ICT Continuity

Many organisations are dangerously unaware of the risks of not having an IT continuity plan in the event of disaster

Many organisations are operating under the dangerous illusion that they will never suffer a major loss of IT systems, or that such a loss will have a relatively low impact, research from the British Standards Institute has warned.

BSI's Publicly Available Specification (PAS) advisory paper, IT Service Continuity Management Code of Practice (reference 77:2006), paints a grim picture of the potential disaster facing ill-prepared organisations. It cautions that while many firms believe that they have invested in adequate systems resilience, in reality most do not have adequate plans to protect themselves from natural disasters or human error.

Briefing BCM - News BCM

CIOs need a well-oiled business continuity plan

The board of directors at Handleman never really considered business continuity to be a priority, until the Warrington-based music distributor was hit by an unexpected flood, which took out a number of servers and rendered its offices temporarily inaccessible.

Mark Bowell, IT support manager at Handleman, admits the firm had historically overlooked business continuity because it was hard to justify serious investment for something that might never be needed. "The problem is that vendors tend to come up with really unrealistic figures and there's a lot of scare-mongering" he says.  "We had a business continuity plan, but it wasn't nearly broad enough."

  When a business continuity plan fails, chances are the blame will land squarely on the IT director's desk, says Simon Mingay, research vice president at analyst Gartner. Mingay argues that chief information officers (CIOs) are increasingly being charged with responsibility for business continuity. but risk failure because they treat the issue as an IT problem. In fact, IT leaders are being given responsibility for business continuity because their skills and experience make them the best person for the job, not because it is a problem that can be solved with technology, says Mingay. "Your average CIO has good project management skills, great risk management and he understands the core business processes at the heart of the organisation" he says. "Who better to take on responsibility for business continuity?"

Mingay says one quick and effective way to make clear the division between IT and business continuity is for the CIO to appoint someone to the business continuity team who is responsible for representing IT.  "Whatever you do, don't go along with your IT T-shirt on, talking about data centres and remote backup that's not what business continuity is about," he says.

Responsibility for business continuity planning at brokerage organisation Close Premium Finance falls to a committee, which is made up of representatives from IT and operations, together with all the main business functions. "It is vital because business continuity plans also cover things such as premises, business assets, employees, training and supplier relationships" says Jonathan Cattle, head of IT and planning with the firm. So, how does the CIO ensure the business continuity plan will get the business and not just its servers back online when disaster strikes?

The most important thing is to do the groundwork before creating a formal plan, says Martin Byrne, who leads Accentures' European business continuity practice. This means a thorough business impact analysis and risk assessment looking at what happens to an organisation if a particular business process cannot be completed for various periods of time. For example, the first job of the business continuity committee at Close Premium Finance was to identify which of the thousands of activities carried out by the firm are most critical. In the event of a disaster, some activities must be restored as quickly as possible, such as customer service and payroll, while other, less critical activities, such as the staff canteen, could be restored over a period of days or weeks.

"We have plans drawn up showing us how to restore the most important activities within an hour, then others within four, 12, 24 or 72 hours" says Cattle. "It is a process that has been refined through experience, as the companys' buildings have been seriously damaged twice by IRA bombs in London. As a CIO/business continuity manager, you will need to speak to business leaders across the company to get this information, although assess the responses in the context of the wider business strategy. "

Realistically, everyone is going to tell you their service is vital, their systems must be up and running in 10 minutes or the business will fail, but not everyone is telling the truth" says Mingay. Only when the impact analysis has been conducted should you begin the next stage, a risk analysis. This means identifying all plausible risks to your business, and the cost to the business of those risks. Once you have identified the risks, consider if it is cost-effective to eliminate or mitigate a risk, rather than planning to recover from a problem later. For example, if you have only one person who can run the payroll system each month, you may want to invest in additional training in case they are taken ill or leave the company.

