|
by Three senior
business continuity planners discuss new dimensions in the relationship
between BCP, disaster recovery and information security.
BRIAN MACKAY, FBCI, is the
senior business continuity coordinator for Check Free Corp., a provider
of financial e-commerce services and products based in Norcross, Ga. (www.checkfree.com).
He is also a Fellow of the Business Continuity Institute.
MELVYN MUSSON, FBCI, CISSP, is the business
continuity planning manager for Edward Jones, a leading financial institution
in St. Louis. He is a Fellow of the Business Continuity Institute and
a Certified Business Continuity Professional from the Disaster Recovery
Institute International.
MICHAEL SLINGLUFF, FBCI, is a business
continuity planner at the Federal Home Loan Mortgage Corp. (Freddie Mac).
He is also president of the mid-Atlantic Disaster Recovery Association,
and a Fellow of the Business Continuity Institute.
MODERATOR: PHILIP JAN ROTHSTEIN,
FBCI, is president of
Rothstein Associates Inc., a management consulting firm in Brookfield,
Conn. (www.rothstein.com). He is the editor of Disaster Recovery Testing:
Exercising Your Contingency Plan and publisher of The Rothstein Catalog
on Disaster Recovery. He is also a Fellow of the Business Continuity Institute.
INFORMATION
SECURITY MAGAZINE (ISM): There's a lot of debate these days
about what constitutes an information security issue vs. what constitutes
a business continuity issue. Virus and worm attacks, Trojan horses and
distributed denial-of-service attacks are considered information security
issues, but they are also business continuity issues. There's not always
a clear definition, and that muddies both jobs considerably.
MACKAY: I agree. In almost every organization,
you have an IT function that probably handles dozens of problems a day,
if not more-systems that are down, files that are open, validation issues
that are never addressed beyond the IT organization, or are addressed
and coordinated internally. I think there is a fine line between an IT
inter-organizational problem and a business continuity problem. Do you
draw that line at the point where the company as a whole is being impacted,
as opposed to a system or a platform? Viruses are a great example, because
the actual response to protecting against the virus-cleaning the virus,
whatever tools are necessary to attack that situation-lie within the IT
organization. As a business continuity planner, I try to ensure that the
organization has those tools and a plan in place, and that they understand
it's a risk. If the company is affected, my job would be not to go in
and coordinate the recovery, but to go and touch base with the IT point
person handling it. I'd then act as a conduit to senior management or
any of the groups-for example, PR or HR-that need to get the information
out to the public about how we're doing, what we're doing, what we believe
the impact is going to be, etc.
Historically, data processing ran
business continuity. Now, the business units themselves run the data center,
and they're really the core of your planning. How long can you be out
of business? What impact does that have on your customers? What impact
does that have internally? As a business continuity professional, my job
is to make sure those processes are in place, and can be executed when
they need to be.
ISM: So the ownership of the problem resolution,
in this example, would be with the information security area, but the
ownership of the business impact would be with the business units themselves.
MACKAY: Correct. Let the experts fix the
problem. Their resources need to be allocated to resolving and fixing
the problem, not to getting on the phone to call senior management, trying
to touch base with PR people, trying to assess the impact outside of the
organization, etc. Their job is to fix the problem, get it resolved or
provide a workaround, so that the impact is either not there at all or
lessened considerably.
MUSSON: I'd go even a little further than
that. You need to define where the business continuity plan would be activated,
or could be activated, and this is the key thing-if you know something
is happening, you can monitor the situation and start to see if the business
units are going to be affected. If they are, then, obviously, you have
to look at the business continuity plan and see what's needed. But the
actual work of handling the virus, reconstituting data and everything
else, that's for information systems/information security.
MACKAY: I think this gets back to how we
design our organizations, and the best practices and professional standards
we use. When IT identifies a problem, they should be able to depend on
the business continuity department to activate either core response teams
or market-support teams, to get hold of the internal communication groups
and send out a broadcast message or voice mail, saying, 'Here is the situation
as we know it, here is what you can and cannot do, and here's when you'll
get further updates.' There may be one message for staff, one for management,
one for the public, one for stock holders and so forth, and it all has
to be orchestrated.
ISM: Of course, the best disasters are no
disasters at all. Kenneth Brill of Compusite Engineering often talks about
the value of avoiding the pain and destructiveness of a 'corporate heart
attack' that could have been prevented in the first place. To what extent
do business continuity professionals really focus on preemptive risk-assessment,
mitigation and prevention-as distinct from contingency planning-to deal
with disruptive events when they actually occur?
SLINGLUFF: I think the business continuity
planner has to have oversight and see what's there before the disaster
occurs. Here's a classic example: At a customer site, we once moved a
wire room from one building to another. But after the move, the company
turned around and eliminated the backup site. It took me about three months
to get it put back in-and about a month later we needed it and actually
used it. There was no disruption to the customer's business, yet if I
hadn't done that, we would have had a major problem. It can be extremely
hard to sell preventive measures to an organization that's always busy
trying to push the leading edge or a new development. So my feeling is
that a business continuity planner should have the ability to find these
things, which generally show up as a result of exercises and tests, and
the appropriate business areas or IT can go ahead and fix them before
a problem occurs.
