Welcome to the eighth issue of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to ISO17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. In view of recent events, this issue focuses particularly upon business continuity and disaster recovery.
Included in this issue are the following topics:
BACK-UP AND RECOVERY STRATEGY
One of the most important aspects of Business Continuity Planning for the majority of organizations is choosing an appropriate strategy for the back-up and recovery of IT-based systems.
In this phase, the key business processes are matched against the IT systems that support them, and a recovery strategy with an appropriate speed of recovery is chosen. This may require some in-depth research to determine the relevant costs of each strategy. For large systems, it may also be necessary to prepare a detailed Request for Proposal for vendors to establish the viability and cost of the preferred strategic approach.
Consideration should also be given to the impact of potential severe damage to both premises and communication systems which could, of course, also have a significant impact on the organization's IT services and systems.
There are a number of strategic options to be investigated when considering IT systems back-up and recovery processes. The two most important factors to be considered are the criticality of the IT systems to the business processes (i.e. the speed of recovery needed), and the amount of money available for IT back-up and recovery strategies. The options, in order of cost, are as follows:
a) No Strategy At All
This is the cheapest strategy, but it also carries the highest risk: there is no off-site back-up of systems or data. This option often ends with the organization going out of business.
b) Relocate and Restore Option
This strategy involves identifying a suitable location, hardware and peripherals, and re-installing the systems and the backed-up software and data after an emergency has occurred. This strategy is usually considered inadequate for the needs of today's business.
c) A Cold Site
This strategy involves setting up an emergency site once the crisis has occurred, backed by a standby arrangement with a vendor to deliver the minimum configuration urgently. This option usually enables the organization to be operational within two to three days.
d) A Hot Site
This strategy involves establishing a commercial arrangement with a vendor who guarantees to maintain a compatible site, enabling you to switch your IT operations to the vendor's site within an agreed time period, usually less than six to twelve hours.
e) A Switchable Hot Site
This strategy involves establishing a commercial arrangement with a vendor who guarantees to maintain an identical site, complete with communications, enabling you to switch your IT operations to the vendor's site within an agreed time period, usually less than one to two hours.
f) A Fully Mirrored Recovery Site
This strategy entails maintaining a fully mirrored duplicate site, which enables instantaneous switching between the live site and the back-up site. This is normally the most expensive option.