Welcome to the eighth issue of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to ISO17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. In view of recent events, this issue focuses particularly upon business continuity and disaster recovery.
Included in this issue are the following topics:
POTENTIAL EMERGENCY TYPES FOR BUSINESS CONTINUITY PLANNING: PART 1
A key part of the business continuity planning process is to examine what types of potential disaster or emergency situations will need to be catered for. The focus here should be on the level of business disruption likely from each serious incident. One category of potential emergencies to be considered are those caused by one or more of the following Information Security incidents:
a) Loss of records or data
The loss of records or data can be particularly disruptive where poor back up and recovery procedures result in the need to re-input and re-compile the records (if possible). This is normally a slow process and is particularly labour intensive. This can result in an increase in costs through additional working hours and a great deal of embarrassment and potential direct loss where information is unexpectedly not available.
b) Disclosure of sensitive information
Not necessarily an availability issues, but nonetheless a serious information security incident which can result in severe embarrassment, financial loss, and even litigation where damage has been caused to someone’s reputation or financial standing. Further types of serious disclosure involve secret patent information, plans and strategic directions, secret recipes or ingredients, information disclosed to legal representatives etc. Deliberate unauthorized disclosure of sensitive information is also referred to as espionage.
c) IT system failure
With the almost total level of dependence on IT systems within many businesses, a failure of these systems can be particularly devastating. The types of threats to computer systems are many and varied, including hardware failure, damage to cables, water leaks and fires, air conditioning system failures, network failures, application system failures, telecommunications equipment failures etc.
d) Cyber crime
Cyber crime is a major area of information security risk. It includes attacks by hackers, denial of service attacks, virus attacks, hoax virus warnings and premeditated internal attacks. All cyber crime attacks can have an immediate and devastating effect on the organization’s normal business processes. The average cost of an information security incident has been estimated at US$30,000 and over 60% of organizations are reported to experience one or more incidents every year.
Each of the above scenarios needs to be developed and examined in detail, and an analysis prepared of the potential consequences. Each scenario should also be assessed for possibility of occurrence (probability rating) and possible impact (impact rating). A suggested rating structure for probability and impact assessment is given in the table below:
Again, this sort of approach is covered by a tool such as the Business Continuity Plan Generator as described above, or by an automated system like COBRA. The key, however, is the process: rationalizing issues which superficially do not seem to lend themselves easily to analysis.