Tip

Audits, maintenance crucial to business continuity policy success

Kevin Beaver

Damage mitigation and business continuity are big IT topics these days as organizations look to ensure they'll continue to run smoothly following a system disruption or outage. Regardless of your approach, events are going to crop up that test how you get back on track after a potentially damaging incident. As famed management consultant Peter Drucker said, the only thing that's inevitable in the life of the leader is the crisis.

To get through such a crisis, it's important to develop a solid business continuity policy and to recognize that business continuity policy development never really ends, but should persist through ongoing oversight and improvement.

A business continuity policy should start with a strong auditing process that uncovers weaknesses. System outages and business disruptions are going to happen no matter what, so the best approach is to expect these issues to happen. I'm not saying to ignore prevention, but you can spend infinite time, effort and money and still not be able to fully prevent damage. But that's OK -- we don't live and work in a perfect world. What counts are the clear, documented procedures you prepare to minimize the damage to your business when these events do occur.

It's rare, however, to see a proper business continuity audit. Another gap I often see in business continuity is due to improper expectations: The very people who can help minimize the damage of a system outage are often unclear on what it's really going to take to work through the situation.

Ask yourself: Do you fully understand how all areas of IT and your network can influence business operations, especially when something goes wrong? Who's in charge of these areas? Too many times, people assume that it's someone else's responsibility to look after potentially tenuous IT-related issues. It's similar to when two baseball outfielders are running to catch a fly ball but both end up missing it because each assumes the other person is catching it. You cannot afford to take this approach in IT. Make sure you -- and all the key business continuity players -- know what's expected of them.

You also need to audit the effectiveness of your business continuity program. To start, you can find and fix the low-hanging fruit that you know will have an enormous negative influence on your processes when things go awry. Practically every organization has business continuity weaknesses at this very moment, whether it's with cloud providers, hardware service vendors, people management or anything in between. You likely know what they are, but dig deeper if you're unsure. If you're positive that everything's in check, ask an unbiased third party to audit your business continuity plan.

In the near term, make sure you're thinking processes through and looking at all the right management policies. Over the long haul, you'll need to revisit your business continuity policy and procedures and add, remove or tweak the necessary areas to adjust to your changing business and evolving network environment.

If you approach your business continuity policy with these principles for managing information risk, you'll set yourself, your compliance program and your business up for success. If you need some direction, the NIST "Contingency Planning Guide for Federal Information Systems" and ISO/IEC 27002 framework can help. Get started today.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored or co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking for Dummies, 3rd edition. In addition, he's the creator of the Security on Wheels information security audiobooks and blog.

This was first published in November 2012
