
Tuesday, 28 April 2015 05:00

Technology Convergence and the Effect on Business Continuity and Operational Security in the Private Sector

Written by Robby J. Bryant, MSEM, CHPP, ABCP, ITILv3

The convergence of voice, video, and networking technologies continues to drive the consolidation of enterprise technical infrastructures in the private sector, creating significant savings as the total cost of ownership of the data center continues to decline. Mimicking this effect, the operational security and business continuity roles continue to be squeezed into a single organizational function thanks to ongoing budget cuts, reduced headcounts, the “do more with less” mentality, and the overlap of common planning and response approaches. The convergence of operational responsibilities and technical infrastructures may be problematic for regulatory compliance efforts and effective risk management, but it can pay dividends to the corporate bottom line if carefully managed across the converged landscape. Organizational continuity may soon be achieved by using holistic incident response, mitigation, recovery, and management techniques that cover security, business process resumption, and technical infrastructure recovery as a single, unified entity.

Increasing Reliance on IT

Rapid advances in networking, voice, and video technology have spearheaded the increasing reliance of organizations on their technical infrastructure, with a typical hybrid infrastructure of voice, data, and security illustrated in Figure 1.

[Figure 1: typical hybrid infrastructure of voice, data, and security]

IP telephony, IP security cameras, cloud storage, and virtualized infrastructures are now a part of the normal business process landscape. The adoption of these technologies continues to gain momentum as pricing decreases stimulate wholesale acceptance while newer products fill the distribution pipeline. This cycle forces current business continuity practitioners to account for the impact of these technical infrastructure changes and their effect on business processes throughout the enterprise. Will these changes affect the current compliance landscape, and how are they best accounted for using current change management practices? Convergence also requires analyzing the impact on the physical security landscape for potential savings through the increased use of IP-based cameras and infrastructure while managing the corresponding increase in storage requirements to retain recorded video for investigative and compliance purposes. The security manager must evaluate how this convergence can affect the operational risk footprint of the enterprise and the increased exposure to technical risks through IP-based intrusions and attacks. All-hazards planning will need to account for the loss of organizational video surveillance and the threat this may pose to employee safety in both the short and long term of an event.

Cloud-based data, software as a service (SaaS), and hosted solutions can push system recoverability into the single-digit timeframes, greatly reducing the downtime of mission essential functions (MEFs) that rely on this technology. Operational security and business continuity will be forced into strengthening their collaborative relationship with IT in order to account for all of the intricacies of this new environment and the ongoing impacts on recoverability and risk. The need for remote connectivity during a major event is a great example of the convergence of operational roles and technologies based on critical system access by enterprise essential employees. Some may argue these are considerations strictly for the IT department, but operational security and business continuity must be considered because of the impact these decisions and others have on the speed of recoverability, compliance issues, and elevated risks.

Technology Based Threats

The risk to business operations and corporate reputations from technology-based threats continues to grab headlines and keep organizational security and business continuity managers awake at night. According to a 2014 article written by Tiffany Hsu of the Los Angeles Times, the hacking of U.S. retail giant Target in late 2013 resulted in a fourth quarter slide in earnings of 46 percent, the departure of the CIO, and the exposure of more than 70 million customers’ personal data. The vulnerability of technical and communications infrastructures to malicious attacks could potentially bring down business operations for extended periods of time without a solid continuity plan in place, but this risk is not confined to the private sector data center. Public utilities are increasingly exposed to hack attempts seeking to shut down or take over community power and communications infrastructure. The Cisco 2014 Annual Security Report details that the energy, oil, and gas industry was the fourth most targeted industry for Web malware attacks. A focused denial of service attack on an IP-based security infrastructure could disable cameras and access controls enterprise-wide, allowing an attacker to easily gain access into a facility. Converged technology has pushed the security department’s video and access infrastructure into becoming merely a networking endpoint, vulnerable to the same attacks and weaknesses as the technical backbone on which it resides. Operational security and business continuity should incorporate these types of scenarios into their response, recovery, and mitigation planning toolkits to uncover gaps in operational capabilities and readiness. The single point of failure analysis will, by necessity, move into the data center to account for risks and redundancies in network firewalls, storage, system power, network routing, and IP security to close these gaps when found.

