Category Archives: Business Continuity Management

Outsourcing IT in the Third Sector

Information security in the 3rd Sector: does outsourcing IT represent a benefit or a risk?

While most of AMDS Consultants Ltd’s clients operate in the defence, security, transport and generic business process transformation markets, some of our recent information security work has been with the 3rd Sector. Our 3rd Sector practice includes charitable endeavours, the arts and civic organisations.

We recently concluded a major information security audit for an arts organisation, the main purpose of which was to assess their position against the PCI DSS framework for the management of debit and credit card transactions. Like many organisations in the 3rd Sector, this particular community had chosen to outsource their information technology function to a third party provider; this is a common approach across the entire market segment.

Important elements of such an approach are shown below:

a. Retaining sufficient expertise in-house, to be an intelligent IT service buyer

b. Ensuring that requisite SLAs (Service Level Agreements) are in place

c. Negotiating robust and effective contracts

d. Clearly articulating the third party’s place in your supply chain, and their responsibilities

e. Most importantly, ensuring that the third party will fully support you in information security

With these elements in place any information security assessment should go smoothly, provide significant benefit and present limited risk.

If, however, the IT provider chooses a different philosophy, as they did in our most recent 3rd Sector contract, then the possibility of a breach of the PCI DSS regulations becomes real, as do the concomitant fines. In particular, we found it remarkable that any third party paid to provide comprehensive IT support to an organisation in the 3rd Sector would see an information security audit as an opportunity to make a profit. By refusing to supply responses to questions about their approach to information security without receipt of a fee, they not only raised concerns over the robustness of their information management systems but also placed one of their most high profile customers at increased risk of a breach. If the level of PCI DSS fines being discussed were implemented, our client would face financial ruin.

The question that exercises us now is how typical of 3rd Sector IT providers this behaviour is. Does the generic IT service company see this market segment as easy pickings, dependent as it often is on a mixture of employed officers, administrative staff and willing volunteers? Perhaps the IT providers consider that the 3rd Sector lacks the commercial nous to properly manage the services these providers supply, and so use the 3rd Sector as a highly profitable dupe. Alternatively, we may merely have encountered a “bad” company, and the broader base of IT service providers is committed to comprehensive support for 3rd Sector clients.

Whichever scenario represents a true reflection of these relationships, before choosing to follow this route, the 3rd Sector must consider how much of a risk their provider presents.

In an information security context, risk is vested with the owning organisation, i.e. the buyer of the service, not the outsourced IT provider. It is the responsibility of the buyer to ensure that sufficient precautions are used by their IT providers to protect personal data in both storage and transmission. The buyer should also make sure that the supplier adheres to the appropriate information security standards as well as established best practice in their industry.

In the worst case scenario, where there has been a breach in data protection, any investigation would look first at the information security arrangements put in place by the buying organisation. If it is apparent that the buyer has not set appropriate information security standards and targets or has failed in their due diligence of the supplier then they will receive any penalty.

However, if it is clear that the buyer has done everything that is reasonably practical and the failure to protect information lies with their supplier then it will be the IT provider who will incur any fines deemed necessary.

Returning to the question posed at the outset: the ability of the 3rd Sector to successfully outsource IT services, in a world where the fines for information security breaches could cause financial ruin, is no longer dependent solely on making a well-founded choice of supplier. Successful supplier selection is not merely a combination of running a competition, setting generic performance standards, and placing the contract. In an increasingly connected world, where all IT service buyers carry data security responsibilities, the following additional essentials must be considered:

a. Buying intelligently

b. Addressing information security and data protection from the outset

c. Setting genuine information security performance targets

d. Clearly delineating responsibilities

e. Creating and managing a robust but collaborative relationship with the IT provider

The absence of any of these factors in the provision of IT supply increases risk and limits benefits.

Where’s my data?

Moving corporate data off-site to a cloud provider can make good sense; it will have levels of security, resilience and availability that it would not get in a local server room and at a lower cost. However, talking to a colleague yesterday reminded me that I have often spoken to businesses that do not know where their data is held. At least their IT department might know but the C-suite decision makers answer the question with: “It is in the cloud”. Asked to define the cloud many are surprised when they realise that cloud storage just means putting your data on somebody else’s server or servers.

Where those servers are physically sited can be an issue. I remember one CEO who threw a wobbler when he learned that his precious data was sitting in a datacentre in China. That was an extreme reaction but if you are possibly going to have your data stored on multiple sites in different countries and backed up elsewhere then you need to know where those locations are and to satisfy yourself that you are happy with the risk strategies, insurance and legal safeguards in place at these locations.

