In light of the recent series of hurricanes, organizations should be proactive in protecting their information technology assets in case they are faced with a natural or man-made disaster. This means it is critical for organizations to have a solid disaster recovery plan in place before an incident occurs. To illustrate the threat, back-to-back hurricanes and tropical storms such as Gustav, Hanna and Ike have had devastating effects on entire regions of the country. And the threat is not over: hurricane season begins June 1 and ends November 30, with most hurricanes occurring from mid-August through mid-October.
"It is critical that organizations ensure they have measures in place to swiftly respond to adverse effects of natural disasters, such as hurricanes, and man-made disasters," said Al Tirevold, director of security architecture at SecureWorks. "Safeguarding critical customer or member data is not just an IT issue; it's a business continuity issue, and the opposite can cause you financial loss and an inability to serve your customers."
"We checked on our clients in Texas after Hurricane Ike hit because our clients' well-being is always our first concern," said Tirevold. "We were pleased to find out they were doing well and in good spirits despite the circumstances, and they were in full disaster recovery mode. One client reported 13 of their 29 centers in Houston had power, and they were open for business. They had disaster recovery trailers equipped with computers and generator power in place. They had ample fuel capacity for their data center, and they were able to shift personnel to other locations because of a damaged call center and damage to their corporate headquarters. This is an organization that minimized business disruption because of a well-thought-out and well-executed disaster recovery plan," explained Tirevold.
Although hurricanes originate in the Atlantic and Eastern Pacific oceans before making landfall along coastal states, organizations in other geographical areas should be concerned with preventing business disruptions as well. According to news reports, the effects of Hurricane Ike, for example, reached areas such as Illinois, Ohio, Kentucky and New York, causing floods, wind damage and power outages. Kentucky alone saw winds of up to 75 mph and had four deaths attributed to the storm.
Many organizations and regulating bodies publish guidelines on how companies should handle data loss prevention, response and recovery. The Federal Financial Institutions Examination Council (FFIEC), which prescribes uniform principles and standards for financial institutions, outlines the key areas of a business continuity plan (BCP) in its Business Continuity Planning IT Examination Handbook. Additionally, the National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce, offers guidance on preparing for disasters (for example, Special Publication 800-34, its contingency planning guide for federal information systems).
For companies that have not yet formalized their BCPs, here are some guidelines aligned with today's common regulations:
- Make sure your business continuity plan has a section for disaster recovery, and make sure the BCP is enterprise-wide, covering every critical aspect of your business, including personnel and physical workspace. The BCP should spell out a clear sequence of tasks and who is responsible for each.
- Do a thorough business impact analysis (including a security business impact analysis) and risk assessment.
- Test your BCP for effectiveness, and adjust and update it to reflect changes in your organization. Testing is recommended at least annually and should include third parties such as data processors, managed security service providers and core processors, since their outage becomes yours.
- Identify alternate locations to operate from in the event you are no longer able to conduct business from your office. This should include capacity for data centers, computer operations and telecommunications.
- Back up data, operating system configurations, applications and utility programs, and identify alternate telecommunications. A backup is only as good as the restore it supports, so exercise restores as part of BCP testing rather than assuming the media are readable.
- Identify off-site storage for backup media, supplies and documents such as the BCP itself, inventory lists, operating and other procedures, etc.
- Make sure you have alternate power supplies in case you are without electricity (uninterruptible power supplies [UPS] and backup generators), and plan for enough fuel to keep generators running for the duration of a regional outage.
- Assemble a team in advance and designate the people responsible for each task in the event of a disaster. All personnel should be trained in their contingency-related duties, and new personnel should be trained as they join the organization.
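The backup and testing items above are the ones most often left as paper exercises. As an added illustration (not part of the original SecureWorks article), the following POSIX shell script is a minimal restore drill: it archives a directory, writes a SHA-256 manifest of every file plus a checksum of the archive itself (the copy that would go off-site), then restores into a scratch directory and verifies each restored file against the manifest. All paths are assumptions, the data set in the usage note is constructed, and `sha256sum` is GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original article: a backup-and-restore drill.
# make_backup writes an archive plus integrity manifests; verify_restore proves
# the off-site copy is intact and that a restore reproduces every file.
# Paths are hypothetical; sha256sum is GNU coreutils.

set -eu

# make_backup SRC DEST
# Produces DEST/backup.tar, DEST/manifest.sha256 (per-file hashes, relative to SRC)
# and DEST/backup.tar.sha256 (hash of the archive itself).
make_backup() {
    src=$1; dest=$2
    mkdir -p "$dest"
    # Per-file manifest, relative paths, so it can be checked wherever the restore lands.
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$dest/manifest.sha256"
    tar -C "$src" -cf "$dest/backup.tar" .
    # Archive checksum: detects a corrupted or tampered off-site copy before it is trusted.
    ( cd "$dest" && sha256sum backup.tar ) > "$dest/backup.tar.sha256"
}

# verify_restore DEST SCRATCH
# Returns 0 only if the archive matches its checksum, extracts cleanly, and every
# restored file matches the manifest taken at backup time.
verify_restore() {
    dest=$(cd "$1" && pwd); scratch=$2
    ( cd "$dest" && sha256sum -c --quiet backup.tar.sha256 ) || return 1
    mkdir -p "$scratch"
    tar -C "$scratch" -xf "$dest/backup.tar" || return 1
    ( cd "$scratch" && sha256sum -c --quiet "$dest/manifest.sha256" ) || return 1
}

# Usage with a constructed data set (runs offline):
#   work=$(mktemp -d); mkdir -p "$work/src/etc"
#   printf 'db.host=primary\n' > "$work/src/etc/app.conf"
#   make_backup "$work/src" "$work/offsite" \
#     && verify_restore "$work/offsite" "$work/restore" && echo 'restore drill OK'
```

Run the drill on a schedule against the media actually stored off-site, not against the live copy; a manifest mismatch after restore is the signal that the backup, not the plan on paper, needs attention.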