DATA SYSTEMS SECURITY AND

CONTINGENCY PLANNING

Survey Results from the First International Disaster Recovery Symposium & Exhibition, Atlanta - September, 1989

By Catherine W. Weyhausen

Approximately 450 surveys were distributed to the attendees at the conference. The following is the outcome of the survey analysis.

Corporate Crisis Management is based on a solid program of information protection, strategic business continuity planning, and identification, organization, and protection of communications links.
Each element of corporate crisis management must be addressed as a component of an overall strategy to ensure business survival. Protection of critical information includes the backup of critical functions and supporting data, as well as the securing of sensitive information. Business planning recognizes and addresses all critical business components. This includes traditional data center recovery and also the end user office environment, particularly information communications centers. Such centers provide voice and data communications both within a company and to customers. For example, a clerk who answers incoming customer phone inquiries and provides responses to the status of a client account via on-line data base queries uses both voice and data communications. And the third component, communications links, ensures both internal communications channels for subject matter experts, public relations, and executive decision makers to coordinate and assist with potential crises, as well as links to the public to ensure an intentional, accurate flow of information. Of course, the inclusion of the actual voice and data communications links is the key to this component.
During the September Disaster Recovery Conference in Atlanta, AT&T Data Security Services conducted a survey of more than one hundred and forty attendees focusing on data systems security and contingency planning. Organizations participating in the survey represented manufacturing, banking, financial, service, various levels of government, telecommunications, medical, education, research and a variety of other fields. The largest group of responses were from the first five categories. The statistics and resulting analysis that follow will allow organizations to compare their data security and contingency planning programs to the cross section of organizations that responded to this survey.
The first element of a solid corporate information protection program has been identified above as the consistent implementation of the program. To ensure consistency, such a program must be based on documented procedures identifying critical business functions and the associated data and applications supporting these functions. 71% of the surveyed respondents stated that they have identified critical business functions and supporting data. 61% of the respondents indicated that they have documented procedures, with banks having the highest percentage of positive responses at 78%. Yet, only 52% indicated that their procedures are being used to identify critical functions and data. 26% of the organizations report that critical functions are identified without the benefit of standard procedures or a standard evaluation process. In addition, of the 71% having procedures in place, one-third of these state that the procedures are not used.

What Data Requires Protection?

There are two classifications of data that should be protected: critical data and data recognized as sensitive by the Privacy Act of 1974. Critical data is data identified as supporting critical applications. It should also be noted that not all data processed by a critical application are necessarily classified as critical. Classification considers such issues as the data’s necessity as input to other critical jobs within a critical application. For example, data that is created internally within a ‘job’ may not be critical, even though the ‘job’ has been identified as part of a critical application, unless it is input to another critical process.
56% of the respondents indicated that they have documented procedures for identifying sensitive and critical information. Of these, 94% indicated that the procedures are being used. While this percentage is high, results indicate that 44% of those surveyed do not use any procedures.
Off-site storage of data is recognized as a requirement by those surveyed. 89% state that they store ‘critical’ data off-site. With the lack of consistently identified critical data, concern is raised for over and under classified information. The implication is a problem of protecting unnecessary data and not protecting data that is critical to the survival of your business. The results potentially include the loss of truly critical data in the event of a disaster and improper use of corporate funding.
In general, organizations indicate that they classify data, with or without procedures, more frequently than they classify functions. This indicates that existing procedures may not be considering the overall corporate objectives and strategies.

On-line Vaulting

As the criticality of key data is identified, the allowable risk of data loss must also be determined. Consider the loss of electronic funds transfer transactions. A single transaction may be worth millions of dollars. Technology has introduced the concept of on-line vaulting to protect individual transactions in real time. Bulk data transfer is also available to ensure rapid on-line file transfer, for example, in the event that a damaged file is retrieved for recovery purposes at a hot-site.
Of all responses, 51% indicated that they would potentially consider a requirement for on-line vaulting. Concern was noted for the current cost of the technology. As expected the highest percentage of positive responses came from the banking and financial communities, with 74% and 70%, respectively.
Standards for this expensive technology should be based on the volume and value of transactions. An effective cost/benefit analysis should be the basis for the decision to use such technology. In the survey results, only one-third of the respondents have documented procedures to identify critical data. 27% of these organizations estimate that their organization would have a loss of revenue within twenty-four hours of an outage. Of those stating that revenue would not be affected for more than 24 hours after an outage, 31% would still consider on-line vaulting.
This analysis indicates that data security and disaster recovery managers must thoroughly consider risk analysis and cost/benefit analysis prior to the selection of technology to meet their requirements of business survival.

Crisis Management Planning

Crisis management must encompass the ‘big picture’ if the corporation is to survive. Slightly more than half (58%) of those surveyed indicated that they have a documented crisis management plan. The traditional question of how long a business can last in the event of a loss of data processing changes as we learn more about corporate dependency on data systems. The responses to this survey indicated that 36% would experience a revenue impact within 24 hours or less. A total of 61% would have revenue impacted within 72 hours and approximately 70% would be impacted within one week. These statistics have been validated by similar studies.
When considering the elements of a corporate plan, those pieces most frequently addressed are the resumption of the data systems and data communications, with more than one half of the surveys affirming plans. Concern in the corporate realm should be raised by responses indicating that only 38% indicated plans for voice recovery. With the recognition of the requirement to communicate during a disaster in order to facilitate recovery, this percentage needs improvement.
Recoverability of end user centers is being increasingly recognized as critical. To recover data systems functionality without the capability of user access may render the data system useless. Yet only 30% of those surveyed indicated that they have business resumption plans for office facilities.
When considering data systems backup facilities, the largest percentage (36%) of responses indicated the use of subscription vendors for hot-site facilities. Banks topped the list with 61% using hot-site vendors. 7% of the other respondents use internal hot or cold backup sites, with 11% using internal reciprocal agreements. Only 3% utilize external reciprocal agreements.
It has been stated that more is learned from the planning process than from the plan itself. With this in mind, the testing of a contingency plan is a key to the success of its use in the event of a disaster. Of the responding organizations, plans are tested an average of three times annually. 47% of the respondents test their plans at least quarterly, and 27% test their plans twice a year.

Employee Awareness

In a proactive security environment, the single most important facet of the overall program to ensure effectiveness is employee awareness. Only 44% of the respondents indicated that they have a proactive awareness program in place. It should be noted that several respondents recognized this deficiency in their programs and indicated proposed development activities. Of those having a program, the most frequently listed key components are the existence of policy, employee training and compliance monitoring.

Summary

The information identified by this survey can assist organizations in determining how they compare to a sampling of the industry. Areas requiring particular attention include the careful identification of critical business functions and the applications and data supporting these corporate strategies. Responsibility for determining the level of protection of corporate information and systems must be placed with the managers of the business. Crisis management is a strategic business function. As a key element, information protection must be a corporate reflex that is, an integral way of doing business.

Analyzed and prepared by Catherine W. Weyhausen, Senior Data Consultant, AT&T Data Security Services.

This article adapted from Vol. 2 No. 4, p. 18.

Disaster Recovery Worldİ 1999, and Disaster Recovery Journalİ 1999, are copyrighted by Systems Support, Inc. All rights reserved. Reproduction in whole or part is prohibited without the express written permission form Systems Support, Inc.