Tagged in: Untagged
I read a lot of articles on the key benefits of the cloud, and how cloud computing can be used help to ensure business continuity and speed disaster recovery and in some cases the cloud services themselves can become a major component of the disaster recovery plan for on-site systems and services, but cloud services are not perfect, and while they sometimes offer redundancy and data protection, they can also lead to problems caused by updates or network failures.
Remember last year when a disruption at Amazon shut down Instagram, Vine, Airbnb And IFTTT?
Ultimately it is the user’s (data owner) responsibility to address their data as part of the overall business continuity management system.
Refering to ISO 27001:2013 it states:
Planning information security continuity
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
Implementing information security continuity
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
Verify, review and evaluate information security continuity
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
So if you are going to transfer that risk to a cloud provider you need to verify the effectiveness at regular intervals through some sort of testing.
Here are some BCM tips when hosting your data in the cloud:
1.) Understand where your data resides. If your data is in the cloud where is it exactly? Remember it is still in some physical location. You need to perform a risk analysis and understand the landscape and all potential risks related to the location that the data is stored in.
2.) What type of SLA do you have? If you are a small mom and pop shop chances are you will have to live with the canned SLA that come with whatever service you sign up for, so buyer beware and choose a service provider with the best BCM offering. If you are a larger multi-national organization, then you may have the leverage to negotiate an SLA that allows for a plan to easily move data and services to another region in the event of a disaster or disruption.
3.) If you are being hosted in the cloud then you obviously rely on internet service to access your data. Does your ISP provide redundant service? What are the alternative methods for accessing your data if your internet goes down? Remember you are in territory here that does not fall under your cloud service. Your data may be available, but you can’t access it if your ISP fails.
4.) Emergency plans and information should be documented, communicated and tested.
You need to establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures must address the requirements of those who will use them and you should have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident (ISO 22301).
5.) And of course exercising and testing. Sure, all the BCMS pros are rolling their eyes as I state the obvious but consider this. The most recent Disaster Recovery Benchmark survey revealed some startling results:
- More than 60% of those who took the survey do not have a fully documented DR plan and another 40% admitted that the DR plan they currently have did not prove very useful when it was called on to respond to their worst disaster recovery event or scenario.
- One third of all organizations participating in the survey test their DR plans only once or twice a year and fully 23% or one in four never test their DR plans. Without testing and verification of DR plans, most companies have no idea as to whether they can fully recover their IT systems in the event of a disaster or an extended outage.
- When companies do test their DR plans, the results are most disturbing. More than 65% do not pass their own tests! (DISASTER RECOVERY PREPAREDNESS COUNCIL, 2014)
With the increased risk by the use of cloud services and the regular reporting of statistics like those above, there is an obvious lack of guidance, training and legal awareness. If Target can be sued for a security breach when they felt they had a good system in place, what is the potential legal ramifications for organizations that experience disruptions and have documented dismal results as noted above. Being perceived as negligent is a road you don’t want to go down.
ISO 22301:2012 can be adopted by any size organization wishing to implement a formal approach to effective Business Continuity Management. It is for use by internal and external parties, including certification bodies, to assess the organization’s ability to meet regulatory and customer requirements as well as the organization’s own requirements. ISO 22301 contains only those requirements that can be objectively audited and a demonstration of successful implementation can therefore be used by an organization to assure interested parties that an appropriate BCMS is in place.
Implementation of ISO 22301:2012 demonstrates – you are ensuring all applicable laws and regulations are being observed, Also as companies today are deluged with requests for compliance statements from their customers and clients, it is evident that there is a need for a uniform approach to BCM, not only internally but throughout the entire supply-chain.
At least make an attempt to show due diligence and a standard of care.
John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 30 years of successful experience in Management Systems and international standards.
Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.