When working as a systems or solution architect among the questions I ask clients are: “Is your cloud provider reliable and trustworthy?” “Have you looked into their track record, size, stability?” “What insurance have they got in place?” “Has the provider been hacked or otherwise compromised?” (They will provide levels of security and resilience beyond the resources of most local datacentres but they are not invulnerable). “Can they provide 24/7 cover and support?” (If your business operates over the weekend you do not want your operating data stored with an organisation that goes home at five on Fridays).

There is a danger, too, in excessive reliance on a single supplier. Once your data is embedded with the supplier the cost and inconvenience of moving it to another supplier can make it impractical or you might end up running in parallel with two suppliers for a time. Some organisations get round this by having a primary cloud provider and a deep storage supplier.

If we accept that an organisation’s data is its most valuable resource then handing it over to another organisation should only be done after a good deal of due diligence, investigation, visits to the datacentre, talking to other customers of the provider, the entire process. It might also be worth calling in a consultancy to review or design your cloud storage. A little extra up-front cost but a lot of extra peace of mind.

Nine errors of process with Business Continuity Management

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM, but from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients we have selected nine of the most common errors of process, and potentially the most damaging. The good news is that if you are concerned about your plans, these errors are all simple to correct.

There is a series of essential steps in implementing business continuity management, covering the development, maintenance and implementation of business continuity plans. Errors of process are evident where no framework is used to guide the implementation of business continuity management, where experienced business continuity professionals are not called upon to share their experience, and where the organisation loses focus. This can give rise to errors such as:

  1. “We’ve got business continuity plans… now let me see, where are they?”
  2. “Head office created some plans last year so I think we’ve got it covered”.
  3. “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?”
  4. “Great communication plan, but what happens when your communications infrastructure is lost?”
  5. “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room”.
  6. “We back up our data regularly but have never tested the backups in anger”.
  7. “We’ve got very strong IT security controls in place”.
  8. “We invested in a fantastic DR facility about 5 years ago”.
  9. “A grab bag is a waste of money”.
1. “We’ve got business continuity plans… now let me see, where are they?”
Fallacy: Plans that are created and then left to gather dust will quickly be out-of-date and forgotten. If they’re not relevant and readily available you might as well not bother having them.
Fix: Make business continuity a consideration in every strategic decision that you make. Besides highlighting the importance of business continuity, this results in more robust strategic decision-making, because considering business continuity means identifying organisational weaknesses, potential points of failure and dependencies that affect the organisation’s ability to manage and recover from incidents. Review the plans quarterly.

2. “Head office created some plans last year so I think we’ve got it covered”
Fallacy: Planning that does not involve the staff affected, and plans which are not tested, are usually flawed. They are not ‘owned’ by the people who may have to implement them and they will have key procedural weaknesses.
Fix: Engage relevant staff in the planning process and test the plans in either a desktop or a blue-light exercise.

3. “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?”
Fallacy: Unclear and un-communicated roles and responsibilities result in confusion and delays during an incident.
Fix: Identify, document and communicate the incident ‘command structure’ and the associated roles and responsibilities.

4. “Great communication plan, but what happens when your communications infrastructure is lost?”
Fallacy: Communication is often a serious challenge during an incident. There are numerous scenarios where things go wrong. If you lose power on an unmanned site, or when no one is in, how will you be informed? If your telephone network goes down (including mobile, as can happen in some companies and some disaster situations), how will you communicate?
Fix: Document your communication plan and think through numerous, relevant scenarios. Depending on your circumstances there are options available for every situation, such as installing a failover system, contracting with a third party to monitor your unmanned site, and giving alternative communication tools to key staff members.

5. “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room”
Fallacy: Unfortunately Jimmy, Dave and the server room might all become unavailable at the same time, and in an instant your business is crippled.
Fix: Store passwords in at least two geographically distinct locations and make sure that details of those locations, and access to them, are known to people who don’t usually work in the same place together.

6. “We back up our data regularly but have never tested the backups in anger”
Fallacy: Unfortunately backups do fail, and so do recovery procedures. Also, backups can be lost or inaccessible during a disaster situation.
Fix: Design a thorough backup testing procedure that covers all of your systems and run tests at regular intervals. Also test scenarios where backups from your normal backup site are not available.

7. “We’ve got very strong IT security controls in place”
Fallacy: These days this is indeed the case in most organisations. It is important, though, not to take your eye off the ball during an incident; when you are vulnerable you are likely to be attacked, and the threats may be internal and external.
Fix: Include in your business continuity plans provisions to maintain high levels of IT security during an incident. Appoint an IT security officer to your disaster recovery team and make sure that you continue to monitor your systems for threats.

