An important strategy for organizations is to be prepared for any eventuality. A critical element in any security system is a business continuity plan, also known as a disaster recovery plan.
Business continuity is the chain of events linking planning to protection and recovery. The purpose of the business continuity plan is to keep the business operating after a disaster occurs. The plan prepares for, reacts to, and recovers from events that affect the security of information assets, and the subsequent restoration to normal business operations. The plan ensures that critical business functions continue.
In any major disaster, organizations can employ several strategies for business continuity. These strategies include:
• Hot sites
• Warm sites
• Cold sites
• Off-site data storage.
A hot site is a fully configured computer facility, with all services, communications links, and physical plant operations.
A hot site duplicates computing resources, peripherals, telephone systems, applications, and work stations.
Hot sites are fully staffed and include all the equipment, software, and communications capabilities of a primary location. The hot site can take over operations within an hour and some hot sites can take over instantaneously. This is the most expensive of the three types of sites, but it provides the most effective disaster recovery solution.
A warm site provides many of the same services and options as the hot site. However, a warm site typically does not include the actual applications the company needs. A warm site does include computing equipment such as servers, but it often does not include user work stations.
Warm sites are a compromise between hot sites and cold sites. Hot sites are too expensive for most organizations, and cold sites often take too long to reach full operation. Instead, the organization can decide what to stage at the warm site based on its needs. For example, the organization can stage some or all of the equipment at the warm site. It can keep the systems powered on, or power them on when needed. It can keep copies of data there, or copy the data over after a disaster.
A cold site provides only rudimentary services and facilities, such as a building or room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user work stations.
Cold sites include power and connections, but that’s about all. There isn’t any equipment or data at the site. If a disaster occurs, the organization must send personnel and all the appropriate resources to the cold site to take over services. This is the cheapest to maintain, but it takes the longest to become operational. In some cases, organizations use a cold site if they don’t need to be operational for a few days after a disaster.
Off-site data storage, also known as vaulting, is a service that allows companies to store valuable data in a secure location geographically distant from the company’s data center. It is the strategy of sending critical data out of the main location. Data is usually transported off-site on removable storage media such as magnetic tape, optical storage, or USB drives.
Hot sites reduce risk to the greatest extent, but they are the most expensive option. Conversely, cold sites reduce risk the least, but they are the least expensive option.
Information Systems Auditing
Companies implement security controls to ensure that information systems work properly. These controls can be installed in the original system, or they can be added after a system is in operation. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security need to answer questions such as:
• Are all controls installed as intended?
• Are the controls effective?
• Has any breach of security occurred?
• If so, what actions are required to prevent future breaches?
These questions must be answered by independent and unbiased observers. Such observers perform the task of information systems auditing. In an IS environment, an audit is an examination of information systems, their inputs, outputs, and processing.
Types of Auditors and Audits:
There are two types of auditors and audits:
• Internal
• External
IS auditing is usually part of the organization's internal accounting audit function, and it is frequently performed by corporate internal auditors. An external auditor reviews the findings of the internal audit as well as the inputs, processing, and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a certified public accounting (CPA) firm.
Auditing considers all potential hazards and controls in information systems. It focuses on topics such as operations, data integrity, software applications, security and privacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs, such as those from the Institute of Internal Auditors (www.theiia.org).
How Is Auditing Executed?
IS auditing procedures fall into three categories:
(1) Auditing around the computer
(2) Auditing through the computer
(3) Auditing with the computer.
Auditing around the computer means verifying processing by checking for known outputs using specific inputs. This approach is best used in systems with limited outputs.
In auditing through the computer, inputs, outputs, and processing are checked. Auditors review program logic and test data.
Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware. This approach allows the auditor to perform tasks such as simulating payroll program logic using live data.
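The three auditing approaches above can be shown in working code. The following Python is an added illustration, not taken from the text or from any real audit tool. It models a hypothetical client payroll program with a constructed defect (overtime hours paid at the straight rate instead of 1.5x) and runs two of the checks described: a test deck of known inputs and expected outputs (auditing around the computer), and a parallel simulation that recomputes every live payroll record with the auditor's own implementation of the pay rule and reports exceptions (auditing with the computer). The pay rule, withholding rate, employee records and function names are all constructed assumptions.

```python
"""Payroll audit illustration: test deck and parallel simulation.

Added example. Everything here (pay rule, rates, records, the client
program and its defect) is constructed for illustration only.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable, Dict, List, Tuple

CENTS = Decimal("0.01")
OVERTIME_THRESHOLD = Decimal("40")      # hours per week before overtime (assumed)
OVERTIME_MULTIPLIER = Decimal("1.5")    # overtime premium (assumed)
WITHHOLDING_RATE = Decimal("0.20")      # flat withholding (assumed)
TOLERANCE = CENTS                       # rounding slack allowed per field


def auditor_pay(hours: Decimal, rate: Decimal) -> Tuple[Decimal, Decimal]:
    """The auditor's independent implementation of the agreed pay rule."""
    regular = min(hours, OVERTIME_THRESHOLD)
    overtime = max(hours - OVERTIME_THRESHOLD, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    net = gross * (1 - WITHHOLDING_RATE)
    return (gross.quantize(CENTS, ROUND_HALF_UP),
            net.quantize(CENTS, ROUND_HALF_UP))


def client_pay(hours: Decimal, rate: Decimal) -> Tuple[Decimal, Decimal]:
    """Stand-in for the client's production payroll program (constructed).

    Deliberate defect for the illustration: every hour is paid at the
    straight rate, so the overtime multiplier is never applied.
    """
    gross = (hours * rate).quantize(CENTS, ROUND_HALF_UP)
    net = (gross * (1 - WITHHOLDING_RATE)).quantize(CENTS, ROUND_HALF_UP)
    return gross, net


# Test deck: (hours, rate, expected gross, expected net), worked by hand.
TEST_DECK = [
    (Decimal("40"), Decimal("20.00"), Decimal("800.00"), Decimal("640.00")),
    (Decimal("45"), Decimal("20.00"), Decimal("950.00"), Decimal("760.00")),
]


def audit_around(system: Callable[[Decimal, Decimal], Tuple[Decimal, Decimal]],
                 test_deck) -> List[Dict]:
    """Auditing around the computer: feed known inputs, compare only outputs.

    The system is treated as a black box; program logic is never inspected.
    """
    failures = []
    for hours, rate, exp_gross, exp_net in test_deck:
        got_gross, got_net = system(hours, rate)
        if abs(got_gross - exp_gross) > TOLERANCE or abs(got_net - exp_net) > TOLERANCE:
            failures.append({"hours": hours, "rate": rate,
                             "expected": (exp_gross, exp_net),
                             "got": (got_gross, got_net)})
    return failures


@dataclass(frozen=True)
class PayrollOutput:
    """One record of the client's live payroll run, as handed to the auditor."""
    employee_id: str
    hours: Decimal
    rate: Decimal
    gross: Decimal
    net: Decimal


# Constructed live output. E002 shows the overtime defect; E003 shows a
# record where withholding was not applied at all (a data exception rather
# than a program-logic one).
LIVE_OUTPUT = [
    PayrollOutput("E001", Decimal("40"), Decimal("20.00"), Decimal("800.00"), Decimal("640.00")),
    PayrollOutput("E002", Decimal("45"), Decimal("20.00"), Decimal("900.00"), Decimal("720.00")),
    PayrollOutput("E003", Decimal("30"), Decimal("15.50"), Decimal("465.00"), Decimal("465.00")),
]


def audit_with_computer(live_output) -> List[Dict]:
    """Auditing with the computer (parallel simulation over live data).

    Every record is recomputed with auditor_pay; any field that deviates
    from the auditor's figure by more than TOLERANCE becomes an exception.
    """
    exceptions = []
    for rec in live_output:
        exp_gross, exp_net = auditor_pay(rec.hours, rec.rate)
        issues = []
        if abs(rec.gross - exp_gross) > TOLERANCE:
            issues.append(("gross", rec.gross, exp_gross))
        if abs(rec.net - exp_net) > TOLERANCE:
            issues.append(("net", rec.net, exp_net))
        if issues:
            exceptions.append({"employee_id": rec.employee_id, "issues": issues})
    return exceptions


if __name__ == "__main__":
    for f in audit_around(client_pay, TEST_DECK):
        print("test deck failure:", f)
    for e in audit_with_computer(LIVE_OUTPUT):
        print("live exception:", e)
```

The test deck catches the overtime defect only because one of its cases crosses the 40-hour threshold; a deck built from typical inputs alone would pass, which is why the text limits this approach to systems with limited outputs. The parallel simulation has no such blind spot for the records it sees, and it also surfaces E003, a single tampered record that no test of program logic would reveal.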
TO READ
An organization talks about DR (disaster recovery) sites and the concept of hot, warm and cold when it needs to have its data available in case of the unavailability of its main data site (primary data centre).
If the organization cannot afford to have any downtime, it has a similar setup at the primary site as well as the DR site. This includes not only servers, applications and databases, but also personnel, vendors and business teams. This is a 'hot' backup. A business-as-usual image is maintained.
If the organization can afford a certain amount of downtime, the concepts of warm and cold come into play. A warm site is where you have a certain amount of systems, applications and databases (maybe not up-to-date). It is possible to have them up and running in a few hours.
A cold site is where the premises and basic connectivity and infrastructure are provided. It may take a few days to get this up and running.
Coming to the main question of 'which strategy to choose?', I feel that these concepts are outdated. In my entire consulting career as a BCP consultant, I have never suggested a 'cold' site. It does not make financial sense for any organization, however rich, to have a site that is vacant and unused. Businesses always want to make use of the space they have available. The options that I feel are really viable to organizations are: split operations (some part of the business is conducted at the alternate location), work-space provided by specialist providers, keeping systems, applications and data ready at another location of the same organization thus reducing real estate overheads, etc.
You can combine multiple strategies depending on which strategy is suitable for your organization's key products and services that you want to continue.
Hot, warm & cold sites can also refer to work area recovery:
Hot is immediately ready to use (either an owned location or dedicated seating from a third-party vendor), Warm is where it takes an amount of effort to set up (this may be syndicated seating or, if an owned location, for example, where PCs need to be delivered) and Cold is where the building is owned but not utilised at all (this might be used in a manufacturing environment where a production line will need to be created). (I have used cold as an option for this type of operation as they had offsite kit & stock that could be moved to site.)