Yes, for continuity of business operations after a major
In most cases, disaster planning often
Security processes are part of the recovery planning efforts. Transferring customer records, supplier records or proprietary information must occur without error to avoid interruption to business processes or a loss of trust during an unusual event. Plans and training activities need to be prepared to accommodate plausible situations, with rehearsals for all
Senior managers need to participate in these planning sessions and rehearsal activities to provide suggestions, critique and visibility to all
Disaster planning is a very serious and expensive process. It assumes very difficult scenarios will occur that require the same four basic management skills mentioned earlier in this section ” responsibility, integrity, trust and ethics ” to successfully execute.
Security architectures must focus on business threats, operational continuity, and recovery activities. In many cases, they begin to implement or expand the overall themes described in the governance planning activities detailed in the previous section. In addition to defining and engineering system redundancy, operational flexibility and a strong infrastructure to build upon, security architectures focus on the business requirements that must be supported.
Weaving together multiple threads of process, resources and technology, security planners span the what if world to the how world within the confines of budget, schedule and technical capability. Given the uncertainty of the type of threats, where they might come from, and what impact they might cause, some might say the planning challenge is overwhelming. In some cases it is, which requires a return to the underlying assumptions and objectives to revalidate them. In other cases, significant thought and cross-organizational planning become the only way to successfully
|
Best Practice |
Criticality |
Frequency |
Participants |
Activity Results |
|---|---|---|---|---|
|
Review and verify the current threat matrix against current assumptions |
High |
Six months |
Management, security |
Current and accurate threat matrix to proactively plan responses against |
|
Verify all architectures are aligned against current SLAs |
Medium |
Six months |
Management, security, IT operations, finance |
Maximum leverage of IT resources and operations |
|
Review current security barriers to ensure they provide reasonable protection against newly defined risks |
High |
Quarterly |
Management, security, IT operations |
Defensible security practices and procedures against current risks |
|
Review all processes concerning the protection of IT resources from internal attack or loss |
High |
Quarterly |
Management, security, IT operations, |
Reduced risk or loss from internal attack |
|
Review and verify all disaster recovery plans are current and
|
High |
Six months |
Management, security, IT operations, finance |
Achievable and deployable disaster recovery plan that
|