When disaster recovery's down to you

A look at what BS 25999 could do for your uptime issues

When a discussion turns to disaster recovery and business continuity planning (BCP), the talk of IT staff quickly turns to ensuring that system and service availability is raised "to five nines" -- an allusion to 99.999% annual availability or about 5 minutes of downtime per year.

Ponder, then, the numbering of BS 25999, a revision of the British Standards Institution (BSI)'s Publicly Available Specification 56 (PAS 56:2003) "Guide to business continuity management." No, they couldn't have. Could they? Did they? Oh, my head hurts.

From joke to disaster

It's no joke, however, when the task of disaster recovery planning (DRP) is dropped in the laps of information security managers and IT staff. Justification comes from the last part of the security "C-I-A triad" -- "availability." Following this logic, DRP becomes a security problem, and it's often handed off to an organization's information security officer or IT director with little or no support. The result is usually either a skimpy collection of procedures without a solid foundation in risk assessment, or a long-winded tome that overreaches the high-level governance and compliance requirements that can be predicted by IT.

In this context, a disaster recovery plan might do more harm than good. Thinking that disaster recovery is assured by a novice's tape backup rotation plan and off-site storage in a cabinet down the hall could lead to overconfidence, false attestations during audits or contract negotiations, or even encourage risky data, network, and service management. Confusing a data recovery procedure for a full-blown plan, or cognitively inflating a data-focused plan into a management policy and standards is dangerous stuff for the livelihood of a business.

Worse, there's the possibility that minimal action on the part of IT to protect information assets will cause senior management to cool its support for enterprise risk management, disaster recovery and business continuity. Organizations making the transition from small to medium size occasionally check disaster recovery off the list when they have information asset-preservation policies in hand, and neglect to scale up disaster response decisions and processes where they concern human safety. Therein lies real risk to real people.

A helping hand

What to do then, if an information security officer has DRP dumped on him or her, without requisite support? All is not lost; addressing DRP isn't a completely black art. There are trade magazines, countless books on the topic, and no shortage of consulting and service sales seminars from the likes of Sungard that offer a variation on the the response themes promulgated by the Federal Emergency Management Agency (FEMA). And then there's BS 25999.

In a nutshell, they'll all tell you to think first while you have the luxury of considering management and response options while not in a panic or on the receiving end of user fury. The content of a resulting plan is secondary, as even a poorly-sponsored, weak or untested plan is usually (though not always) better than being frozen in indecision during a disaster. Any plan that starts by making sure people are safe -- presumably deferring to an enterprise plan -- before considering computer systems and data is off to a fine start.

IT saves the company?

But we can do better than that. By understanding how IT disaster recovery fits into the bigger picture of enterprise response, IT and information security managers are in a better position than ever to support -- if not drive -- disaster recovery and business continuity efforts throughout the enterprise. Some might scoff that it's not a reasonable approach, and with good reason; this was a rosy dream until relatively recently. However, even with a light reading the layout and approach of BS 25999 looks very familiar to anyone who's used ISO 27001, and we can take a lesson from the evolution of the latter.

Learning from ISO 27001

A few years ago, a management mandate for IT to implement information security policy without support for enterprise governance would likely result in a mishmash of controls selected from the likes of ISO 17799, the HIPAA security rule, or predecessors of the Payment Card Industry Data Security Standard. Supporting security governance and risk management principles might be drawn from NIST documents or the preambles to the control recommendations, but IT would then be in the position of defending its assertions about how senior management should act. Even good suggestions from IT regarding governance were more likely than not to die for want of executive sponsorship... or even understanding.

It's hard enough to implement a decent risk management and control program without support; disputes between standards didn't help. Remember the rancor between NIST management recommendations (PDF format) and the rushed-to-press ISO 17799? Enter the revised standard, with its explicit separation of management systems and principles in ISO 27001:2005, and security control objectives (performance standards for whatever particular platform or technology one chooses) in ISO 27002. There's been a tremendous amount of harmonization of industry requirements and controls incorporated in these standards, such that it's possible to mix-and-match management and control objectives without fundamental disjoints in operation or auditability.

The key is that you can start at the bottom of the policy hierarchy with less risk than ever before. With increasing cross-industry consensus about the general form of information security management systems, it's quite possible to start defining low-level security policies and their technical implementations from ISO 27002 (or the Annex of ISO 27001) even before senior management considers a management system. In real terms, this means that it's a safe bet, for example, to develop a policy for secure application development using "A.12.2 - Correct processing in applications" from ISO 27001, even if it'll be years before the board is ready to tackle the issue of establishing a formal ISO-compliant Information Security Management System (ISMS). When management does get around to it, there's only a slim chance they won't follow the most common standard.

Moving forward

By the same measure, an IT organization that is given a mandate to implement DRP without any real enterprise DR or BCP context can still set the path and tone for the enterprise. BS 25999 is following the same path as ISO 27001, both in terms of increasingly-probable ubiquity as an ISO standard, and in terms of explicitly separating the management system for business continuity and disaster recovery from the controls.

Like ISO 27001, the "BS 25999-1:2006 Business Continuity Management -- Code of Practice" defines areas of a management system, from policy and program establishment, to audit, training and awareness. The next part, "BS 25999-2:2007 Specification for Business Continuity Management" feels much like ISO 17799 or its new incarnation as ISO 27002, despite the feel-good trappings of the Plan-Do-Check-Act (PDCA) terminology. Those looking for specific actions will spend time in section 4, "Implementing and Operating the BCMS."

Even without support for enterprise business continuity policy and disaster recovery procedures, IT can make progress with reduced risk of having to throw the effort out and re-fit it into another management scheme. The down side of course, is that ISO standards are not often free and available for download. By whatever means is appropriate -- through the materials provided for a class, shoulder-surfing, corporate purchase or a visit to the library -- If you're left on your own for BCP/DRP, have a look at BS 25999 resources and mappings, make an educated guess as to the risks and which controls are appropriate, and then start to address implementation.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a major refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon