jeudi 27 mai 2010

BCP - Size Does Not Matter

It is not just about size. When we mention a Business Continuity Plan (BCP), what comes to mind is the large enterprise. But large enterprises, in general, do not represent more than 15% of a country's officially registered businesses. Small and mid-size companies have their share of the local economy, and a big one.
So, regardless of the size of the business, a BCP comes in handy.

First of all, a series of questions to be answered by CEOs, co-founders and startup heads: Do we need it? Do we want it? And most of all, what for?

The need for a small or mid-market company to invest in a business continuity plan must be directly related to the risks it takes given the business it is in.
- In some sectors, regulatory demands are very important and business continuity is required. Take, for example, banking and insurance companies.
- Sometimes a PCA may be required by a customer, as may a BCP or information security policies: we have to bear in mind that large enterprises are increasingly dependent on their sub-contractors for major contracts, which may represent a risk for them. So, in order to protect themselves, they oblige their partners, by contract, to set up a BCP.
- Some organizations that advise or finance startups also require assurance of business continuity. They want to be sure that the company, in the event of a loss, will have what it takes to keep going.
- Last but not least, there are firms that are more motivated to implement a BCP: those who have already suffered a claim themselves, those who have come into contact with a company close to them which has been affected by a BCP, or worse, those who have already experienced some sort of breakdown in an area of their business.


How should a BCP be designed?

Before setting up a BCP, the company must ask simple, effective questions:
- What should be protected: Data? Information? Know-how? Collaborators? The information system? Production?
- What is the maximum loss of data or information admitted?
- What is the longest period of interruption acceptable?

The key is to determine the criticality of the elements.

The BCP should reflect the result of all these risk considerations, and according to these criteria it will be able to adapt its level of assurance to the company.

But this is only part of the process. To be effective, the plan must keep evolving, or it becomes ineffective. It must adapt to changes that take place in the company (for example, if it merges) and in its environment (a drastic example: a TNT plant sets up in the same area).

Most important, though, it should also take into account the evolution of risks. Who would have thought of cyber security as a major risk, say, 10 or 15 years ago? Risks today have evolved to the point that we must distinguish a physical risk from a virtual one. A BCP's characteristics must follow the risks all along.

Implementation

When the decision to move on to a BCP is taken, the next doubt is whether to do it in-house or rely on a third party for the task. Any business will be better off with external help.

Many reasons justify the use of an outside provider.
- Experience. Businesses are rarely confronted with major physical disasters such as fire, floods or other destruction. Internal teams therefore lack experience when such an incident occurs.
On the other hand, third parties have this expertise. Their teams, specially suited for the job, know not only how to organize full checklists for resuming operations, but also how to restart the core functions of the business in the shortest possible time.

In addition, small and medium businesses do not have the additional premises needed, located far from their original site, to accommodate backup data centers and storage solutions.
Companies have to change their beliefs about local backup. Backup media are not reliable after a period of time, resulting in restore failures.

Finally, using third-party services for a BCP provides real-time updating of both systems and data, in addition to their protection. This aspect is very important because small businesses setting up a BCP often run into the problem of the plan going out of date: the people responsible for the business continuity plan are either moved to other activities or the focus on the BCP diminishes until it becomes irrelevant.

Nevertheless, to succeed, even with third-party coaching, the project must be culturally accepted internally at all levels: it is a decision by the company as a whole.

Sources: ABNT, MS, HP

vendredi 23 avril 2010

Information Security Team

It is known that CI professionals, watchers of all calibers, lobbyists and advocates are after valuable information within and outside their companies.

Once information is recognized as such and becomes part of the intangible assets of the company, it is absolutely necessary to set up policies to ensure its proper handling and protection.

Who will do it?

A team specifically dedicated to information security.

The next questions come up: how to set up such a team? Who will lead it?

Some aspects must be taken into account when setting up an information security department.

Knowledge of information security is captured in different models currently available, among them the ISO/IEC 27000 series (information security).

The knowledge relating to the Information Security Management System (ISO 27001) and the Code of Practice for Information Security Management (ISO 27002) should be disseminated throughout the organization. However, when it comes to structuring an information security department, companies find themselves in a worrying scenario.

1 - The information security analyst should have deep technical knowledge. I'm not referring to certifications, I'm talking about practical knowledge and experience in the subject.

2 - Some companies insist on promoting someone from within the IT department to the position of Manager of Information Security. That professional usually has a profile very different from the one needed to take on the responsibility.

