Disaster recovery/IT service continuity plans are instrumental in identifying latent and existing risks within the business environment. The same plans are also used to evaluate response and preventive measures, which in turn determine standards and policies. Certain factors have to be considered before any risk is evaluated:
- Event: What would happen?
- Probability: How likely is it to happen?
- Impact: What are its consequences?
- Mitigation: How can the probability be reduced, and by how much?
- Contingency: How can the impact be reduced, and by how much?
- Reduction = mitigation x contingency
- Exposure = risk – reduction
Once you have identified the above, the outcome is what is known as exposure: the amount of risk that cannot be escaped.
When we think of disaster recovery, we often think of natural disasters, but Information Technology departments all over the world have progressively found the need to adapt to the ever-evolving threat of cyber attacks, which have been shown to be capable of bringing a business to its knees. Incidents of breaches and cyber attacks disabling business systems, such as the well-known Sony attack in which computers were rendered inoperable, have further heightened awareness of cyber security measures and of their increasing role in disaster recovery/IT service continuity plans in the current business environment (Augustine, 2013).
Security is directly associated with incident response mechanisms: the steps taken to react to breaches, malware occurrences and cyber security threats. Incident response is aligned with business continuity.
CISO Roles in Disaster Recovery/IT Service Continuity Planning
Design and commission a security program while also defining access controls: IT continuity planning entails steps that ensure the IT systems, networks and connected infrastructure that support vital business processes continue to operate in the face of disasters. This comprises facets such as fault tolerance, resilience and systems that control who has access to resources.
The CISO (Chief Information Security Officer) and his technical team are responsible for ensuring the organization's IT security practices are aligned with industry standards such as NIST, ISO 27001, ISO 15408 and RFC 2196 (Lavia, 2012).
The CISO and his team also design, map out, schedule and coordinate IT disaster recovery security tests. This analysis is principally centered on examining the proper operation of security systems and the application of disaster recovery technologies (Lavia, 2012).
CISO Roles & Responsibilities for DR/BCP Implementation
The CISO should be well versed in procurement policies and practices. The CISO and his team have the responsibility of procuring the necessary systems as well as providing training and threat awareness to enterprise users. The CISO is responsible for providing suitable organizational leadership and management. He/she is also responsible for incorporating disaster recovery requirements into Service Level Agreements (SLAs), contracts and regulations, aligned with the main IT disaster recovery plan. He/she also supports the deployment of new security technologies that align with the IT disaster recovery plan.
CISO Roles & Responsibilities for DR/BCP Execution
The CISO and his team are responsible for identifying breaches. In the case of a data breach, it is the team's responsibility to log and back up data so as to avoid destruction of evidence. It is also in this phase that the team shuts down unlawful access. Where a disaster has occurred, they work with the CTO and his team to recover and restore system operations (Augustine, 2013).
Cyber security cannot be ignored in the IT disaster recovery plan within business continuity, but with sufficient practice and competence of the IT security team and a well-thought-out plan, threats can be mitigated to reduce the impact of any breaches or cyber attacks.
- Augustine, N. 2013. Managing the Crisis You Tried to Prevent. Boston: Harvard Business Review Press.
- Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J. and Thomas, R. Contingency Planning Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-34.
- Lavia, A. 2012. Strategic Planning in Times of Turmoil: If They’re Going to Survive, the Service Providers Must Change Their Approaches to Planning and Organization. Journal of Business Communications Review, March, 45(3), pp. 34-42.