MACKAY: I think risk assessment is one of
the core competencies of a business continuity planner. Our job is to
go out there, evaluate the risks, present them to the business units and
management and provide solutions; whether they choose to buy into it or
not, that's a business decision. But our job is to identify risks and
suggest how to mitigate them. Here at Check Free, I will identify a virus
as a risk, or denial-of-service attacks or hackers, whatever the case
may be; we are very Internet-based, so those are risks for us. And it's
up to the information security people to put appropriate procedures into
place. But it's also my job to create a virus-response plan, because we
don't want to look at planning as being for recovery only. We want to
be proactive, which means putting together a virus- response plan-i.e.,
if we have a denial- of-service attack, or a hack, or a virus, here's
what we're going to do as an organization. The information security people
will do this, public relations will do this, senior management will do
this and so on. And it's my job to make sure that plan is coordinated
and executed when necessary.
ISM: Information security professionals
are often perceived as being intrusive when they put policies in place
to protect the organization on a proactive basis. Do you ever find yourselves
in the same type of battle, fighting the perception that somehow you're
not helping but rather disrupting business processes?
MUSSON: I think it really depends on how
you present it.
MACKAY: I agree. Y2K, for example, was a
mixed blessing. It was great because there's much higher awareness now
about business continuity and risk mitigation; but, on the other hand,
so little happened that a lot of people were asking, 'Well, why did we
go through all of this?' That's a risk sometimes, and it depends on the
management and it depends on how you sell it. If you sell it as a proactive
measure-that it's going to enhance either information security or the
business as a whole-I think you get a better reception than if you try
to force it as an audit requirement, for instance, to the business units.
MUSSON: You've got to explain the problem
and also what the plan is going to do. You can't just impose it. It comes
back to education and awareness. And it doesn't matter whether it's security,
business continuity, or whatever. Education and awareness are key.
SLINGLUFF: I agree with Mel, you've got
to integrate it into the business, and they've got to see the benefit
of it. Otherwise, they won't do it.
MACKAY: In my experience, the best time
to implement awareness or program planning is after you've had a disaster,
because that's when the awareness is highest-after a tornado has come
through in the county next to yours, or after the building down the street
has burned down. That's when you get your most impact.
MUSSON: Well, I think you can also do it
another way. One of the things that you can do is develop credible scenarios.
These show what the impact of a disaster like a tornado or earthquake
would have on a company, its employees and the community. What would happen
if there were a gasoline or propane explosion? Using these real-life scenarios,
you can make believers out of most management and the people in the business
units.
ISM: It's amazing how many organizations
stumble through a recovery and somehow come out okay despite a lack of
planning. I wonder if that's part of the reason why business continuity
isn't as well established as information security in organizations. Is
it that companies do too good a job recovering without the resources?
That, when things actually do happen, they seem to muddle on through anyway?
MACKAY: It's true that most organizations
will somehow get through it. What we provide is the ability to react quickly
and get through it very quickly, with pre-established and preplanned objectives.
Instead of a 12-hour recovery, we have a two-hour recovery, because procedures
are in place, the exercises have been conducted, and expectations are
already established.
MUSSON: Yes. You've got to provide information
on disasters-or let's call them incidents-that were prevented, or where
impact was reduced because of mitigation measures or prevention measures
that had been put in place. I think what you need is an after-action report.
It doesn't have to be a major document, but you've got to be able to define
what happened, what was done to handle it, and what were the problems.
Then you've got to spell out the lessons learned, and what your recommendations
are to reduce the impact even further should it happen again.
SLINGLUFF: Part of what I've been struggling
with is how to manage soft costs: things like good will, loss of business,
how much of your business will go to someone else if you have an outage.
How do you quantify this? Or, in our case, the regulatory impact, or external
orders jumping all over if you have one of these things. Customers, good
will, shareholders-they're all tangible losses if you have an outage.
MACKAY: As a whole, business continuity
departments are nonprofit centers; we do not generate income. We prevent
a loss of income, but how do you quantify that? However, one of the advantages
we're starting to see is that, for many companies, business continuity
has become a marketing edge. Potential business partners are now coming
in and saying, 'Okay, it's wonderful all these things you can do for us,
but what's your continuity program? How can we set a service level with
you and know we're going to perform these functions or transactions within
these time frames consistently?' So business continuity is slowly starting
to evolve, and we're working with the transition teams and the sales and
marketing teams a little bit more.
ISM: How do you really measure the performance
of a business continuity professional? There are employee performance
reviews, which are not really much more than how many pages of documentation
they've written. Very few organizations have objective measures of contingency
planners' performance. How does an organization really gauge the effectiveness
of its business continuity practitioners?
