How the cloud facilitates crisis management
Business continuity information in the cloud holds the key to faster recovery says Matt Gordon-Smith.
One of the most important elements in business continuity planning is ensuring that there is access to the information and data that will guide the crisis management team from the point that an incident is declared.
Access to, and availability of, the crisis management plan can easily be overlooked during the planning process, but it plays a critical role in steering the organization through the initial stages of a crisis. Here we explore the role of cloud solutions to maintain access to this critical information during a crisis and how this can allow organizations to recover faster and more effectively.
Business continuity documents: the basics
This would typically include the communications plan, contact trees and contact details for clients, vendors and suppliers as well as processes for accessing disaster recovery systems and detailed recovery information for different sites. This ensures that plans can be implemented as required and that all necessary communications are made to staff, clients, stakeholders and press, in a timely manner, during the crisis.
In fact, many organizations are reliant on their own infrastructure to store and provide access to this information. In some cases, plans may be printed documentation which is all in one location, or split across multiple locations or, where there is online information, it is all stored on one internal system.
When an incident occurs, be it a region-wide power outage, or where access to the building is restricted, it is critical to get access to the right information and processes to follow. It is all too easy to become complacent and assume that we can access a telephone number on a phone but if that number is held in a central address list on an internal server that is no longer available then we can't access the email or number to call.
Even if data is stored online, a widespread issue affecting both the access point and data location will mean this is unavailable at the time of a crisis. Similarly, any loss or corruption of data on a primary system that is not replicated to an alternative system will severely hinder the recovery process.
The cloud: access, availability and security
Practical consideration also needs to be given to access mechanisms, for example: how will people be able to access this information from different locations, using business PCs, home PCs or mobile devices? If a building is evacuated and all the business PCs and laptops are still in there, how will the information be accessed?
Entrusting this information to a reputable cloud provider will ensure wider availability, and will typically ensure that there is no single point of failure or shared reliance between the primary system and cloud-based document storage. This is to provide as much assurance as possible that it will be available and that, in the event of a failure of the primary system, the secondary system is still available.
As the information within these documents will undoubtedly contain sensitive and personally identifiable information, it is essential that the correct protective mechanisms are in place to maintain the confidentiality and integrity of the data. Critical data of this kind typically contains key business information and personal data such as contact details and highly technical information within business resumption plans for the technology. The more data you need to have available and the more available you make it, the more controls are needed to ensure that this information does not fall into the wrong hands.
Testing the process
However, it is also important to strike a balance between security, availability and awareness. The more security controls that are in place, the more important it is to test that the right staff can access the information they will need in a crisis. With more controls in place, there can be a risk that people know where the data is but cannot access it because, for example, the password has expired and the account is locked. Likewise, you should test the restrictions on which network you can access the data from, as this may change if the primary access point is down or the office is inaccessible.
Further, organizations should ensure that the cloud provider can address their compliance needs. For example, for personal data, UK and EU organizations must ensure that controls are in place to comply with data directives controlling who has access to data and how it is transmitted. Organizations should work with cloud providers that have demonstrated that they take security seriously and can provide full assurance of their security credentials.
Finally, having put these measures in place, how can organizations make sure that staff remember how to access this information in the event of an incident or outage? Critically, all plans should be tested regularly, to make sure the right people know what they're doing, this should include exercises for staff on how to access information in different scenarios. If people managing the crisis don't know where to find the information, then all investments in a resilient solution will be wasted.
The moments after an incident has occurred are critical; the availability and security of the information that will be needed in the immediate aftermath is one of the most important elements in ensuring that the path to recovery is as fast, efficient and effective as possible.
Author: Matt Gordon-Smith is director of security at Attenda.
•Date: 14th March 2013 • World •Type: Article • Topic: Crisis management
To submit news stories to Continuity Central, e-mail the editor.
Want an RSS newsfeed for your website? Click here