DR effort must be an integrated approach that accounts for people and processes, how they interact and how systems and applications SUPPORT the business. It needs to be an evolving program that changes as the business changes, and that takes commitment, commitment which can only occur if senior management makes it a priority.

Feb 26, 2009 8:40 AM Jason Hall says: in response to Ralph DeFrangesco

Ralph,

As always, great topic. I am going to keep it simple and probably upset many people.

We all know that a BCP Plan is essential. Let's take it a step further. How about we approach a simple topic like "Documentation". You can pull any type of documentation from that, including infrastructure designs, policies, procedures, etc. How many IT professionals actually take the time to do this? From my experience, very few.

IT is "supposed" to support and guide the business. It should be the responsibility of the IT leader (CIO, CTO, manager, director, etc.) to provide assurance to management. If that were the case, we would not always have to be selling management on technology and processes. Why? Because they put their trust in us. Unfortunately, executives have to be convinced because IT has always been a black hole of investment. For that, I fault IT as a whole.

Get on board and do your job! Don't be lazy! That is my suggestion for creating a BCP.

Jason Hall

Stuart Hall Technologies, Inc.

Jason.Hall@shtechnologies.net

Feb 27, 2009 5:18 AM Jim Leflar, CPP, CBCP says:

For years I have taken the approach that effective organizational resiliency involves a holistic perspective that blends BCP, crisis management, physical security, IT security, risk, etc. into a culture of risk management acceptance and involvement. When this culture is developed and effectively implemented, it creates a synergy that produces the results that we know are necessary and desirable. Ralph, Mark and the others are correct in acknowledging the need for all members of the organization to accept the responsibility of organizational survival; it starts at the top and goes to the bottom. Without that culture of acceptance and involvement, people are waiting for failure to arrive. It is more than just an IT problem or a DR problem; it is often a systemic issue that requires both an integrated and multidisciplinary approach to a successful resolution.

Feb 27, 2009 6:07 AM Jack Roken says:

The important fact that must be noted is that 1% of an organization's yearly IT budget must be on an effective and up-to-date BCP. In today's trying economic times it would be a fatal mistake to shortchange this budget.

The entire enterprise is at risk without the proper fiscal spending on a BCP.  I hope that Mark is getting the executive support to achieve his goals for the good of the organization.

Feb 27, 2009 7:10 AM Bill Adamowski says:

I have been the divisional CIO/CTO of two very large financial services entities, Wells Fargo and GMAC.  I appreciate all the comments of the BCP professionals that have commented on this blog and will concede that their expertise is much greater than mine regarding this area.

However, one of the key reasons we did the rigorous planning and testing regarding business continuity was our commitment to the customer.  No one would accept a Bank or Financial Services entity to be "down" because of disaster, much less a virus attack.  We are the place of "Security" for these people.  It is part of the core value proposition. 

In my opinion, this is not an IT "problem."  We shouldn't have to convince anyone.  It should be a dialogue at the highest level of an organization and simply answer the question "What is our commitment to our Customers?"  If the answer is the customer doesn't care if we are down due to disaster, virus attack, etc...then you don't need a great BCP.  If the answer is that it is critical to our customers, then "Live up to your Commitment."  In a Financial Services company, all you have is your reputation and I, as the CIO, made sure the entire executive committee and board of directors, understood this.

Just an old CIO's opinion...

Feb 27, 2009 8:29 AM Kathleen Matteo says:

My specialty is not in BC; however, I have been in IT for many years. In some corporations, leaders really need to be educated on the importance of business continuity planning. I agree it has to be a top-down culture in order to be properly institutionalized. Some corporate leaders feel they only need a BC plan for a major catastrophe and the risk is not great enough to warrant the expense. I have seen BC plans implemented during system outages that would be considered minor by their standards but could have been the ounce of prevention needed to save a corporation from the mad scramble when a critical system goes down.

BC is not so much about the expense of redundant systems as it is the proper processes (manual/paper) in place to be able to achieve your business goals or minimize revenue loss during down time.  For a major outage, however, dollars do need to be spent to have proper recovery in place.  And for this you need to consult a DR Professional to weigh the risk versus the expense.

I'd like to see more blogs like this to educate and heighten awareness.

Mar 4, 2009 3:15 AM Hank says:

Okay, I admit it. I am new to BC. Should I update our plan every 6 months, yearly or as things change? I don't want to be stuck updating this thing all the time.

Mar 4, 2009 6:12 AM Mark says: in response to Hank

Hi Hank,

Your organization's business continuity program office or BCPO (if you have one) should determine policies & procedures governing the BCP program, including plan maintenance. Of course, each BCPO has their own opinion on all aspects of a continuity program, but what I prefer is that each plan owner should perform quarterly mini-reviews and semi-annual major revisions of the BCP. Major revisions are usually a result of new findings in the business impact analysis or as a result of certain recovery exercise objectives not being met, which would result in the BCP procedures needing to be modified. The new recovery procedures would then be re-tested to see if the new solution will achieve the previously failed objective. It is important to understand that one of the main objectives of BCP exercises is to identify gaps/deficiencies in your recovery procedures so that you can continually make the plan better. A BCP is never done. Also, you should not be the lone person responsible for developing, exercising and maintaining the BCP. Your entire recovery team should be involved in the BCP processes.

Mar 5, 2009 4:10 AM Hank says: in response to Mark

Mark,

Thank you for the quick response. Unfortunately, I am the BCPO. I work in the business and I was tagged for this project because no one else wanted it. I spoke up and said I see the value...and the rest is history. You guys offer some good advice. I hope to see more coverage like this. Thank you.