MACKAY: Unfortunately, a lot of companies
still rely on the audit at the end of their business continuity planning.
But I think that that's too simplistic a method. An audit is a paper-driven
objective-you're just satisfying specific requirements and proving that
the documentation is in place. The actual conducting of exercises, proof
of concept, implementation of recovery plans and risk mitigation is a
whole other arena.
MUSSON: This is probably the major problem
that we have at the moment. I don't think we have the metrics, or measuring
methods, clearly defined, and that probably comes back to the professional
practices you mentioned. You asked about being evaluated on the basis
of the number of plans written. I'm not really sure that's a good measurement,
because you can churn out an awful lot of plans, but they may not be effective.
MACKAY: I agree. And these plans are the
only metric that the HR supervisor has available to measure us right now.
There are no established metrics.
ISM: The only other one that comes to mind is how many disasters you didn't
have.
MUSSON: Yes, but you're never going to acknowledge
those. The thing is, we've got to change senior management's thinking,
because they're looking for successful tests-basically, everything went
right and the test was completed on time and everything was recovered.
And yet we all know that the best test, or the best exercise, is when
things go wrong. We've got to change management's thinking about that,
otherwise they're going to end up thinking, well, this exercise had a
lot of problems and we get a bad rating in the evaluation.
SLINGLUFF: At Freddie Mac, what we're looking
at is, can we recover the business? That's the ultimate goal. The other
thing is that business continuity planning has to be integrated with the
various business areas, so they all take ownership; they know what changes
they need. We put together a basic policy that said the business area
is responsible for recovering the system, regardless of whether there's
a disaster or not, in order to continue doing business. This changes the
ownership, and it may take five to seven years to complete. You've also
got to test the typical data center recoveries; you've got to integrate
that with the business recovery. But recovering the business is the challenge.
We've folded two other areas into
it. First, we create a crisis to start the exercise, whether it's a business
one or a mainframe one. We get management's crisis-management perspective
before we start the recovery, and get the business areas involved in the
initial flow. We've started to do a number of these in real time, where
instead of prepositioning tapes and people on our exercise, we just call
it and basically go through the travel and everything else. It gives you
a better understanding of how to recover, as well as the shortcomings.
But back to the initial question: How do you measure it? As part of our
test plans, we've got to find at least three major things that we need
to improve out of an exercise, or it's not a good one-that is, we haven't
written a test page that's strenuous enough.
ISM: Since all three of you are fellows
of the Business Continuity Institute (BCI), let's touch on professional
certification. How important is it to business? Does management really
care as much as they would about, say, certification for infosec practitioners?
MUSSON: It's becoming more and more important,
and I think one of the things we have to do is work within BCI and the
Disaster Recovery Institute International (DRII) to emphasize its importance.
We hear a lot of talk about standards for business continuity, but I think
we're going to hit a major problem as we go further into standards, so
certification could be the best option.
SLINGLUFF: Basically, the certification
program is kind of a mixed blessing at this stage of the game. When we
got started, nobody would recognize it. As it has matured, it is being
used more and more by recruiters, so if you're moving around and you're
consulting, you have to have certification from one of the groups. Traditionally,
DRII certification is better in the United States, and BCI certification
is more international in its focus. But you'll want to have one in order
to be considered.
MACKAY: I agree with Mike. We're seeing
more and more recruiting efforts geared toward certification. But I don't
know if there's a really good understanding of what certification encompasses,
other than some letters behind your name. However, the management of larger
companies are now identifying it as a core competence; we did a recent
recruiting effort for a planner and the requirement was certification
from either the DRII or the BCI.
MUSSON: I think it behooves the BCI and
the DRII to educate HR and senior management about the certification programs.
It's also important that these are kept up to date. I think one of the
arguments is that even with professional practices, they can get a little
bit behind on new concepts. BCI and DRII are now working on a bi-annual
review process for professional practices, so that new concepts and ideas
can be incorporated.
ISM: How close is business continuity to
achieving maturity as an industry?
SLINGLUFF: Well, we still don't have tools
and acceptable standards-or even a com-mon nomenclature-that we can use
across the industry. Vendors and practitioners call the same things by
different names. We've got to get some kind of uniformity and standards
there.
MUSSON: I think there are two key issues-well,
three, actually: We've got to try and work together more, rather than
going all our different ways. The nomenclatures and wording-there's got
to be standardization there. And then, finally, we've got to look more
and more at professional standards and best practices.
MACKAY: I think the industry as a whole
is on the cusp of taking that step into maturity and creating appropriate
standardization and organization. We've got the right people in place
now, we've got experienced practitioners, and we've got new practitioners
coming up as companies commit to business continuity. We need to lay the
groundwork for those people coming into the industry; if we want to be
successful in doing that, we're the ones who have to go forward and make
that happen.
Copyright (c)2000, Information Security Magazine. All
Rights Reserved.
|
