
Business Continuity Planning and the Protection of Informational Assets

Detmar Straub, Computer Information Systems, J. Mack Robinson College of Business, Georgia State University. Seminar, University of Texas, San Antonio, May 2007.

Presentation Transcript

  1. Business Continuity Planning and the Protection of Informational Assets. Detmar Straub, Computer Information Systems, J. Mack Robinson College of Business, Georgia State University. Seminar, University of Texas, San Antonio, May 2007.

  2. Business Continuity Planning and the Protection of Informational Assets • Setting the Stage, Including the Impact of 9/11 • Disaster Recovery vs. Business Continuity Planning • BC Components and MTBU • Risk and Crisis Management • Best Practices and Survivability • Potential Research

  3. Gartner Graphics Below • Used with permission

  4. Distribution of Disasters From Preparing for Evil by Ian Mitroff and Murat Alpaslan

  5. Crisis Types From Preparing for Evil by Ian Mitroff and Murat Alpaslan

  6. Cyberthreat Hype Cycle (as of January 2004). Chart of visibility against maturity, with the phases Technology Trigger, Peak of Inflated Hyperbole, Trough of Irrelevance, Slope of Enlightenment and Plateau of Permanent Annoyance. Threats plotted along the curve: “Phishing”, Spam, Spyware, Peer-to-Peer Exploits, Wireless and Mobile Device Attacks, Social Engineering, Denial of Service, DNS Attacks, Viruses, Cyberterrorism, Identity Theft, Xeno Threats, Hybrid Worms, Zero-Day Threats, “War Chalking”.

  7. How Resilient Are Organizations? Are they prepared for … • A power outage? 88% of enterprises are ready to deal with it. • Failure of a server, host, application, software or network? More than 70% of enterprises have backup. • Failure of outside service providers? Only 50% are prepared. • Loss of transportation infrastructure? 38% are set. • Loss of physical assets and work space? 36% have a plan. • Physical attacks? Only 28% are ready. • Major loss of life? Only 13% are mostly or fully prepared.

  8. Security and Privacy Remain Top Trends: Top-10 Business Trends, 2004. Ranking by year (“-” = not ranked that year; * = new question for 2004; the original chart also marked selected changes in ranking compared with 2003). Source: Gartner's EXP Premier Report, “Preparing for the Upswing: The 2004 CIO Agenda”, March 2004.
     2004  2003  2002  Trend
        1     -     2  Security breaches/business disruptions
        2     1     1  Operating costs/budgets
        3    10     4  Data protection and privacy
        4     -     -  Need for revenue growth *
        5     -     -  Use of information in products/services *
        6     -     -  Economic recovery *
        7     3     5  Business trends: faster innovation
        8     5     3  Single view of the customer
        9     7     -  Greater transparency in reporting
       10     4     -  Enterprise risk management

  9. “Necessities”: Security Technologies (the original chart split these between the columns “Needed” and “Will Need”) • Host-Based IPS • 802.1x • Quarantine/Containment • Security Audit Capabilities • Vulnerability Management • Advanced Encryption Standard • Identity Management • Automated Password Management • Gateway Spam/Antivirus Scanning • Business Continuity Plan

  10. Real-Time Enterprise and BCP — A Collision Course • Business Is Moving Faster Than Ever Before: • Real-time interenterprise business process integration • Significant reliance on partners in the value chain • Faster flow and immediate responses expected • You are only as strong as the weakest link Yet in 2002, less than 25 percent of Global 2000 enterprises have invested in comprehensive business continuity planning; only 50 percent have fully tested disaster recovery plans.

  11. BC in the Real-Time Enterprise: More Risks, More Collaboration. Risk sources shown: • Human Error/Operations Risk • Performance/Capacity • Planned/Unplanned Downtime • Closed Security Incidents • Outsourced Service Providers • Content/Application Links to Third Parties • Rolling Disaster/Multiple Failure Points

  12. Evolution of Business Continuity: Sept. 11 Forever Changed Business Continuity Planning. • 1990: Disaster Recovery; RTO = three days; scenarios limited. • 1995: Y2K and BPR + contingency planning; RTO < 24 hours. • 2000: Internet and BPR; RTO/RPO ~ 0; + new scenarios; business recovery for critical work processes. • 2002: Aftermath of Sept. 11; + crisis management; + new scenarios. RTO = Recovery Time Objective = how much time you can afford to lose. RPO = Recovery Point Objective = how much data you can afford to lose.

  13. MTBU Based on Business Information Intensivity (from Straub 2004). Chart of daily revenues ($0 to $250,000) from Day 1 to Day 13 following a disruption, with one curve for an information-intensive firm and one for a non-information-intensive firm. MTBU = maximum time to belly-up, the point at which the interruption becomes fatal to the business.

  14. DR vs. BCP (Nemzow)

  15. Myth: “It Doesn’t Matter if the Security Team Understands the Business”. Layered view, business-focused at the top and IT-focused at the bottom: People → Business Processes → Transactions → The Demilitarized Zone → Applications → IT Infrastructure → Security Devices. The business view: “Uh-oh, the Flubber ordering system could go down and cost millions.” The IT view: “We're vulnerable to an xyz-based denial-of-service attack.”

  16. Just As The Security Action Cycle Provides a Feedback Loop (based on Nance and Straub 1988). Stages: Deterrence → Prevention → Detection → Remedies, with feedback from remedies back to deterrence. Each stage removes a share of abuse (deterred abuse, prevented abuse, detected abuse); what slips through is undetected abuse and unpunished abuse. The abuser's objective: maximize abuse. The organization's objective: minimize abuse.

  17. So Must Business Continuity: Identify & Analyze → Build & Implement → Monitor & Test, and back around.

  18. Creating Business Continuity Plans: the process. • Initiation: policy, scope, organization, resources. • Project: create planning organization, risk analysis, business impact analysis. • Recovery strategy: risk reduction, implement standby facilities, group plans and procedures. • Ongoing process: change management, education, testing, review.

  19. Risk and Risk Assessment • Annual Loss Expectancy (A.L.E.) = annual likelihood of the event × cost of the event to the business • Risk assessment includes thorough risk identification, likelihood estimation, and prioritization based on the impact of each business risk

  20. Risk Management: the risk management process. • Identify: who, what, where, when, why, how? • Analyze/assess/measure: how much, how often, how related? • Mitigate: eliminate, avoid, reduce. • Accept/transfer: contractual, risk financing, insurance. • Monitor results.
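The two slides above give the ALE formula and the treatment options without working a case. The following is an added example (not from the slides or from Straub's materials) that computes ALE for a small constructed risk register, ranks it, and applies one assumed decision rule to pick mitigate, accept or transfer for each risk. The risk names, likelihoods, dollar figures, the controls and the risk appetite are all constructed for illustration.

```python
"""Annual Loss Expectancy and risk-treatment triage.

Added illustration, not from the original slides. The formula is the one
on slide 19 (ALE = annual likelihood of event * cost of event). The risks,
controls, dollar figures and the decision rule below are constructed
assumptions chosen to exercise the mitigate / accept / transfer options
of the risk-management process on slide 20.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_likelihood: float  # expected occurrences per year (ARO)
    cost_per_event: float     # loss per single occurrence, in dollars (SLE)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # amortized yearly cost of running the control
    likelihood_reduction: float  # fraction of the annual likelihood it removes


def ale(risk: Risk) -> float:
    """Annual Loss Expectancy: annual likelihood * cost of event to business."""
    return risk.annual_likelihood * risk.cost_per_event


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Risk assessment step: rank identified risks by ALE, largest first."""
    return sorted(risks, key=ale, reverse=True)


def treatment(risk: Risk, control: Control, risk_appetite: float) -> str:
    """Choose a treatment for one risk (assumed decision rule).

    mitigate  - the control pays for itself: its annual cost is below the
                ALE it removes
    accept    - control not worth it, but the ALE is within the appetite
    transfer  - control not worth it and the ALE exceeds the appetite, so
                buy insurance or push the risk onto a contract
    """
    ale_removed = ale(risk) * control.likelihood_reduction
    if control.annual_cost < ale_removed:
        return "mitigate"
    if ale(risk) <= risk_appetite:
        return "accept"
    return "transfer"


def triage(pairs: list[tuple[Risk, Control]], risk_appetite: float) -> dict:
    """Return {risk name: (ALE, treatment)} in descending ALE order."""
    ranked = prioritize([risk for risk, _ in pairs])
    control_for = {risk.name: control for risk, control in pairs}
    return {
        risk.name: (ale(risk), treatment(risk, control_for[risk.name], risk_appetite))
        for risk in ranked
    }


# Constructed sample register: likelihoods and costs are illustrative only.
SAMPLE_REGISTER = [
    (Risk("ransomware on order system", 0.5, 300_000),
     Control("offline backups + endpoint protection", 60_000, 0.7)),
    (Risk("power outage at data center", 2.0, 50_000),
     Control("UPS + generator", 30_000, 0.9)),
    (Risk("fire destroys data center", 0.02, 4_000_000),
     Control("contracted hot site", 250_000, 0.95)),
    (Risk("outside service provider failure", 1.5, 20_000),
     Control("second provider on standby", 40_000, 0.8)),
]
RISK_APPETITE = 50_000  # assumed: annual loss the firm is willing to absorb


if __name__ == "__main__":
    for name, (expected_loss, action) in triage(SAMPLE_REGISTER, RISK_APPETITE).items():
        print(f"{name:36s} ALE=${expected_loss:>10,.0f}  -> {action}")
```

Note what the ranking does and does not say: the data-center fire has a lower ALE than the power outage because its likelihood is tiny, yet it is the one risk that ends up transferred, because the hot site costs more than the expected loss it removes while the residual exceeds the appetite. ALE ranks where to spend attention; the treatment decision still has to compare control cost against the loss actually avoided.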

  21. Hot Sites vs. Cold Sites • Hot sites have all the equipment (and sometimes the software) needed for the enterprise to continue operation, including office space and furniture, telephone jacks, and computer equipment. • A cold site is a similar type of disaster recovery service that provides office space, but the customer provides and installs all the equipment needed to continue operations.

  22. Integrating BCP and DR (adapted from Castillo 2004). DR track, starting from the event: Preparedness → Response → Recovery. BCP track, starting from the event: Preparedness → Response → Stabilization of Business → Assessment → Resumption of Normal Business.

  23. Building Plans: The BC Planning Process (Karakasidis 1997)

  24. Planning vs. Adaptability • It is impossible to predict all possibilities • The MTBU is finite • Planning and practicing for what is anticipated maximizes the time available to adapt and to handle the unanticipated • Not planning but counting totally on adaptability is an invitation to “disaster” and an expired MTBU!

  25. Best Practices -- Zsidisin et al. (2003)

  26. Survivability: A New Generic Principle For your most essential resources: • Asset dispersion • Partial duplication Allows business to be resilient and to continue functioning with somewhat reduced capacity

  27. Cost-Benefit Tradeoff Model (Snow et al. 2005). Chart of $ against number of sites (1, R, R+1, … R+M, … R+N), with one curve for the risk-distribution $ and one for the overall $. R is a simple redundant capability; R+M is an optimal number of distributed sites; and R+N is the largest number of distributed sites possible in a firm.
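Slides 26 and 27 state the survivability principle and the tradeoff it creates but give no numbers. The block below is an added example, not from the slides and not the model of Snow et al. 2005: it assumes one simple cost model in the shape of the chart (site cost rising linearly with the number of sites, expected loss of all sites falling geometrically) and finds the site count R+M at which the overall $ is lowest. The per-site cost, per-site loss probability, catastrophic loss and maximum site count are constructed values.

```python
"""Cost-benefit tradeoff for distributing essential resources over sites.

Added illustration, not from the original slides or from Snow et al. 2005.
It gives one concrete (assumed) cost model in the shape of slide 27: the
cost of running sites rises linearly with their number, the expected loss
from losing every site falls geometrically, and the optimum R+M is where
the sum is lowest. Site counts, costs and the per-site loss probability
are constructed values.
"""


def survival_probability(n_sites: int, p_site_loss: float) -> float:
    """Probability at least one site survives the year (independent losses).

    Asset dispersion (slide 26): the firm keeps operating, at reduced
    capacity, as long as one site is left.
    """
    return 1.0 - p_site_loss ** n_sites


def remaining_capacity(n_sites: int, sites_lost: int) -> float:
    """Fraction of capacity left when sites_lost of n_sites are gone.

    With capacity spread evenly over the sites this is the "somewhat
    reduced capacity" the survivability principle accepts.
    """
    if not 0 <= sites_lost <= n_sites:
        raise ValueError("sites_lost must be between 0 and n_sites")
    return (n_sites - sites_lost) / n_sites


def annual_cost(n_sites: int, cost_per_site: float,
                p_site_loss: float, catastrophic_loss: float) -> float:
    """Overall $ for n sites: site cost plus expected loss of all sites.

    Assumed model: every site costs cost_per_site per year; all sites being
    lost in the same year (probability p_site_loss ** n_sites) costs
    catastrophic_loss, the "expired MTBU" case of slide 24.
    """
    if n_sites < 1:
        raise ValueError("need at least one site")
    expected_catastrophe = catastrophic_loss * p_site_loss ** n_sites
    return n_sites * cost_per_site + expected_catastrophe


def optimal_sites(max_sites: int, cost_per_site: float,
                  p_site_loss: float, catastrophic_loss: float) -> tuple[int, float]:
    """Return (R+M, cost): the site count minimizing annual_cost over 1..max_sites (R+N)."""
    best = None
    for n in range(1, max_sites + 1):
        cost = annual_cost(n, cost_per_site, p_site_loss, catastrophic_loss)
        if best is None or cost < best[1]:
            best = (n, cost)
    return best


# Constructed sample parameters (illustrative only).
COST_PER_SITE = 100_000         # annual cost of running one more distributed site
P_SITE_LOSS = 0.2               # chance a given site is lost in a year
CATASTROPHIC_LOSS = 20_000_000  # value destroyed if every site is lost
MAX_SITES = 8                   # R+N: most sites the firm could operate


if __name__ == "__main__":
    for n in range(1, MAX_SITES + 1):
        total = annual_cost(n, COST_PER_SITE, P_SITE_LOSS, CATASTROPHIC_LOSS)
        print(f"{n} site(s): ${total:>12,.0f}  "
              f"P(at least one survives)={survival_probability(n, P_SITE_LOSS):.4f}")
    n_opt, cost_opt = optimal_sites(MAX_SITES, COST_PER_SITE, P_SITE_LOSS, CATASTROPHIC_LOSS)
    print(f"optimal (R+M) = {n_opt} sites at ${cost_opt:,.0f} per year")
```

With these values the overall cost falls steeply from one site to four and then climbs again, because beyond four the extra site fee outweighs the shrinking chance of losing everything; four is R+M for this firm, and any larger count up to R+N buys survivability the model says is not worth its price.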

  28. Specialized Organizational Structure • Emergence of dedicated organizations for handling security breaches: CSIRTs, or “computer security incident response teams” (CMU SEI, Killcrece et al. 2003)

  29. Integrating BCP and DR: Sequential Path Model (adapted from Castillo 2004). DR track, starting from the event: Preparedness → Response → Recovery. BCP track, starting from the event: Preparedness → Response → Stabilization of Business → Assessment → Resumption of Normal Business.

  30. Parallel Path Model. From the event, the two plans run side by side and converge on Resumption of Normal Activities. 1.0 Business Continuity Plans: 1.1 Scoping → 1.2 Recovery/Remediation → 1.3 Re-assessment → 1.4 Adjustment. 2.0 IT Disaster Recovery Plans: 2.1 Scoping → 2.2 Recovery/Remediation → 2.3 Re-assessment → 2.4 Adjustment.

  31. Example Case • A terrorist act destroys a firm’s main data center facility which also houses a central branch of the online sales order division. Key personnel have been injured or killed. There is widespread physical damage to the facilities themselves.

  32. Potential Areas For Research In BC

  33. Potential Areas For Research In BC

  34. Areas For Research In BC

  35. Plus an edited book on this topic: Information Security Policies, Processes, and Practices, edited by Detmar W. Straub, Sy Goodman and Richard Baskerville. M.E. Sharpe, Armonk, NY, USA, 2007, forthcoming.

  36. Conclusion • BCP/DR has been a subject of some interest in the trade press for decades • A smattering of academic interest in the topic • Current models show how to organize the effort, how to develop good plans, and how to exercise them • No tests of effectiveness from a scientific standpoint

  37. Conclusion • Research needed in the intersection between organizations, systems, and management • Such research fraught with problems, particularly because organizations are being asked to divulge their losses and internal security arrangements • But this study is important for society and the academy itself

  38. End of Presentation. Q&A
