Damage mitigation and business continuity are big IT topics these days as organizations look to ensure they'll continue to run smoothly following a system disruption or outage. Regardless of your approach, events are going to crop up that test how you get back on track after a potentially damaging incident. As famed management consultant Peter Drucker said, the only thing that's inevitable in the life of the leader is the crisis.
To get through such a crisis, it's important to develop a solid business continuity policy and to recognize that business continuity policy development never really ends, but should persist through ongoing oversight and improvement.
A business continuity policy should start with a strong auditing process that uncovers weaknesses. System outages and business disruptions are going to happen no matter what, so the best approach is to expect these issues to happen. I'm not saying to ignore prevention, but you can spend infinite time, effort and money and still not be able to fully prevent damage. But that's OK -- we don't live and work in a perfect world. What counts are the clear, documented procedures you prepare to minimize the damage to your business when these events do occur.
It's rare, however, to see a proper business continuity audit. Another gap I often see in business continuity is due to improper expectations: The very people who can help minimize the damage of a system outage are often unclear on what it's really going to take to work through the situation.
Ask yourself: Do you fully understand how all areas of IT and your network can influence business operations, especially when something goes wrong? Who's in charge of these areas? Too many times, people assume that it's someone else's responsibility to look after potentially tenuous IT-related issues. It's similar to when two baseball outfielders are running to catch a fly ball but both end up missing it because each assumes the other person is catching it. You cannot afford to take this approach in IT. Make sure you -- and all the key business continuity players -- know exactly what's expected of each of you.
You also need to audit the effectiveness of your business continuity program. To start, you can find and fix the low-hanging fruit that you know will have an enormous negative influence on your processes when things go awry. Practically every organization has business continuity weaknesses at this very moment, whether it's with cloud providers, hardware service vendors, people management or anything in between. You likely know what they are, but dig deeper if you're unsure. If you're positive that everything's in check, ask an unbiased third party to audit your business continuity plan.
In the near term, make sure you're thinking processes through and looking at all the right management policies. Over the long haul, you'll need to revisit your business continuity policy and procedures and add, remove or tweak the necessary areas to adjust to your changing business and evolving network environment.
If you approach your business continuity policy with these principles for managing information risk, you'll set yourself, your compliance program and your business up for success. If you need some direction, the NIST "Contingency Planning Guide for Federal Information Systems" and ISO/IEC 27002 framework can help. Get started today.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored or co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking for Dummies, 3rd edition. In addition, he's the creator of the Security on Wheels information security audiobooks and blog.
This was first published in November 2012