It is good news that many organizations are jumping on the disaster recovery bandwagon. Information security and disaster recovery practitioners have clearly scored some impressive successes. Management has become more aware of the need and has begun to allocate funds for security measures that we all knew to be important but found more difficult to sell in the past.
Disaster recovery is clearly an important means of containing loss when a disaster occurs. The key phrase here is “containing loss.” In any disaster, there will be substantial losses, no matter how carefully conceived and implemented the disaster recovery plan and disaster preparedness are.
Despite the increased comfort level we can enjoy with a carefully conceived and implemented contingency plan, something is missing. The barriers to loss are still incomplete. Contingency plans are effective weapons against unmitigated loss from a disaster, but they do absolutely nothing to prevent the disaster from happening. There are also many lesser threats that never become the kind of disaster a typical disaster recovery plan is written to address. Misuse/abuse, fraud, theft of data, and data sabotage are only a few of the threats that fall into this “non-disastrous” yet potentially very costly category.
It is unquestionably worthwhile to have a tried and trusted disaster recovery plan in place. We get a warm, fuzzy feeling of security when we conduct successful disaster recovery plan tests and disaster scenarios. We are thus better prepared to cope with the real thing when it happens. But everyone hopes never to have to deal with a real disaster, and that warm, fuzzy feeling obscures the reality of potential losses that will still be incurred. Management is often particularly vulnerable to a false sense of security, especially when it has just spent tens to hundreds of thousands of dollars on disaster recovery planning--with ongoing costs of the same magnitude to keep the plan viable.
A real disaster will be costly in terms of denial-of-use (however well it is limited by the disaster recovery plan), disruption, destruction and human impact, no matter how well prepared we are. Therefore, it is clear that more should be done.
The missing link should be set in place to form a unified barrier to risk.
The missing link is Integrated Risk Management, as viewed from the information security perspective including all organizational and functional activities and controls that serve to assure the availability, integrity and confidentiality of information. Risk management is a familiar term in the insurance industry, but that definition is inadequate for the purposes of the information security practitioner and his interest in “managing” risk.
For information security purposes, risk management is the multifaceted process that includes the following:
- What can happen (threat occurrence)
- How bad will it be if it happens (consequences)
- How often will it happen (frequency)
- How certain the answers are to these questions (uncertainty)
- Identifying vulnerabilities that increase risk exposure by allowing threats to occur with greater frequency, greater consequences, or both
- Identifying cost-effective safeguards that serve to mitigate or eliminate vulnerabilities and reduce associated risk
This risk reduction is best achieved by first executing a credible risk assessment. The risk assessment supports risk avoidance/acceptance decision-making, i.e. risk management, by identifying probable loss exposures associated with the threats for which there are vulnerabilities at the target site. The complete risk assessment will also include recommendations for safeguards that cost-effectively reduce these loss exposures. The emerging concept of risk management may thus be represented as an organizational integration or coordination of classic risk management (insurance), physical security, data security and disaster recovery that enables a coherent orchestration of these often unconnected activities and their common goal of managing risk.
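The four questions above (what can happen, how bad, how often, how certain) and the safeguard selection step can be carried through as a small quantitative model. The example below is added here for illustration; it is not Ozier's method, not the output of any automated risk assessment product, and it assumes a particular simplification: annual loss exposure for each threat is taken as occurrence frequency per year multiplied by loss per occurrence, the uncertainty is carried as a low/high bound on each of those two inputs, and a safeguard is modelled as a multiplier that scales a threat's frequency or per-occurrence loss. The threat and safeguard figures are constructed sample data, not measurements.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    """One threat with bounded estimates (assumed model: frequency x consequence)."""
    name: str
    freq_low: float    # occurrences per year, lower bound
    freq_high: float   # occurrences per year, upper bound
    loss_low: float    # dollars per occurrence, lower bound
    loss_high: float   # dollars per occurrence, upper bound

    def exposure(self) -> tuple[float, float, float]:
        """Annual loss exposure as (low, expected, high).

        The expected value multiplies the midpoints of the two ranges; the
        low/high pair carries the uncertainty forward instead of hiding it.
        """
        low = self.freq_low * self.loss_low
        high = self.freq_high * self.loss_high
        mid = ((self.freq_low + self.freq_high) / 2) * ((self.loss_low + self.loss_high) / 2)
        return low, mid, high


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: annual cost plus per-threat multipliers (0..1)."""
    name: str
    annual_cost: float
    freq_factor: dict[str, float] = field(default_factory=dict)  # threat -> frequency multiplier
    loss_factor: dict[str, float] = field(default_factory=dict)  # threat -> per-occurrence loss multiplier


def apply(threat: Threat, safeguard: Safeguard) -> Threat:
    """Return the threat as it would look with the safeguard in place."""
    f = safeguard.freq_factor.get(threat.name, 1.0)
    l = safeguard.loss_factor.get(threat.name, 1.0)
    return Threat(threat.name, threat.freq_low * f, threat.freq_high * f,
                  threat.loss_low * l, threat.loss_high * l)


def total_exposure(threats: list[Threat]) -> float:
    """Sum of expected annual loss exposure across all threats."""
    return sum(t.exposure()[1] for t in threats)


def evaluate(threats: list[Threat], safeguard: Safeguard) -> dict:
    """Cost-effectiveness of one safeguard taken on its own against the whole threat list."""
    before = total_exposure(threats)
    after = total_exposure([apply(t, safeguard) for t in threats])
    reduction = before - after
    net = reduction - safeguard.annual_cost
    return {
        "safeguard": safeguard.name,
        "exposure_before": before,
        "exposure_after": after,
        "reduction": reduction,
        "net_benefit": net,
        "cost_effective": net > 0,
    }


def recommend(threats: list[Threat], safeguards: list[Safeguard]) -> list[dict]:
    """Safeguards whose annual exposure reduction exceeds their annual cost, best first."""
    results = [evaluate(threats, s) for s in safeguards]
    return sorted((r for r in results if r["cost_effective"]),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample data: three threats of the kinds the article names.
THREATS = [
    Threat("computer room fire", 0.01, 0.05, 500_000, 2_000_000),
    Threat("insider data theft", 0.5, 2.0, 20_000, 100_000),
    Threat("data sabotage", 0.2, 1.0, 50_000, 200_000),
]

# Constructed candidate safeguards (hypothetical costs and effects).
SAFEGUARDS = [
    Safeguard("fire suppression and off-site backups", 15_000,
              loss_factor={"computer room fire": 0.25}),
    Safeguard("access control and audit logging", 30_000,
              freq_factor={"insider data theft": 0.4, "data sabotage": 0.5}),
    Safeguard("round-the-clock guard service", 120_000,
              freq_factor={"insider data theft": 0.9, "data sabotage": 0.9}),
]

if __name__ == "__main__":
    for t in THREATS:
        low, mid, high = t.exposure()
        print(f"{t.name:28s} exposure/yr: low ${low:>10,.0f} expected ${mid:>10,.0f} high ${high:>10,.0f}")
    print(f"{'total expected exposure':28s} ${total_exposure(THREATS):,.0f}")
    for r in recommend(THREATS, SAFEGUARDS):
        print(f"recommend: {r['safeguard']} (net benefit ${r['net_benefit']:,.0f}/yr)")
```

Each safeguard is scored on its own; combining several requires applying them in sequence, since their multipliers interact. The low/high exposure columns are what distinguish a defensible quantitative result from a ranking: a threat whose expected exposure is modest but whose high bound is ruinous is exactly the case where management should see the spread rather than a single number.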
To make decisions whether to avoid, minimize or accept risk, management must know what the risks are, what their probable consequences (losses) are, what the vulnerabilities to risk are, and what steps can be taken to cost-effectively avoid or minimize risk. Note that risk acceptance is a legitimate management prerogative.
However, risk acceptance through ignorance of the facts has never been an acceptable excuse to executive management, the board, shareholders or constituents. The worst-case result of uninformed risk acceptance in the past has often been an unplanned and abrupt change in responsibilities. In the future, however, we will almost certainly see the Foreign Corrupt Practices Act of 1977 invoked when risks are accepted through ignorance and some substantial loss is suffered.
There is a trend toward greater government interest in the security of information in both the public and private sectors. This trend, as manifest in BC-177 (Disaster Recovery Requirements from the Comptroller of the Currency for the banking industry), OCC 220 and OCC 229, among other directives and regulations, is driven by a recognition that information processing is often critical to the successful pursuit of American business interests. The Foreign Corrupt Practices Act imposes significant penalties (felony fines and imprisonment) in the prosecution of both responsible management and the company that fail to maintain effective control over resources to the detriment of an organization and its shareholders.
While there are various ways to manage risk, the most effective approach to an Integrated Risk Management program is to establish and maintain a probabilistic risk model of the information processing environment in its broadest context. One of the best and most cost-effective tools for building, analyzing and maintaining a risk model is an automated probable risk assessment system.
Probable risk assessment does not presume to dictate whether management should avoid, minimize or accept risk. It does, however, provide management with reliable decision support information based on a defensible and substantially objective quantification of risk as opposed to a subjective qualitative ranking of risk. Therefore, with an effective Integrated Risk Management program, the information security and disaster recovery practitioner (the “risk manager”) can help management assure that risks (especially avoidable risks that could later result in disasters or other costly experiences) are not accepted through ignorance of the facts.
Yes, the contingency plan may very well “contain” losses arising from risks accepted ignorantly. But what if the disaster could--and should--have been avoided?
Will Ozier is President of Ozier, Perry & Associates.
This article is adapted from Vol. 3 No. 1, p. 40.