Handbook of Information Security Management: Risk Management and Business Continuity Planning


Section 3-2
Business Continuity Planning

Chapter 3-2-1
Business Continuity in Distributed Environments

Steven P. Craig

Today’s organizations, in their efforts to reduce costs, are streamlining layers of management while implementing more complex matrices of control and reporting. Distributed systems have facilitated the reshaping of these organizations by moving the control of information closer to its source, the end user. In this transition, however, secure management of that information has been placed at risk. Information technology departments must protect the traditional system environment within the computer room plus develop policies, standards, and guidelines for the security and protection of the company’s distributed information base. Further, the information technology staff must communicate these standards to all users to enforce a strong baseline of controls.

In these distributed environments, information technology personnel are often asked to develop systems recovery plans outside the context of an overall business recovery scheme. Recoverability of systems, however, should be viewed as only one part of business recovery. Information systems, in and of themselves, are not the lifeblood of a company; inventory, assets, processes, and people are all essential factors that must be considered in the business continuation design. The success of business continuity planning rests on a company’s ability to integrate systems recovery in the greater overall planning effort.


Distinctive areas must be addressed in the formulation of a company’s disaster recovery plan, and attention to these areas should follow the steps of the scientific method: a statement of the problem, the development of a hypothesis, and the testing of the hypothesis. Like any scientific process, the development of the disaster recovery plan is iterative. The testing phase of this process is essential because it reveals whether the plan is viable. Moreover, it is imperative that the plan and its assumptions be tested on an ongoing, routine basis. The most important distinction that marks disaster recovery planning is what is at stake — the survival of the business.

The phases of a disaster recovery plan process are:

  Awareness and discovery
  Risk assessment
  Response and recovery

Recovery planners should adapt these phases to a company’s specific needs and requirements. Some of the phases may be combined, for example, depending on the size of the company and the extent of exposures to risk. It is crucial, however, that each phase be included in the formation of a recovery plan.

Awareness and Discovery

Awareness begins when a recovery planning team can identify both possible threats and plausible threats to business operations. The more pressing issue for an organization in terms of business recovery planning is that of plausible threats. These threats must be evaluated by recovery planners, and their planning efforts, in turn, will depend on these criteria:

  The business of the company.
  The area of the country in which the company is located.
  The company’s existing security measures.
  The level of adherence to existing policies and procedures.
  Management’s commitment to existing policies and procedures.

Awareness also implies educating all employees on existing risk exposures and briefing them on what measures have been taken to minimize those exposures. Each employee’s individual role in complying with these measures should be addressed at this early stage.

In terms of systems and information, the awareness phase includes determining what exposures exist that are specific to information systems, what information is vital to the organization, and what information is proprietary and confidential. Answering these questions will help planners determine when an interruption will be catastrophic as opposed to operational. For example, in an educational environment, a system that is down for two or three days may not be considered catastrophic, whereas in a process control environment (e.g., chemicals or electronics), just a few minutes of downtime may be.

Discovery is the process in which planners must determine, based on their awareness of plausible threats, which specific operations would be affected by existing exposures. They must consider what measures are currently in place or could be put in place to minimize or, ideally, remove these exposures.


The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.