May 2016 SAFE Newsletter
By Shivani Malik
Making the Business Continuity Plan Disaster Ready
Ask C-level executives “What is Business Continuity?” and you are likely to receive various answers with one underlying principle: when disaster strikes, keep the business running. The requirements necessary to implement a disaster-ready enterprise Business Continuity Plan (BCP) that will keep the business running address technology, IT readiness, and overall business preparedness. These key elements must work in tandem to formulate a realistic and tangible BCP.
Technological advances like virtualization and cloud technology are making Backup and Disaster Recovery (“BDR”) easier, more reliable, and more economical. Advanced BDR technology automates backups, immediately replicates data off-site, provides current updates to systems and files, decreases BDR cost, and, most importantly, has monitoring capability that provides alerts when something is not functioning properly or has failed to function. By utilizing current BDR technology, the results of the financial institution’s BCP become more predictable and reliable. Gone are the days when a disaster strikes and the recovery team comes to find out that the backup had been failing for an extended period of time or that important backup tapes were lost or misplaced. By implementing advanced BDR solutions, financial institutions can be more assured that when a disaster strikes, the technology in place to recover key business processes will enhance the financial institution’s ability to resume business quickly and efficiently. Additionally, hiring a qualified managed service provider to manage and monitor BDR technology for the financial institution allows the organization to gain an additional layer of expertise to recover and resume business quickly after a disaster.
Information Technology (“IT”) Readiness
IT Readiness for Business Continuity articulates each step to recover critical systems to resume business operations during a disaster. The IT Recovery Plan is the document that defines the IT readiness of the financial institution; it provides detailed directions on how to restart systems, restore lost data, back up, and prioritize which systems to recover first in accordance with the key business processes as defined in the enterprise BCP. The IT Recovery Plan allows IT to restore systems in alignment with critical business processes during a disaster and is an integral part of the full recovery and resumption of the business. It provides IT with step-by-step processes that make it more efficient to recover critical systems first.
Overall Business Preparedness
The third and final element of a disaster-ready BCP is overall business preparedness, which goes beyond IT planning and addresses how each department will continue functioning in the event of a disaster. On a micro level, every department within the financial institution must understand its own criticality during a disaster. If each department understands its alignment with the enterprise BCP, resumption of normal business operations will become more efficient: IT can concentrate on recovering the most critical systems first, non-critical requests can be triaged and addressed second, and normal operations can resume more quickly.
Aligning technology, IT readiness, and overall business preparedness to the enterprise BCP creates a disaster-ready BCP.
Data classification is the process of organizing data into categories for its most efficient and effective use. Financial institutions need a well-planned data classification scheme for many reasons, including a disaster-ready BCP, risk assessment, and regulatory requirements. Due to the highly sensitive/confidential data retained at financial institutions, it is important that the organization take the time and effort to develop a logical and clearly defined data classification scheme. Additionally, the financial institution must consider how to implement the data classification scheme in a way that sensitive/confidential files are properly tagged and filed in the appropriate folders, so that they receive the proper level of security and are easily searchable and retrievable.
There are several steps the financial institution must take when developing and implementing a data classification scheme. The most important step is understanding which pieces of financial institution data are sensitive/confidential and why the information is sensitive/confidential. Once this insight is gained, the financial institution can begin to define the data classification scheme and how it would like to organize sensitive/confidential information.
The next step in developing a data classification scheme is to formulate clear definitions for data categories and scheme terminology. Then the financial institution should determine the method for implementing the scheme, which can be done through shared folders or a data classification application. After this is complete, it is important that end users are trained on the use of the data classification scheme. Training end users is important because if the data classification scheme is not used correctly, it will be difficult for the financial institution to meet some of its compliance obligations, such as properly securing files containing customer-identifiable information.
Development and implementation of a data classification scheme is important for financial institutions because it forms the basis of securing data within the organization.
True or False:
The Business Continuity Plan is used only for the recovery of information technology.
Information Security Tip of the Month:
A clearly defined data classification scheme assists a financial institution in organizing information to ensure proper security protections are in place.