Prepared by: Janis Elain and Kristin Myers
IT 486: Critical Issues in Information Technology
Central Washington University
Prepared for: Terry Linkletter
February 13, 2012
Abstract
This paper explores three challenging topics related to Business Continuity and Disaster Recovery. Preparing for unknown threats by identifying as many threats as possible, followed by comprehensive planning and practice, will aid a company's ability to deal with ALL threats. Increasing cyber security through data protection planning and recovery ensures a business can continue to operate or recover quickly in the aftermath of unfortunate events. Management support, employee buy-in and transparent communication processes create a culture of accountability throughout the organization. Solutions, benefits and rationale to support our recommendations are discussed within this paper.

Keywords: business continuity, disaster recovery, accountability, cyber security
BUSINESS CONTINUITY AND DISASTER RECOVERY - 4

which the organization may be exposed. A SWOT (strengths, weaknesses, opportunities and threats) and "what if" analysis is also helpful. In addition, it may be beneficial to network with other organizations of a similar nature to find out what they perceive as possible threats. Once identified, a plan for dealing with each emergency type can be proposed, prepared and practiced.

Involve Employees

Employees are more likely to buy in to something they helped create, so including employees in the development of a BC & DR plan is important. It is equally important to continue employee involvement through regular communication and training, so that disaster preparedness and emergency response procedures are always at the forefront of employees' thoughts. An alert staff member can go a long way toward detecting a problem early, bringing it to the attention of the company's management, and initiating the processes outlined in the organization's BC & DR plan. In addition to developing BC & DR procedures and plans, it is important to practice different scenarios with employees, so they understand what to do in different kinds of situations and can modify their actions accordingly when the unexpected happens.

Promote Early Detection and Quick Responses

Having systems in place to quickly identify and respond to an emergency, whether previously known or unknown, is crucial. The sooner a threat is identified, the sooner the response can be initiated. Depending on the nature of the threat or disaster, a speedy response may make the difference between saving and losing the company's resources, profits and reputation, and possibly even people's lives. An early detection system may include a combination of physical alarms (fire alarms, security alarms, network firewall alarms) as well as alert employees who know what is normal and what is not. With rapid identification of a threat and intervention, a company can implement its BC & DR plan as rapidly as possible, improving the chances of a positive outcome.
cannot get into a company's computer system, but they will greatly enhance a company's ability to protect itself against attack (or to recover more quickly and with less long-term damage after an attack). Since the nature and content of cyber threats change over time, it is imperative that organizations stay abreast of these changes and do their best to protect themselves using every measure possible.

Top-Down Support and Involvement

It almost goes without saying that security (including cyber security) participation, support and buy-in are required across the entire company's organizational chart, from the top down. Upper management must believe that security measures are important and set aside the manpower, money and other resources needed to implement a security program that is right for the organization. Involvement from employees at all levels is also imperative. Department heads need to communicate to their staff not only the company's general security policies and procedures, but also the specific guidelines, including cyber security guidelines, that may apply to their unique jobs. Employees on the front line need to be trained on what to look for, what is right and what is not, and what to do when something seems wrong. Ongoing training keeps awareness high. Working together, upper management, middle management and frontline employees can identify and mitigate potential threats that might derail the company.

IT Department is at the Forefront

Although security support is needed from all parts of the company, as previously stated, the IT department plays a key role in keeping the organization's computers and data safe from potential threats. To do its job effectively, the IT department must be adequately staffed and financed. BC & DR often takes a back seat when more immediate projects demand the attention of IT employees, so making security a priority and providing the IT department with the manpower and resources it needs to design, implement and test security and backup systems is crucial for success, not just when dealing with disasters, but at all times.

Identify and Remedy Weaknesses

A healthy BC & DR plan includes identifying weaknesses and potential threats and taking steps to remedy them to minimize exposure and risk. The same is true for security in general (and cyber security specifically). An organization should periodically take stock of its weaknesses, identify gaps or areas that need improvement, and install the systems or solutions needed to correct them. This proactive approach to security will help prevent many problems before they have the opportunity to occur.

Conclusion

Strong cyber security makes good business sense, not only for keeping the company and its data safe during daily operations, but also because it protects the organization from a variety of threats and prepares it for a more successful recovery after a disaster strikes. A comprehensive BC & DR plan will include cyber issues to protect the company on a day-to-day basis, as well as in times of crisis.
Company Culture

Culture grows, develops and changes within a company. Management can influence or control employee behavior, but culture evolves from all employees. Employees must hold each other accountable for facilitating organizational change. Making group decisions, sharing information and improving processes are part of building trust at all levels of the organization. This trust must be in place to allow employees to engage and truly care about saving the company in a disaster situation. This is not something that can be mandated and enforced; it must be cultivated over time.

