by Simon Biles
Before I go on, I should clarify that there is a difference between BCP and DRP. One (BCP) tends to be used for aspects of failure, such as a hard disk failing; the other (DRP) covers catastrophic events, such as your building burning down. In my experience most people don’t have adequate plans of either kind. There is, however, a lot of common material between the two, and I’m going to continue this article from more of a DRP perspective.
In a lot of businesses, the “cloud” is a great solution: all of your data is “out there” and all you need is a “dumb” terminal to get to it. For those of us who operate in the security or forensics space, however, this is impossible, although I know a few freelancers who make use of the professional Google Tools for their e-mail, and that, sadly, isn’t a guaranteed solution either.
So, as a minimum, what should you be doing to manage your DR plans? I’d like to propose a model based on Maslow’s Hierarchy of Needs. (I’ve not seen it done before, but I hesitate to call anything new in this day and age! I was infuriated the other day to see that someone had trademarked the word “automagically”, something that I’ve been using for decades and will continue to use, citing prior art if anyone complains!)
[Figure: Biles’ Hierarchy of DR Needs]
Fundamentally, of course, there is actually a layer underneath the bottom one here, which is the most critical of all: the fundamental wellbeing of staff. If there has been a significant event which has resulted in a site becoming unavailable, then there is a risk of trauma to staff – potentially physical, but also emotional – even more so if you generally work from home! Also, in recent cases where BCP/DR plans have had to be enacted through terrorist action, there can be a lot gained by providing a mechanism for communication between staff and their nearest and dearest, so that they can be reassured that there are no issues. I was lucky on July 7th: not only was I not on the tube in London at the time, but I had called my wife from the station saying that I was OK before the mobile phone network became overloaded. Knowing that she wasn’t worrying and that she knew I was walking to work meant that when I got in the office I could get on with what needed to be done (and so could she).
The above pyramid, though, does quickly illustrate what you need, but bear in mind how easy some of these are to comply with. You can get through nearly all of the first three with a laptop, a mobile phone and the local pub with a Wi-Fi point; in fact, if you have Skype, you can even skip the mobile phone. Clearly, though, these requirements change as soon as you are operating your business from an unstable Middle Eastern state. If that is the case then you need to consider Inmarsat phones and data links, petrol generators and a stash of local currency, but each plan depends on its scenario.
Please bear in mind the potential size of an incident – there were reported issues for companies in the aftermath of the Buncefield fire where their DR site was just as badly damaged as their main site, being almost equidistant on opposite sides of the event!
Simon Biles is one of the founders of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK. He has worked on security projects for commercial, charity and government organizations for over 10 years. Simon is studying Forensic Computing at Cranfield University, although very slowly because of work commitments! He posts on the forum as Azrael and you can read an interview with him here.