Hank

Mar 5, 2009 5:34 AM Mark says: in response to Hank

Hi Hank,

It sounds like you have your hands full. A couple of things that can help you are to try to identify a C-level or senior executive that understands the importance of BCP and would be the executive sponsor for the program. Another great way to get support is to have an actual disaster which results in total chaos because of a lack of attention paid to BCP. I do not know how large your organization is, or if you are doing both IT disaster recovery as well as business continuity, but it always helps to have BCP liaisons in each of your functional areas to assist in developing functional area continuity plans. It is also helpful to have a strong and enforceable BCP and IT DR security policy, and that your continuity liaisons have BCP either written into their job descriptions or made part of their performance objectives, so that they have some sort of incentive to actively participate in the BCP program.

Mar 9, 2009 2:37 AM Chad Smith says: in response to Mark

Mark, I think you have a great strategy in place. The more you test and validate your plan, the more prepared your organization will be. Also, I agree with your note to get everyone on your recovery team involved. From my experience, those programs seem to have the highest success rate.

I would like to add that I see more and more companies trying to jump into the BCP process full throttle, and that often leads to roadblocks due to financial issues and budgeting. To me, I feel a "walk before you run" strategy is very important in the design and build of your BC plan. If you test and validate your plan accordingly, you can implement and budget funds as you go. This not only justifies consistent improvement of your plan, but it should keep financial issues at a minimum...thanks.

Mar 9, 2009 2:38 AM Jim Leflar says: in response to Bill Adamowski

Bill, I agree that the BCP or any other emergency plan must consider and account for the core business values. If an organization neglects to adhere to their core values, they are certainly missing the most important aspects of ethical business. Emergency planning must be an inherent part of the business operation, or in other words, the business culture; it is ill advised to try to separate them. Just my 2 cents from the soap box.

Mar 9, 2009 3:17 AM Chad says: in response to Jim Leflar

I would like to add that I see more and more companies trying to jump into the BCP process full throttle, and that often leads to roadblocks due to financial issues and budgeting. To me, I feel a "walk before you run" strategy is very important in the design and build of your BC plan. If you test and validate your plan accordingly, you can implement and budget funds as you prove value. This not only justifies consistent improvement of your plan, but it should keep financial issues at a minimum...

Mar 9, 2009 3:37 AM Steve Guss says: in response to Jim Leflar

There were a lot of interesting points of view, and I sensed that some of you, for obvious reasons, treaded lightly with your responses. We all agree that both the DR and BC plans must be in sync to have a successful recovery.

We all know that the real problem here is obtaining the buy-in from executive management. 

The Auditors only have a week or two tops to perform their audits and are easily "snowed". Executive management is well aware of this fact and will not commit financially as long as they can get past the audits!!!

So where do we go from here? Nobody knows these plans better than ourselves. We know exactly where the points of failure are and what is needed to make these plans successful. We have the information that the Auditors are seeking.

The question of commitment falls back in our laps. Are you willing to commit? Will you take the risk?

Mar 10, 2009 1:40 AM Chad says: in response to Ralph DeFrangesco

I would like to add that I see more and more companies trying to jump into the BCP process full throttle, and that often leads to roadblocks due to financial issues and budgeting. To me, I feel a "walk before you run" strategy is very important in the design and build of your BC security plan. If you test and validate your plan accordingly, you can implement and budget funds as you go. This not only justifies consistent improvement of your plan, but it should keep financial issues at a minimum as your program will continually show a value proposition.

Mar 10, 2009 9:14 AM Mark says: in response to Steve Guss

Very refreshing Steve,

To Steve's point, this excerpt was taken from "The Legal Issues of Business Continuity Planning".

Pay close attention to the last sentence!

"DETERMINING LIABILITY - Courts determine liability by weighing the probability of the loss occurring against the magnitude of harm, balanced against the cost of protection. This baseline compels companies to implement a reasonable approach to disaster recovery in which the cost of implementation is in direct correlation to the expected loss. In other words, if a company stands to lose millions of dollars as a result of an interruption to its computerized processing, the courts would take a dim view of a recovery plan which lacked the capability to restore the computer systems in a timely manner. Another precedent-setting case referred to as the Hooper Doctrine can be cited when courts are looking to determine a company's liability. This doctrine establishes that even though many companies do not have a disaster recovery plan, there are "precautions so imperative that even their universal disregard does not excuse their omission." Simply put, a company cannot use, as a defense, the fact that there are no specific requirements to have a disaster recovery plan and that many other companies do not have one.

Liability is not just related to corporations, but to individuals who develop disaster recovery plans as well. In 1989, in Diversified Graphics v. Ernst & Whinney, the United States Eighth Circuit Court of Appeals handed down a decision finding a computer specialist guilty of professional negligence. In this case, professional negligence was defined as a failure to act reasonably in light of special knowledge, skills and abilities. If the directors and officers of a corporation can be held accountable for not having a disaster recovery plan, then this case provides the precedent for individuals who are certified disaster recovery planners to be held personally accountable for their company's disaster recovery plan."

Mar 10, 2009 11:38 AM Ralph DeFrangesco says: in response to Mark

I think the key line in Mark's post is the following: "This baseline compels companies to implement a reasonable approach to disaster recovery in which the cost of implementation is in direct correlation to the expected loss." It's the words "reasonable approach" that interest me. I have seen the best and worst. In defense of good companies, most do a decent job, or at least they want to. Let's admit it, it's the companies that don't do anything, that don't take a reasonable approach, that Mark's posting is addressing. The "bad apples" are the ones that make it difficult for the rest of us and, in this case, cause a ruling to be issued.

-Ralph
