The first element of a solid corporate information protection program has been identified above as the consistent implementation of the program. To ensure consistency, such a program must be based on documented procedures identifying critical business functions and the associated data and applications supporting these functions. 71% of the surveyed respondents stated that they have identified critical business functions and supporting data. 61% of the respondents indicated that they have documented procedures, with banks having the highest percentage of positive responses at 78%. Yet, only 52% indicated that their procedures are being used to identify critical functions and data. 26% of the organizations report that critical functions are identified without the benefit of standard procedures or a standard evaluation process. In addition, of the 71% having procedures in place, one-third of these state that the procedures are not used.
What Data Requires Protection?
There are two classifications of data that should be protected: critical data and data recognized as sensitive by the Privacy Act of 1974. Critical data is data identified as supporting critical applications. It should also be noted that not all data processed by a critical application are necessarily classified as critical. Classification considers such issues as the data’s necessity as input to other critical jobs within a critical application. For example, data that is created internally within a ‘job’ may not be critical, even though the ‘job’ has been identified as part of a critical application, unless it is input to another critical process.
56% of the respondents indicated that they have documented procedures for identifying sensitive and critical information. Of these, 94% indicated that the procedures are being used. While this percentage is high, results indicate that 44% of those surveyed do not use any procedures.
Off-site storage of data is recognized as a requirement by those surveyed. 89% state that they store ‘critical’ data off-site. With the lack of consistently identified critical data, concern is raised for over- and under-classified information. The implication is a problem of protecting unnecessary data and not protecting data that is critical to the survival of your business. The results potentially include the loss of truly critical data in the event of a disaster and improper use of corporate funding.
In general, organizations indicate that they classify data, with or without procedures, more frequently than they classify functions. This indicates that existing procedures may not be considering the overall corporate objectives and strategies.
As the criticality of key data is identified, the allowable risk of data loss must also be determined. Consider the loss of electronic funds transfer transactions. A single transaction may be worth millions of dollars. Technology has introduced the concept of on-line vaulting to protect individual transactions in real time. Bulk data transfer is also available to ensure rapid on-line file transfer, for example, in the event that a damaged file is retrieved for recovery purposes at a hot-site.
Of all responses, 51% indicated that they would potentially consider a requirement for on-line vaulting. Concern was noted for the current cost of the technology. As expected, the highest percentage of positive responses came from the banking and financial communities, with 74% and 70%, respectively.
Standards for this expensive technology should be based on the volume and value of transactions. An effective cost/benefit analysis should be the basis for the decision to use such technology. In the survey results, only one-third of the respondents have documented procedures to identify critical data. 27% of these organizations estimate that their organization would have a loss of revenue within twenty-four hours of an outage. Of those stating that revenue would not be affected for more than 24 hours after an outage, 31% would still consider on-line vaulting.
This analysis indicates that data security and disaster recovery managers must thoroughly consider risk analysis and cost/benefit analysis prior to the selection of technology to meet their requirements of business survival.
Crisis Management Planning
Crisis management must encompass the ‘big picture’ if the corporation is to survive. Slightly more than half (58%) of those surveyed indicated that they have a documented crisis management plan. The traditional question of how long a business can last in the event of a loss of data processing changes as we learn more about corporate dependency on data systems. The responses to this survey indicated that 36% would experience a revenue impact within 24 hours or less. A total of 61% would have revenue impacted within 72 hours and approximately 70% would be impacted within one week. These statistics have been validated by similar studies.
When considering the elements of a corporate plan, those pieces most frequently addressed are the resumption of the data systems and data communications, with more than one half of the surveys affirming plans. Concern in the corporate realm should be raised by the finding that only 38% indicated plans for voice recovery. Given the recognized need to communicate during a disaster in order to facilitate recovery, this percentage needs improvement.
Recoverability of end user centers is being increasingly recognized as critical. To recover data systems functionality without the capability of user access may render the data system useless. Yet only 30% of those surveyed indicated that they have business resumption plans for office facilities.
When considering data systems backup facilities, the largest percentage (36%) of responses indicated the use of subscription vendors for hot-site facilities. Banks topped the list with 61% using hot-site vendors. 7% of the other respondents use internal hot or cold backup sites, with 11% using internal reciprocal agreements. Only 3% utilize external reciprocal agreements.
It has been stated that more is learned from the planning process than from the plan itself. With this in mind, the testing of a contingency plan is a key to the success of its use in the event of a disaster. Of the responding organizations, plans are tested an average of three times annually. 47% of the respondents test their plans at least quarterly, and 27% test their plans twice a year.
In a proactive security environment, the single most important facet of the overall program to ensure effectiveness is employee awareness. Only 44% of the respondents indicated that they have a proactive awareness program in place. It should be noted that several respondents recognized this deficiency in their programs and indicated proposed development activities. Of those having a program, the most frequently listed key components are the existence of policy, employee training and compliance monitoring.
The information identified by this survey can assist organizations in determining how they compare to a sampling of the industry. Areas requiring particular attention include the careful identification of critical business functions and the applications and data supporting these corporate strategies. Responsibility for determining the level of protection of corporate information and systems must be placed with the managers of the business. Crisis management is a strategic business function. As a key element, information protection must be a corporate reflex, that is, an integral way of doing business.
Analyzed and prepared by Catherine W. Weyhausen, Senior Data Consultant, AT&T Data Security Services.
This article is adapted from Vol. 2 No. 4, p. 18.