Keep Your Guard Up
When you’re coping with an emergency, you can’t afford to let your
guard drop when it comes to information security, argues Neil Barrett of Survive
Business Continuity Planning is about ensuring that your organisation can continue
running in the face of adversity and disaster. The key concept here is ‘continue’,
as opposed to ‘recover’. The ideal situation is to achieve a seamless
switch to backup systems so that, as far as the outside world is concerned (and
particularly your customers) it would appear as though nothing has happened.
Neil Barrett is visiting professor of computer crime at the Centre for Forensic Computing, RMCS, Cranfield University, and the author of ‘Traces of Guilt’.
Obviously, this requires planning and resources,
particularly focused on those business-critical systems on which
your organisation depends for its key business transactions.
But in concentrating on those systems, it’s crucial that
you don’t lose sight of other important considerations – in
particular, information security.
Your all-important transactional, accounting, customer relationship, supply
chain and other major systems all contain information that needs protecting.
As part of your normal daily business, you almost certainly have systems in
place to protect sensitive data against hackers, snoops, viruses and accidental
corruption. You have taken the necessary steps to ensure the confidentiality,
integrity and accessibility of your information assets, and have processes
in place to ensure that you conform to the appropriate regulations.
Constant vigilance
Such compliance is not just an important issue now – the
complexity of regulations is constantly increasing and requires
vigilance to ensure you don’t break the law. These regulations
include the Data Protection Act, which requires you, among other
things, to keep information confidential. Then there are industry-specific
rules, such as banking regulations, and general business legislation
such as Sarbanes-Oxley, which require that information systems
conform to strict guidelines with regard to company financial
data and company reports.
Adequate safeguards
But what happens when disaster strikes and all your attention
is focused on not losing business? Are you sure your safeguards
are still adequate?
At the same time that you are ensuring continuity of the business, can you
also guarantee continuity of security? It would be a pity, after all, if all
your efforts actually resulted in creating a new problem.
Security concerns fall into three main areas – confidentiality, integrity
and availability. All three are at risk when
BCP provisions are put into action. Confidentiality may be compromised because
your backup systems don’t contain the same level of protection to ensure
that the data doesn’t accidentally become publicly available (or available
to hackers). Integrity is at risk because backup systems or the process of
moving your data and processing systems could lead to corruption or out-of-date
information being used. And the change of infrastructure might mean that, for
some or all of your users, the data is simply no longer available. How real
these risks are is largely dependent on your planning and your systems, but
it’s essential that risk calculations, taking these matters into account,
form part of your BCP strategy.
So let’s look at those risks in some more detail. The
change of infrastructure and move to different systems could
provide openings for opportunist hackers or data thieves. Most
data theft occurs within the organisation, but if you’re
working from a new site you could be opening doors to others,
too.
If you’re storing backup data off-site, you need to ensure
that the security provisions at that site are as effective as
your in-house systems. It can’t be a ‘second-best’ environment.
Similarly, if your BCP plans include using another site while
your main site is returned to usable condition, does that site
have the same security facilities and capabilities?
Putting a BCP strategy into action can involve transferring sensitive data
between sites. Is this communication secure?
Are backup systems (such as replacement web servers and mail servers) configured
precisely like your normal live systems? What kinds of configuration options
or security systems might get forgotten in this kind of situation? Is everything
as up-to-date as your first-line systems – including anti-malware systems
and software patches?
Security policies
It’s likely that some of your most sensitive data
is encrypted. It seems obvious, but if your offices are put out
of action, will you be able to decrypt and use this data? And
is it still encrypted when it needs to be? It’s essential
to ensure that your security policies and systems still work
properly on what is likely to be an infrastructure with a somewhat
different architecture, perhaps involving communications links
you didn’t have before. That also brings up the question
of firewalls and Intrusion Detection Systems (IDSs). You need
to make sure they are properly configured – perhaps by
being in the habit of storing the configuration information off-site.
Now you’re using your backups – are you still making
backups? Disaster can strike more than once, and with the increased
risk of data loss or corruption, having an effective backup strategy
is actually more important than ever. And that may mean finding
a third location so that you can still keep backups off-site.
Finally, do your staff understand the additional or different
security implications of working with the backup systems or from
a new site on new systems? You might want to think about whether
this requires additional training.
Making the right provision
When creating your business continuity strategy, you have to
make provision for information security alongside your plans
for information continuity – the two elements are inseparable.
At every stage of your plan, you need to consider the threats
posed by the problems outlined above, and how you might tackle
these.
Reviewing your backup procedures is obviously critical, but even before you
start with that you should adopt a ‘risk register’ approach to
analysing, enumerating and quantifying the potential problems. And remember
that this issue does not end with the planning – security must be a key
element in your BCP testing.
One effective way of bringing a formal structure to this issue
is to contract with an ICT services partner. A BCP arrangement
with a company such as Computacenter means that many of the issues
we’ve examined – such as ensuring that all replacement
PCs are fully patched – are actually an integral part of
the service. Making information security one of the Key Performance
Indicators of the contract also helps to ensure that all bases
are covered. And the services supplier will be able to provide
expertise and capabilities – such as secure connections
and encryption systems – that you might not be able to
provide cost-effectively in-house.
Having a formal arrangement like this allows you to leverage the
experience of a services supplier to help ensure that no aspect
is left unaddressed. With security as a keystone of your BCP strategy
you stand the best possible chance of not just surviving, but of
avoiding any more nasty surprises.