- BIA - Business Impact Analysis Risk Methodology Defined
- BYOD a reality that all CIOs need to address in order to implement best practices
- Business Continuity, Security and Safety Program are all needed to meet mandated requirements
BIA - Business Impact Analysis Methodology Defined
Risk Assessment Methodology is Based On ITIL Compliant Framework
Business continuity focuses on keeping the business operating. Where disaster recovery tends to deal with systems and data, business continuity is concerned with overall business operations. Typically, business continuity involves prioritizing the various business processes and recovering the most important ones first. Thus, disaster recovery is likely to be concerned with getting the entire storage network back up, while business continuity is more likely to work on getting the parts that support critical processes, such as transaction processing, back first.
Business impact analysis supports business continuity by identifying which processes are the most critical to recover after a disaster. This usually involves assigning a monetary value to the protection of the assets involved in each business process.
ITIL Risk Assessment Methodology
The typical organization has hundreds of applications, each at a different level of recoverability. For example, some have no recovery plan, some have out-of-region architectures, some have not been exercised in a long time, and some are in great shape and test every quarter.
All of these applications need to be categorized so that the Disaster Planning Team can start remediating the ones that place the enterprise at the most risk, from both a compliance and a readiness perspective.
Using the ITIL framework, you weight each Critical Success Factor (CSF) and score its Key Performance Indicators (KPIs). That allows you to create a rating system and produce a score card report by tier.
Weighting Critical Success Factors
- 6 = Critical to success of recovery
- 3 = Required for timely recovery (could recover without but risk is increased)
- 1 = Needed to support recovery but only minimal impact on recovery efforts
Scoring of Key Performance Indicators
- Not in place or not implemented = 0
- Completed but past the KPI deadline, not accurate or incomplete = 1
- In place or completed on time = 3
- The final rating for each CSF is the weight of the CSF multiplied by the score of its associated KPI
Critical Success Factors/Key Performance Indicators
- CSF: Conduct exercise at alternate facility (Weight 6)
- KPI = Conduct an annual exercise at the alternate facility
- CSF: Update BCP plans (Weight 3)
- KPI = Update BCP plans each year
- CSF: Conduct annual tabletop of recovery plan (Weight 3)
- KPI = Conduct at least one annual tabletop of BCP plans by December
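The weighting and scoring rules above are enough to build the tiered score card the methodology calls for. The following is an added example, not Janco's own tool: it rates each CSF as weight x KPI score, totals the ratings per application, assigns a tier, and sorts the inventory worst-first so the Disaster Planning Team sees the highest-risk applications at the top. The tier cut-offs (75% and 40% of the maximum score) and the sample application inventory are assumptions constructed for the example; the methodology itself defines no fixed cut-offs.

```python
from dataclasses import dataclass

# KPI scoring from the methodology: 0 = not in place, 1 = late/inaccurate/incomplete, 3 = in place on time.
KPI_SCORE = {"not_in_place": 0, "late_or_incomplete": 1, "on_time": 3}
MAX_KPI_SCORE = max(KPI_SCORE.values())


@dataclass(frozen=True)
class CSF:
    name: str
    weight: int  # 6 = critical, 3 = required, 1 = supporting


# The three CSFs listed in the methodology, with their weights.
CSFS = (
    CSF("Conduct exercise at alternate facility", 6),
    CSF("Update BCP plans", 3),
    CSF("Conduct annual tabletop of BCP plans", 3),
)
MAX_TOTAL = sum(c.weight * MAX_KPI_SCORE for c in CSFS)  # 36 for these three CSFs

# Tier cut-offs as a fraction of MAX_TOTAL. These are an assumption for the example;
# the methodology leaves the tier boundaries to the organization.
TIER_CUTOFFS = ((0.75, 1), (0.40, 2), (0.0, 3))


def rate_csf(csf: CSF, kpi_status: str) -> int:
    """Rating for one CSF = CSF weight multiplied by the KPI score."""
    return csf.weight * KPI_SCORE[kpi_status]


def tier_for(total: int) -> int:
    """Map a total rating to a tier (1 = best shape, 3 = remediate first)."""
    fraction = total / MAX_TOTAL
    for cutoff, tier in TIER_CUTOFFS:
        if fraction >= cutoff:
            return tier
    return TIER_CUTOFFS[-1][1]


def score_application(kpi_statuses: dict[str, str]) -> dict:
    """Score one application from its per-CSF KPI status.

    A CSF with no recorded status is treated as not in place (score 0), which is
    how an application with no plan at all ends up at the bottom of the card.
    Unknown CSF names are rejected so that a typo cannot silently inflate a score.
    """
    unknown = set(kpi_statuses) - {c.name for c in CSFS}
    if unknown:
        raise ValueError(f"unknown CSF name(s): {sorted(unknown)}")
    ratings = {c.name: rate_csf(c, kpi_statuses.get(c.name, "not_in_place")) for c in CSFS}
    total = sum(ratings.values())
    return {
        "ratings": ratings,
        "total": total,
        "percent": round(100 * total / MAX_TOTAL, 1),
        "tier": tier_for(total),
    }


def build_scorecard(applications: dict[str, dict[str, str]]) -> list[tuple[str, int, int]]:
    """Return (application, total, tier) rows sorted worst-first, i.e. the remediation order."""
    rows = [(name, s["total"], s["tier"])
            for name, s in ((n, score_application(k)) for n, k in applications.items())]
    return sorted(rows, key=lambda r: (r[1], r[0]))


# Constructed sample inventory for the example (not real data).
SAMPLE_APPS = {
    "Payments": {
        "Conduct exercise at alternate facility": "on_time",
        "Update BCP plans": "on_time",
        "Conduct annual tabletop of BCP plans": "on_time",
    },
    "Web storefront": {
        "Conduct exercise at alternate facility": "on_time",
        "Update BCP plans": "on_time",
        "Conduct annual tabletop of BCP plans": "late_or_incomplete",
    },
    "HR portal": {
        "Conduct exercise at alternate facility": "not_in_place",
        "Update BCP plans": "late_or_incomplete",
        "Conduct annual tabletop of BCP plans": "on_time",
    },
    "Data warehouse": {
        "Conduct exercise at alternate facility": "late_or_incomplete",
        "Update BCP plans": "on_time",
        "Conduct annual tabletop of BCP plans": "not_in_place",
    },
    "Legacy reporting": {},  # no recovery plan at all
}

if __name__ == "__main__":
    for name, total, tier in build_scorecard(SAMPLE_APPS):
        print(f"Tier {tier}  {total:2d}/{MAX_TOTAL}  {name}")
```

The worst-first ordering is deliberate: the point of the card is to tell the team what to fix first, and the weight of 6 on the alternate-facility exercise means an application that has never exercised its recovery can never reach the top tier, regardless of how current its documents are.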
BYOD a reality that all CIOs need to address in order to implement best practices
With the advent of user-owned devices and the ever-increasing mandated requirements for record retention and security, CIOs are challenged to manage in an ever more complex and changing environment. Before the CIO and the enterprise can start implementing BYOD policies, they need to ensure that what is created meets the enterprise's compliance, culture and operational requirements. This requires defining the scope and objectives of the policy:
- Cost - Who will pay for the data plan? What rewards will be provided to get people to buy in?
- Agree to Acceptable Use - What terms will be included in the Acceptable Usage Policy, and how will the enterprise ensure its employees understand and agree to it?
- Mandated requirements: the enterprise will have to account for factors such as the variability of Android implementations across devices and any security or regulatory requirements that apply to your industry (e.g. HIPAA compliance in healthcare)
- Security: Will the policy state how passwords will be enforced? Encryption? Will the enterprise blacklist any applications?
- Management: How will the enterprise manage the devices connected to its network?
The steps to do this are well defined in Janco's BYOD Policy template, which includes detailed best practices that:
- Implement remote wipe from the enterprise - As the number of personal devices in use increases, so does the chance that one of them will be lost or stolen. A remote wipe that can be initiated by the enterprise, with all of its implications for the user's personal data, should therefore be implemented.
- Provide simple workable solutions that even novices can use - Solutions should allow users to log on to the user interface and see a list of their enrolled devices. From there they can locate a device, lock it, reset its password, or wipe it. The user interface should also be able to self-audit the device and report compliance issues.
- Build a facility to deal with terminated employees - Even before an employee leaves the enterprise they are a security risk. That risk is magnified once the termination process begins, whether voluntary or involuntary.
- Protect sensitive and personal information - Personal devices are full of personal information, documents, and applications that are on the device for non-work purposes. There should be a way to distinguish personal from corporate-owned devices and to apply a policy that hides personal information from IT administrators.
- Implement a records management policy for business records - Records management is a critical compliance requirement and should be controlled by the enterprise, not left to the individual user. A clear definition of what constitutes a business record, and how it should be saved and archived, is required. (See Record Management, Retention, and Destruction Policy)
- Isolate corporate data - When supporting BYOD, you need to be able to isolate corporate data on the device. This includes, but is not limited to: mandated records management requirements for archive and retrieval; disaster recovery and business continuity implications; e-mail accounts; VPN and wireless settings; and enterprise applications and documents that have been pushed down to the device.
- Continuously monitor automated actions - The enterprise should be able to monitor the state of each device accessing the network, whether it is approved or not: Is the device enrolled? Is it in compliance? Does it have any new applications? Answering these questions lets the enterprise make adjustments based on the data it sees and tells it whether new policies or compliance rules are needed. Options include, but should not be limited to: sending the user a notification with the steps to be taken; blocking the device from the corporate network and/or email; and wiping the device (full or selective wipe).
Disaster Recovery Plan, Security Policies and Procedures, and Safety Program are all required to meet mandated requirements
No Reason to Re-Invent - All the Heavy Lifting has already been done
When recovery from a disaster starts, the environment is often hazardous and fraught with danger. No one wants to put employees at risk, and yet the disaster recovery must proceed.
When natural disasters strike, enterprises realize that personnel must take care of themselves and their families first. There are serious problems to deal with before recovery begins. Illness or injury may result from contaminated water, debris-filled roadways, electrical and fire hazards, and displaced wildlife.
At the same time, sensitive data is often exposed, whether through physical damage or through unauthorized access by hackers, competitors or others. The reality is that many businesses don't truly know where they stand with data security. They usually cover the basics: the firewall is in place, systems are being patched, backups are being made and user accounts have strong passwords. Many managers assume these basic measures are enough, but you never really know how well you're protected until you look from the perspective of a malicious attacker or a rogue insider who may try to take advantage of the situation.