"For a CIO, getting board backing for investment in business continuity is likely to be the biggest challenge" says Crispin O'Connell, chief ICT officer at Cardiff County Council. "Because you're hopefully never going to use this stuff, there's a view that we're throwing money away by investing in business continuity" says O'Connell.  It's perhaps the biggest grudge spend in any organisation."

"At this stage, you will be left with some risks that cannot be eliminated or reduced. These are the risks a business continuity plan must address. Once you have created a business continuity plan, it is essential to test it thoroughly" says Accenture's Byrne. "Too many firms have an artificial sense of safety because they have a lovely plan on the shelf" he says. "But unless you test the plan, how do you know if your staff will be able to get to the new premises, if the backup tapes work, or if the remote access software works with your new payroll system?"

FORUM STAT - 70% of untested plans fail!

And just because a plan works once does not mean it will work for the rest of time. "Loads of businesses are still coasting along with the business continuity plans they drew up for year 2000," says Mingay.  "The problem is that the world for your partners, customers, employees and the government has moved on since then. There are no hard and fast rules when it comes to continued testing of a business continuity plan it depends on how dynamic your organisation is, and the importance the board places in recovering from a disaster."

He added "In the financial services and retail sectors, companies tend to test business continuity plans at least once a quarter. But in a smaller or less complex company, once a year may suffice. A full-scale test of business continuity plans can be expensive and complex, particularly if it involves partners, suppliers and regulators. But it is possible to conduct smaller tests more frequently. A desk test, where you get the team together and challenge the test by thinking up different scenarios, is quite straightforward" says Byrne.

 For more details on our events, workshops and industry development work, as well as the general activities of the Continuity Forum please contact us directly on +44 208 993 1599 or mail us HERE!

Best Practice a must for Datacentres to prevent avoidable failures

Companies are investing hundreds of thousands of pounds in high-availability systems for datacentres but are failing to follow best practice maintenance procedures to avoid having a single point of failure. Even though the IT within data-centre sites can offer 99.99% availability and no single point of failure, IT directors are failing to assess the risk of human error in mechanical, electrical and IT systems, said Mick Dalton, chairman of the British Institute of Facilities Managers.

Case study: University of Southampton - business continuity

At 6am one Sunday last year, a fire broke out in the University of Southampton computer science department.  "The electronics department clean-room facility was a four-storey building fitted with lots vacuum pumps, which fanned the flames" says Joyce Lewis, IT and communications manager at the university.

Business Continuity Management Briefing BCM - IT Technology

If Information Technology be the foundation of your organisation, then read on

There can be very few modern organisations that do not rely, to a greater or lesser degree, on information, computing and telecoms to assist them in delivering their products and services. 

When the Chartered Management Institute (CMI) asked managers across all sizes and types of organisation what would have the greatest impact on their organisation they replied, the loss of IT. So why is it that major systems still fail?

Firms relying on datacentre service providers should beware, after a spate of high-profile outages

Recent power outages at two separate datacentres have highlighted the necessity for firms to implement effective business continuity measures, and for IT managers to be more discerning about their service providers' back-up plans, according to experts. 

On Sunday a datacentre in North London belonging to service provider Level 3 Communications suffered a power cut which lasted around six hours, while in the US, popular social networking site MySpace went down after the same problem affected its Los Angeles datacentre. 

Thousands of MasterCard and Visa cardholders affected... 

A UK-based online retailer has been identified as the source of a security breach that has resulted in thousands of MasterCard and Visa holders having their credit cards cancelled this week. 

At least 4,000 UK MasterCard holders are believed to have now been affected by the breach which occurred after hackers gained access to credit card details via the as-yet-unnamed e-tailer. 

Extortionists attack business through DoS 

It has become common practise for extortionists to target net firms and threaten to cripple their websites with deluges of data unless they pay a ransom. Not all the e-criminals are able to follow through on their threats but when the Nochex site went down at 8pm it was time to sit up and take notice.

"We get quite a few, maybe once a month so we don't always take it too seriously," he said.

In this instance though Mr Malik did contact his service provider Pipex. "They told us we were being flooded by a zombie attack," he said.

