
Preparing for the CISA exam. Business Continuity Practices

Pashkov Kuzma - Lead InfoSec , EMC trainer @ training.muk.ua

Having covered the definitions and benefits of Business Continuity (hereinafter BC) in the previous articles, it is now necessary to consider the practice of implementing it.

The business owner and/or senior executive determines whether those responsible for BC will focus on Disaster Recovery (hereinafter DR) for the sake of recovery, or on BC for the sake of profit. The auditor can quickly identify the purpose of the BC plan simply by determining who is responsible for it, for example:

1) Chief Executive Officer / Chief Operations Officer - focus on profit
2) Chief Information Officer / Chief Financial Officer - focus on recovery and COOP (continuity of operations)
3) State regulatory authorities - focus on EM (emergency management) and COOG (continuity of government)

There are different approaches to the implementation of BC. Most governments in general, and the non-profit organizations popularizing BC, such as the Disaster Recovery Institute International and the Business Continuity Institute in particular, focus only on the DR and EM aspects. Company management, in turn, is interested in making a profit every day, so one can expect its active participation in the development and implementation of DR only when it comes to backing up its valuable information resources.

Whatever approach is used, any implementation of BC requires the fulfillment of two mandatory conditions:

1) Raising staff competence in information security. A BC plan makes no sense until the company's staff have been trained in the knowledge and skills needed to carry it out. Explain the plan, their responsibilities and the scope of their involvement to them on a regular basis. It is important to convey to staff that the BC plan cannot, in principle, cover everything in the organization. The key to success is covering only the critical business processes; everything else can be stopped for a while or even forever. We simply cannot afford to protect everything.
2) Integration with other organizations. No one can exist alone. A good BC plan should be aligned with the similar plans of counterparties, whether partners, suppliers, customers or government agencies. Most likely you will have to rely on them at the time of a disaster, or vice versa.

As a visual demonstration of an approach to implementing BC, consider the model developed by the US federal agency FEMA (Federal Emergency Management Agency).



It is important to remember that priority number one is your customers and how you interact with them. Without customers there is no profit. Without profit, implementing BC is extremely difficult or impossible. And without a constant influx of satisfied customers, investors will leave as well.

To be continued…

Video recording and presentation of the webinar “To entrust information security”


I am waiting for questions on training and certification in the field of information security at PashkovK@muk.com.ua

The next CISA seminar at TC MUK (Kiev) starts on 03/14/2016

Other articles by the author on information security

Preparing for the CISA exam. Business Continuity Definitions
Lost art proof security. Part 1 of 2
CompTIA certifications for IT professionals. CompTIA Security +

Source: https://habr.com/ru/post/278539/