Managing the companies risk is gaining more and more importance.
Companies are getting more aware of
the fact that risks should be foreseen and addressed before they
could prove havoc for the organization in
38.1 Corporate Culture and Risk Management
As it goes, “The ultimate risk is not taking the risk”.
Recognizing and managing risk should be an important
part of the corporate culture. IS related risk management is a
one level deeper into the over all corporate
risk strategy. Assuming that most of the business processes have
become computer and technology
dependent to whatever extent actually used, a secure IS
supported with a sound risk management strategy
must be available to the organization.
38.2 Constituents of Risk Management
Usually the following constitutes the risk management process.
Passwords – already been
Securing Web based
security in IS
The objective of the entire risk management process is that no
one should hamper the working of the
smooth working of IS. Risk management in a newly computerized
environment and that in an ongoing
operation will have to be viewed differently. The scope of risk
should be defined by the organization; only
then mitigation strategies can be undertaken. The organization
should have a business continuity plan and
should also know how to use it.
38.3 Risk management
Risk management in a newly computerized environment and that in
an ongoing operation will have to be
viewed differently. In an ongoing operation, risk management
itself cannot be done without evidence
collection and evidence of risks. Where the organization is
desiring to implement a new system, careful
thought needs to be given to see how potential risks can be
managed. Security and risk management policies
can be developed s the system expands and greater evidence of
actual threats begins to become available.
Establishing clear audit trails is an absolute must as much as
managing physical environmental risks. They
help in identifying the start and execution of transaction from
the cradle to the grave. Audit logs to be kept
should also record the errors occurring and possible actions
should be taken to mitigate risks. Maintaining
audit logs also helps in drilling down for investigation
purposes. Exception report can also be prepared
from these audit logs.
38.4 Business Continuity Planning
Part of the Risk management process is to ensure that the
organization has a well considered business
continuity plan. This becomes extremely essential in on-line
environments where customer, supplier
interaction is high e.g. ATM, on-line supply or purchase orders.
In online environment, a critical need arises
for an efficient recovery plan to minimize the discontinuation
time and to perform back up activity.
“Business Continuity Planning (BCP) is a methodology used to
create a plan for how an organization will
resume partially or completely interrupted critical functions
within a predetermined time after a disaster or
BCP can also be defined as
“BCP is the process where by the institutions ensure the
maintenance and recovery of operations including
services to customers when confronted with adverse events such
as natural disasters, technology failure,
human error and terrorism.”
The Senior management and the board of Directors are responsible
for identifying, assessing, prioritizing,
managing and controlling risks. They should ensure that
necessary resources are devoted to creating,
maintaining and testing the BCP. The effectiveness of the BCP
depends on management commitments and
ability to clearly identify what makes business processes work.
BCP is not limited to the restoration of the
IS technology and services or data maintained in electronic
form. Without a BCP that considers every single
business unit including personnel workspace and similar issues.
An organization may not resume serving its customers at
acceptable level. Business Continuity Planning is a
process designed to reduce the organization’s business risk
arising from operational dysfunction. These
operations are critical and necessary for the survival of the
organization. The operations which are critical
may be either manual or automated.
The planning of operations also include human/material resources
supporting these critical
function/operations and assurance of the continuity of the
minimum level of services necessary for critical
operations. BCP methodology is scalable for an organization of
any size and complexity. The plan can be
made for an organization with operations of any type. Any type
of organization may create a BCP manual,
and arguably every organization
have one in order to ensure the organization's
longevity. A business
continuity plan is much more than just a plan or the information
system. A business continuity plan
identifies what the business will do in event of disaster.
38.5 Components of BCP
The business continuity plan includes:
1. The disaster recovery plan that is used to recover a facility
rendered inoperable, including relocating
operation into a new location.
2. The operations plan that is to be followed by the business
units while recovery is taking place.
3. The restoration plan that is used to return operations to
normality whether in a restored or new facility.
Business Continuity Planning vs. Disaster Recovery planning
Business continuity planning:
Where will employees report to work, how will orders be taken
while the computer system is being restored,
which vendors should be called to provide needed supplies. For
Example, in a web based environment
where operations are active 24/7, there should be such an
arrangement that the system, in case of crash,
shifts over to a back up system to provide uninterrupted
Disaster Recovery Planning:
This typically details the process IT personnel will use to
restore the computer systems. Disaster recovery
plans may be included in the business continuity plan or as a
separate document all together. Business
continuity plan may not be comprehensively available in a
non-critical environment but Disaster Recovery
Plan should be there at least to manage and help organization to
recover from disasters. A subcomponent
of business continuity plan is the IT disaster recovery plan. IS
processing is one operation of many that
keep the organization not only alive but also successful, which
makes it of strategic importance.
38.6 Phases of BCP
The BCP process can be divided into the following life cycle
Creation of a business
continuity and disaster recovery policy.
operations and criticality analysis.
Development of a
business continuity plan and disaster recovery procedures.
Training and awareness
implementation of plan.
Business Continuity and Disaster Recovery Policy
A business continuity and disaster recovery policy should be
proactive and encompass preventive, detective
and corrective controls. The business continuity plan is the
most critical corrective control. It is dependent
on other controls, being effective, in particular incident
management, and media backup.
38.7 Incident Management:
An incident is any unexpected event, even if it causes no
significant damage. Incident and crises are dynamic
by nature. They evolve, change with time and circumstances, and
are often rapid and unforeseeable.
Because of this, their management must be dynamic, proactive and
well documented. Depending on an
estimation of the level of consequential damage to the business,
all types of incidents should be categorized.