April 26 2005

Security and privacy concerns are becoming the biggest issue for companies considering outsourcing their IT projects to companies offshore. Analyst house Gartner said that this year concerns about job losses will be overshadowed by these security issues. Gartner research director Ian Marriott commented: "This will become the top issue for companies taking their work to other parts of the world."

Security experts attending the Wireless LAN exhibition found that anonymous hackers in the crowd had created a website that looked like a genuine log-in page for a Wi-Fi network, but which actually sent 45 random viruses to computers that accessed it.

HP's business continuity and availability services will be bringing together a set of customisable solutions consisting of people, processes and technologies that are designed to help customers solve business continuity, availability, compliance and operational risk challenges.

SC Magazine

The number of conventional phishing attacks dipped slightly last month but the amount of crimeware designed to steal personal data increased, according to the Anti-Phishing Working Group (APWG). There were 14,135 phishing attacks reported to APWG in July, down from 14,135 in June.

The number of phished brands also dipped to 71 last month, from 74 in July, as attackers shifted from targeting large companies to smaller financial institutions, APWG researchers reported. The number of malicious keylogging applications designed to steal passwords grew to 174 in July, up from 154 in June while the number of password-stealing URLs grew to 918 from 526.

MCI, Inc. has announced that it has expanded its disaster recovery capabilities for government customers to include back-up voice services that will restore incoming communications within minutes.

Computer Weekly 12/7/05 

Your trading partners  plans for business continuity can be as vital as your own. Arif Mohamed looks at positioning yourself for maximum competitive edge Good business continuity planning can give a company an edge over its competitors. 

Apart from the assurance that the business will run regardless of natural disasters or external hacker attacks, a company with a good plan can use it as a selling point. In fact, customers have driven the requirement for good business continuity planning over the past few years, says Gartner research vice-president Simon Mingay.  “One of the biggest drivers has been that customers have asked:  Have you got a plan? Show me the plan. What is the scope of it and how do you aim to keep it up to date? 

Mike Stichbury, head of business continuity services at BT Business, says,  “We frequently come across small and medium-sized companies that are asked for copies of their business continuity plans by clients who want to be assured they have sufficient procedures in place to protect against interruption to service.  

Mingay says most companies are alerted to business continuity planning by a catalyst.  “They might have an incident or a close call, or someone in the supply chain or a competitor has an incident, or a new executive comes in and decides to make it an issue. There could be a change in the regulatory regime, or an auditor who makes a comment, or a customer who starts asking questions, he says. Mingay says the issue of business resilience concerns many customers, and is a particular worry in financial services, with life sciences and pharmaceuticals following closely. One major benefit of business continuity planning is that companies stand to offer customers and potential customers assurance that their business is robust, which may be something their competitors cannot do. 

Business continuity planning can be a selling point for IT internally, and for the business externally, says Chris Stewart, technical consultant at EM C s Solutions Group, which offers business continuity consultancy.  “When you are looking at business continuity you want to make sure you are continuing to provide all the critical services the business relies on. IT services are one of those, but you are also going to have external services that you require from other companies, and you may be providing critical services to other businesses,  he says. With this in mind, an IT department will gain the edge if it can carry out risk assessments from planned or unplanned incidents and calculate how much data can be recovered and the time it will take, says Stewart. In addition, the IT department will get the company s executives onside if it can demonstrate a methodology, showing design and best practice, implementations and testing, and recovery and failover plans, he says. Industry-specific regulatory requirements, such as Sarbanes-Oxley, Turnbull and US healthcare legislation HIPAA, have acted as a significant catalyst for adopting a business continuity plan. 

Callum Sinclair, a solicitor with law firm Maclay Murray & Spens, says,  “Certain bodies deemed vital to running the country such as emergency services, the NHS and certain transport providers, are required to maintain continuity plans under the Civil Contingencies Act 2004.  “Beyond this, there are various additional industry rules and guidance which apply, to a greater or lesser extent, to financial services companies, PFI/PPP providers and others.  But what a company is required to do in terms of having a business continuity plan varies greatly by sector. 

