
Archive for April, 2008

New ISO Standard For IT Disaster Recovery Released

Thursday, April 17th, 2008

From fires to earthquakes to pandemics, businesses and other organizations may become the victims of disaster at any time. A new ISO/IEC International Standard will help them deal with the unexpected, safeguard the interests of their stakeholders as well as their reputation, brand and value-creating activities, mitigate risks and be prepared to respond to crises.

ISO/IEC 24762:2008, Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services aims to offer guidance on the information and communications technologies and services necessary for disaster recovery (ICT DR) as part of business continuity management. With this guidance, the standard supports the operation of an information security management system (ISMS) by addressing the information security and availability aspects of business continuity management in time of crisis.

A business continuity plan comprises an organization’s strategies to prepare for future national, regional or local crises that could jeopardize its capacity to continue with its core mission, as well as its long term stability.

According to ISO/IEC 24762:2008, business continuity management is an integral part of any holistic risk management process and involves:

  • Identifying potential threats that may cause adverse impacts on an organization’s business operations, and associated risks.
  • Providing a framework for building resilience for business operations.
  • Providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.

With this new standard, organizations will be able to build resilience into their information and communications technology (ICT) infrastructure critical to their key business activities. This will complement their business continuity management initiative (to better manage relevant risks possibly interrupting their business activities) and their information security management initiative (to effectively protect the confidentiality, integrity and availability of information).

“This next generation standard takes into account today’s technological developments to minimize damage in a crisis situation from an information security and communication standpoint,” said Philip Sy, project editor of ISO/IEC 24762:2008. “The fallback arrangements included in the standard will help out both during periods of minor outages and, more importantly, will play an essential role in ensuring information and service availability during a disaster or failure, and for a long-term complete recovery of activities.

“This is particularly important today as organizations around the world are increasingly vulnerable to threats of terrorism, natural disasters, piracy and other crises.”

The standard includes guidelines on the implementation, testing and execution aspects of disaster recovery, and can be applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services. It provides guidance on:

  • Implementing, operating, monitoring and maintaining the facilities and services necessary for disaster recovery (such as the implementation of a public announcement system to alert personnel to leave a building, or the requirement that all electronic doors can be opened manually from the inside).
  • Fallback and recovery support for the organization’s ICT systems.
  • The capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate the organizations’ recovery efforts.
  • The selection of a recovery site (e.g. considering factors such as environmental stability, good infrastructure, etc.).
  • Requirements for ICT DR service providers to continuously improve their ICT DR services.

ISO/IEC 24762:2008 is an initiative of ISO and the International Electrotechnical Commission (IEC) developed within the joint technical committee ISO/IEC JTC1, Information technology, subcommittee SC 27, IT Security techniques.

This international standard can be complemented by two other joint ISO/IEC standards providing control objectives for information security aspects of business continuity management to further reduce risk:

  • ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, and
  • ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management.

The standard can be found at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41532.

NIST seeks comments on information risk management publication

Wednesday, April 16th, 2008

The National Institute of Standards and Technology (NIST) has released the second public draft of NIST Special Publication 800-39, ‘Managing Risk from Information Systems: An Organizational Perspective’, for comment. This is the flagship publication in a series of standards and guidelines developed by NIST that relate to the Federal Information Security Management Act.

Special Publication 800-39 provides a framework for managing the risk arising from the operation and use of information systems and is built upon a common foundation of best security practices. The target audience for this publication includes agency heads, chief information officers, information system designers, developers and administrators, auditors and inspectors general.

The public comment period is from April 7-30, 2008. Comments should be emailed to sec-cert@nist.gov

Download a copy of the publication here (PDF).

Think Like A Coward

Tuesday, April 15th, 2008

From the DRJ.com Archives - by Thejendra B.S.

The business world has changed significantly and rapidly in the last decade. Regardless of the industry, more and more businesses are operating on a 24×7 global basis. Even tiny organizations with less than a dozen employees depend on several modern technologies and worldwide competition to remain in business.

Nowadays, it is not possible to run any business using the same methods and processes that were used five or 10 years ago. To stay in business, alive and breathing, is of paramount importance to every modern organization.

Less than a decade ago concepts like disaster recovery and business continuity were almost unknown or just considered as optional academic subjects. The only traditional method organizations followed for disaster recovery (DR) or business continuity (BC) was to enroll into some insurance for their key equipment along with a few optional covers. But protecting today’s business is beyond having some insurance covers and keeping your fingers crossed.

An important question facing organizations today is how to protect their business from various predictable disasters that can strike at any time? Secondly, who are the best persons to protect your business? What sort of qualification and mindset does one need to work in a DR and BC department? Where and how can you find or identify such persons?

You may argue that my questions are actually stupid because DR/BC is almost a mature science, and there are umpteen consultants, templates, certifications, and best practices available to everyone.

If organizations need to establish DR/BC it is easily possible to get competent resumes by the hundreds within hours of posting a job advertisement. So what is the big deal?

Agreed, there are ample sources of qualified candidates, books, resources, etc., on DR/BC issues. However, in spite of all such available resources, what is that unique skill that is essential to become a successful DR/BC manager or a team member in any complex modern organization? It is a skill that no training program or certification can teach. How exactly should a DR/BC manager be different and unique from the rest of the employees in an organization?

If you are eagerly expecting me to describe that unique skill you are probably going to be a trifle disappointed. This is because I am going to describe a skill that history and society have never been kind to, something that most people feel uncomfortable to be, or despise being. The kind of people I am recommending for DR/BC departments are those who can think like cowards, talk like cowards, plan like cowards, and constantly spread a healthy dose of cowardice around the organization.

Every organization that is serious about risk management should nurture, promote, and respect cowards in their DR/BC departments to protect their businesses from countless risks. Now you may loudly argue: why does any organization need cowards? Nobody has ever erected a statue honoring a coward. No management guru or business school professor drools over a coward.

READ Entire Article
