Business Continuity Planning, Backup, and Recovery
An important strategy for organizations is to be prepared for any eventuality. A critical element in any security system is a business continuity plan, also known as a disaster recovery plan. Business continuity is the chain of events linking planning to protection and recovery. The purpose of the business continuity plan is to keep the business operating after a disaster occurs. The plan prepares for, reacts to, and recovers from events that affect the security of information assets, and provides for the subsequent restoration of normal business operations. The plan ensures that critical business functions continue.
In the event of a major disaster, organizations can employ several strategies for business continuity. These strategies include hot sites, warm sites, cold sites, and off-site data storage.
A hot site is a fully configured computer facility, with all services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations. Hot sites are fully staffed and include all the equipment, software, and communications capabilities of a primary location. The hot site can take over operations within an hour, and some hot sites can take over instantaneously. This is the most expensive of the three types of sites, but it provides the most effective disaster recovery solution.
A warm site provides many of the same services and options as the hot site. However, a warm site typically does not include the actual applications the company needs. A warm site does include computing equipment such as servers, but it often does not include user workstations. Warm sites are a compromise between hot sites and cold sites. Hot sites are too expensive for most organizations, and cold sites often take too long to reach full operation. Instead, the organization can identify what to stage at the warm site based on its needs. For example, the organization can stage some or all of the equipment at the warm site. It can keep the systems powered on, or power them on when needed. It can keep copies of data there, or copy the data after a disaster.
A cold site provides only rudimentary services and facilities, such as a building or room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user work stations.
Cold sites include power and connections, but that’s about all. There isn’t any equipment or data at the site. If a disaster occurs, the organization must send personnel and all the appropriate resources to the cold site to take over services. This is the cheapest to maintain, but it takes the longest to become operational. In some cases, organizations use a cold site if they don’t need to be operational for a few days after a disaster.
Off-site data storage, also known as vaulting, is a service that allows companies to store valuable data in a secure location geographically distant from the company’s data center. It is the strategy of sending critical data out of the main location. Data is usually transported off-site using removable storage media such as magnetic tape, optical storage, or USB drives.
Hot sites reduce risk to the greatest extent, but they are the most expensive option. Conversely, cold sites reduce risk the least, but they are the least expensive option.
Information Systems Auditing
Companies implement security controls to ensure that information systems work properly. These controls can be installed in the original system, or they can be added after a system is in operation. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security need to answer questions such as:
Are all controls installed as intended?
Are the controls effective?
Has any breach of security occurred?
If so, what actions are required to prevent future breaches? These questions must...