In today’s modern world almost every business has a web presence and uses a vast array of technology from emails, webpages and in some cases, such as aviation and health, interactive complex systems to enhance their core business.
Today’s society relies so heavily on its Information and Communications Technology (ICT) that our everyday lives can often depend on it, as seen in the latest malware outbreaks, the ransomware ‘Wannacry’ had a massive impact on the UK’s National Health Service, cancelling potentially lifesaving operation as well as causing British Airways to delay flights due to a power supply issue.
A Business Impact Analysis (BIA) is a useful tool used to identify operational functions and the effect a disruption might have upon your business.
The process of recovering against threats similar to those mentioned above is often contained within an Information Technology Disaster Recovery (ITDR) plan. ITDR planning is all about having identified and implemented plans or procedures to reduce the time between a critical incident and its resolution. ICT Readiness Business Continuity (IRBC) is analyzing the business in terms of what could go wrong with your ICT components. The minimal downtime is the optimal result of implementing an ITDR plan.
There are 6 main considerations for effective IRBC:
- Key Competencies and Knowledge
- Facilities
- Technology
- Data
- Processes
- Suppliers
These 6 factors are essential components of IRBC planning process critical to a business’s success. The desired result of IRBC is to maximize the business’s capability of support to its business operations by prevention, detection and response to disruption and recovery of ICT services in the event of a failure. ITDR is an overall process of identifying and putting in place the most cost and time efficient disaster recovery plans for a business’s ICT requirements.
The first factor in the IRBC is the Key competencies and knowledge of the team. Some questions often raised in this phase of the process are: who has these skills? How can we disseminate the vital knowledge and information to all relevant areas in case of a disaster efficiently and effectively? Do we retain staff in-house or do we outsource this requirement?
The second component of the IRBC is Facilities. This is a wide area that each business must look at to individually customise it to the way the business operates. Does the business maintain data warehouses at each site and provide backup services for each, essentially decentralising its ICT structure or centralise its ICT in one building and remotely access and back it up? There are many ways that can effectively provide comprehensive ICT coverage to a business from working from home, remote sites or using facilities provided by third party specialists. Another consideration is what facilities or tools are used as part of the plan as well as considerations around transporting in replacement parts in case of a disruption? Issues regarding the use of remote sites would include site security, staff access and availability and proximity to existing facilities.
Technology is the next part of the ITDR planning process. This looks at how, or what technology is the business going to use to achieve its ICT objectives. This phase looks at components of this strategy such as locations and distances between sites, number of sites and remote access. How will the technology interact with the ICT to achieve the goals identified previously? Recovery Time Objectives ( RTO ) and Recovery Point Objective ( RPO ) are identified in this phase in relation to the technologies used. How quickly can the system be recovered using these technologies is the critical factor.
Data is a vital component in the IRBC plan. There are so many factors which need to be addressed in relation to data. What data is required to restore business activities, and in what amount of time? Which security controls (e.g., access control) must be in place always to secure the data? How will the data be backed up and restored? How will it be stored, either onsite or offsite? What medium will it be backed up on? These factors will affect how easy and time efficient the IRBC is.
At this point, you must consider which Processes you have in place to deal with an incident or disaster, and how the processes needed to make the elements from categories 1 to 4 (competencies and knowledge, facilities, technology, and data) work together to deliver the business services needed (e.g., communications, applications, user accesses, etc.). Processes need to be revisited as new technology and methods arise in the ever-changing Information Technology sector.
Finally, a look at the Suppliers. Which suppliers and supplies (e.g., software copies and hardware spare parts) are critical to ICT continuity? How do your suppliers ensure they can support your organization’s business continuity requirements? What skills and expertise can they bring to our business that we do not already possess or outsource? Can someone do it better and cheaper than we are currently?
Because over the years more and more industries (including aviation) have become dependent upon information and communication technologies (ICT), and ICT failures are becoming more critical, it is natural to expect the spread of literature dealing specifically with this issue to increase.
In this context, the ISO 27031 standard approaches how to use the PDCA (Plan-Do-Check-Act) cycle to put into place a systematic process to prevent, predict, and manage ICT disruption incidents that have the potential to disrupt ICT services. By doing so, this standard helps to support both Business Continuity Management (BCM) and Information Security Management (ISM).
Agilient are experts in the application of ISO 27031 and can assist you in implementing effective standards based ITDR systems.
Brendan Cahill for the Agilient Team