Tuesday, May 6th, 2008

So the honor of writing recovery procedures for your application, database, or platform system has been bestowed upon you. Congratulations! It is an honor to be asked to write procedures for something that is deemed so critical to the lifeline of your organization.
So where do you start? You know how to do the recovery. You could do it in your sleep. But how do you document what you do? What are the actual steps you take to perform a successful recovery? How detailed do you have to be in documenting the recovery steps? All of the above questions are very common and valid questions to address in order to write effective disaster recovery procedures.
Why Write the Procedures
Let’s start with the audience. Who is going to be reading or using your recovery procedures? You should expect a person of “like” background, education, and experience will be using them to perform an actual recovery. Below are a couple of situations to illustrate this point.
Posted in General | No Comments »
Thursday, May 1st, 2008
The Conference Board looks into use of business continuity, disaster recovery and related standards by US organizations
The majority of US companies have a formal, written plan for emergency preparedness, according to a report released by The Conference Board. But a widely adopted certification standard for such plans does not exist yet.
Three-quarters of the 302 senior corporate executives surveyed in mid-2007 said that an emergency preparedness plan exists in their companies. The analysis was sponsored by the US Department of Homeland Security as part of an ongoing research project to assess the effectiveness of security in American companies.
The survey sample was intended to reflect the characteristics of American businesses as defined by size and industry. The sample was divided into three strata: small business (companies with $5 million to $50 million in annual sales); mid-market ($50 million to $1 billion in sales); and enterprise ($1 billion or more in sales). Within these groups of companies, the survey polled executives with responsibility for security, business continuity, crisis management, and emergency response efforts.
A ‘voluntary’ certification process for preparedness was adopted as part of the 2007 homeland security legislation (Public Law 110-53). The choice of standards that would permit certification under the law is currently under review.
"Currently, the most significant finding is that none of the many standards proposed for certification has attained widespread usage in the private sector," says Thomas Cavanagh, senior research associate, Global Corporate Citizenship, The Conference Board.
The most common standard is the ISO 27001/17799 information security standard, which has been implemented by 23 percent of the surveyed companies. Following close behind, used by 20 percent of companies, is NFPA 1600, which was endorsed as the National Preparedness Standard in 2004 by DHS, the U.S. Congress, the 9/11 Commission, and the American National Standards Institute (ANSI). Three other kinds of standards have all been implemented by 12 percent of companies.
Friday, April 18th, 2008
ITPolicyCompliance.com
Performance Results: Small Business
The majority of small businesses - those with revenue, assets under management or budgets of less than $50 million - are performing at the norm when it comes to compliance results (Table 1).
Table 1: Small Business Compliance Results

| Results tier (compliance deficiencies) | Small businesses | All organizations, private and public |
|---|---|---|
| Laggards (More than 15) | 20% | 21% |
| Norm (3 to 15) | 69% | 70% |
| Leaders (Less than 3) | 11% | 9% |

Source: ITPolicyCompliance.com, 2006
Compliance Results: Size Does Not Matter
The compliance performance results for small business are nearly identical to the performance results for all organizations. Despite slight differences, the smaller size, and presumably fewer available resources, does not materially influence compliance performance results among small businesses.
Strategic Actions to Improve Results: Mixed Results
The top five prioritized strategic actions taken by small businesses do not match, one for one, the strategic actions being taken by organizations with the best (fewest deficiencies) compliance results (Table 2).
Moreover, increasing the frequency of monitoring, the key factor determining results, is not emphasized enough by most small businesses. On average, small businesses are conducting IT audit, monitoring and reporting once every 200 days: far short of the once every 21 days of the industry leaders.
Table 2: Top Five Strategic Actions for Compliance

| Rank | Compliance leaders | Small business |
|---|---|---|
| 1 | Documented business procedures, IT assets and IT controls | Automated IT configuration and controls management |
| 2 | Changed business procedures to comply with mandates | Automated monitoring and reporting |
| 3 | Automated monitoring and reporting to improve results | Changed business procedures to comply |
| 4 | Automated configuration and controls management | Automated IT security controls and procedures |
| 5 | Increased the frequency of monitoring, measurements and reporting | Delivered training and accountability to employees |

Source: ITPolicyCompliance.com, 2006
Guidance Recommendations:
Guidance for small businesses, based on fact-based benchmark results, includes:
- Document business procedures, IT assets and IT controls
- Increase the monitoring of IT policies, controls and audit logs to monthly or more frequently
© IT Policy Compliance Group, 2006