Business Continuity Planning and the Protection of Informational Assets. Detmar Straub, Computer Information Systems, J. Mack Robinson College of Business, Georgia State University. Seminar, University of Texas, San Antonio, May 2007.
Business Continuity Planning and the Protection of Informational Assets
• Setting the Stage, Including the Impact of 9/11
• Disaster Recovery vs. Business Continuity Planning
• BC Components and MTBU
• Risk and Crisis Management
• Best Practices and Survivability
• Potential Research
Gartner Graphics Below • Used with permission
Distribution of Disasters From Preparing for Evil by Ian Mitroff and Murat Alpaslan
Crisis Types From Preparing for Evil by Ian Mitroff and Murat Alpaslan
[Figure: Cyberthreat Hype Cycle, as of January 2004. Axes: Visibility (vertical) against Maturity (horizontal); phases: Technology Trigger, Peak of Inflated Hyperbole, Trough of Irrelevance, Slope of Enlightenment, Plateau of Permanent Annoyance. Threats plotted: “Phishing”, Spam, Spyware, Peer-to-Peer Exploits, Wireless and Mobile Device Attacks, Social Engineering, Denial of Service, DNS Attacks, Viruses, Cyberterrorism, Identity Theft, Xeno Threats, Hybrid Worms, Zero-Day Threats, “War Chalking”.]
How Resilient Are Organizations? Are they prepared for …
• A power outage? 88% of enterprises are ready to deal with it.
• Failure of server, host, application, software or network? More than 70% of enterprises have backup.
• Failure of outside service providers? Only 50% are prepared.
• Loss of transportation infrastructure? 38% are set.
• Loss of physical assets and work space? 36% have a plan.
• Physical attacks? Only 28% are ready.
• Major loss of life? Only 13% are mostly or fully prepared.
Security and Privacy Remain Top Trends
Top-10 Business Trends, 2004 (ranking in 2004, with the rankings in 2003 and 2002)

2004  2003  2002  Business trend
   1     -     2  Security breaches/business disruptions
   2     1     1  Operating costs/budgets
   3    10     4  Data protection and privacy
   4     -     -  Need for revenue growth *
   5     -     -  Use of information in products/services *
   6     -     -  Economic recovery *
   7     3     5  Business trends — faster innovation
   8     5     3  Single view of the customer
   9     7     -  Greater transparency in reporting
  10     4     -  Enterprise risk management

* New question for 2004. Selected change in ranking compared with 2003.
Source: Gartner's EXP Premier Report: Preparing for the Upswing: The 2004 CIO Agenda, March 2004
“Necessities” - Security Technologies (columns: Needed / Will Need)
• Host-Based IPS
• 802.1x
• Quarantine/Containment
• Security Audit Capabilities
• Vulnerability Management
• Advanced Encryption Standard
• Identity Management
• Automated Password Management
• Gateway Spam/Antivirus Scanning
• Business Continuity Plan
Real-Time Enterprise and BCP — A Collision Course
• Business Is Moving Faster Than Ever Before:
• Real-time interenterprise business process integration
• Significant reliance on partners in the value chain
• Faster flow and immediate responses expected
• You are only as strong as the weakest link
Yet in 2002, less than 25 percent of Global 2000 enterprises have invested in comprehensive business continuity planning; only 50 percent have fully tested disaster recovery plans.
BC in the Real-Time Enterprise: More Risks, More Collaboration
• Human Error/Operations Risk
• Performance/Capacity
• Planned/Unplanned Downtime
• Closed Security Incidents
• Outsourced Service Providers
• Content/Application Links to Third Parties
• Rolling Disaster/Multiple Failure Points
Evolution of Business Continuity: Sept. 11 Forever Changed Business Continuity Planning
• 1990: Disaster Recovery; RTO = three days; scenarios limited
• 1995: Y2K and BPR + Contingency Planning; RTO < 24 hours
• 2000: Internet and BPR; RTO/RPT ~ 0; + new scenarios
• 2002: Aftermath of Sept. 11 + Crisis Management + new scenarios; business recovery for critical work processes
RTO = Recovery Time Objective = How much time you can afford to lose
RPT = Recovery Point Objective = How much data you can afford to lose
[Chart: Daily Revenues (0 to 250,000) over Day 1 through Day 13 of an outage, for an Information-Intensive Firm versus a Non-Information-Intensive Firm.] MTBU Based on Business Information Intensivity. From Straub 2004.
Myth: “It Doesn’t Matter if the Security Team Understands the Business”
Business-Focused view (People, Business Processes, Transactions): “Uh-oh, the Flubber ordering system could go down and cost millions.”
The Demilitarized Zone
IT-Focused view (Applications, IT Infrastructure, Security Devices): “We're vulnerable to an xyz-based denial-of-service attack.”
Just As The Security Action Cycle Provides a Feedback Loop (based on Nance and Straub, 1988)
Deterrence → Prevention → Detection → Remedies, with feedback from each stage back to Deterrence
• Deterred abuse: objective, maximize
• Prevented abuse: objective, maximize
• Undetected abuse: objective, minimize
• Unpunished abuse: objective, minimize
So Must Business Continuity: Identify & Analyze → Build & Implement → Monitor & Test (and back to Identify & Analyze)
Creating Business Continuity Plans: PROCESS
• Business Continuity Planning Initiation: Scope, Policy, Resources, Organization
• Project: Create Planning Organization, Risk Analysis, Business Impact Analysis, Recovery Strategy, Risk Reduction, Implement Standby Facilities, Group Plans and Procedures, Testing
• Ongoing Process: Change Management, Education, Testing, Review
Risk and Risk Assessment
• Annual Loss Expectancy (A.L.E.) = annual likelihood of event * cost of event to business
• Risk assessment includes thorough risk identification, likelihood estimation, and prioritization based on the impact of each business risk
Risk Management: The risk management process
• Identify: Who, what, where, when, why, how?
• Analyze/assess/measure: How much, how often, how related?
• Mitigate: Eliminate, avoid, reduce
• Accept/transfer: Contractual, risk financing, insurance
• Monitor results
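As an added illustration (not from the original slides), the A.L.E. formula applied to a constructed risk register, walking through the identify, analyze/measure, mitigate-or-accept/transfer and monitor steps of the risk management process. The register values, the annual-loss tolerance and the "ALE above tolerance means mitigate" decision rule are assumptions made for this example.

```python
"""Annual Loss Expectancy (A.L.E.) and risk prioritization.

Added example; the register, tolerance and decision rule are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # annual likelihood of the event (expected events per year)
    cost: float         # cost of one event to the business, in dollars


def ale(risk: Risk) -> float:
    """Annual Loss Expectancy = annual likelihood of event * cost of event."""
    return risk.likelihood * risk.cost


def prioritize(register: list[Risk]) -> list[Risk]:
    """Analyze/measure step: rank the identified risks by ALE, highest first."""
    return sorted(register, key=ale, reverse=True)


def decide(risk: Risk, tolerance: float) -> str:
    """Assumed decision rule: ALE above the tolerance is mitigated (eliminate,
    avoid, reduce); at or below it is accepted or transferred (contract,
    risk financing, insurance)."""
    return "mitigate" if ale(risk) > tolerance else "accept/transfer"


def residual(risk: Risk, likelihood_factor: float = 1.0, cost_factor: float = 1.0) -> Risk:
    """Monitor step: re-measure a risk after a control scales its likelihood
    and/or its per-event cost, so the next cycle works on the residual ALE."""
    return replace(risk, likelihood=risk.likelihood * likelihood_factor,
                   cost=risk.cost * cost_factor)


# Constructed register (identify step) for illustration only.
REGISTER = [
    Risk("power outage", likelihood=2.0, cost=25_000),
    Risk("server failure", likelihood=0.5, cost=80_000),
    Risk("outside service provider failure", likelihood=0.25, cost=300_000),
    Risk("loss of data center facility", likelihood=0.02, cost=5_000_000),
]
TOLERANCE = 45_000  # constructed annual-loss tolerance, in dollars

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:36} ALE=${ale(r):>10,.0f} -> {decide(r, TOLERANCE)}")
```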
Hot Sites vs. Cold Sites
• Hot sites have all the equipment (and sometimes the software) needed for the enterprise to continue operation, including office space and furniture, telephone jacks, and computer equipment.
• A cold site is a similar type of disaster recovery service that provides office space, but the customer provides and installs all the equipment needed to continue operations.
Integrating BCP and DR (Adapted from Castillo 2004)
• DR: Event → Preparedness → Response → Recovery
• BCP: Event → Preparedness → Response → Stabilization of Business → Assessment → Resumption of Normal Business
Planning vs. Adaptability
• It is impossible to predict all possibilities
• The MTBU is finite
• Planning and practicing for what is anticipated maximizes the time available to adapt and to handle the unanticipated
• Not planning but counting totally on adaptability is an invitation to “disaster” and an expired MTBU!
Survivability: A New Generic Principle
For your most essential resources:
• Asset dispersion
• Partial duplication
Allows business to be resilient and to continue functioning with somewhat reduced capacity
Cost-Benefit Tradeoff Model (Snow et al. 2005)
[Figure: $ (vertical axis) against number of sites (horizontal axis: 1, R, R+1, R+M, R+N), plotting the risk distribution $ and the overall $.]
Where R is a simple redundant capability; R+M is an optimal number of distributed sites; and R+N is the largest number of distributed sites possible in a firm.
Specialized Organizational Structure • Emergence of dedicated organizations for handling security breaches: CSIRT, or “computer security incident response teams” (CMU SEI Killcreece et al. 2003)
Sequential Path Model: Integrating BCP and DR (Adapted from Castillo 2004)
• DR: Event → Preparedness → Response → Recovery
• BCP: Event → Preparedness → Response → Stabilization of Business → Assessment → Resumption of Normal Business
Parallel Path Model: after the Event, both plans run in parallel until the Resumption of Normal Activities
• 1.0 Business Continuity Plans: 1.1 Scoping; 1.2 Recovery/Remediation; 1.3 Re-assessment; 1.4 Adjustment
• 2.0 IT Disaster Recovery Plans: 2.1 Scoping; 2.2 Recovery/Remediation; 2.3 Re-assessment; 2.4 Adjustment
Example Case • A terrorist act destroys a firm’s main data center facility which also houses a central branch of the online sales order division. Key personnel have been injured or killed. There is widespread physical damage to the facilities themselves.
Edited Book on this Topic, Plus: Information Security Policies, Processes, and Practices. Detmar W. Straub, Sy Goodman, Richard Baskerville (eds.). M.E. Sharpe, Armonk, NY, USA, 2007, forthcoming.
Conclusion
• BCP/DR has been a subject of some interest in the trade press for decades
• A smattering of academic interest in the topic
• Current models show how to organize the effort, how to develop good plans, and how to exercise them
• No tests of effectiveness from a scientific standpoint
Conclusion
• Research needed in the intersection between organizations, systems, and management
• Such research is fraught with problems, particularly because organizations are being asked to divulge their losses and internal security arrangements
• But this study is important for society and the academy itself