Technical

How do I rate / evaluate / audit my data center?

I would recommend you partner with your internal audit department.  They can help you understand what they would be looking for.

~ Beth Epstein, MA, CBCP, MBCI

The Uptime Institute established the criteria for Data Center ranking. I'd start by reviewing their tier levels and develop an understanding of what the various rankings require. Measure your facility against that criteria and build a gap report from the results. It's also helpful to have an idea of what type of performance you require from your Data Center.

~ Patrick Ridder, MBCP, MBCI, CHPCP  
ISO 22301 Lead Auditor

My company is considering building a new data center. I may be assigned as the project lead - HELP!

Take a deep breath - you'll do great!

~ Stacie J Herzog, CBCP, MBCI

I have been hearing a lot about ISO certifications and my manager asked me to do some research on the topic. What are the benefits of pursuing a certification for the organization? Which certifications are the most recognized?

This is a tough one.  Make the effort to research what is involved with ISO certification and investigate why the organization is considering certification.  Audit?  Reputation?  Bragging rights?  Insurance?

~ Beth Epstein, MA, CBCP, MBCI

Organizational certifications indicate that you've taken all the necessary steps to embrace an industry standard. An organization making a commitment to this depth has taken the necessary steps to help ensure their commitment will outlast the individual contributors or management. To Beth's point, you should also understand WHY you're considering certification first. Once you're ready to commit, the standards align with specific disciplines within an organization. Areas such as BCM, Data Security, Supply Chain and others all have specific standards that can provide certification options. The International Standards Organization (ISO) is well recognized and provides (for a fee) comprehensive and well documented standards for consideration.

~ Patrick Ridder, MBCP, MBCI, CHPCP
ISO 22301 Lead Auditor


What certifications do you see as the most valuable to my career in information security?

The most popular site for certification is http://www.isaca.org

~ Beth Epstein, MA, CBCP, MBCI

I have worked in IT my entire career and now have been assigned to develop business continuity plans. What do I need to consider? Help!

You've gone from the frying pan into the fire my friend. Although IT will remain a focus in your efforts, you'll need to adopt a much broader scope of awareness. When you speak of "business continuity", that responsibility extends well beyond the boundaries of IT and technical solutions. You'll need to consider risks to facilities, personnel, processes, supply chain, basically anything that might interrupt the normal operation of your business. I would suggest you consult with some of the resources available on the DRJ website as a start. Then consider joining up with your local chapter of the Association of Contingency Planners.  These two actions will help move you forward very quickly in terms of knowledge.

~ Patrick Ridder, MBCP, MBCI, CHPCP
ISO 22301 Lead Auditor

Keep it simple.  There are a number of sources you can find on the internet.  Best place to start is https://drii.org/. Check out the “Resources” section and review the “Professional Practices”. It’s a great starting point and you can have the flexibility to evolve and mature your plans.  Another great website is http://www.drj.com

~ Beth Epstein, MA, CBCP, MBCI

Welcome to the world of man vs machine.  You will need to consider anything that can impact what a person does.  What are the threats and vulnerabilities?  Just to get you started, consider what the business processes are that are conducted by the employees, upstream and downstream dependencies, third party risks, required resources, regulatory requirements, types of scenarios, etc...the list goes on.  A great place to start is the DRJ website.  Reach out to the contacts listed!

~ Stacie J Herzog, CBCP, MBCI

Don't feel alone is my first piece of advice!  Most BC Planners started their career working in IT in some capacity or another.  My second piece of advice is to remember:  IT provides the Technological Resources for the recovery.  Your Business Operational Teams provide the business knowledge required to accept the recovered environment and get the business back up and running again.  And finally, attend a BC Planning course, such as those offered by BCI or DRII.  Gaining an understanding of the Business Impact Analysis, and making sure your Business Operational Units complete a BIA, is a critical step in development of a BC Plan.

~ Colleen Huber, CBCP, MBCI, CBRM
Manager, BCP & IT Development

I am new to business continuity. I work for a small company and have been assigned to develop contingency plans for the organization. We have some IT technology plans in place and that seems to be acceptable to our management. So where do I start?

Without knowing it, you just answered your own question. You’re making an assumption that the IT plans “seem” to be adequate to your management. Step one, VALIDATE that assumption. It might be a fact that your management doesn’t understand the depth and complexity of improving your organization's resilience. Meet with your management. Give credit for what has been done and identify for them the gaps in the process. Help them understand that the IT plans might not be adequate when the impact reaches beyond the walls of the Data Center.

~ Patrick Ridder, MBCP, MBCI, CHPCP
ISO 22301 Lead Auditor

IT Disaster Recovery Plans would be a good start in the BCM journey. The company would require additional procedures to supplement that are business and personnel related.

  • Workflow recovery
  • Desktop recovery
  • Physical Documentation recovery
  • Crisis management and communications
  • Emergency response
  • Incident Escalation

~ Andrew Lee

Don’t just view with a technology lens. Look at the people, location and processes. Perhaps an organizational chart will be a good start, so you can build plans from that. The org chart will identify (hopefully) who does what, where, etc.

~ Beth Epstein, MA, CBCP, MBCI

Start looking at what the people do that use this technology. Identify what business processes they do, where they do them, what regulatory requirements they have, SLAs, predecessors, etc. Once you've identified these, continue looking at other areas that may not have an IT technology plan but are dependent on the business areas you started with. Eventually, take a look at the organizational chart and map it out to ensure you have identified all the business processes that are conducted for your company.

~ Stacie J Herzog, CBCP, MBCI

Once IT Recovery is complete, the Business Units will need to verify the recovered environment and "accept" the recovery. To accomplish this, Business Units document their Business Resumption Plans, or Business Recovery Plans. A good way to start this is to work with your Business Operations Staff to identify their most Critical Business Processes - these are the processes that need to be back up and running or you could sustain irreparable damage to your organization's Image, Brand or Reputation.

~ Colleen Huber, CBCP, MBCI, CBRM
Manager, BCP & IT Development