IT Governance, Risk, and Compliance » Service Disruption

Business Continuity and IT Availability – Part VIII

Robert Davis — Tue, 26 Jul 2011 20:04:12 +0000

Directly, an entity’s DRP has a significant affect on the viability of IT and information security governance programs. Indirectly, IT and information security governance programs may impact stakeholder assessed entity value. Regardless of organizational formation — corporation, partnership, co-operative, or agency — management has a generally accepted duty to plan and enact strategies permitting the entity’s survival under less than idealistic conditions. Literally, adequate business continuity management (BCM) requires securing assets that offset catastrophic events. Therefore, management should ensure ‘best practices’ DRP is deployed within the IT and information security governance frameworks as well as visibly communicate commitment expectations for sustaining a sound and effective continuity program.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part VII

Robert Davis — Fri, 22 Jul 2011 17:35:49 +0000

Through establishment and deployment of an emergency management program, top-level personnel can send a clear message to everyone in the entity that business continuity and disaster recovery control responsibilities are taken seriously. If properly institutionalized, lower-level personnel will endeavor to understand germane aspects of the entity’s continuity systems, and how they operate, as well as their own roles and responsibilities within the control program.

Within the confidentiality, integrity, and availability (C-I-A) triad; pertinent financial and non-financial information relating to external or internal events, as well as daily activities, should be identified, captured, and communicated properly and in a timely manner to decision makers. When required, established entity communication channels should permit authorized information flows throughout the organizational structure, with all relevant internal and external data reliably conveyed to intended recipients.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part VI

Robert Davis — Tue, 19 Jul 2011 20:04:26 +0000

Considering the interconnectivity of national economies through computer networks, entities are more vulnerable than ever to the possibility of technical difficulties disrupting business at any point in the communication chain. From flood or fire to computer-virus or denial-of-service, disasters can affect information assets crucial to conducting business locally, regionally, and globally.

To enable beneficial IT and information security service delivery and support (as with all processes) appropriate objectives, goals, policies, procedures, standards and rules are required. Specifically, utilizing standards for ITSM usually generates benefits the moment an entity decides to rely on a business continuity service provider. For example, using a publicly available, generally accepted, standard as the basis for a SLA between the entity and disaster recovery service partners will normally generate fewer disputes and lower costs.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part V

Robert Davis — Fri, 15 Jul 2011 02:44:20 +0000

Managerial concerns normally include: excessive business costs, forgone business opportunities, and potential revenue losses. When a business interruption occurs, restored information assets may affect operational effectiveness and efficiency. Potentially, the IT function’s costs could escalate beyond tolerable limits, while user departments experience a general productivity and/or critical resource loss disabling pursuing business opportunities as well as economical revenue generation. Specifically, errors in data back-up, storage, maintenance, retention and restoration may interfere with fulfilling organizational continuity and availability objectives. For example, many entities rely on available information to provide feedback on divisional and departmental performance. Errors in restored information could reduce management’s ability to evaluate performance and take appropriate corrective action; thus diminishing program, system and process monitoring effectiveness.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part IV

Robert Davis — Tue, 12 Jul 2011 21:32:25 +0000

Where accepted as a managerial responsibility, an adequate ISG program should have security professionals participating in system life cycle design, acquisition, testing, and maintenance phases to ensure business continuity as well as availability requirements are appropriately incorporated, that selected contingency configuration items function as intended and that deployed service restoration features are not compromised during maintenance.

As synthesized sub-frameworks, Information Technology Service Management (ITSM) and Information Security Service Management (ISSM) promote entity information technology and information security units actively identifying services customers need; then focusing on planning and delivering defined services to meet availability as well as continuity requirements. Internally and externally; IT and/or information security units should manage accepted service-level agreements (SLAs) to meet agreed-upon service restoration targets.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part III

Robert Davis — Fri, 08 Jul 2011 22:25:46 +0000

Governance usually occurs at different organizational strata, with activities flowing from processes, with processes linking up to systems, and programs receiving objectives from the entity’s oversight committee through established reporting lines. Alternatively or simultaneously, designated technological resources may provide information directly to the entity’s oversight committee for critical programs, systems, or processes. Nevertheless, IT availability is generally accepted as an information security governance (ISG) domain. Therefore, the ISG program should provide guidelines aiding management in understanding the importance of, and promote the development of, an entity-wide BCP. Proactively, an ISG program should address business continuity and availability requirements integration during system development projects.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part II

Robert Davis — Tue, 05 Jul 2011 20:24:30 +0000

Minimally, an entity’s IT governance program should address business continuity and IT availability requirements within the context of ensuring continuous service. As suggested by ISACA, a business continuity plan (BCP) assumes the role for advance planning and preparations necessary to minimize loss and ensure continuity of critical business functions in the event of a disaster. Whereby, disaster recovery planning is a key BCP component referring to the technological aspects of a BCP that encompasses consistent actions to be undertaken before, during and after a catastrophe. Sound disaster recovery preparation is forged through a comprehensive planning system, involving all of the entity’s business processes.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part I

Robert Davis — Fri, 01 Jul 2011 22:07:50 +0000

Organizational units exist for various reasons. Governance focusing on business perpetuity and reliability should address strategic to operational transformations enabling adequate continuity management. Threading from the first-tier ‘Governance Tree’ level, linked leaves are inextricably affected by external forces. Consequently, an organizational formation’s continuity depends on relevant, accurate and timely external environment information assessments to drive appropriate governance. Management, especially information security management, cannot establish an adequate safeguarding posture unless root expectations are understood and potential threats, weaknesses as well as opportunities are appropriately addressed. Towards this end, entity oversight committee members — particularly non-executive directors — should ensure they are satisfied that effective, efficient, as well as compliant processes are deployed for business continuity and IT availability.