Incidents may vary from causing no damage to serious impacts on
the continued functioning of the
business. Hence they should be documented, classified, and
followed up on until corrected or resolved. This
is a dynamic process, as a major incident may deescalate
momentarily and yet later expand to become a
Media Back up
Taking back up on regular basis of business transactions and
other data from the IS is very critical to an
38.8 Business Impact Analysis (BIA)
In this phase, identification of the potential impact of
uncontrolled non specific events on the institutions
business processes and outcomes. Consideration of all
departments and business functions not just data
processing and estimation of maximum allowable downtime and
acceptable level of data and financial
losses. To perform this phase successfully, one should obtain an
understanding of the organization, key
business processes, and IT resource used by the organization to
support the key business process. The
criticality of the information resources (e.g. applications,
data, networks, system software) that support an
organization’s business processes must be established with
senior management approval. Various
approaches to perform a BIA can be followed, for instance,
questionnaire, interview group of key users and
discussions with IT staff and end users together.
Classification of operations and criticality analysis
During this phase, risks and threats are analyzed. Impacts of
these risks on the system are also computed.
The Risk: The system
will suffer a serious disruption over the next five years:
Chance of Occurrence:
10% or 0.1
Assessed impact of
disruption: Rs. 10 million x 0.1 percent = Rs. 10000 over five years
Based on these assessed impacts, the risks are ranked so that
suitable recovery strategies can be developed.
38.9 Recovery Strategies
There are various strategies for recovering critical information
resources. The strategy is considered to be
appropriate if cost of implementation is acceptable, recovery
time taken by the strategy is acceptable,
cost and recovery time are also reasonable compared to the
impact and likelihood of occurrence as
determined in the business impact analysis.
Types of recovery Strategies
Disaster recovery must meet two requirements. First, The minimum
application and application data
requirements. Second, the time frame in the application and
applications data requirements must be made
available. Following are the various recovery strategies.
1. Cold Site
2. Hot Site
3. Warm Site
4. Reciprocal agreement
5. Third Party arrangements
If an organization can tolerate some downtime, cold sites backup
might be appropriate. A cold site has all
the facilities needed to install a information system raised
floors, air conditioning, power, communication
lines and so on. The cold site is ready to receive equipment,
but does not offer any components at the site
in advance of the need. Activation of site is may take several
weeks depending on the size of information
If fast recovery is critical, an organization might need
hot-site backup. All hardware and operations facilities
will be available at the hot site. In some cases, software,
data, and supplies might also be stored there. Hot
sites are expensive to maintain. They usually are shared with
other organizations that have same hot site
They are partially configured, usually with network connections
and selected peripheral equipment, such as
disk drives, tape drives and controllers, but without the main
computer. Sometimes a warm site is equipped
with a less powerful CPU, than the one generally used. The
assumption behind the warm site concept is that
the computer can usually be obtained quickly for emergency
installation and since, the computer is the most
expensive unit, such a arrangement is less costly than a hot
site. After the installation of the needed
components the site can be ready for service within hours;
however, the location and installation of the
CPU and other missing units could take several days or weeks.
Two or more organization might agree to provide backup
facilities to each other in the event of one
suffering a disaster. This backup option is relatively cheap,
but each participate must maintain sufficient
capacity to operate another’s critical systems. Reciprocal
agreements are often informal in nature.
Third Party arrangements
Apart from having a give-and-take relationship with other
organizations, an agreement may also be signed
with third party vendors so as to outsource the disaster
recovery process. The responsibility of the site
development lies completely with the third party. The shift in
responsibility can help organization to stop
worrying of the recovery site all the time.
38.10 Development of Business Continuity and Disaster Recovery
In this phase, a detailed business continuity and disaster
recovery plan should be developed. It should
address all issues involved in interruption to business
processes, including recovering from a disaster. The
various factors that should be considered while developing the
Pre disaster readiness
covering incidence response management to address all incidence
affecting business processes and analysis
Procedure for declaring
which a disaster should be declared. All interruptions are not disasters,
but a small incident if not addressed in a timely or proper
manner may lead to a disaster. For
example, a virus attack not recognized and contained in time may
bring down the entire IT
Development Of Business Continuity And Disaster Recovery Plans
The various factors that should be considered while developing
the plan are:
The clear identification
of the responsibilities in the plan
The clear identification
of the person responsible for each function in the plan
The clear identification
of contract information.
The step by step
explanation of the recovery option
The clear identification
of the various resources required for recovery and continued operation
of the organization.
The step by step
application of the constitution phase.
Training and awareness program
Now the employees need to be made aware of the policies which
have been devise. Initially the program
will be an organization wide activity. Subsequently all new
recruitments should be trained under the
Testing and implementation of plan
Since BCP is a plan devised for any emergency situation
emerging, employees should be made to face
mocked situations so as to be prepared what to do when an
emergency comes up. Certain issued may need
to be resolved even if there is no undesirable situation. For
example, where an organization opts for hot site
strategy, basic equipment should be available all the time and
ready to be used in the case of emergency.
Once the plan has been tested and implemented, it needs to be
monitored and updated on regular basis for
Changes in business
strategy may alter the significance of critical application or deem additional
applications as critical.
Changes in the software
or hardware environment may make current provisions obsolete or
Incidents emerging and
affecting the organizations business continuity issues.
Reassessing the risks,
their impact and likelihood of occurrence
Identifying any newly
emerged risks and including them in the BCP
Training of the new
recruits as and when they are employed.