8. “We invested in a fantastic DR facility about 5 years ago”
Fallacy: Disaster recovery facilities need to be kept up-to-date just as any other normal office facility does. Outdated assets like computers, printers, electronic screens and telephony systems might not work when you need them, either because they’re old or because they’re no longer compatible with your infrastructure.
Fix: Keep an inventory of DR facility assets, and update and test them on the same schedule as all other office equipment.

9. “A grab bag is a waste of money”
Fallacy: Incidents can happen at any time of the day or night, whether or not key business continuity people are in the office. Even with the advent of mobile technology, hard copies may come in handy. The important thing is that somebody will need to ‘grab’ a copy of the business continuity plan, essential contact details, directions to recovery sites and other emergency reference material and supplies so that your well thought out plans can be implemented.
Fix: Put a grab bag with all the contents mentioned above next to the main emergency exit of every building.

Nine errors of understanding with Business Continuity Management

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM, but from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients we have selected nine of the most common errors of understanding, and potentially the most damaging. The good news is that if you are concerned about your plans, these errors are all simple to correct.

Comprehension of business continuity management is related to a person’s knowledge of or familiarity with the subject. Most people charged with responsibility for an organisation’s business continuity management are not trained or experienced in it, and hence errors of understanding are common, such as:

  1. “Skip the business impact analysis, let’s get on with planning!”
  2. “Why did you get that system up-and-running first when this one is more important!?”
  3. “Business continuity is someone else’s department”.
  4. “The IT department is responsible for our business continuity plans”.
  5. “Only a few people need to know what our business continuity plans are”.
  6. “In business continuity planning, you can’t overdo the detail”.
  7. “A disaster in our organisation won’t attract media attention”.
  8. “Our insurance policy gives us adequate cover”.
  9. “Business continuity management does not affect our business insurance premium”.


1. “Skip the business impact analysis, let’s get on with planning!”
Fallacy: If you don’t identify and assess critical business activities before creating your plans, you will create plans that do not give you the best chance of speedy recovery. Business leaders are often surprised by the outcomes of the business impact analysis, learning what really makes the business tick and how long activities could be interrupted for before the business shuts down.
Fix: Give the business impact analysis your full attention!

2. “Why did you get that system up-and-running first when this one is more important!?”
Fallacy: This is a very common issue, usually resulting from non-existent or poor business impact assessment, a lack of communication between the business and IT, or political issues clouding decision making. It is important to be selective about which IT systems to bring back online first, and it should be those that are required by the most important business functions, the ones that need to be recovered the fastest in order to ensure business continuity.
Fix: Get buy-in from the business into business continuity management, conduct thorough business impact analyses, assess and invest in closing the gap between the business requirements and the IT department’s capability, and keep plans up-to-date.

3. “Business continuity is someone else’s department”
Fallacy: The less obvious flaw in this logic is that if you leave business continuity planning to others then your department’s priorities will not be properly understood and accounted for in the plans. Your department might be the one department that, if not up-and-running first after an incident, brings the whole business down.
Fix: Treat business continuity as a discipline in its own right, make the process of planning and management collaborative, and put the most senior executive in charge.

4. “The IT department is responsible for our business continuity plans”
Fallacy: The priorities of the whole business need to be understood before business continuity plans are created. You’ve got to consider the true resilience of your organisation to determine where, and in what order, to channel your resources following an incident. Individual departments are unlikely to understand the full picture.
Fix: Treat business continuity as a discipline in its own right (for example, don’t make it a part of risk management), make the process of planning and management collaborative, and put the most senior executive in charge.

5. “Only a few people need to know what our business continuity plans are”
Fallacy: Almost every employee should be familiar with the elements of business continuity plans that affect them. This should include not only emergency procedures but also, for example, social media policies that govern communication during an incident. It is often useful to let clients, partners and suppliers have access to your continuity plans. And there are even situations when you should share continuity plans with your competitors.
Fix: In your business continuity communication plan, assess the stakeholders and willingly and openly share relevant information.

6. “In business continuity planning, you can’t overdo the detail”
Fallacy: It is very easy to get bogged down in detail, trying to identify every eventuality and to plan for its occurrence. You then end up with a massive plan, a tome of a document that is impossible to use effectively.
Fix: Of course, do mitigate key risks with sensible solutions (for example, if you’re in a flood plain, build flood defences), but for business continuity plans, keep things simple. There are three main incident types that you can plan for generically: 1. Denial of access to buildings and facilities. 2. Loss of people. 3. Loss of IT and communications. It rarely matters what has caused the issue; the key thing is for you to plan your response.

