Business Continuity Planning

When your business faces a disaster it is key to address the issue head on. You must first understand whose problem it is to solve and create an effective disaster recovery (DR) plan. Both business and ICT need to be comfortable that the DR plan has been verified, to ensure a reasonable expectation that recovery will be successful. IBRS has created a four-part series to help organisations plan for and recover from disasters successfully. Download the 'Disaster Recovery Must Work' ebook and prepare your organisation.

Conclusion:

Part four in this series of advisories looks at how to improve the disaster recovery (DR) planning maturity of your organisation. The aim of improving maturity in DR planning is to raise the probability of successfully meeting the needs of your business in the event of a disaster. This means ensuring that your DR plan (DRP) and business continuity planning (BCP) are fully integrated, and that all elements of the organisation have a high degree of familiarity with DR processes.

Importantly, your organisation must understand that maturity is both a journey and a target. To maintain the target maturity, your organisation must put in place a number of strategies that are continually repeated, so that the target is both met and maintained.

Conclusion:

The rapid adoption of Cloud services and the increasing and well-publicised cyber security compromises have added to the security concerns within many organisations. The Australian Cyber Security Centre (ACSC) has recently published a set of Cloud computing security considerations with which organisations can undertake a high-level self-assessment of their cyber risks as they transition to Cloud services. IBRS recently hosted a roundtable with senior ICT and security professionals to highlight some hands-on lessons for managing cyber security in a Cloud environment.

Conclusion:

Part three of this four-part series looks at how the disaster recovery (DR) plan can be verified. The DR plan is in effect a contingency plan to deal with the risk of a disaster. The DR test plan validates the preparedness of the organisation to address that risk.

Having the DR plan verified is therefore essential if the contingency is to be effective. Just having a plan in place is not enough to mitigate the risk. The plan must be tested and verified as part of business as usual (BAU), both to increase familiarity with the plan, its standard operating procedures (SOPs) and processes, and, most importantly, to improve the likelihood of success.

Conclusion:

There is no denying that the incidence and severity of ransomware attacks, both real and fake, are on the rise. Whether the attacks are state-based or purely criminal in nature, organisations need to address their ability both to defend against such attacks and to respond appropriately when they occur. A successful breach can carry a high cost in productivity, reputation and potential financial losses. A good defensive posture against cyber attacks will make your organisation a harder nut to crack for the attackers.

Conclusion: 

A disaster recovery (DR) plan that is understood, agreed and jointly owned by all elements of the organisation is essential in preparing for a disaster event. An effective DR plan will focus on managing the risk associated with completing a successful restoration and recovery in a time, and to a level of effectiveness, acceptable to the business.

To ensure the plan is effective at mitigating the risks associated with completing restoration and resuming services after a disaster event, the DR plan must also clearly identify how the plan is to be verified, and so reduce the risk of not completing a successful disaster recovery.

The key focus of the DR plan must always be restoring the delivery of business functions. The technical delivery may be from on-premise ICT services, outsourced providers or Cloud. Regardless of how technology is delivered to the business, an ICT disaster event needs a verified plan!

Conclusion

With the growth of dependence on ICT for business to perform effectively, many organisations have increased risk associated with the ability of ICT to provide service continuity. ICT downtime means business is negatively impacted. Many organisations believe the DRP is a problem that is ICT's to solve. Whilst ICT will lead the planning and do a lot of the heavy lifting when a disaster occurs, it can only be successful with the assistance and collaboration of its business partners. It is the business that sets the priorities for restoration and accepts the risk.

Both business and ICT need to be comfortable that the disaster recovery (DR) plan has been verified to ensure a reasonable expectation that recovery will be successful.

The Latest

29 April 2021: Microsoft briefed analysts on its expansion of Azure data centres throughout Asia. By the end of 2021, Microsoft will have multiple availability zones in every market where it has a data centre.

The expansion is driven in part by a need for additional Cloud capacity to meet greenfield growth. Each new availability zone is, in effect, an additional data centre of Cloud services capability.

However, the true focus is on providing existing Azure clients with expanded options for deploying services over multiple zones within a country.  

Microsoft expects to see strong growth in organisations re-architecting solutions that had been deployed to the Cloud through a simple ‘lift and shift’ approach to take advantage of the resilience granted by multiple zones. Of course, there is a corresponding uplift in revenue for Microsoft as more clients take up multiple availability zones.

Why it’s Important

While there is an argument that moving workloads to Cloud services such as Azure has the potential to improve service levels and availability, the reality is that Cloud data centres do fail. Both AWS and Microsoft Azure have seen outages in their Sydney, Australia data centres. History shows that organisations which had adopted a multiple availability zone architecture tended to have minimal, if any, operational impact when a Cloud data centre went down.

It is clear that a multiple availability zone approach is essential for any mission critical application in the Cloud. However, such applications are often geographically bound by compliance or legislative requirements. By adding additional availability zones within countries throughout the region, Microsoft is removing a barrier for migrating critical applications to the Cloud, as well as driving more revenue from existing clients.

Who’s impacted

  • Cloud architecture teams
  • Cloud cost / procurement teams

What’s Next?

Multiple availability zone architecture should be considered on the basis of future business resilience in the Cloud. It is not the same thing as 'a hot disaster recovery site' and should be viewed as a foundational design consideration for Cloud migrations.

Related IBRS Advisory

  1. VENDORiQ: Amazon Lowers Storage Costs… But at What Cost?
  2. Vendor Lock-in Using Cloud: Golden Handcuffs or Ball and Chain?
  3. Running IT-as-a-Service Part 49: The case for hybrid Cloud migration

Conclusion

Even well-articulated and documented cyber incident response plans can go astray when a cyber incident actually happens. Experience shows the best plans can fail spectacularly. In this special report, IBRS interviews two Australian experts from startups in the field of cyber incident response and uncovers the better practices for keeping your incident response plans real.

The Latest

18 March 2021: Veeam released a report which suggests that 58% of backups fail. After validating these claims, and drawing on the direct experiences of our advisors who have been CIOs or infrastructure managers in previous years, IBRS accepts there is merit in Veeam's claim.

The real question is, what to do about it, other than buying into Veeam’s sales pitch that its backups give greater reliability?

Why it’s Important

Sophisticated ransomware attacks are on the rise, so much so that IBRS issued a special alert on the increasing risks in late March 2021. Such ransomware attacks specifically target backup repositories. This means that creating disconnected, or highly protected, backups is more important than ever. The only guarantee of recovery from ransomware is a combination of well-structured backups and a well-rehearsed cyber incident response plan.

However, protecting the backups is only useful if those backups can be recovered. IBRS estimates around 10-12% of backups fail to fully recover, which measures a slightly different, but more important, situation than the one touted by Veeam. Even so, this failure rate is still far too high, given the heightened risk from financially motivated ransomware attacks.

Who’s impacted

  • CIO
  • Risk Officers reporting to the board
  • CISO
  • Infrastructure leads

What’s Next?

IBRS has identified that better practice for backup must include regular and unannounced practice runs to recover critical systems from backups. These tests should simulate as closely as possible the events that could lead to a recovery situation: critical system failures, malicious insiders and ransomware. Just as organisations need to rehearse cyber incident responses, they also need to thoroughly test their recovery regime.
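The kind of drill described above, as an added example written for this page rather than IBRS or Veeam code: it backs up a constructed sample directory with a SHA-256 manifest, restores it into a scratch location and reports which files came back missing or altered. The two failure modes it can inject, a file the backup agent skipped and a file written to after it was hashed, are assumptions chosen to mimic common causes of a restore that "succeeds" but is not complete. The sample files, archive layout and path names are likewise constructed for the demonstration.

```python
"""Restore drill: back up a directory with a SHA-256 manifest, restore it into a
scratch location and verify every file came back intact.

Added example for this advisory, not IBRS or Veeam code. The sample files,
archive format and the two injected failure modes are constructed for the
demonstration.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, archive: Path, skipped=(), changed_during_backup=()) -> dict:
    """Write a tar.gz of `source` plus a MANIFEST.json of relative path -> sha256.

    The manifest is taken from the live inventory, so it records what *should*
    be protected. Two failure modes can be injected to mimic real backup jobs:
      skipped               - a file the agent could not read (locked, permissions)
      changed_during_backup - a non-quiesced file written to after it was hashed
    """
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if not path.is_file():
                continue
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            if rel in skipped:
                continue
            if rel in changed_during_backup:
                with path.open("ab") as handle:
                    handle.write(b"written after the hash was taken")
            tar.add(str(path), arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore_and_verify(archive: Path, target: Path) -> dict:
    """Extract `archive` into `target` and check every manifest entry on disk."""
    # The 'data' extraction filter (Python 3.12+, backported to older patch
    # releases) refuses absolute paths and links that escape the target.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(target), **extract_opts)
    manifest = json.loads((target / "MANIFEST.json").read_text())
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        restored = target / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_file(restored) != expected:
            corrupt.append(rel)
    return {
        "restored": len(manifest) - len(missing) - len(corrupt),
        "missing": missing,
        "corrupt": corrupt,
    }


def run_drill(skipped=(), changed_during_backup=()) -> dict:
    """End-to-end drill on constructed sample data; returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive, target = root / "src", root / "backup.tgz", root / "restore"
        (source / "db").mkdir(parents=True)
        (source / "db" / "orders.sqlite").write_bytes(os.urandom(4096))  # constructed
        (source / "config.yaml").write_text("listen: 0.0.0.0:8443\n")     # constructed
        (source / "README").write_text("restore drill sample\n")           # constructed
        make_backup(source, archive, skipped, changed_during_backup)
        target.mkdir()
        return restore_and_verify(archive, target)


if __name__ == "__main__":
    print("clean run:", run_drill())
    print("skipped + non-quiesced:",
          run_drill(skipped=("README",), changed_during_backup=("db/orders.sqlite",)))
```

The report comes from the restored copy, not from the backup job's own success status, which is the distinction the 58% and 10-12% figures above turn on. A clean run returns no missing or corrupt entries; the injected run returns one of each, and neither would show up in a backup job that only reports "completed".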

Related IBRS Advisory

  1. Maintaining disaster recovery plans
  2. Ransomware: Don’t just defend, plan to recover
  3. Running IT-as-a-Service Part 59: Recovery from ransomware attacks
  4. Ransomware, to pay or not to pay?
  5. ICT disaster recovery plan challenges
  6. Testing your business continuity plan

The Latest

28 March 2021: AWS has a history of periodically lowering the costs of storage. But even with this typical behaviour, its recent announcement of an elastic storage option that shaves 47% off current service prices is impressive. Or is it?

The first thing to realise is that the touted savings are not apples for apples. AWS's new storage offering is cheaper because it resides in a single zone, rather than being replicated across multiple zones. In short, the storage has a higher risk of being unavailable, or even of being lost outright through a failure.

Why it’s Important

AWS has not hidden this difference. It makes it clear that the lower cost comes from less redundancy. Yet this architectural nuance may be overlooked when looking at ways to optimise Cloud costs.

One of the major benefits of moving to Platform-as-a-Service offerings is the increased resilience and availability of the architecture. Cloud vendors, including AWS, do suffer periodic failures within zones. Examples include the AWS Sydney outage in early 2020 and the Sydney outage in 2016 which impacted banking and e-commerce services.  

But it is important to note that even though some of Australia's top companies were effectively taken offline by the 2016 outage, others sailed on as if little had happened. The difference is how these companies had leveraged the redundancies available within Cloud platforms. Those that saw little impact to operations when the AWS Sydney region went down had selected redundancy in all aspects of their solutions.

Who’s impacted

  • Cloud architects
  • Cloud cost/contract specialists
  • Applications architects
  • Procurement leads

What’s Next?

The lesson from previous Australian AWS outages is that organisations need to carefully match the level of redundancy they pay for to the risk of downtime for each specific application. This new announcement shows that significant savings (in this case 47%) are possible by accepting a greater risk profile. However, while this may be attractive from a pure cost optimisation/procurement perspective, it needs to be tempered with an analysis of the worst case scenario, such as multiple banks being unable to process credit card payments in supermarkets for an extended period.

Related IBRS Advisory

  1. VENDORiQ: AWS second data centre in Australia
  2. Post COVID-19: Four new BCP considerations
  3. Running IT-as-a-Service Part 55: IBRS Infrastructure Maturity Model

Conclusion

Many security incidents are having major impacts on organisations. In too many cases these are left to the information technology teams to handle.

Yet the group most responsible for an organisation's continued survival and growth is the chief officer (CxO) group. Accountability for incident response therefore ultimately resides with this group. To develop the ability to handle a major attack on the organisation, it is imperative that the CxO group also become familiar with responding to cyber security events.

This can be done by running tabletop exercises that then become the basis for building more detailed plans around communications, crisis management, and the organisation’s preparedness.

Conclusion:

While some bots may be benign, many are engaged in unscrupulous behaviour, such as stealing valuable commercial data or attempting to obtain access illegitimately. At best, bots are a drain on an organisation's resources: they increase demands on infrastructure and push up costs. In the worst case, they represent a significant cyber threat.

IBRS interviewed experts in the field of bot defence: Craig Templeton, CISO and GM Tech Platforms with REA Group and Sam Crowther, developer of the Kasada bot defence platform.

The Latest

27 March 2021: Google has announced programs with two US-based insurance companies where clients taking up Google Cloud Platform security capabilities will receive discounts on cyber insurance premiums. 

Why it’s Important

The number of serious cyber incidents is increasing, and insurance premiums in the US have tripled over the last two years. Having a cyber incident response plan in place helps mitigate the risks and reduces the recovery time from a cyber incident, and it also contributes to lowering the premium for cyber insurance. It is akin to fitting window locks to a house, which lowers insurance premiums in certain circumstances.

Google's security posture, threat assessment services and incident management services are sufficient to both reduce the frequency of security incidents and lessen their impact. Insurance actuaries see the benefit in such services and have determined there are savings to be made from the lower risk and risk mitigation profiles.

Notwithstanding any special programs brokered between Cloud vendors and insurers, being able to demonstrate both a strong security posture and, importantly, an incident response plan will drive down an organisation's premiums, especially as insurance companies are inserting their own teams into incident response situations. 

Who’s Impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

If not already done, organisations should undertake a cyber risk assessment and implement a cyber incident response plan backed by appropriate cyber insurance. 

Related IBRS Advisory

  1. Improving Your Organisation’s Cyber Resilience
  2. Incident Response Planning: More Than Dealing with Cyber Security Breaches and Outages
  3. How Does Your Organisation Manage Cyber Supply Chain Risk?
  4. Why You Need a Security Operations Centre

The Latest

16 February 2021: Veeam continues to expand its footprint across the hyperscale Cloud vendors with the introduction of Veeam Backup for Google Cloud Platform. This follows its December 2020 announcement of the general availability of AWS v3 Backup and Azure v4 Backup. As a result, Veeam now provides backup and recovery capabilities across, and just as importantly between, the three major hyperscale Cloud vendors.

Why it’s Important

During a briefing with IBRS, Veeam detailed its strong growth in the Asia Pacific region. It also discussed its strategy for providing backup and recovery capabilities over the major hyperscale Cloud services: Azure, AWS and Google. Demand for Cloud backup and recovery is growing with the recognition that hybrid Cloud (the most likely future state for many organisations) demands more consistent and consolidated approaches to management, including backup and migration of data between Clouds. VMware is also seeing growth in its hybrid Cloud management capabilities, and the synergy between Veeam and VMware products is no coincidence.

Who’s Impacted

  • Cloud architects
  • Business continuity teams

What’s Next?

Backing up Cloud resources appears to be a simple process. Taken service by service, this might be true. In reality, however, backup becomes increasingly challenging: as more applications are made up of a myriad of components, the ecosystem of solutions evolves rapidly, and data recovery and restoration become correspondingly more complex. This is further exacerbated by the growing adoption of hybrid Cloud.

Organisations need to explore backup and recovery based on not only current state Cloud architecture, but possible migration between Cloud services and where different integrated applications reside on different Cloud platforms.

The latest

14 December 2020: FireEye announced it had been breached. An extremely comprehensive overview is available from FireEye. The blog post includes timelines, technical recommendations and IoCs (indicators of compromise).

FireEye, a company that exists to track and thwart advanced and persistent adversaries, was itself compromised by an advanced and persistent adversary. FireEye was compromised through a product from SolarWinds.

What now?

There are four main areas worth exploring. 

1) Check your SolarWinds instance(s) 

The FireEye blog post includes instructions for what to look for. Good asset management will be useful in this verification process. One CISO noted that they found an unmaintained SolarWinds instance in one of their OT environments.

A core lesson that many security executives drew from the MobileIron vulnerability (CVE-2020-15505) was that anything an organisation has that is internet facing needs to receive critical patches consistently and quickly, even out of cycle.

This requires not only a process to identify critical patches, but also that the process is actually executed. Citrix, VPNs, staff home routers (see FF no.02) and now MDMs have all been leveraged this year for compromise. Everything is up for grabs, so logically anything internet facing needs to be aggressively maintained. This relates to patching, but also to asset management.

Further, it is an opportunity to review privilege. Just because a product can do something doesn't mean it should. Does SolarWinds really need to talk to the Internet? Technical controls such as host firewalls and properly profiled application allow-listing will significantly frustrate an adversary in this scenario. It is a great example of where a zero trust architecture would make a big difference.
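One way to make "does SolarWinds really need to talk to the Internet?" concrete, as an added example that is not taken from the FireEye or SolarWinds material: a per-host egress profile that is used both to audit flow-log records for traffic outside the profile and to render the default-deny nftables output chain that would enforce it on the host. The monitoring server's address (10.0.5.20), its permitted destinations and ports, the key=value log format and the log lines themselves are all assumptions constructed for the demonstration; 203.0.113.10 is a documentation address standing in for a vendor update host.

```python
"""Egress profile for a management host: the same allow-list drives a check of
firewall flow logs and the nftables ruleset that would enforce it.

Added example for this advisory; it is not from FireEye, SolarWinds or IBRS.
The host address, destinations, ports and log lines are constructed, and the
key=value log format is assumed rather than any particular product's.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    network: str        # destination CIDR
    proto: str          # "tcp" or "udp"
    ports: frozenset    # allowed destination ports

    def matches(self, dst: str, proto: str, dport: int) -> bool:
        return (proto == self.proto and dport in self.ports
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.network))


# Assumed profile for a monitoring server at 10.0.5.20: it may poll internal
# ranges, use the internal resolver and fetch updates from one vendor host.
PROFILE = {
    "10.0.5.20": (
        Rule("10.0.0.0/8", "udp", frozenset({161})),           # SNMP polling
        Rule("10.0.0.0/8", "tcp", frozenset({22, 135, 445})),  # SSH / WMI / SMB collection
        Rule("10.0.0.53/32", "udp", frozenset({53})),          # internal resolver only
        Rule("203.0.113.10/32", "tcp", frozenset({443})),      # vendor update host (assumed)
    ),
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> dict:
    """Turn one key=value flow record into a dict (format assumed for the example)."""
    return dict(KV_RE.findall(line))


def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """True if the flow is inside the source host's profile; unprofiled hosts get no rules."""
    return any(rule.matches(dst, proto, dport) for rule in PROFILE.get(src, ()))


def audit(lines) -> list:
    """Return (src, dst, proto, dport) for every flow from a profiled host that
    falls outside its profile, i.e. traffic the host firewall should have dropped."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        src = flow.get("src")
        if src not in PROFILE:
            continue  # only hosts with a profile are judged here
        dport = int(flow["dport"])
        if not is_allowed(src, flow["dst"], flow["proto"], dport):
            violations.append((src, flow["dst"], flow["proto"], dport))
    return violations


def to_nft(src: str) -> str:
    """Render the host's profile as a default-deny nftables output chain (nft -f)."""
    out = [
        "table inet egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for rule in PROFILE[src]:
        ports = ", ".join(str(p) for p in sorted(rule.ports))
        out.append(f"    ip daddr {rule.network} {rule.proto} dport {{ {ports} }} accept")
    out += ['    counter log prefix "egress-drop " drop', "  }", "}"]
    return "\n".join(out)


# Constructed flow records; the fourth and fifth are outside 10.0.5.20's profile.
SAMPLE_FLOWS = [
    "ts=2020-12-14T09:00:01Z src=10.0.5.20 dst=10.0.20.5 proto=udp dport=161 action=allow",
    "ts=2020-12-14T09:00:02Z src=10.0.5.20 dst=10.0.0.53 proto=udp dport=53 action=allow",
    "ts=2020-12-14T09:00:03Z src=10.0.5.20 dst=203.0.113.10 proto=tcp dport=443 action=allow",
    "ts=2020-12-14T09:00:04Z src=10.0.5.20 dst=198.51.100.7 proto=tcp dport=443 action=allow",
    "ts=2020-12-14T09:00:05Z src=10.0.5.20 dst=8.8.8.8 proto=udp dport=53 action=allow",
    "ts=2020-12-14T09:00:06Z src=10.0.9.9 dst=198.51.100.7 proto=tcp dport=443 action=allow",
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("outside profile:", violation)
    print(to_nft("10.0.5.20"))
```

Driving detection and enforcement from one profile is the point: a flow that audit() reports is exactly one the rendered chain would have dropped and logged, so reviewing the flow logs tells you whether the host firewall is actually in place and whether the profile still matches what the product genuinely needs.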

2) Organised crime 

The ACSC has noted that once a vulnerability is disclosed, threat actors can develop an exploit within 48 hours. We have seen this timeline achieved this year with both the F5 and MobileIron vulnerabilities. Now that the advanced and persistent actor has been ejected from FireEye (and hopefully from SolarWinds), it could be a matter of time before organised crime tries to exploit unpatched SolarWinds instances.

FireEye will recover, and will have an even better story to tell. At this early stage it seems that FireEye was the last target compromised by this adversary, and probably compromised for the shortest duration before the adversary was detected and ejected. It sounds like FireEye was targeted as a source of further intel on government agencies.

I've got no evidence for this, but I wouldn't be surprised if FireEye was the last, trophy, "let's see if we can do this" target. 

3) Supply chain

The critical point about FireEye being breached is that it confirms what the industry has been saying for years: "it's not if, it's when". What matters after bang (or 'right of bang') is how the organisation responds, and FireEye is giving a master class on how to respond. But FireEye is only able to do this on the back of years of refining its art.

However, going left of bang will encourage technology and security executives to look at their supply chain. What other products have access to systems, data and privileges that would be a nightmare if you did not have sole occupancy?

What other software has pervasive access like SolarWinds? What protocols are my service providers following when they use tools like SolarWinds on my environment? We cannot boil the ocean but, as Kevin Mandia said at a CISO Lens gathering in 2016, "protect most what matters most". 

4) Cyber insurance

I've not heard anyone talking about cyber insurance regarding this whole hostile campaign. It seems inevitable that public attribution will end up pointing to a particular nation. If so, many insurers will likely point to exclusion clauses that exempt them from costs incurred through nation-state activity.

If you have cyber insurance, it may be worth getting a position from your insurer on whether you would have been able to make a claim against your policy if your organisation had been compromised.

The Latest

8 December 2020: Veeam announced the general availability of AWS v3 Backup. This is timely, given the continuous growth of multi-faceted Cloud apps built in AWS that necessitate backup and disaster recovery solutions.

Veeam offers automated backup and disaster recovery solutions that provide additional protection and management capabilities for Amazon EC2 and Amazon RDS. There are two options to consider:

  • Veeam Backup for AWS - protects data housed on AWS using its standalone AWS backup and recovery solution.
  • Veeam Backup & Replication™ - safeguards and consolidates AWS backup and recovery with another Cloud, virtual or physical, across different Cloud platforms with unlimited data portability. 

Why it’s Important

Cloud backups are no longer optional. Competition now requires additional redundancy and security for businesses, to ensure that their important data is available and retrievable if and when disaster strikes.

Backing up Cloud resources appears to be a simple process. Taken service by service, this might be true. In reality, however, backup becomes increasingly challenging: as more applications are made up of a myriad of components, the ecosystem of solutions evolves rapidly, and data recovery and restoration become correspondingly more complex.

Who’s Impacted

  • Cloud architects
  • Business continuity teams

What’s Next?

Technology management should explore which Cloud services, both IaaS and SaaS, need to be backed up, establish strategies and choose the appropriate interplay between these services. Where Cloud usage is growing, or forecast to grow, evaluate how the services can be backed up reliably. This depends on knowing beforehand which parts are important and how they would be reconstructed into a recovered state if needed.

IBRS advisor Dr Wissam Raffoul, who specialises in transforming IT groups into service organisations, said legacy tech stacks had a lot of 'single point failures' which could bring whole systems to their knees.


Conclusion: The massive shift to working from home since the start of the COVID-19 pandemic has led to upsides for employees: more flexibility, no commute and greater productivity. Many executives have been publicly extolling the virtues of remote working. However, a number of management, cultural and work design issues are now starting to emerge. Organisations need to review their current workplace design and practices and prepare for a hybrid home-office workplace post-pandemic.

Conclusion: The disaster recovery plan (DRP) should be seen as significantly more than a technical document for IT resources to be accessed only in times of crisis restoration. Use regular IT DRP updates and testing as a valuable marketing tool and keep the DRP ready for when disaster strikes.

A recently released survey revealed nearly one-quarter of all respondents cited lack of budget as a major challenge for BCP/DRP funding. This challenge will be even more daunting after the anticipated post-coronavirus budget cuts, so it is critical to remember the DRP is not just required to be technically savvy; it contains useful information to suit the non-technical audience when attaching the DRP to support funding to keep it current.

Pandemics, and the period after them, require changes to IT services, vendors' contracts and service levels. Organisations must re-examine their service foundations to meet business expectations and remain compliant with policies and legislation during and after a pandemic.

Conclusion: Remember, constructive feedback benefits both the employees submitting the form and the staff who provide the services that enable working from home arrangements. Continuous improvement is the nature of running IT operations and support services. This feedback can also assist with wider human resources policies as everyone comes to terms with supporting the present state and planning for future arrangements that may end up permanent or hybrid.

Conclusion: IT services are critical to reducing the impact of pandemics on public health, jobs and the overall wellbeing of nations. To prepare IT for this challenge, organisations should:

  • Embed pandemics management into their business continuity plans
  • Define fallback strategies to operate during pandemics
  • Plan the transition to the normal mode of operations when the time comes

Conclusion: Risk assessment tools help protect and support staff and minimise business disruptions by following Australian risk management (and health) guidelines.

Conclusion: The phrase ‘People, Process and Technology’ describes the three key elements of a successful business. Business is the why, People the who, Process the what, and Technology the how. No single element of the trilogy can be seen as more important than the others. However, in the post-COVID-19 world, successful businesses will see that the focus of People has changed – they no longer go to work, work goes to them.

In technology terms, this effectively means that everyone is now the core of the system; the old concept of a core that is controlled from a central hub is now questionable. Post-COVID-19 technology design must allow for each worker to be able to work from any location, able to access information, services and data when necessary, and for each location to have surge capability.

Conclusion: Ransomware attacks have been in the news lately with Toll, Talman, Travelex and Manheim Auctions all having their day-to-day operations completely shattered. Many pundits and security product vendors are touting their initiatives to help an organisation defend itself against such an attack.

Despite all best efforts, there is no 100% guaranteed defence against succumbing to a ransomware attack. So rather than investing still more funds in defensive products, it is well worthwhile creating a strategy that allows rapid recovery or re-establishment of service after being struck by an attack.

It is possible to develop some strategies, all relatively inexpensive apart from time, that will position an organisation to have an excellent chance of quickly returning to normal productivity after a ransomware attack.

Conclusion: With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to a strategic enterprise risk. While many organisations have enterprise crisis management and business continuity plans, specific plans to deal with various types of cyberattacks are much less common, even though many of the attack scenarios are well known. Every organisation should have an incident response plan in place and should regularly review and test it. Having a plan in place can dramatically limit damage, improve recovery time and improve the resilience of your business.

Conclusion: With cases of the novel coronavirus (COVID-19) emerging across Australia, many businesses are, or should be, well into pandemic planning to ensure they maintain essential services. Teleworking, remote working, or working from home, is a centrepiece of those efforts and will increasingly be implemented by organisations. Cybercrime activity is rising rapidly, with actors seeking to exploit the fear and uncertainty in the community. The use of remote working technologies presents additional cyber security challenges that can be different from those of the more secure on-premise environment. Below is a list of considerations to help guide businesses through these challenges.

Conclusion: COVID-19 has already had severe global impacts, even though the total impact is yet to be fully quantified. Further restrictions are foreseen in Australia. Its implications will be long term, will disrupt the way we conduct business and interact socially, and a 'new normal' will emerge. No business will be immune, and during this dislocation both challenges and opportunities will arise.

At IBRS we believe that it is critical to take the long view on how the crisis will evolve and be prepared for the waves of change which will follow.

Download your COVID-19 Survival Kit (Covid-19-Survival-Kit.pdf).

With the outbreak and continued spread of the recent Coronavirus, or COVID-19, your business continuity plan (BCP) may need to be put in motion.

IBRS has created the Business Continuity Planning: Pandemic Scenario template to test your BCP using the potential COVID-19 pandemic.

Download and use this template to ensure your organisation is well prepared.

Conclusion: Pandemic planning is a strategic approach to business continuity that anticipates and prepares for a widespread outbreak of an infectious disease.

Business continuity planning can have an over-emphasis on short-term technology platforms failing, but as part of business continuity planning consideration needs to be given to the potential risk of an outbreak of a disease that could spread and may not be resolved quickly. The time of risk may go over several months or longer. Some forecasts for the coronavirus speculate it could take 12 to 18 months to come up with a vaccine.

The impact and planning needs to consider both internal and external factors; that is, how the pandemic event may impact employees and the organisation’s ability to keep its business operating. External factors will include the impact of the pandemic event on external service providers, suppliers and customers.

Being prepared: IBRS has created a BCP checklist to help you create and/or update your business continuity plan.

This checklist is to be used in the following ways:

  • A checklist to ensure all BCP steps have been actioned and/or updated as required
  • An easy reminder to update key supporting documents to the BCP to remain current which include:
    • Enterprise risk frameworks
    • Business impact analysis documents
    • Evacuation and lockdown procedures
    • Recovery plans and testing of these plans
    • IT disaster recovery plans
    • Communication plans
    • Regular executive reporting

Conclusion: Australian organisations must have strong disaster recovery plans, be it for natural disasters or man-made disasters. The plans need to deal with the protection and recovery of facilities, IT systems and equipment. It is also critical that the plan deals with the human side of the impact of a disaster on the workforce. What planning needs to be done, what testing will be done, what will happen during a disaster and what needs to be done after a disaster?

This planning can be complex and confronting. Whilst testing the failover of IT systems can be relatively straightforward, testing the effectiveness of the workforce side of a plan will be difficult, and may even disturb employees who may prefer to think “surely it will never happen to us”.

Conclusion: Two key supporting artefacts in the creation of pragmatic incident response plans are the incident response action flow chart and the severity assessment table. Take time to develop, verify and test these artefacts; they will be greatly appreciated when the DRP/BCP is invoked, aiding an orderly and efficient invocation and restoration.

Conclusion: Adherence to the recently introduced guidelines under ISO 31000:2018 is part of every ICT manager’s responsibilities and leadership remit, because ICT managers are key in driving the adoption of risk management guidelines across an organisation, given their overarching responsibility for creating and protecting value. The new risk management guidelines have been deliberately rewritten to be simpler and are based on a revised set of principles, a framework and processes. Greater emphasis is now placed on leadership to ensure risk management is better integrated, and that actions and controls are in place at critical stages of projects as well as in business operations.

Related Articles:

"Risk management – Tips and techniques" IBRS, 2017-10-02 22:35:45

"Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

Conclusion: The ICT Disaster Recovery Plan (DRP) is, more often than not, focused on technology: redundancy of infrastructure and systems, including data backup and data recovery. Whilst these components are important and necessary, the need for business resumption of the ICT function itself is often oversimplified, which in turn affects ICT availability. Making people part of the planning is critical to success. A disaster, whether a technology failure, a business event such as a fire or denial of access to key sites, or an environmental event such as a flood or storm, can equally create the need for expanded operations centres and larger-than-normal help desk support.

Effective planning and testing of the plan, covering all aspects of a probable disaster scenario and the ICT Business Resumption Plan (BRP) that supports the business as a whole, is necessary. Effective testing of the ICT DRP and BRP must be a high priority for any CIO to ensure service levels are maintained. Failure to do so increases the risk ICT poses to the business.

Any test of your DRP and ICT BRP should include business and customer involvement, to give your organisation confidence that all known risks have been successfully mitigated. Oversight of the testing of these plans must be planned and conducted by an independent body (preferably a consultancy that knows the organisation’s business domain, or your ICT advisory service).

Conclusion: ICT disaster recovery plans (DRPs) have been in place for many years. Fortunately, invoking these plans is rare, but, just like an insurance policy, it is wise to ensure the fine print is valid, up to date and tested on a regular basis, so as to minimise the time taken to restore business services that rely on the complex range of IT enablers in place. Adoption of general Cloud services and the ever-changing ICT asset landscape require careful alignment with the DRP so that it is ready when restoration is required.

Conclusion: In times of business disruption, a pragmatic and accessible incident response plan (IRP) becomes the main tool for getting the business back to normal operation and minimising loss of revenue, services and reputation. This holds true during the stressful period of attempting to return to normal operations. Insurance is a useful analogy: it is highly recommended, hopefully rarely required, and of little or no use if, when you need it, you find it is out of date or incomplete. The same principle applies when you need to activate the IRP to quickly get a critical business function operating at sufficient levels.

Related Articles:

"Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

"Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

"What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

Conclusion: Regular testing of the business continuity plan (BCP) has many benefits beyond ticking the mandatory compliance box to keep audit off the backs of executives. Effective testing exercises ensure the BCP has been updated, and include sense-checking the completeness of the resources required by the recovery strategies for critical business functions. Running regular BCP exercises also raises the profile of identifying weaknesses, aligns restoration time expectations and drives continuous improvement.

Related Articles:

"Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

"What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

Conclusion: An effective business impact analysis (BIA) catalogues the business functions and provides insight into the relative importance and criticality of each. That information is then the main input for developing business recovery strategies, setting the priority of restoration and identifying the resources needed to restore business services. However, there are many challenges in performing this critical step well enough to be prepared when business disruptions do occur.

Conclusion: IT organisations responding to mergers and acquisitions, or migrating to multi-sourced environments of Cloud and service contracts, should establish service provider governance frameworks based on federated organisation principles. This means maintaining central consistency (e.g. policymaking) whilst allowing local autonomy in certain areas (e.g. hardware purchases). Doing so leverages economies of scale, allows local services and products to be acquired more efficiently, and permits new geographies to be introduced in a consistent manner whenever needed.

Conclusion: Organisations need to plan to recover business operations quickly and successfully by creating and updating business continuity plans (BCPs) supported by disaster recovery plans (DRPs). However, there are many challenges to overcome in keeping these plans useful and ready for when business disruption eventuates.

Conclusion: Keeping business continuity plans (BCP) succinct, up to date and easy to read will reap rewards when they are required during a business disruption.

Related Articles:

"Astute Leadership needed in a crisis" IBRS, 2017-01-01 10:35:45

"Investing in Business Resilience Planning - the CIOs hardest sell" IBRS, 2012-08-31 00:00:00

"Running IT-as-a-Service Part 40: Aligning business continuity and IT disaster recovery plans" IBRS, 2018-03-31 06:56:00

Conclusion: Effective risk management, whether it is for a change initiative or for ongoing business operations, will ameliorate harm or at the very least reduce the impact of harm. Leaders must understand risk management, and plan and engage with risks and mitigate the risks as appropriate on an ongoing basis.

Conclusion: Organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared with their existing on-premises Enterprise Backup and Recovery (EBR) tools.

Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to meet the business’ recovery objectives. The optimal AWS solution may require adopting new tools and rethinking long-held assumptions.
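As an added example (not IBRS or AWS code) of how an administrator might check that native AWS snapshots actually meet a business recovery point objective (RPO), the script below maps each EBS volume to its newest completed snapshot and flags volumes whose latest recovery point is older than the RPO, or that have no completed snapshot at all. The snapshot records are constructed inline and follow the field names of the EC2 DescribeSnapshots response (SnapshotId, VolumeId, StartTime, State); in practice they would come from boto3's ec2.describe_snapshots() paginator, which is not called here so that the example runs offline. The volume identifiers and RPO values are hypothetical.

```python
"""Check EBS snapshot coverage against per-volume recovery point objectives.

Added example, not IBRS or AWS code. Records are constructed to match the
field names of the EC2 DescribeSnapshots response; in production they would
be fetched with boto3 (ec2.describe_snapshots), which is not called here.
"""
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic.
NOW = datetime(2020, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample snapshots (hypothetical volume and snapshot identifiers).
SNAPSHOTS = [
    {"SnapshotId": "snap-0a1", "VolumeId": "vol-app", "State": "completed",
     "StartTime": NOW - timedelta(hours=2)},
    {"SnapshotId": "snap-0a2", "VolumeId": "vol-app", "State": "completed",
     "StartTime": NOW - timedelta(hours=26)},
    # vol-db: only a stale completed snapshot; the newer one is still pending,
    # and a pending snapshot is not yet a usable recovery point.
    {"SnapshotId": "snap-0b1", "VolumeId": "vol-db", "State": "completed",
     "StartTime": NOW - timedelta(hours=30)},
    {"SnapshotId": "snap-0b2", "VolumeId": "vol-db", "State": "pending",
     "StartTime": NOW - timedelta(hours=1)},
    # vol-logs: its only snapshot failed, so it has no recovery point.
    {"SnapshotId": "snap-0c1", "VolumeId": "vol-logs", "State": "error",
     "StartTime": NOW - timedelta(hours=3)},
]

# Volumes in scope and their RPO in hours (hypothetical business requirement).
# vol-orphan has no snapshots at all, i.e. it was never enrolled in a schedule.
VOLUME_RPO_HOURS = {"vol-app": 24, "vol-db": 4, "vol-logs": 48, "vol-orphan": 24}


def latest_recovery_points(snapshots):
    """Map each volume ID to the StartTime of its newest *completed* snapshot.

    Pending and errored snapshots are ignored: they cannot be restored from."""
    latest = {}
    for snap in snapshots:
        if snap["State"] != "completed":
            continue
        vid = snap["VolumeId"]
        if vid not in latest or snap["StartTime"] > latest[vid]:
            latest[vid] = snap["StartTime"]
    return latest


def rpo_report(snapshots, volume_rpo_hours, now):
    """Return {volume_id: {"age_hours": float | None, "rpo_hours": int, "ok": bool}}.

    A volume with no completed snapshot is reported as a violation with
    age_hours None, which surfaces volumes missing from the backup schedule."""
    latest = latest_recovery_points(snapshots)
    report = {}
    for vid, rpo in volume_rpo_hours.items():
        if vid in latest:
            age = (now - latest[vid]).total_seconds() / 3600.0
            report[vid] = {"age_hours": age, "rpo_hours": rpo, "ok": age <= rpo}
        else:
            report[vid] = {"age_hours": None, "rpo_hours": rpo, "ok": False}
    return report


def violations(report):
    """Sorted list of volume IDs whose latest recovery point breaches the RPO."""
    return sorted(vid for vid, row in report.items() if not row["ok"])


if __name__ == "__main__":
    rep = rpo_report(SNAPSHOTS, VOLUME_RPO_HOURS, NOW)
    for vid, row in sorted(rep.items()):
        age = "none" if row["age_hours"] is None else f"{row['age_hours']:.1f}h"
        status = "OK" if row["ok"] else "VIOLATION"
        print(f"{vid}: latest completed snapshot age {age}, RPO {row['rpo_hours']}h -> {status}")
```

The check deliberately drives off the list of volumes that should be protected rather than the list of snapshots that exist, so that a volume with no snapshots at all shows up as a violation instead of silently disappearing from the report.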

Conclusion: Over the last five years the market of crisis management and emergency response systems has undergone a rapid evolution. Innovative solutions exploit the proliferation of smart mobile devices, the continuously growing number of available data feeds, the simplicity of the deployment models afforded by the Web, and powerful geographic information system functionality. Given the maturity of some of the available solutions, it makes sense for larger organisations in the public sector and for utility organisations to consider the deployment of a modern crisis management and incident response system.

Conclusion: Today organisations need to adapt swiftly to changes in their external environment. Brittleness and inflexibility are characteristic of complex systems that lack modularity and redundancy. Resilient systems offer an appropriate level of redundancy at all levels of abstraction: from replicated skill sets within organisational structures to physical redundancy of hardware. In other words, a simplistic focus on efficiency may introduce more risks than benefits.

Conclusion: As discussed in “Backup is not Archive!”, all IT organisations should evaluate the deployment of an archival platform to reduce storage costs and improve unstructured data management. Our 2008 survey found archiving in ANZ organisations to be immature and carrying many risks. A follow-up survey in 2011, and ongoing client discussion, show this situation has improved, as evidenced by higher implementation success rates and customer satisfaction scores.

We found the products most commonly used in production were Symantec Enterprise Vault and Commvault Simpana. These products were rated very well by the organisations that used them, while EMC, on the other hand, continues to struggle.

Conclusion: Most branch office data is poorly protected by the organisation’s existing backup strategy. Recent improvements in network connectivity, and the commoditisation of advanced deduplication techniques, fundamentally change the landscape and make highly automated, reliable and cost-effective branch office backup affordable for most organisations.

Organisations with extensive branch office data that is not adequately protected should re-evaluate their branch office backup strategy.

Conclusion: Today business knowhow is mainly stored in two places: in human brains and in software systems. Both forms of storage share the problem that raw knowhow is not easily transferable from one context to another. Valuable knowledge is repeatedly lost through staff turnover and through technology replacements. Minimising knowledge loss requires determination and an understanding of the mechanisms that lead to unnecessarily strong coupling between business knowhow and implementation technology.

Conclusion: From adversity springs creativity. History shows straitened economic times can serve as a greenhouse, rapidly germinating seeds of ideas that may otherwise have taken longer to establish themselves. Six clear trends have emerged from the Global Financial Crisis (GFC) providing business advantage to early adopters. The common thread is their potential to deliver organisational efficiencies, savings, or both. IBRS believe these trends are likely to deserve a place in the IT firmament for a considerable time. CIOs should defensively review these trends; the outcome may be selective adoption or deferral, but their potency cannot be ignored.

Conclusion: Organisations with existing Business Continuity Plans (BCPs) may find them to be a poor fit when dealing with the unique circumstances surrounding a pandemic. The chief characteristic is massively depleted numbers of available workers, with as many as 25-40% of staff absent throughout the entire government and business eco-system. Those without effective plans face the prospect of severe disablement that may take many months of recovery. For them, urgent action is required to draft pandemic-specific BCPs or to modify, then test, existing BCPs.

Conclusion: Consistent with its belief that the global financial crisis has heralded a new era in IT, IBRS has identified a series of management maxims to serve as a source of reference for IT executives navigating economic uncertainty.

Conclusion: IBRS believes the global financial crisis has heralded a new era in IT. Cost sensitivity will remain a key theme; cautious behaviour will predominate and the margin for error allowed by senior management in key areas such as IT project and service delivery will drop to unprecedented lows. To assist the CIO and others responsible for managing IT, IBRS has identified a series of maxims to serve as a source of reference to IT executives navigating through economic uncertainty.

Conclusion: In recessionary economies, as in war, values and behaviours change in response to the times. Formerly valued business success factors may no longer apply; management thinking once considered outmoded may now have new relevance. At an organisational level, focus is likely to be on the lower strata of Maslow’s hierarchy of needs. Indeed, C-level executives will be appraised on their ability to contribute to meeting these needs.

Conclusion: Economic downturns alter organisational dynamics and can herald changes in the executive power hierarchy. IT can be particularly vulnerable if seen as a cost centre and order taker. As economic forecasts darken, a common scenario is for the balance of power to swing to the CFO. Then, an economic austerity agenda is usually pursued, characterised by a program of across-the-board cost cuts that have Chief Executive imprimatur.

The financial press has begun using the term GFC as a short form for the Global Financial Crisis. Whilst outside the scope of this paper to speculate on the length and socio-economic effects of the GFC, there is no doubt that its impact will be experienced widely across business sectors and indeed within government. As consumer confidence recedes, corporate earnings shrink and revenue forecasts are revised downward, nothing is more certain than IT budgets being trimmed in 2009.

Conclusion: The International Organization for Standardization (ISO) has just released a new International Standard that focuses on disaster planning for IT. This new standard reflects the changed, outsourced IT world. It provides guidelines for information technology disaster recovery services as part of business continuity management, applying to both “in-house” and “outsourced” ICT environments. This new approach to Disaster Recovery (DR) standards should stimulate organisations to re-examine their IT DR plans to ensure that they meet current best practice and that the processes used to maintain DR planning are satisfactory.

Conclusion: Dramatically increasing energy costs mean that organisations must explore and implement approaches that reduce or contain the energy demands of their data centres. While ostensibly driven by long-term green objectives, the real short-term drivers are economic.

Conclusion: When an organisation needs to trigger its Business Continuity Plan (BCP) and the plan does not exist, is untested, is non-viable, or fails when activated, the results are likely to be catastrophic. It is probable that operations will not recover smoothly, if at all, and the business will be severely impacted, possibly unable to continue operating.

Conclusion: While there is now an increasing emphasis on Business Continuity Management (BCM), many organisations still focus on disaster recovery planning. Unwisely, they restrict their focus to restoring IT infrastructure, giving only a “cursory nod” towards a more holistic business orientation that covers all critical business operations. Some create an artificial air of confidence by developing their business continuity plans and then never testing them. Others have little appreciation of the quality of their Business Continuity Plans (BCPs) and whether or not they meet good practice. In all these cases there can be no assurance that the BCPs will be of any practical use if and when they are needed. The outcome will be serious at the least, and could be catastrophic.

Conclusion: Large companies can expect a significant business crisis once every four to five years and, if the disruption is significant, the organisation will be seriously affected or may never recover sufficiently to resume business.

What were once considered separate activities, business continuity and disaster recovery, are now both regarded as an integral part of corporate governance. This integrated approach is called Business Continuity Management (BCM) and should be the linchpin of any organisation’s risk management.

In most businesses, regardless of size or industry, formal business continuity and/or disaster recovery planning is consistently under-funded and generally neglected by management. The business risks associated with this attitude can be very high but are not understood. Those plans that are in place often simply don’t work. This is not surprising, since disaster recovery hasn’t been given sufficient consideration: plans are rarely tested (if ever) and equally rarely updated to reflect changes in process, technology or applications. In an emergency, there are many continuity requirements across an organisation’s business and services, covering processes, facilities and personnel. IT and a range of business units across the whole organisation must work together, both in planning for continuity and in its execution.

Conclusion: Short-term targets have affected planning, but many companies will want a qualified planning procedure that removes any shocks. The process can be broken into various scenarios depending on market conditions. Scenarios minimise risk while maintaining the firm’s potential for reward relative to competitors.

The state of a market is affected by the number of competitors. This is a major variable that could change rapidly, so it is important to create a scenario for such a possibility and plot its effects and outcomes for the firm.