As an example, I will describe the profile commonly found among those promoted to the position of Manager of Information Security as described in the paragraph above:

• He has experience in broader subjects such as databases and software development, using only the most basic security features.

• He has no history of participation in lectures, events or training on information security.

• He is not acquainted with international information security standards (e.g. ISO 27002) and does not follow bulletins about new threats on the Internet.

• He reads only books on database technologies and software development languages.

• He has a degree in database technology, an MBA in Information Technology and certifications from Microsoft and Oracle.

Can you guess what his role in the company was? That's right: he was responsible for managing the database. Now he is the Manager of Information Security, and he has a lot of ground to cover to reach the necessary profile.

3 - Some companies create an information security department just to administer access to the computing environment. It creates users, changes passwords, sets permissions on directories and so on, all of it to comply with regulations or audits.

4 - Creating an information security department subordinated to the Information Technology area is the most common mistake organizations make.

On the organization chart, the security area should be aligned with the legal and audit departments. An information security area subordinated to the IT director functions more as technical support than as the area responsible for the whole Information Security Management System.

Success factors

The success of your company is not tied to its technological arsenal. There are some factors that should be considered when deciding to create an information security team and implement an Information Security Management System (ISMS). The first factor is to obtain approval from the organization's managers to launch the ISMS implementation project.

At this stage the project team presents the priorities, objectives and scope for deploying the ISMS. It should also discuss changes to the company's organizational structure, including responsibilities, to meet the project objectives and business needs.

The output of this phase is the approval and commitment of managers to implement the Information Security Management System.

The second factor is the diagnosis and analysis of the maturity level. During this phase, we map the organization's current situation and present a list of needed improvements in its information security processes, linking the organization's strategic planning to the implementation of security systems.

The third factor is the creation of an interdepartmental committee to develop information security policy and standards, with the support of the board and/or senior management, based on guidelines from Information Security Governance, business needs and regulations.

With the support of the CEO

The creation of an information security team and the definition of its responsibilities depend mainly on the guidelines established by the board and/or directors. These guidelines should be documented in the Information Security Governance policy.

Information Security Governance clarifies for managers the company's strategic objectives in relation to information security. Down the line it will present a list of legal and regulatory requirements and contractual requirements involving information security that apply to the business.

The combination of these three factors will help your company create an information security team and implement an Information Security Management System.


Sources: ISO/IEC 27001,27002; ABNT

mercredi 27 janvier 2010

Checking Figures

After the earthquake that destroyed the poorest country in the Americas, the world has shown the most generous expression of solidarity in history.

In the midst of so many reports and press releases it is difficult to know who did what and how much has been given.

At this link you will find the raw numbers of each country, per capita figures, and the most generous nations in relation to their GDP.

To see the details, this spreadsheet shows the numbers more accurately.

To compare with what was done after the 2005 Indian Ocean tsunami, the image below shows what each country had promised and what it effectively delivered:


The tsunami numbers in detail here.


Now, if we compare this to the spending of the USA alone on the fronts in Iraq and Afghanistan, a feeling of shame is inevitable.


Sources: Information is Beautiful, The Guardian, ReliefWeb, OECD, costofwar

lundi 18 janvier 2010

HAITI - What we can do for now

Haiti's tragedy has shocked everyone. The Internet is doing its part to help.

Here's what we can do at this very moment.

Financial Aid:

Musician Wyclef Jean's website - http://www.yele.org/

Donation page in the site: https://co.clickandpledge.com/advanced/default.aspx?wid=23093

Google's special page (post earthquake Google Earth's images included): http://www.google.com/relief/haitiearthquake/

List of major organizations accepting donations: http://mashable.com/2010/01/13/haiti-earthquake-donate-help/

To be on top of things going on:

Mercycorps' twitter : http://twitter.com/mercycorps

NY Times' twitter (which follows the Red Cross's, Catholic Relief Services' and Internet Haiti's) - http://twitter.com/nytimes/haiti-earthquake

CNN (same sources as NY Times' plus bloggers' and local twitter users' updates) - http://twitter.com/CNN/haiti

This blogger posts regularly: http://livesayhaiti.blogspot.com/

As all the links above are in English, a translation tool is available here: http://translate.google.com/?hl=pt#en|pt|

Do you want to act?

If you have a special skill and want to help, this organization is coordinating efforts and accepting help with online work; it also lists some of the disaster's initial figures: http://crisiscommons.org/wiki/index.php?title=Haiti/2010_Earthquake