Why is it important to have disaster recovery and business continuity policy?

Business continuity plan (BCP) is the way in which an organization should recover and restore its organizational function within a predetermined time frame after a total or partial disturbance to its services during a disaster. These disasters can be earthquake, flood, natural disaster, terrorist attack, or any major event which cause a catastrophic event to the organization. In simple terms, BCP is a method of planning strategically to prevent or if possible manage the consequences of a disaster, as a result reduce the consequences to a limit that businesses can absorb.

BCP manual is a printed manual which is stored in a safe place (remote site) which contains names, contact numbers, crisis management staff and other staff details, venders, clients and details of offsite backup site to operate, other important legal documents and business documents, etc. Organizations should make sure their BCP manual is realistic and easy to follow in a crisis situation without adding another burden.

Disaster Recovery Plan is a map of how an organization gets recovered in the event of a major disaster and continues its business. This is a key component in an organizational business continuity planning. Business continuity plan has a broader scope than disaster recovering planning in an IT perspective.

We cannot predict what disaster will happen next and what impact that will have on our business or the patterns in which those disasters are occurring. Businesses have to continue with minimum interruption to survive in the industry. Suppose an organization is faced with a disaster, as a result its network and the communication went down. How can you operate the organization in a situation like this? This is where you see the practicality of investing for a BCP and DRP to backup plan to guide you how to operate in a disaster situation and how to get out of the disastrous situation. BCP guides you during this difficult situation how to find the resources and operate with business till you recover fully from the disaster. DRP is more towards the technology and how to build the normal operation after the disaster is over, while BCP helps to operate the business functions during the disaster’s period.

Project Processes which should be followed when implementing IT Security projects

IT security project require well defined processes because omission and errors can leads to huge security holes. There are quite a lot of processes should define to implement a IT security project. These processes are briefly discussed below.

Acceptance criteria - These is predefined results which can be expected during the security project. These results are agreed y discussing with key stakeholders of the IT security project.

Risk management - you conduct a thorough risk assessment and threat assessment to identify the risk associated with the security project and define in which way those risk can be avoided, mitigate or transfer during and after the project.

Change management - Errors and omissions in security project is hard to avoid but keeping proper track of what went wrong, when, where, how and what measures you take should be properly documented to avoid countering or solve the risk and problems that could occur in future.

Communication procedure - Most importantly the communication has to be managing properly. Project’s key stakeholders and sponsors have to keep informed about the milestones of the project throughout the security project. The process of when, how, who to keep update and at what frequency should to known when starting the security project. Otherwise project manager and team will have a tough time what, when and whom to inform when the security project underway.

Quality management - Quality measured through testing and this should be clearly defined in your quality management procedure. What test methodologies to use, what modules to test, when to test, etc have to be defined in advance. Level of testing required for IT security projects is solely depend on the type of the security project and the severity of the impact to the organization.

Status reporting - Status of the project should be updated to project sponsors and key stakeholders when needed. This frequency of reporting can be agreed during the project requirement phase, where you can discuss the report type required and what frequency they needed.

Escalation procedure - If the issues cannot solved through the normal channels, you need to pass the issue to the next level in the escalation hierarchy to reach a solution. These escalation paths have to be identified accurately and defined clearly in case of an emergency to follow without causing any delay for the project.

Documentation - Every aspect of the project should be clearly documented. This documentation will greatly help in future when managing, monitoring and troubleshooting some errors in the project.

Approval procedures - Approval procedure should include who has the authority to approve for changes in the project. Mostly this will be the project sponsor who makes the decision about the security project. You cannot run here and there to see who should approve the changes in urgent situation. If these procedures are clearly defined, the unwanted delays could be avoided.

Deployment - Deployment procedure should include when and how the deployment should happen. Before the deployment all the affected parties must be informed in advance to avoid unwanted systems problems, this can be address in the communication plan.

Operational procedures - How the security system is monitored during the day to day activities and who is responsible for the maintenance and monitoring of the implemented system is mentioned in the operations procedure. It includes how to manage the security system and to whom to contact in case of any emergency, etc.

Training procedure - Users of the security system should be adequately trained to get the maximum use of the implemented security system. Through training you increase the awareness level of the users and make them responsible for the system, where they can report any suspicious activity.