7. “A disaster in our organisation won’t attract media attention”
Fallacy: Your business may be small and uninteresting to the public, but some disasters, because of their very nature, will always attract media attention. Significantly, social media enables almost instant communication to millions of people, and as a result your disaster might very quickly become national news.
Fix: Include in your business continuity plans a public relations plan that covers all media (press and social). Build an organisation culture of healthy respect for the use of social media. Put policies in place, update employment terms and conditions, educate staff, lead by example and correct inappropriate behaviour. Know the social media landscape: find out which Twitter, Facebook and other social media accounts have connections to your organisation, who updates them and what they are saying. Keep this information up-to-date in your business continuity plans because you might need it when a disaster strikes. Monitor the landscape and respond to trends where appropriate. Develop a clear social media strategy to be implemented in the event of a disaster. This strategy should be part of your business continuity plans and should include actions and persons responsible for monitoring trends, communicating messages and rapidly addressing non-compliance with policies.

8. “Our insurance policy gives us adequate cover”
Fallacy: This may indeed be true, but financial support might not be all you need from your insurer. Rapid response (minimum red tape, quick decision making, and fast release of cash) is not always forthcoming from insurers, and this may be the difference between survival and failure for your organisation.
Fix: In your business continuity plans, address how reimbursement occurs (how and when will loss assessments be done, and how quickly will payments be made). Wherever possible and relevant, pre-agree scenarios and decisions so that you can take action without seeking approval.

9. “Business continuity management does not affect our business insurance premium”
Fallacy: It is not unheard of, but it is unlikely, that implementing business continuity management will lead to an agreement from an insurer to reduce your current premium. What is likely is that when your insurer next assesses your business, your premium will not increase as much as it would have done. Some insurers will even pay for or contribute to your cost of implementing business continuity management.
Fix: Discuss with your broker the impact of business continuity management on their assessment of your business’ risk.

Four errors of judgement with Business Continuity Management

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM, but from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients we have selected four of the most common errors of judgement, and potentially the most damaging. The good news is that if you are concerned about your plans, these errors are all simple to correct.

Decisions about business continuity management are often clouded by a lack of appreciation of its importance and relevance, particularly when it is weighed against other decisions that have to be made or business activities that have to be carried out, and objectivity can be compromised in highly political environments. That leads to errors such as:

  1. “Scare tactics will engage senior management in business continuity management”.
  2. “Business continuity planning and management is not important right now”.
  3. “We’re only a small business; we don’t need business continuity plans”.
  4. “Business continuity management should be justified like all other investments”.

1. “Scare tactics will engage senior management in business continuity management”
Fallacy: Senior managers are usually busy people and getting their attention can be very difficult, particularly for activities like business continuity management, which is often perceived to be unimportant right now. Scare tactics sometimes work, but more successful approaches are available.
Fix: Educate senior managers by emphasising that business continuity management is an element of good governance which aims to increase resilience, minimise downtime and reduce the risk of organisational failure. Keep the discussion practical by describing the impact of downtime on their objectives and the usefulness of business continuity management in preventing downtime and keeping it to a minimum. Explain that when tendering for new business you can achieve competitive advantage by demonstrating your resilience. Run a short, simple and realistic desk-based scenario to highlight your arguments.

2. “Business continuity planning and management is not important right now”
Fallacy: This could not be further from the truth. You cannot predict when disaster will strike. Something could be happening right now whilst you’re reading this. If you’re not prepared you will have nothing but regrets (visit us at http://continuity.charteris.com/about-business-continuity-management/what-could-happen/ to read what happened to other people).
Fix: Make time for business continuity planning.

3. “We’re only a small business; we don’t need business continuity plans”
Fallacy: Small businesses tend to be the least resilient because there are more single points of failure. Loss of one member of staff with important knowledge, failure of one key item of equipment, or loss of one key customer due to loss of one key supplier can all spell disaster. Simple plans can mitigate these risks, reducing the chance of the loss but also ensuring that you’re properly covered, for example with the right insurance.
Fix: No business is too small to give business continuity management some consideration.

4. “Business continuity management should be justified like all other investments”
Fallacy: Business continuity should be regarded as a cost of doing business. Like risk management, it does not in itself deliver business benefits, but there is an opportunity cost of not doing it. The good news is that in many organisations the implementation of business continuity management results in the identification of process improvements, over-commitment to insurance cover and excessive disaster recovery assets. In some organisations where business continuity software is introduced, the introduction of business continuity management can even lead to headcount reduction.
Fix: Use the introduction of, and the process of, business continuity management as an opportunity to identify organisation weaknesses and overspend on risk mitigation, but don’t expect it to show a return on investment as you would from other investments.
