The purpose of this research is to address the reasons why cyber security should be dealt with in the company and how to integrate IT service continuity with the IT governance framework that ensures the organization’s IT infrastructure can support and enable the achievement of the organization’s strategies and objectives. IT Service Continuity aims at reducing the risks that could impact IT services, so that the minimum agreed Service Levels can be provided in support of business continuity. According to Avalution’s Perspective on Business Continuity and IT Disaster Recovery, organizations should address cyber security for many reasons, among them the following:
Preventing Data Breach
When the company’s information ends up in the wrong hands, it can cause serious and undesirable results, many of which can be avoided or mitigated by integrating the disaster recovery framework with business continuity planning.
Malware is malicious software that can open an illicit backdoor for capturing and exfiltrating information; the resulting breach can damage the company’s image and goodwill.
Industrialization of Fraud
The tactics of industrialized fraud give malicious actors backdoor access to a wide range of targets, from the credentials of account holders to personal data, which enables fraudsters to impersonate victims and organizations when applying for credit or for access to tangible assets.
Disaster Recovery / IT Service Continuity planning functions performed by staff members in the Office of the CISO
Disaster recovery is the practice of protecting an organization from the effects of negative events such as hacking or other forms of cyber attack. Staff members in the Office of the CISO are fully involved in disaster recovery planning, and their functions include:
Evaluating Physical Factors
The team is responsible for assessing the environmental factors that may have led to the occurrence of the disaster.
Evaluating the Control System
The staff is responsible for assessing their system for glitches that may have led to the occurrence of the error or failure of the same.
Assessing the severity of potential threats
The staff is involved in examining how severe each threat is and the probability of it occurring.
Impact of the risk
The team has the responsibility of identifying the impact made by the disaster and giving a report on the same.
Best Practices for Implementing Disaster Recovery / IT Service Continuity
According to Cisco (Disaster Recovery: Best Practices), disasters are not only unpredictable but also abrupt, so a Disaster Recovery plan needs to be in place before they occur. Cisco recommends, in summary, that the disaster recovery plan should:
Identify and classify the threats/risks.
At this point, the plan identifies the cause, scope, impact and likelihood of occurrence of each risk.
Define the processes that ensure continuity of the business during the catastrophe.
At this phase, the plan should provide alternative ways to ensure the business/organization continues with its normal activities while the disaster is being resolved.
Define a mechanism to get the business back to normal once the effects of the disaster have been mitigated.
As the final stage, its purpose is to enable the company to resume its normal operations and to create maintenance plans that can be used to prevent any further occurrence of the risk.
Avalution’s Perspective on Business Continuity and IT Disaster Recovery, obtained from http://perspectives.avalution.com/2013/integrating-cyber-security-and-business-continuity
Committee on National Security Systems, obtained from https://www.ncsc.gov/nittf/docs/CNSSI-4009_National_Information_Assurance.pdf
Continuity Central Archive, obtained from http://www.continuitycentral.com/feature1175.html
Cisco (Disaster Recovery: Best Practices), obtained from http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.html
ISACA, obtained from https://www.isaca.org/pages/glossary.aspx