This is the first of a series of articles concerning Business Continuity, Disaster Recovery and Information systems.
Many of us are very conscious of what information we require to make decisions and carry out business functions, and of the value of that information. Others are less aware of what information is required and what it is worth. Nevertheless, we cannot deny that information is a precious form of asset. That is why we are prepared to exchange other assets (usually money) for good and reliable information.
One of the most important goals of individuals and organizations is to ensure continuity. To ensure continuity (going concern) we make use of many resources. The unavailability or impairment of some resources will threaten continuity and affect our chances of success and sometimes our chances of survival. One of these important resources is information.
The subject of information and sources of information is vast. Here we are only going to address one important aspect and source of information: Computer Information Systems.
Most assets used in ensuring continuity have two values. The intrinsic and the "consequential" value. The intrinsic value is the cost of acquiring and maintaining the asset. The "consequential" value is the loss that could be incurred if the asset was impaired or destroyed. The intrinsic value of computerised information is made up of:
· The cost of acquiring the means for storing, structuring, maintaining and delivering the information (computer systems).
· The cost of gathering, analyzing, maintaining and delivering the information on an ongoing basis (business functions).
The "consequential" value of computerised information is the potential loss (revenue, ability to service) if the information was destroyed/corrupted or could not be delivered on time.
We can insure the intrinsic value by purchasing insurance policies which will finance the replacement of assets. We can also insure the "consequential" value by estimating the loss of revenue and purchasing insurance accordingly. But while most tangible assets can be replaced, we cannot buy information to replace information that has been destroyed or lost. Lost or corrupted information has to be reconstructed, and the time this takes is what affects continuity.
Apart from insurance, there are some peculiarities in the protection of information systems. It is essential that crucial or important information systems be secured so that they can be recovered. Definite measures must be put in place to protect information systems against corruption. While most people can read and interpret written, audio or visual information, computerised information requires sophisticated equipment and systems for interpretation and delivery. Contingency plans must be developed to ensure the means of recovering, maintaining and delivering the information in cases of failure.
Although computerised information systems are crucial to the survival of many organizations, it is surprising how little attention is given to their protection by top management in certain organizations. The reasons for the lack of contingency plans and firm policies are often the following: no time or resources, no money, ignorance of the potential hazards, ignorance on the part of top management as to the potential consequences, and so on. All of these stem from a failure to identify threats and measure risks, which is what objective decision making requires. It is definitely a responsibility of the Executive to ensure adequate protection.
When we look at an organization, we study annual reports, look at balance sheets, study profit margins and look at liquidity ratios to reassure ourselves that the "going concern" principle is followed. However, we take for granted that the organization has adequate measures to protect its information assets. Apart from studying the balance sheet etc… we should also ask how critical the computerised information systems are and how well protected they are.
There can be definite legal implications if organizations are proved to be negligent in protecting important assets. The same applies to information and information systems. There is a definite responsibility to the public, shareholders and customers to ensure continuity of business.
Establishing contingency plans to ensure business continuity and instituting measures to minimise the risk of disasters and loss or corruption of information can be expensive and complex. How much is too much? How much is not enough? The questions cannot be meaningfully answered by theoretical assumptions and gut feel. A rational approach must be adopted through proper risk analysis. Only if we know what the information is worth and how high the risks are can we decide how much to pay to protect it.
The risk analysis should be carried out as follows:
· Establish the intrinsic value of the information by identifying the costs incurred in producing, maintaining and delivering it (e.g.: developing systems, programming, collection, computer hardware and software etc...).
· Establish the "consequential" value of the information by quantifying the loss (e.g.: revenue, services, market share) that would be incurred if the information was unavailable, lost or corrupted. Here it is important to measure loss over a time period. How long after the loss, unavailability or corruption of information does the loss become unacceptable?
· Add the two results together and the value of the information is obtained.
· Establish the threats to the integrity and availability of the information and to the ability to deliver it. Threats are not a measurement of the risks. Threats are potential incidents that could affect the information. Different threats exist in different physical and business environments. For example, the potential flooding of a river situated ten kilometres away would not be a threat unless the flood could bring down network communication lines.
· Quantify the risks attached to the identified threats. In other words, how likely is the occurrence of a threatening incident? How high is the risk? Historical information relating to the actual or similar environments can be helpful.
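The steps above can be carried through as a small calculation. The following Python is an added illustration and is not part of the original article: the asset, threat and control figures are constructed for the example, and the convention of multiplying each threat's annual likelihood by the loss of one incident (an "expected annual loss") is an assumed, commonly used way of quantifying the risk, not a formula the article states. It keeps the article's distinction between intrinsic value (which must be spent again to reconstruct destroyed information) and consequential loss, and models the consequential loss as a function of outage duration with a window after which the loss becomes unacceptable.

```python
"""Worked risk analysis for one computerised information asset.

Added illustration; the figures are constructed and the "expected annual
loss" convention (likelihood x loss per incident) is an assumed practice,
not a formula from the article.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class InformationAsset:
    name: str
    intrinsic_value: float     # cost to produce, maintain and deliver the information
    loss_per_hour: float       # revenue/service lost for each hour it cannot be delivered
    tolerable_hours: float     # how long an outage can last before the loss becomes unacceptable
    unacceptable_loss: float   # additional loss once that window is exceeded (contracts, market share)

    def consequential_loss(self, outage_hours: float) -> float:
        """Loss from unavailability, measured over the duration of the outage."""
        loss = min(outage_hours, self.tolerable_hours) * self.loss_per_hour
        if outage_hours > self.tolerable_hours:
            loss += self.unacceptable_loss
        return loss

    def value(self, outage_hours: float) -> float:
        """Intrinsic plus consequential value for an outage of the given length."""
        return self.intrinsic_value + self.consequential_loss(outage_hours)

    def loss_from_incident(self, outage_hours: float, data_lost: bool) -> float:
        """Loss of one incident; destroyed information must be reconstructed at its intrinsic cost."""
        loss = self.consequential_loss(outage_hours)
        if data_lost:
            loss += self.intrinsic_value
        return loss


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # from historical data for this or a similar environment
    outage_hours: float        # expected time before delivery is restored
    data_lost: bool            # whether the information itself must be reconstructed


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    applies_to: Optional[FrozenSet[str]] = None   # threat names affected; None means all
    probability_factor: float = 1.0               # multiplies likelihood (0.5 halves it)
    outage_cap_hours: Optional[float] = None      # bounds the outage, e.g. a tested restore time
    prevents_data_loss: bool = False

    def apply(self, threat: Threat) -> Threat:
        """Return the threat as it would look with this control in place."""
        if self.applies_to is not None and threat.name not in self.applies_to:
            return threat
        hours = threat.outage_hours
        if self.outage_cap_hours is not None:
            hours = min(hours, self.outage_cap_hours)
        return Threat(threat.name, threat.annual_probability * self.probability_factor,
                      hours, threat.data_lost and not self.prevents_data_loss)


def expected_annual_loss(asset: InformationAsset, threat: Threat) -> float:
    return threat.annual_probability * asset.loss_from_incident(threat.outage_hours, threat.data_lost)


def total_expected_annual_loss(asset: InformationAsset, threats: List[Threat]) -> float:
    return sum(expected_annual_loss(asset, t) for t in threats)


def evaluate_control(asset: InformationAsset, threats: List[Threat], control: Control) -> Dict[str, float]:
    """Compare expected annual loss with and without the control against its annual cost."""
    before = total_expected_annual_loss(asset, threats)
    after = total_expected_annual_loss(asset, [control.apply(t) for t in threats])
    return {"ale_before": before, "ale_after": after,
            "annual_cost": control.annual_cost,
            "net_benefit": before - after - control.annual_cost}


# Constructed figures for the example (not taken from the article)
ASSET = InformationAsset("order processing database", 400_000, 5_000, 48, 1_000_000)
THREATS = [
    Threat("disk array failure", 0.20, 12, False),
    Threat("ransomware corruption", 0.10, 120, True),
    Threat("flood cutting communication lines", 0.02, 72, False),
]
BACKUP_CONTROL = Control("tested offline backups, 24h restore", 30_000,
                         frozenset({"disk array failure", "ransomware corruption"}),
                         outage_cap_hours=24, prevents_data_loss=True)
COMMS_CONTROL = Control("second communication link", 20_000,
                        frozenset({"flood cutting communication lines"}),
                        outage_cap_hours=4)

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: expected annual loss {expected_annual_loss(ASSET, t):,.0f}")
    for c in (BACKUP_CONTROL, COMMS_CONTROL):
        r = evaluate_control(ASSET, THREATS, c)
        print(f"{c.name}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"cost {r['annual_cost']:,.0f}, net benefit {r['net_benefit']:,.0f}")
```

With these figures the ransomware scenario dominates the expected loss because it both exceeds the tolerable window and destroys information that must be reconstructed, so the backup control pays for itself several times over while the second communication link is only marginally justified. The point is the method, not the numbers: the likelihoods should come from the organisation's own history or that of similar environments, as the step above says, and the outage durations from tested recovery times rather than estimates.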
At this stage we have the correct information that should remove the uncertainty of theoretical assumptions and we can focus on the problem at hand. This will definitely lead to more effective management decisions and allow us to be cost effective.
Since we have now established the value of the information, the potential threats and quantified the risks we can identify and assess potential solutions.
The next goal to be achieved is to develop preventative solutions that could remove the threats or minimise the risks. These solutions can take different forms. Solutions such as defensive systems (fire detection and suppression etc...), protection systems (logical and physical access control), change control procedures, development and enforcement of policies, regular audits and effective, tested information backup should be considered. The often used "prevention is better than cure" is very appropriate in minimising risks.
Once we have removed threats or minimised risks at an acceptable cost, we must consider contingency plans to address scenarios where preventative measures have failed. Here the time criticality of information and the availability of delivery systems are of crucial importance. Each organization will have different needs and complexities to be addressed. This is where the disaster recovery planning process will begin and address worst case scenarios. This is sometimes the more complex and costly exercise but is a key component of the overall strategy for protecting assets and ensuring business continuity.
Effective disaster recovery planning is the subject of my next article http://disaster-recovery-planningcontinuity.blogspot.com/ on business continuity and information systems.
Copyright José Masson All rights reserved. Copying and publishing the content without prior written permission is prohibited.