recent developments in disaster recovery planning
TRANSCRIPT
Vol. 11, No. 3, Page 12
However, once cabling leaves the premises, an organization must rely on the carrier to provide a suitable secure environment. To some extent carriers do protect their cables and routes, although there are still a considerable number of weaknesses in their physical security provisions. While carriers will seek to assure an organization that any remedial action necessitated by a break in the network will be speedily undertaken, there will undoubtedly be delays and disruptions. It is too late to review the physical security of the network after a breach has occurred, and it is therefore advisable to examine the total physical network to reduce the risk of disruption and to enhance resilience to the level expected of - and required by - the organization. In such instances there will be a need to review the envisaged risks against the cost of providing protection and make a clear decision on the level of risk acceptable to the organization.
Logical access
Logical access to the data network cannot realistically be controlled to ensure that only valid, authorized users are allowed access. Such controls can only be imposed at the access node to the computer system software. Even then, it may not be possible, and a layer of control to verify logical access may have to be interposed between the operating system and the application system software. Operating systems currently being developed do consider the security provision - albeit superficially in most cases. It is therefore usually the responsibility of the application system owner to define what access control limitations he requires and to ensure these are provided.
This requirement is likely to become more important as Personal Computers and distributed processing encourage the development of powerful business computers at insecure locations remote from central controls.
To provide such security will require users and developers of applications to be more aware of the risks and to develop a corporate security policy which is seen to be beneficial to the organization.
Bill Farquhar
BIS Applied Systems Ltd
UK
CONTINGENCY PLANNING
RECENT DEVELOPMENTS IN DISASTER RECOVERY PLANNING
Some interesting developments have emerged in the contingency planning area which seek to address the root cause of some of the current shortcomings in disaster recovery. These are:
- assured equipment delivery schedule
- off-site backup for PC users
- risk analysis in system design
- intelligent buildings.
Any victim of a serious physical computer disaster such as fire or explosion knows that it can be an extremely protracted process negotiating with the insurance loss adjuster to argue over which equipment should be written off and replaced, which can be cleaned and recommissioned, and which equipment has not suffered any physical damage from the disaster. Moreover, the equipment vendors may not extend their existing maintenance contract to cover any item of equipment in the disaster location, e.g. computer room, whether or not physical damage is visible, in case the electronic components have been contaminated by the products of combustion or the chemicals used in fire fighting, compromising their long-term reliability.
COMPUTER FRAUD & SECURITY BULLETIN
(c)1989 Elsevier Science Publishers Ltd., England. /89/$0.00 + 2.20. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
Vol. 11, No. 3, Page 13
Those victims who have subscribed to a standby processing service from a commercial organization may have to settle for a long stay there before any full scale system recovery can be initiated on their own premises. For others who have not made such standby arrangements beforehand, the potential impact on business through extended loss of computing or communications support could prove extremely damaging.
Help is on hand to break such deadlocks. A new recovery service is being introduced by a UK company called Barian Rescue to guarantee timely delivery of the full replacement configuration of equipment to a designated building location, regardless of whether some of the equipment involved in a physical disaster can be reused, cleaned or not. This would help to reduce the disaster victim's consequential loss arising from both extended business interruption and additional operational costs incurred in the interim before full resumption of system working. Also the standby processing companies would benefit from a reduced occupancy period on their standby equipment and may be able to enlarge their list of subscribers.
But what would happen to the equipment which then became surplus after the disaster? These items will be resold on the computer broking market and any profit or loss incurred in the process will be split equally between the Rescue Service and the disaster victim. Barian intends to serve the medium to large IBM system market initially and will then extend its service to other hardware products according to market demand.
Off-site backup for PC users
One of the Achilles' heels in most organizations is the difficulty of enforcing on corporate PC users the practice of keeping backups of programs and data files off-site, whether the PCs are used for standalone applications or connected to the corporate network. A physical disaster which totally destroys the PC systems on site could render such applications totally irrecoverable, with associated penalties on their business users.
Off-site file backup offered by commercial service companies such as Citidata in London is now being extended to cover the storage of PC diskettes for companies already using their off-site storage facilities to hold backup tapes and disks for their host computers. This is a major step forward when planning for the entire organization's contingency and business continuity in the face of a major building disaster.
For the service to work, individual organizations would need to coordinate their data processing off-site storage practice and procedures with their PC users to ensure the latter understand and appreciate the rationale behind off-site file storage. These may be supplemented by the provision of containers to receive diskettes at a number of collection points in the building. Proper control procedures would need to be instituted to issue regular reminders, e.g. weekly, to PC users to take backups and to liaise with the Data Processing Department for their remote storage.
Risk analysis in system design
The traditional approach of contingency planning is to rely on Computer Operations to make the necessary provisions for existing production systems, while new system developments rarely take into account the needs for data and system backup and disaster standby in the various stages of logical and physical design and implementation. In actual fact, a simpler and easier approach would be to carry out detailed design and specification, to explore the security and backup needs of any time-critical business requirements on the system, and then to determine the relative priorities for protection and backup of the various key business processes, system processors, datasets, communication circuits, lines, and modems.
Vol. 11, No. 3, Page 14
BIS consultants have successfully applied the CRAMM risk analysis and management methodology (developed by BIS for the CCTA for use in the government sector) on a number of development projects involving the stipulation of an appropriate security policy and the necessary security and control framework for new business systems or communications networks in their early phases of design and development. We have found in each case that the results of our risk analysis have enabled us to cost-justify many of the system resilience features as well as the various operational backup and disaster recovery provisions stipulated in the control framework as being required for the system or network.
The same process should also apply to the area of change control and management of computer systems. The original system may be extended or enhanced beyond recognition to serve a much enlarged and diverse international user community, with connections to other external networks and services, whereas the original system or network was only designed with controls intended to serve a limited number of internal users in a closed network within the UK.
In some cases, we have emphasized to our clients the need to review their change control procedures to ensure that any major changes to hardware, software, communications facilities or user communities are carefully reviewed with all parties concerned, i.e. operations, systems, users, communications support, international audit, etc., regarding their perception of new risks and new control and recovery requirements. There should be control mechanisms built into the change control procedures on when to trigger a risk analysis and when to conduct a security review to check the satisfactory implementation of new controls and disaster standby provisions.
Intelligent building
This is the concept of applying a proactive approach to cable management in the interior design of high-tech buildings by ascertaining the office and data communication requirements of various office and support areas and their interconnection and diverse routing in advance of the building and structural design. By incorporating the need for inter-connectivity, not simply to meet current business needs and projected growth, but also to incorporate system resilience features, one can group cables into small units to serve individual groups of users so that the disruption of one group will not affect the workings of other peer groups, or so that any isolated unit or single point failure can be rerouted or backed up by built-in inter-connected links.
Similarly other redundancy features can be incorporated in the building design, including the diverse routing of external cabling to separate telephone exchanges, dual power supply from different parts of the national electricity grid, 100% independent backup capacity and full modularity of all environmental control units, with secure location of pipe-work and conduits. This would be supplemented by the provision of diverse cable risers, and cable closets for the building’s local area networks arranged in some tree structure formation to enhance their resilience to single point disruptions.
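The single-point-failure reasoning behind diverse risers and dual exchange routing can be checked on paper before the building is designed. The following is an added example, not part of the bulletin article: it models two constructed cabling topologies (a single riser versus diverse risers with two exchange feeds) as graphs and lists every node whose lone failure cuts some wiring closet off from every external exchange. Node names are assumed for illustration.

```python
from collections import defaultdict

def build_adjacency(edges):
    """Undirected adjacency map from a list of (node, node) cable links."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def groups_cut_off(edges, exchanges, groups, failed=()):
    """Return the user groups (wiring closets) that can no longer reach any
    external exchange once the nodes in `failed` are out of service."""
    adj = build_adjacency(edges)
    failed = set(failed)
    reachable, stack = set(), [x for x in exchanges if x not in failed]
    while stack:
        n = stack.pop()
        if n in reachable:
            continue
        reachable.add(n)
        stack.extend(m for m in adj[n] if m not in failed)
    return {g for g in groups if g not in reachable}

def single_points_of_failure(edges, exchanges, groups):
    """Every node (other than a user group itself) whose lone failure cuts at
    least one user group off from all exchanges."""
    nodes = set(build_adjacency(edges)) - set(groups)
    return {n for n in nodes if groups_cut_off(edges, exchanges, groups, [n])}

# Constructed sample topologies (hypothetical node names).
GROUPS = ["closet_1", "closet_2", "closet_3"]
SINGLE_RISER = [("exchange", "comms_room"), ("comms_room", "riser"),
                ("riser", "closet_1"), ("riser", "closet_2"), ("riser", "closet_3")]
DIVERSE_RISERS = [("exchange_a", "comms_a"), ("exchange_b", "comms_b"),
                  ("comms_a", "comms_b"), ("comms_a", "riser_a"),
                  ("comms_b", "riser_b"), ("riser_a", "riser_b"),
                  ("riser_a", "closet_1"), ("riser_b", "closet_1"),
                  ("riser_a", "closet_2"), ("riser_b", "closet_2"),
                  ("riser_a", "closet_3"), ("riser_b", "closet_3")]

if __name__ == "__main__":
    print("single riser SPOFs:", single_points_of_failure(SINGLE_RISER, ["exchange"], GROUPS))
    print("diverse risers SPOFs:", single_points_of_failure(DIVERSE_RISERS, ["exchange_a", "exchange_b"], GROUPS))
    # Diverse routing removes single points, but a double fault still isolates users.
    print("both risers lost:", groups_cut_off(DIVERSE_RISERS, ["exchange_a", "exchange_b"], GROUPS, ["riser_a", "riser_b"]))
```

The same check can be rerun whenever a change-control request alters the cabling, which is the trigger point the change control procedures above are meant to capture.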
The physical security requirements of the building can be more readily catered for by working closely with the building architects and structural engineers in the early stages of planning and design, to withstand brute force attack, facilitate physical access control, fire protection and defence against other environmental hazards on location or in the immediate vicinity.
Dr Ken Wong
BOOK REVIEWS
Title: Security of Premises: a manual for managers
Author: Stanley L. Lyons