Leading by Example

Managers must set the standards for accountability within an organization. Often the word accountability is associated with punishment or negative consequences. When applying accountability to BC & DR, it is important to remove the negative image and focus on empowering employees to make good decisions in potentially bad situations. Executives, managers and anyone in a leadership role must take responsibility for their own actions and set good examples. Similarly, BC & DR policies and procedures must flow from the top down in the organization, but employees need to accept ownership. According to Grimaldi (2002), business continuity plans fail most often because of a lack of initial effort and subsequent commitment; this is largely due to the fact that developing and implementing Business Continuity Plans can be an arduous and politically sensitive project. If management views BC & DR as an organizational burden, so will its employees.

Planning, Practice and Improvement

Planning is essential to BC & DR. A well-developed plan will ensure your organization can continue to operate or recover quickly from disaster. This planning must incorporate all areas of the business with very clear assignment of tasks. A cross-functional team should lead the process, with accountability to both management and upper management. Updates to the processes and procedures should occur on a regular basis. Personnel with clearly defined roles and responsibilities, and the appropriate level of decision-making power, must participate in the planning process. To ensure accountability, personnel must have the appropriate knowledge, training and background in BC & DR. Distributing duties across the organization, with contingency responsibilities, will ensure sufficient coverage during an actual event.

Regular practice of BC & DR plans ensures everyone in the organization understands their responsibility and contribution. A good practice session proves the plan is usable, not just a document. During a crisis, it is unlikely that staff will be able to refer to a written copy, so everyone involved must have a good working knowledge of their required actions. According to the CPM and Strohl (2002) survey, a variety of testing methods are used: 58% of respondents use a combination of IT-specific tests, walkthroughs and enterprise-wide testing. These practice sessions also help identify missing components. Practice should occur at regular intervals and at unplanned times, using the element of surprise as a planning component.

Even the best plans have room for improvement. Employees change positions, new technology arrives, systems are retired; change is one of the only constants in business. Regular review of BC & DR policies and procedures helps identify organizational changes. If the plan does not work effectively, continual improvements are necessary until it fits the organization. Case studies and reenactments of real scenarios are valuable when looking for ways to improve plans.
Communication

Communication flows in all directions within an organization. Upper management announces management changes. Management informs employees of organizational changes. Employees discuss the changes around the water cooler. Information flows both horizontally and vertically. Transparency between all levels of management and employees gives credibility to communication and builds trust throughout the organization. Effective BC & DR relies on your employees trusting each other and management during a catastrophic event. Communication is crucial throughout the process. Very good communication planning happens on paper, but trust and accountability enable it to occur in the real world.

Knowledge workers are the key to your business. They know the day-to-day operations better than any management personnel. The employees who are responsible for these operations are the best resource for formulating how the business will recover or continue daily operations. Ask them what the minimum requirements are for doing their job, and listen. Not only will you discover a lot of interesting business practices, your employees will feel that you care to hear their input. Brainstorming sessions are also a very good way to collect input from all levels of employees. Teams comprised of both management and non-management employees can make everyone feel valued.

Management Priority

Varying levels of management accountability are essential to BC & DR practices. The level of involvement depends on the size and structure of the organization. Regardless, employees must know that senior management and executives have set BC & DR as a priority in the organization. Regular management review and approval of all BC & DR policies and procedures is critical. Sharing plans for improvements keeps higher management involved and engaged in the process. A financial commitment through strategic business planning, even during difficult times, will show overall management support for the project. The same level of accountability is required of management as of employees.

Employee Buy-In

In the end, you are relying upon your employees to use their experience, knowledge, analysis and expertise to make good decisions regarding the recoverability of your business. Ongoing feedback to employees about BC & DR and the company's progress towards implementation and improvement goals adds to employee buy-in. BC & DR should not happen in a vacuum; sharing the budget, deliverables and progress through corporate metrics and key performance indicators encourages employee participation. Companies often forget to celebrate success; rewards are appropriate after completion of milestones and goals. When all employees participate, all employees should celebrate the success. Rewards do not have to be expensive or monetary; sometimes just saying thank you and acknowledging the completion of a large project is sufficient.
Conclusion
Business Continuity and Disaster Recovery is critical to both information technology and business. Preparing for unknown threats, increasing cyber security through planning and accountability throughout the organization are priority areas for improvement within our organization. We proposed several possible solutions, explained the benefits and provided rationale to support our recommendations. Ongoing management support and employee buy-in are persistent themes throughout all our solutions. A cycle of planning, practice and improvement is critical to the success of any BC & DR program.
References
BC Management Group Survey. (July 2009). International Business Continuity Program Management Benchmarking Report. Retrieved February 9, 2012, from http://www.bcmanagement.com.
CPM Group and Strohl Systems. (October 2002). Study Reports on Plan Activation and Testing. Retrieved January 31, 2012, from http://www.auerbach-publications.com/.
Grimaldi, R. L. (May 2002). Why do Business Continuity Plans Fail? Risk Management, Vol. 49 (5), pp. 34-39. Retrieved January 31, 2012, from http://www.uplanit.com.au/index.php?option=com_content&view=article&id=17:whydo-business-continuity-plans-fail&catid=4:business-continuity-planning&Itemid=22.
Molière, J. B. (n.d.). Harvard Business Review. Retrieved January 31, 2012, from Management Quotes Web Site: http://www.mgmtquotes.com/subject/Accountability/.