2002 DigitalNow: Day Two

Afternoon Presentation: Colin Rankine & Philip Rosch
Digital Security and Disaster Preparedness

Key Points

Continuity Planning

IT spending on Disaster Recovery preparedness

  • Historically estimated at 2-6% of IT Budget
  • Giga Position: DR costs are significantly underestimated
  • To reduce total expense, DR practices and procedures must be automated and institutionalized to the greatest extent possible

Prevention is still the best cure, but the threat profile has changed. A lot of risk to organizations can be mitigated.

  • 15% of all issues deal with power outage
  • 12% hardware error
  • Since 9-11, 28% of all issues are now from terrorist bombings

Business Continuity Process Planning

  • Must have a business impact analysis
  • Develop a local threat profile: what are the issues specific to your organization?

Disaster Recovery Planning

  • Communication Plans
  • Local site hardening
  • In-house recovery vs. commercial hot-site selection
  • Technology selection
  • Documentation and automation development
  • Test Plan development and execution
  • Plan maintenance and enhancement

Business Impact Analysis

  • How quickly do I need to restore operations?
  • How much data can I afford to lose?
  • What resources do I really need to support a business process?

Consulting

  • Threat assessment
  • Business impact analysis
  • Disaster recovery planning
  • Major IT consulting firms

Software

  • BIA and DRP Assessment/planning tools
  • Automated applications resources identification/collection
  • Data replication, remote journaling
  • Backup, recovery, and repair utilities

IT trends impacting continuity planning

  • Server Centralization and Data Center Consolidation
  • Businesses increasingly dependent on external partners and web applications for day-to-day operations
  • Stand-alone applications are nearly extinct
  • Dramatic advances in software and server technology, combined with the aforementioned server consolidation activity, are creating increasingly large application images
  • Increasing amounts of business critical data contained in Wintel environments: servers, desktops, and laptops

Summary

  • Need to improve the quality of backup in other places: 80% of backups are usually disabled by the user (laptop/desktop)
  • Think globally
  • Disaster recovery and continuity planning is not an impossible undertaking
  • Once you identify your backup and recovery needs, automate and institutionalize the relevant procedures
  • Evaluate service and technology providers based on your specific requirements
  • Security issues:
    • Easy access to information
    • Amount of data in electronic form
    • Number of people using computers
    • Job hopping culture
    • Netiquette - the granny factor

How does this affect security?

  • People turn inward
  • Personal threshold was also lowered

Risk: No Single point of contact for security. Need to establish who is in charge if there is a problem and know who they are at all times. "Effective security is a business enabler!"

What to do: Hire/Name a chief security officer with the following agenda:

  1. Accountable for security architecture and policies
  2. Perform Business Analysis
  3. Define emerging business requirements
  4. Map gaps and emerging business requirements to a "desired state" environment
  5. Execute migration to desired state

Risk: IT complexity exacerbates overall security risk and cost

What to do:

  1. Define and implement an association-wide architecture and a standard technology management life cycle
  2. Reduce complexity
  3. Enforce architecture and product standards
  4. Stay the course!
  5. No guts, no glory!

Risk: Potentially problematic relationships weaken the security organization

What to do:

  1. Aggregate responsibility into the office of the Chief Security Officer
  2. Plug the Chief Security Officer's organization into the COO's or higher
  3. Make security a business issue.