I’d like to share answers to questions recently asked about disaster recovery.
1. What advice would you give to tie cybersecurity protection and IT disaster recovery together for business continuity?
There are a number of activities performed by the IT operational group within an organization that deal with Disaster Recovery. They include performing data backups, using primary/backup datacenters, and replicating data to backup datacenters. In many situations, determining the criticality of systems to determine what gets backed up and how often it gets backed up is done in an ad hoc manner and not driven by a sound set of risk management principles. Developing and implementing a formalized Business Impact Analysis process will allow a company to get inputs from the business departments (as to what’s important) and help justify all the decisions made with respect to the following:
- Recovery Time Objective (RTO) or how much time before failure of the system hurts business
- Recovery Point Objectives (RPO) or how much data (in time) can the company afford to lose
- Redundancy strategies
- Backup frequencies
The criticality of a given system drives these decisions. So, if a system were to fail or otherwise be impacted by an incident, a sound plan can be established to either:
- Automatically failover to a redundant system with replicated data
- Obtain and restore from backup at a backup datacenter location
- Obtain and restore from backup at the primary datacenter location
2. How can one use Disaster Recovery-as-a-Service to protect against or solve for security incidents?
DRaaS is not necessarily a new thing. Datacenter service providers have other companies have offered DR services like hot sites, warm sites, and even cold sites for years. The problem has always been a balance of the cost of having a hot site or mirrored image of the system and being able to automatically failover versus the cost of having a warm site (location with equipment but the systems and backup data will have to be loaded) or a cold site (building only). Using a DRaaS provider allows a company to utilize a cloud-based virtualized configuration (hot or warm site) with a much less reduced cost. If as particular system were to fail or otherwise be impacted by an incident, the DRaaS provider could be used to bring up the impacted system in a quicker manner than having to go through the manual process to (1) obtain the backup tapes, (2) move them to the backup site, (3) configure the systems, (4) load the backups, (5) test that the backup and system are fully operational, and (6) point all other systems to the backup system.
3. How can IT disaster recovery and a strong cybersecurity plan complement each other to protect sensitive data?
Establishing a formalized Business Continuity and Disaster Recovery process, driven by a well-maintained Business Impact Analysis process, can ensure that all activities associated with a given disaster (i.e., including failed systems, security incidents, or even natural disasters) can be accomplished based on proper planning and sound decision-making.
Based in the Philadelphia area, Jeff VanSickel is a seasoned Information Security Professional with over 20 years’ experience in the areas of Information Security, Information Technology, Audit Compliance, Risk and Project Management. Jeff, being a Payment Card Industry (PCI) Qualified Security Assessor (QSA), a certified CISSP and CISM, he is highly knowledgeable about US Federal and State Law (including SOX, HIPAA, GLBA and Breach Law), US Regulations, ISO-27001/2, NIST, and PCI-DSS.