Try this for yourself: Step into any company, seek an appointment with the Chief Technical Officer or EDP manager and ask them whether they have taken sufficient steps to secure themselves against the various threats that they have exposed themselves to by connecting their internal networks to the Internet. In all probability the answer will be an emphatic YES.
Don't let it rest at that; dig deeper - ask them just what steps they have taken. Then, sit back and listen to a long litany of the various technical measures they have in place, ranging from anti-virus software and firewalls to intrusion detection systems et al. Don't let it rest at that. Probe deeper. Ask them what else they have in place. In all probability, you will get a blank stare in return. Reminds me of The Emperor's New Clothes!
As the story goes, once upon a time, four guys walked into the court of a King and lavished him with praises (much as salesmen today try and bond with a potential client the first time they meet him). Thus having bonded with the King, the four then told him that they were the best tailors that he would ever come across (much like salesmen portray the company they represent to a potential client). Having got the King's attention by now, they then offered to knit for him a new set of clothes that would be the cynosure of all eyes (much like salesmen offer the deal of the century to a potential customer). By now, the King was sold on the idea, hook, line and sinker. And so, the four guys were commissioned to make the King a new set of clothes. They took his measurements, and on the day appointed for the trial fitting, showed up with NOTHING. In response to the King's query, they said that the clothes were there; it was only that one had to concentrate to be able to see them. Which was not difficult, they said. Only a really stupid person would not be able to see them.
Now, of course there were no clothes. But these four guys were so convincing that the King and his courtiers got taken in. None of them wanted to be the odd man out, i.e. admit to being stupid, and so all of them, including the King, pretended to concentrate and then said "Aaah... WE SEE THE CLOTHES NOW". And since each of them believed that everybody else could see the clothes, well, you wouldn't want to admit to being stupid, would you?
And so, the grand day came. The four guys dressed up the King in his non-existent new clothes, all the while exclaiming how handsome he looked in them. And since sycophancy was around as much then as it is now, all the courtiers praised the Emperor's new clothes. Having paid the four tailors for their efforts, the King then set out for a walk in his capital so that all his subjects could admire his new clothes. And his subjects lined the streets to see the King's new clothes. And having heard much about the clothes and the fact that only a really stupid person couldn't see them, the streets echoed with cries of how handsome the King looked in his new clothes, until a little child in all his innocence cried out: "BUT THE EMPEROR HAS NO CLOTHES!" And so the bubble burst and sense dawned on everyone, but by then the four tailors had decamped with their loot.
And that is the story of the Emperor's new clothes.
And so it is today: an organization believes that it has secured itself by putting in place various technical measures such as anti-virus software, firewalls, intrusion detection systems et al. And yet, I say "BUT THE EMPEROR HAS NO CLOTHES!" Since the entire gamut of what would constitute adequate clothing when it comes to securing the confidentiality, integrity and availability of one's digital assets is too large to dwell on in great detail here, I will restrict myself to addressing one part of it, viz. the mechanics of disaster recovery and business continuity.
Disaster recovery and business continuity address the core issue of the steps a business should take in order to continue operations in the event of a major disruption in the information systems process. As the term suggests, disaster recovery is the ability to recover from an event that could be termed disastrous. Obviously, a great deal of thought must go into planning for such an event. Disasters such as earthquakes, floods, fires etc. can severely impact normal business functions carried out by computers and related assets. In addition, system malfunctions, data corruptions, file deletions, hacks and cracks etc. can also impact business functions. Such disruptions can be termed disastrous depending on how severe the impact is on the ability of the business to continue operating under such adverse conditions.
We define a disaster as an event that disrupts the normal system and leaves one or more facilities inoperative for a considerable period of time, usually over one day. A disaster is termed catastrophic if it involves the destruction of an entire processing unit. Obviously, planning for a catastrophe is more complex than planning for a disaster. An effective business continuity plan hence starts with identifying critical business functions, the continuity of which needs to be ensured at all costs. Having done that, the next step involves determining the various types of disastrous events that could occur, and the impact they could have on the various critical business functions identified at the start of the exercise.
I define panic as something that causes people to do things they would not do if they had been told and trained to do otherwise. It is quite common to observe people panicking under adverse conditions and, as a result, doing things that actually cause further disruptions in the normal system. A Business Continuity Plan (BCP) must hence place great emphasis on the task of identifying and notifying the right people during a disaster: people who have been trained to deal with the situation in a cool, collected manner, which is a result of well-documented procedures and training. This goes a long way in preventing panic that can cause further disruptions.
Specifically, the BCP should identify key personnel required to initiate and carry out recovery efforts. It is obvious that once key personnel are contacted in the event of a disaster, they will need to fall back on something to be able to carry out their function. This something includes all supplies necessary for recovery, such as current hardcopy procedures of how to proceed with functions they may be unfamiliar with. Also included in this category are any hardware and software that may be required to continue with business operations.
It is also important that the key personnel should be aware of their responsibilities and the tasks they are expected to fulfill. Depending on the nature of the disaster and the disruption of services, several teams may need to be formed to handle specific tasks. These tasks can be many in number, and the teams that deal with them can be categorized depending on the task they perform. For example, the Emergency Action Team would be concerned with the orderly evacuation of personnel and securing of human life. The Damage Assessment Team would be responsible for assessing the extent of damage and estimating the time required to recover operations. Several other teams would be tasked with a wide variety of tasks such as retrieving critical data from off-site storage, installing systems software and applications at recovery sites, monitoring the security of system and communication links, rerouting communication traffic across networks etc.: anything and everything that it may take to get the business operating again despite the hiccup that it may have suffered.
BCP also involves risk assessment in terms of identifying critical systems and the time one can afford to have them non-functional. This is known as systems tolerance. Tolerance can range from critical (functions that cannot be performed unless replaced by identical capabilities, implying that tolerance to interruption is very low and the cost of interruption is high) to non-critical, where functions can be interrupted for an extended period of time at marginal cost. Obviously, greater emphasis and resources need to be devoted to critical functions than to non-critical ones. The flip side of computing is that the more processes become automated, the more difficult it becomes to prioritize systems, especially when systems integration has reached a high level. It may hence become imperative that recovery procedures cater for a mirrored site rather than rely on just a back-up facility.
Armed with the above information (which in no way is a comprehensive list of EVERYTHING a BCP should provide for), the reader by now should be aware of the complexities of planning for disaster and business continuity. Human nature being what it is, most people's reaction to BCP in general would be "but I've got stuff like firewalls, anti-virus, intrusion detection systems etc. in place. As for disasters, they happen to others; they wouldn't happen to my organization". To them I would say that it is not a question of IF disaster strikes; it is a question of WHEN it strikes. And when it does (which sooner or later it will), no matter what firewalls or anything else you have, without a BCP you will be as vulnerable and exposed as our venerable old Emperor who had no clothes!
(The author is Neville Bulsara. He is CEO, N&N Systems and Software Pvt Ltd, Mumbai)