Compliance Considerations

The foundation of any good compliance or security program can be found in section 8B2.1 of the 2011 Federal Sentencing Guidelines, which states “exercise due diligence to prevent and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Compliance issues associated with technical convergence should be carefully evaluated before consolidating any existing systems or processes into the enterprise data center. Data storage for video and access control may be enhanced by converging with the corporate data center, but does this require a corresponding change in the data retention policies of the corporate compliance program in an effort to further prevent and detect criminal conduct? NFPA 1600 includes perimeter fencing, access control systems, video surveillance, and patrols as additional prevention considerations for emergency management and business continuity programs. ISO 22301 requires that enterprise business continuity plans contain procedures to protect people and facilities during a major incident, directly implying that operational security during a major incident must be maintained. Running afoul of compliance requirements during a major incident or disaster is the result of incomplete or ineffective planning, and avoiding it requires close collaboration between operational security, business continuity, and IT in a converged environment. To avoid issues with compliance, process or operational changes should be implemented through the change management program and documented in the business continuity plan and organizational SOPs. The next major business continuity exercise would be an ideal time to gauge the effectiveness of the process changes and their impact on operational security using real-world scenarios.

Risk Management in a Converged Environment

[Figure 2: risk exposure of voice and security systems in a converged environment]

The temptation to expand existing security infrastructure in a converged environment may initially be extremely high. Cheaper storage and cameras and an enterprise infrastructure now managed by IT give the impression that the sky may certainly be the limit for operational security technology. Adding technology for technology’s sake can add layers of complexity to the converged environment while increasing the exposure to risk. Figure 2 illustrates how the converged environment has increased the risk exposure for the voice and security systems if a network attack or failure were to occur.

A strategic approach to this dilemma would balance the gains to be made by implementing newer technologies with providing the security and safety that business continuity plans require during an incident. Business continuity, operational security, and IT can conduct a joint risk analysis on the transition to a converged environment and may decide that keeping a mix of newer and older technologies is a better tactic. A mixed environment will allow the use of the corporate backbone for newer IP-based cameras running in parallel with existing CCTV cameras. If a disaster strikes the converged network backbone, video surveillance will continue using the CCTV technology while avoiding continuity and compliance issues. Technology convergence decisions should seek to strike a balance between costs, risks, and compliance. The only way to ensure the correct balance is achieved is through open communication between the business units impacted by the change and the business units implementing the change.

Conclusion

Technology convergence allows organizations to consolidate multiple technical environments into a unified infrastructure capable of supporting video, voice, and data. Business continuity and operational security will certainly benefit from the advantages convergence provides, but a planned, deliberate approach will provide the greatest ROI in these operational areas. Improved RTOs and RPOs for each convergence opportunity must be evaluated against enterprise compliance, financial, and risk concerns to avoid implementation failures, unnecessary costs, or regulatory lapse. Technology convergence demands open communication and planning between business continuity, operational security, and IT to satisfy competing goals and requirements. Removing operational and information silos among competing interests provides a clearer picture of the changes technology convergence demands and the abundant benefits it may also bring.

About the Author

Robby J. Bryant is a senior IC consultant with Lorillard Tobacco Company who has gained more than 20 years of experience in business continuity, disaster recovery, and operational security while serving in various technical and leadership roles in the manufacturing, healthcare, emergency services, and consulting industries. He has a master’s degree in emergency management with a focus on business continuity and has attained CHPP, ABCP, and ITILv3 certifications.

References

Hsu, Tiffany. (2014, March 5). Target’s tech chief quits after data breach. Los Angeles Times. Retrieved from http://articles.latimes.com/2014/mar/05/business/la-fi-target-technology-20140306.

Cisco. (2014). Cisco 2014 Annual Security Report. Retrieved from http://www.isssource.com/wp-content/uploads/2014/04/042514Cisco_2014_ASR.pdf.

United States Sentencing Commission. (2011). 2011 Federal Sentencing Guidelines Manual – Chapter 8. Retrieved from http://www.ussc.gov/guidelines-manual/2011-federal-sentencing-guidelines-manual.

National Fire Protection Association. (2007). NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs. Retrieved from http://www.nfpa.org/1600.

ISO (International Organization for Standardization). (2012). ISO 22301:2012 Societal security – Business continuity management systems – Requirements. Retrieved from https://www.pea.co.th/BCM/DocLib/ISO_22301_2012.pdf.