In some sectors there ire few regulations, and in others, such as financial services, requirements are manifold, says Richard Chapman, solicitor at law firm Berwin Leighton Paisner.  “Regardless of sector, directors always have o act in the best interests of the company, and make appropriate measures to protect the company s assets,  he says.  “One way is to take out in insurance policy to cover databases, communications or customer records. All businesses should see what appropriate ways :here are to protect their assets.  One major issue surrounding business continuity is the involvement of business partners and suppliers, which often play a key role in the supply or business chain. Medium-sized as well as large companies are increasingly integrating their IT systems into their partners  systems, says Mingay.  “Organisations are much more tightly integrated into a trading ecosystem, and IT is fulfilling much more of that role than it did previously. Information is now being largely transferred automatically through the supply chain,  he says. 

Companies should therefore demand from their suppliers a high level of preparation for interruptions to business.  “Business interruptions will affect customers far more quickly than before,  says Mingay.  “You should be concerned about your own suppliers, and h~ asking more detailed questions about their business continuity planning. Just because they are big, do not assume they have a plan.  Many companies rely on their business and outsourcing partners to be resilient, as their services are core to the business. Because of this, business continuity issues are often addressed within a contractual framework, to ensure the core business is able to continue if the partner goes down. In creating a contractual framework for business continuity planning,  “Keep it simple and flexible and ensure you get the involvement and commitment from everyone in the business. You need to create the right organisational culture and adopt a holistic approach.  Chapman says,  “In outsourcing transactions, you would commonly put in the contract that your supplier is required to have business continuity in place. You will also want to have a disaster plan in place that links in with yours.  

Stichbury says,  “To get the best possible protection, organisations need to consider which elements of their business and supply chain are mission-critical and the potential impact should one of these fail or be hindered in any way. Armed with this information it is easier to negotiate service level guarantees with subsequent compensation should your supplier s services fail.  Sinclair adds,  “Where the strategy involves working with a partner - handling off-site IT back-ups and disaster recovery, for example be certain the contract includes assurances in relation to service levels. 

These should include specific requirements for response times and service availability.  “However, it is also important to have a good working relationship with such partners, with regular meetings and updates to help foster in-depth knowledge of processes and systems.  “There are data protection implications around using a third party for disaster recovery, as the information held in off-site backups may fall within the remit of the Data Protection Act 1998. Details of any third party providers should be included in information such as privacy statements and fair use notices.  

Chapman says that where a disaster recovery location is situated abroad, transferring personal information across national boundaries may also have data protection implications, being subject to international data protection laws. But Mingay says,  “Regardless of onshore or offshore, the issue is the same. As we move towards outsourcing, from an IT point of view, organisations absolutely need to concern themselves with the business continuity and disaster recovery plans that the provider has, and not assume that because they are going with an external service provider, that they have made provision for them, if there is nothing in the contract.  “It is a common problem that people have made assumptions of the level of capabilities of their partner. It is not always the fault of the provider. It is sometimes the fault of the client, who is looking at ways they can take costs out of the deal, and that may involve reducing their business continuity. You pay for what you get.  

CASE STUDY 

Carphone Warehouse mirrors its datacenters 

Retailer Carphone Warehouse wanted to ensure it had effective business continuity. It offered consumers services that required its communications network to be up and running around the clock, each day of the week Last year the company built a new datacenter that mirrored its core environment, but is also capable of running live services. 

Carphone Warehouses’ infrastructure and operations director Attiq Qureshi, says the company now regularly switches key services between the sites, whenever they add capacity or carry out maintenance. The firm signed a 10-year deal in September 2004 with business continuity service provider Globix to ensure the datacentre and its networks run at all times. The contract included service level agreements that cover network performance at 99.99% uptime, hardware failure response, and round-the-clock application monitoring. I think it has given us a competitive advantage, We now have two large datacentres, so we can move between the sites. It has given us growth and raised the profile of business continuity systems in the business,  says Qureshi Carphone Warehouse has an audit committee made up of some of its most senior executives, who are now very interested in the company s business continuity plans. 

