Protection Strategies




Many times, risk assessment teams produce a report that prioritizes the organization's assets, threats, vulnerabilities, and safeguard effectiveness, but they do not complete the next logical step and produce a critical asset protection strategy. Executives and managers will want to know the steps they should take to protect critical assets. Protection strategies should therefore be drafted for each of the three asset pillars: personnel, data, and physical facilities.

Personnel

Too often, the overlooked area of critical asset protection is human resources: the employees needed to restore profitable operations after a critical incident. What if a critical employee is affected by the incident? Does that create a single point of failure? Raising the organization's human-resource fault tolerance requires redundancy in critical roles. Protection strategies could include cross-training employees to fill positions deemed important, so that no one person is a single point of failure.

Another viable alternative is the emergency contractor. For example, a qualified engineer is hired to assist with an important systems project that always seems to elude completion, such as the required documentation of a wide area network (WAN). Once that project is complete, the company may want to retain the engineering contractor for several days each month to clean up other necessary projects. The services could also cover periods of regular employee vacation or other absences such as family leave. This contract employee would ensure that a qualified, well-versed engineer is available to complete projects, fill in during scheduled employee absences, and handle emergencies.

Another consideration is outsourcing. If a business already outsources certain critical functions, then continuing those services after a critical incident is merely a matter of integrating them into the business recovery and restoration program. The risk team would be well advised to consider protection strategies composed of a series of controls addressing each category of critical assets in broad terms, rather than being limited to specific critical assets.

Data

Protection strategies relating to data must consider data classification and backup. Data by itself is critical only insofar as it supports critical business functions or satisfies legal or financial business requirements. Note that data includes files stored electronically and on paper, so data must be identified by its nature as well as by where and how it is stored. Data classification identifies the criticality and sensitivity of data for business restoration processes and sets the level of security each class receives.

Data Classification

The U.S. government uses an information classification schedule similar to the one shown in Exhibit 6; the fault-tolerance column gives the longest outage the organization can tolerate before that class of data must be restored. Of course, if terms like "top secret" are by nature too military for your company, feel free to change them to terms such as "absolutely essential."

Exhibit 6: Information Classification Schedule

Criticality | Classification (with example) | Fault tolerance (longest acceptable outage)
---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------
Most critical and sensitive | Top secret: unauthorized disclosure would cause grievous organizational damage (e.g., cryptographic technology) | Less than 24 hours
Seriously critical and sensitive | Secret: unauthorized disclosure would cause serious organizational damage (e.g., private-party healthcare information) | 24 to 48 hours
Critical and sensitive | Confidential: unauthorized disclosure would cause significant organizational damage (e.g., pricing of raw materials for manufacturing facilities) | 2 to 5 days
Sensitive | Restricted (internal use only): unauthorized disclosure would cause some organizational damage (e.g., employees' nonpublic wage structure) | 5 to 10 days
Public | Unauthorized disclosure would cause no damage | 10 days or more

Accompanying data classification is access control. There are many theories in this area, some with complex relational matrices and mathematical progressions. Keeping with the KISS idea, the overriding concept is that only authorized personnel should have access to human resources, data, and physical facilities, and that their access should be restricted to the items needed to perform their authorized tasks. Whatever scheme is chosen, the overarching principle is "need-to-know."

Need-to-Know

The bottom line is that if someone does not have a legitimate need-to-know, they are denied access: deny all access unless it is specifically authorized (default deny). When considering access controls, the more critical the data, the more restricted access must be. This is an axiom.

Access controls must extend to personnel, data, and the organization's physical facilities.

It makes good business sense to restrict access to sensitive personnel. For example, organizations are not going to have meetings where outside guests are allowed to ask technical questions of research engineers who are developing sensitive voice encryption devices. It is for this reason that access to critical personnel must be limited while they are in their official capacities. Outsiders do not have a need to know.

Experience Note 

As a condition of their employment, U.S. government employees with access to sensitive information must report contacts with foreign individuals and the content of communications. In some cases, these employees must submit to polygraphs about their foreign contacts.

The higher the criticality of data, the more restricted the access should be. It must be emphasized that persons having access to sensitive data never share that access with anyone for any reason.

Access sharing is not an employee's choice to make, regardless of position. Granting access can only be performed by either the owner or by a formally designated person. How many times have employees given out their passwords, allowing access to data or facilities because they were just being nice, only to have data or facilities compromised?
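
As an added illustration of the deny-all-unless-authorized rule (example code written for this page, not from the book), the following Python models the Exhibit 6 levels as an ordered lattice and need-to-know as named compartments that only a designated owner may grant. Every subject, object, level and compartment name in it is constructed.

```python
"""Default-deny access check: clearance level plus need-to-know compartments.

Added example, not code from the book. Levels mirror Exhibit 6; compartments
stand in for need-to-know and can only be granted by an owner or designee.
A read succeeds only when the subject's clearance dominates the object's
classification AND the subject holds every compartment on the object. Anything
unknown (subject, level, compartment) falls through to deny. All names are
constructed for illustration.
"""
from dataclasses import dataclass

# Ordered least to most critical, after Exhibit 6.
LEVELS = {"public": 0, "restricted": 1, "confidential": 2, "secret": 3, "top_secret": 4}


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str
    compartments: frozenset = frozenset()


class Policy:
    def __init__(self):
        self.clearances = {}   # subject -> level name
        self.held = {}         # subject -> set of compartments granted
        self.owners = {}       # compartment -> set of owners / designees
        self.audit = []        # (subject, object, allowed, reason)

    def add_subject(self, subject, clearance):
        self.clearances[subject] = clearance
        self.held.setdefault(subject, set())

    def designate_owner(self, compartment, owner):
        self.owners.setdefault(compartment, set()).add(owner)

    def grant(self, grantor, subject, compartment):
        """Need-to-know is granted by the owner/designee, never by the reader."""
        if grantor not in self.owners.get(compartment, set()):
            raise PermissionError(f"{grantor} is not an owner of {compartment}")
        if subject not in self.clearances:
            raise KeyError(f"unknown subject {subject}")
        self.held[subject].add(compartment)

    def can_read(self, subject, obj):
        """Default deny; every branch that allows must prove both conditions."""
        allowed, reason = False, "default deny"
        level = self.clearances.get(subject)
        if level is None:
            reason = "unknown subject"
        elif level not in LEVELS or obj.classification not in LEVELS:
            reason = "unknown classification level"
        elif LEVELS[level] < LEVELS[obj.classification]:
            reason = "clearance below classification"
        elif not obj.compartments <= self.held.get(subject, set()):
            reason = "missing need-to-know compartment"
        else:
            allowed, reason = True, "clearance and need-to-know satisfied"
        self.audit.append((subject, obj.name, allowed, reason))
        return allowed


def demo():
    """Four requests against one confidential, payroll-compartmented object."""
    p = Policy()
    p.add_subject("alice", "secret")        # cleared and granted payroll
    p.add_subject("bob", "top_secret")      # cleared higher, but no need-to-know
    p.add_subject("carol", "restricted")    # has need-to-know, clearance too low
    p.designate_owner("payroll", "hr_director")
    p.grant("hr_director", "alice", "payroll")
    p.grant("hr_director", "carol", "payroll")
    wages = Obj("wage_structure", "confidential", frozenset({"payroll"}))
    return {s: p.can_read(s, wages) for s in ("alice", "bob", "carol", "mallory")}


if __name__ == "__main__":
    print(demo())  # {'alice': True, 'bob': False, 'carol': False, 'mallory': False}
```

Note that bob is denied despite holding the highest clearance: clearance alone is never sufficient, and the grant that would let him in can only come from the compartment's owner, which is exactly the point of the paragraphs above. The audit list records the reason for every decision, which is what an auditor will ask for when a sharing incident is investigated.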

Experience Note 

This is an example of "loose lips sinking ships." Government contractors are usually very sensitive about their wage structures because they compete for contracts on performance and cost. During the annual company picnic, the husband of one of the contractor's employees overheard a conversation in which most of the company's wage structure was discussed. Some weeks later, over drinks, he repeated what he had overheard to a few friends. As the drinks flowed, his conversation was overheard by the chief financial officer of a competing contractor seated at a nearby table. The contractor's next bid was beaten by the competitor, which now knew the contractor's salary structure, and the contractor was bankrupt within a few months of losing the renewal bid.

Backups

Data backup practices are as varied as organizations. These practices must be based on established and audited company policies identifying critical data and managing that data's integrity. Work and information flow of the business will dictate in large part the type and frequency of backup practices.

In the case of individual workstations, data backup continues to be one of the greatest vulnerabilities. It is a matter of practicality because so much data is created and stored at the workstation with few backup copies made. If employees take the protective step of creating backups, they usually store them next to their workstation or somewhere in their office. By doing this, any harm that befalls the workspace will affect the workstation and the backed-up data. A viable organizational policy is one that requires employees to back up workstation data on two disks: one is picked up and transported for offsite storage at regular intervals, and the other rests with the owner, stored at the secure location of the owner's choosing.

Security of the company's data is important. There are data storage companies that use unmarked vehicles to transport data to secure facilities. It is important that these data storage facilities are sufficiently secure and separated from the original site so they do not fall victim to widespread threats. Another concern is how much advance notice will be required to locate and deliver the data to a designated site.

More recently, offsite network backup has gained popularity: organizations copy their data over very large-capacity transmission lines to storage sites located many miles from the client. These facilities may be owned by the organization or contracted from an outsourcing company. Backups can run many times during a 24-hour period, and the data can subsequently be restored to any site the organization designates. It is also common practice to encrypt these transmissions and to authenticate both endpoints, so the data is protected in transit as well as in storage.

Also consider the laws governing the encryption of certain types of transmitted and stored data, and consult legal counsel before implementing any policies and procedures. Backing up data is a required business practice: you cannot recover and restore what you do not have, and the longer you are without your data, the greater the odds that your business will not survive. Remember that backing up data includes both electronic and paper-based documents.
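
The two-copy, offsite-storage policy above only pays off if the copy can be proven intact when it is needed. As an added example (written for this page, not the book's code), the following Python builds a backup with a keyed integrity manifest and then checks a restore against it, rejecting a copy that has drifted, a manifest that does not authenticate, and an archive that tries to write outside the restore directory. The file names, key and archive layout are constructed for the demo.

```python
"""Backup with a keyed integrity manifest and a restore check.

Added example, not code from the book: pack a directory into a tar.gz, record
each file's SHA-256 in a manifest HMAC'd with a key kept apart from the media,
then verify a restore by extracting to scratch space and comparing hashes, so a
corrupted, tampered, incomplete or hostile copy is caught before it is relied
on. Sample files and key are constructed; the layout is this example's own.
"""
import hashlib, hmac, io, json, tarfile, tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src, archive, manifest_path, key):
    """Write src as a tar.gz plus a manifest whose contents are HMAC'd with key."""
    files = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in files:
            tar.add(str(Path(src) / rel), arcname=rel)
    body = json.dumps(files, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    Path(manifest_path).write_text(json.dumps({"files": files, "mac": mac}))
    return files


def safe_extract(tar, dest):
    """Write out only regular files whose paths stay inside dest (no ../, no links)."""
    dest = Path(dest).resolve()
    for m in tar.getmembers():
        if not m.isfile():
            raise ValueError(f"refusing non-regular member {m.name}")
        target = (dest / m.name).resolve()
        if dest not in target.parents:
            raise ValueError(f"refusing path escape {m.name}")
        target.parent.mkdir(parents=True, exist_ok=True)
        with tar.extractfile(m) as data, open(target, "wb") as out:
            out.write(data.read())


def verify(archive, manifest_path, key):
    """Return (ok, problems): check the manifest MAC, then every restored file."""
    doc = json.loads(Path(manifest_path).read_text())
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        return False, ["manifest MAC mismatch"]
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                safe_extract(tar, scratch)
        except (tarfile.TarError, OSError, EOFError, ValueError) as e:
            return False, [f"archive rejected: {e}"]
        restored = build_manifest(scratch)
    problems = [f"missing: {rel}" if rel not in restored else f"altered: {rel}"
                for rel, digest in doc["files"].items() if restored.get(rel) != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in doc["files"]]
    return not problems, problems


def demo():
    key = b"constructed-demo-key-keep-it-away-from-the-media"
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "src"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("payroll export, period 1\n")   # constructed
        (src / "sub" / "b.csv").write_text("id,wage\n1,100\n")      # constructed
        arc, man = work / "backup.tgz", work / "backup.manifest.json"
        backup(src, arc, man, key)
        results = {"good": verify(arc, man, key)}
        # A copy that drifted from the manifest: one file edited, one lost.
        (src / "a.txt").write_text("payroll export, period 1 (edited)\n")
        (src / "sub" / "b.csv").unlink()
        drifted = work / "drifted.tgz"
        with tarfile.open(str(drifted), "w:gz") as tar:
            tar.add(str(src / "a.txt"), arcname="a.txt")
        results["drifted"] = verify(drifted, man, key)
        results["wrong_key"] = verify(arc, man, b"not-the-backup-key")
        # A hostile archive whose member would land outside the restore directory.
        hostile = work / "hostile.tgz"
        with tarfile.open(str(hostile), "w:gz") as tar:
            info = tarfile.TarInfo("../evil.txt")
            info.size = 4
            tar.addfile(info, io.BytesIO(b"pwnd"))
        results["hostile"] = verify(hostile, man, key)
        return results
```

Calling demo() returns four verification results: the untouched copy passes; the drifted copy reports a.txt altered and sub/b.csv missing; the wrong key fails the manifest check before anything is extracted; and the archive carrying a "../" member is rejected outright. Treat the HMAC key the way the text treats designated owners: it belongs with whoever is authorized to attest the backup, not on the media and not with the courier, and the same verify step should be run on the offsite copy at the interval the policy sets, not only on the day of the disaster.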

Physical Facilities

Protection strategies concerning physical facilities encompass such items as the physical safety of personnel, data, and systems; HVAC (heating, ventilation, air conditioning); uninterruptible electrical power; conditioned electrical power (filtering surges, sags, and noise so that equipment always sees clean power at its rated voltage); secure restrooms; and adequate lighting. There are laws and regulations governing the conditions under which employees may safely and reasonably work. For example, workplace safety regulations may require that employees handling heavy loads be provided with back supports and safety equipment.

Another area of concern is the physically challenged employee or client. It is a legal requirement that reasonable accommodations be made so that these employees and clients can function in the workspace.

Redundant Physical Facilities

As with other critical assets, redundant physical facilities go a long way toward business resumption in the face of disaster. In a perfect world the optimum would be exactly duplicated facilities; few organizations can afford that, so a balance must be struck, and it can be achieved in several ways.

Consider the expense of duplicating your facilities. Now consider entering a partnership with someone that has similar facilities and sharing the expense with them.

Experience Note 

One of the better plans recently observed involved partners, not in competition with each other, who kept duplicated facilities in daily use to lighten the load on their primary facilities. When an emergency occurs, the spare capacity of these facilities is sufficient to carry on critical functions. This avoids the problem of ramping up duplicate hardware and software, because both are already in daily use.

Because the partners were not located near one another, the chance of the same natural disaster striking both simultaneously was very small. These facilities were in fact activated during a real disaster and worked very well, even though one partner had suffered an almost complete loss of its primary facilities. Critical business functions were restored within a few hours.

Facilities Outsourcing

Another viable alternative is facilities outsourcing. Vendors offer mobile facilities equipped with office equipment, hardware, and software tailored to the needs of their clients. Delays are minimal in arriving at the designated site, setting up, and having the client's employees arrive for operation.

Other alternatives involve hot, warm, and cold facilities. Organizations may wish to have their own facilities; how well these facilities are equipped determines their readiness. Hot sites are facilities where complete facilities including office equipment, communications, hardware, software, and other critical items are ready for use. Installing current data and transporting employees are the only tasks remaining before these facilities can be activated. Essentially, these are turnkey operations. Their greatest advantage is that they require very little preparation before they are ready to go online. The cost is going to be high and must be weighed against the benefits. Organizations with low fault tolerance will want to look at such alternatives.

Warm sites are less equipped than hot sites. They contain a minimum of facilities and require substantially more preparation; as a rule, some equipment and software must be installed, and it is not unusual for preparation to take one to two days before the site is operational. Their advantage is that they are considerably less expensive than hot sites.

Cold sites are building shells with heating, air conditioning, and flooring; telephone lines may not be connected. Facilities of this type require substantial preparation before they can be made functional, taking two to five days. Cold sites have the advantage of costing less than other alternatives, but should be considered only for organizations that are very fault tolerant.

Experience Note 

We have gone so long with so little, we can now do everything with nothing.

Get Organized

After the risk management plan has been developed, implementation should begin by addressing the critical assets in each relevant business unit. Exhibit 7 is a sample schedule.

Exhibit 7: Asset Protection Schedule

Business unit / critical asset | Protection control | Description
------------------------------------ | ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------
Human resources/payroll applications | Backup policy; firewall maintenance | Develop policies/procedures limiting outside and inside access, and for updating firewall software and access control lists; use mandatory access control (MAC) rather than discretionary access control (DAC) for these applications
Human resources/payroll data | Policy/software | Develop procedures and obtain software for backing up data; obtain and implement intrusion detection software
Sales | Policy/practices; modify sales application | Operational controls so that input fields accept only valid sales data (input validation); only business unit management may approve sales database access
Warehouse | Policy/practices; modify inventory application | Operational controls so that input fields accept only valid inventory data; only business unit management may approve inventory access






Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144
