Welcome to this, the sixth edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to the ISO 17799 information security standard.
The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.
SECTION 11: CONTINUITY BACK-UP / RECOVERY STRATEGY
For the majority of organizations, one of the most important aspects of Business Continuity Planning is choosing an appropriate strategy for the back-up and recovery of the IT-based systems.
In this section of the planning process, the key business processes are normally matched against the IT systems and an appropriate speed of recovery strategy is chosen. This may require some in-depth research to determine the relevant costs of each strategy. It may also be necessary to prepare a detailed Request for Proposal for vendors to establish the viability and cost of the preferred strategic approach and related support.
Consideration should also be given to the possibility of severe damage to both premises and communication systems, which could have a significant impact on the organization's IT services and systems.
There are a number of strategic options to be investigated when considering IT systems back-up and recovery processes. The two most important factors to be considered are the criticality of the IT systems to the business process itself (the speed of recovery needed), and the amount of money available for IT back-up and recovery strategies. The options, in order of cost, are as follows:
No effective back-up strategy
At first glance this appears to be the cheapest strategy, but it also carries the highest risk, as it will often involve no effective off-site back-up of systems or data. As you would expect, this strategic option usually ends with the organization eventually going out of business, as it is not prepared for unexpected emergencies. You would be surprised at the number of businesses that adopt this approach to Business Continuity and Disaster Recovery. It often ends up being the most expensive strategy of all.
Relocate and restore
This strategy involves identifying a suitable location, hardware and peripherals, and re-installing the systems and backed-up software and data after an emergency has occurred. This strategy is often considered to be inadequate for the needs of today's business.
This strategy involves setting up an emergency site once the crisis has occurred, with a standby arrangement in place with a vendor to deliver the minimum configuration urgently. This option usually enables the organization to be operational within two to three days.
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain a compatible site to enable you to switch your IT operations to the vendor's site within an agreed time period, usually less than six to twelve hours.
Switchable hot site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain an identical site with communications to enable you to switch your IT operations to the vendor's site within an agreed time period, usually less than one to two hours.
Fully mirrored recovery site
This strategy entails the maintenance of a fully mirrored duplicate site which would enable instantaneous switching between the live site and the back-up site. This is normally the most expensive option.
Finally, if you do decide to outsource some or all of these IT disaster recovery back-up processes, don't forget to insist that your supplier also has adequate business continuity planning processes in place that are up-to-date and fully tested!
Additional advice and guidance on Business Continuity and Disaster Recovery Planning can be found at: http://www.disaster-recovery-guide.com