The company was required to communicate its capabilities and plans to telecoms regulator Ofcom. Carphone Warehouse also informed the Financial Services Authority, for insurance purposes.  “We were urged on by our insurers, and now that we have business continuity, we have got some fantastic savings on our insurance as a business,  says Qureshi.  “From an insurance point of view, customers need to know that we can continue to provide telecoms services and billing, can activate a new phone and bar it if the phone is stolen, and can give them accurate and timely bills,  he says. 

Continuity Forum Comment 

Recent events have added impetus and focus to the management issues surrounding BCM and we are already seeing a reaction similar to that following 9/11 where organisations rushed to show that they were active and positive towards Business Continuity Management and Security. However, this knee-jerk reaction to events needs to be considered against a broader backdrop of resistance and partial planning. 

The tendency to improve the 'easy' side BCM planning, the one with a host of suppliers - IT must be balanced by the other side. We have spoken with probably more people and organisations than any other in the sector and the consistent theme is that there are STILL significant issues in getting organisations to develop broad enough plans. 

Artificial parameters are being set on the BIA phase of the planning limiting the scope and effectiveness of the process and often huge omissions are left unaddressed by both Public and Private Sector organisations. The issues outlined above are great to plan for and resolve, but they represent only a proportion of the planning needed. What about your people? do they know what to do? What about the Supply Chain and key partners? Has a critical dependency been left unresolved? Has effective  liaison with Emergency Services, Local Authorities and the Insurance companies been undertaken? When was the last Rehearsal or full BCM plan review? 

Remember, Business Continuity Management is an ongoing process and needs regular review and update, it should cover all critical processes, not just IT ones and connect with the people working within the organisation. 

Our Benchmarking study shows that even amongst the best of breed adopters of BCM there are areas consistently left out and according to Murphy’s law you can bet that is where disaster will strike - life tends to be like that! On speaking with one Public Authority recently we were told that they were confident of being fully compliant with the Civil Contingencies Act, due to come into effect in November, yet when we asked about how they had handled some of the key local services, such as Care for the elderly and those in schools etc, we were told that they had 'concentrated only on the Authorities Buildings.

It came as a shock to them to find out that the scope of the Act goes far beyond a bit of Facilities Management, but it was a greater shock to us to hear that after 2 years (of notice) people had still failed to actually understand the importance and scope of Business Continuity Management to the Organisation. 

By the way the only IT system that was within the plan was that dealing with Council Tax! Business Continuity Management is a tremendously powerful and effective process, but there does need to be an honest and COMPLETE assessment of the organisations responsibilities and needs for it to be truly effective. 

We are working hard to address these issues and progress is being made, but please do realise that it is the executives responsibility NOW not to artificially limit the scope of activities involved in the BCM process, but rather develop an integrated, structured understanding of how ALL the processes and resources will be affected during an event and then link them back to the needs and responsibilities of the Stakeholders. Failure to do this will only leave you high and dry when you need Continuity most! 

END  

If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us HERE! or call on + 44 (0) 208 993 1599. 

source SC Magazine

Phishing email reached a new high in July, according to email security company Postini, which tracked more than 19 million phishing attempts last month. That number is the highest monthly total since Postini began tracking phishing in January.

July's total breaks June's record of 16.7 million phishing emails, the company said. While phishing attacks increased, the number of emails containing viruses decreased in July by 20 percent compared to June, Postini said.

The amount of spam remained stable at 88 percent of the total number of emails sent. The company processed more than 14 billion emails last month. Directory harvest attacks decreased 8 percent from June.

Gartner researchers have estimated that online debit card fraud, perpetrated via phishing and keystroke logging attacks, has resulted in $2.75 billion in losses in the past year.

END 

If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us HERE! or call on + 44 (0) 208 993 1599.