There are many risks associated with keeping a business running. In this video, you’ll learn about business risk and some of the continuity plans that should be included in a comprehensive business risk analysis.
As a network professional, we also have to be very aware of network security. So in this video, we’ll look at some of the things that you have to keep in mind when dealing with the risk associated with your business.
One of the most important aspects of your job is to keep the business running. The continuity of your business becomes extremely important across every part of what you do as an organization. Many of these business processes that we use are completely interrelated with each other, especially when we talk about how the technology affects them. For example, HR is going to drive payroll. Your IT systems provide the payroll system in use. And, of course, accounting is providing the money that’s going into that payroll system. All of those systems have to work together so that you’re able to pay people every couple of weeks. This is just one example of the ways that you have to keep your business systems running all the time.
It’s relatively obvious that, these days, practically every part of the organization has some type of connection back to information technology. So if you want to build a business continuity plan, you’re going to need to involve every different department in the organization to make sure that all of their systems remain up and running.
This isn’t going to be an easy process. Every organization is a little bit different in how it’s organized and how it works, but you’re going to need to document everything that the company does and find out how you can keep that up and running from a technology perspective. These business continuity plans really become valuable when there’s a disaster. Whether it’s a small disaster or a large one, you’re going to need some way to keep the business up and running. If you’re a relatively large organization, and you’ve got locations in other cities or even other countries, you might even need to use third parties to help you manage this disaster recovery process.
In most cases, you follow this disaster recovery plan when a disaster is called. Whether it’s a small disaster or large disaster, somebody has to make the decision to put this disaster recovery plan into action. And if this is a relatively large disaster, you may be dispatched to another facility. You may have to get that facility up and running with all of your IT systems so that your business can continue operating.
Recovering from a disaster can be one of the most challenging things you do in technology. That’s why it makes sense to plan ahead so that all of these different variables can be covered during this disaster recovery process.
Perhaps one of the most common disasters that can occur, and perhaps one of the easiest ones to circumvent, is a power outage. The way that we get around power outages is with an uninterruptible power supply, or a UPS. This will provide you with backup power for a certain amount of time, and that will depend on just how large the UPS system happens to be. This will protect you against outages, brownouts, surges, or any other power-related issue.
You’ll generally have three different kinds of UPSs to choose from. The first is the standby UPS. With a standby UPS, the UPS is not doing anything at all until power is lost; it then recognizes there’s no more power, and the batteries kick in. So there’s a time delay between the time when you lose power and the time that power is being provided by the battery.
A more flexible type of UPS is the line-interactive UPS. With a line-interactive UPS, you’re able to cover brownouts and surges, because it’s able to adjust the power output based on what it’s seeing on the power line itself.
And a UPS that is always on and available is the online UPS. It’s one that’s always providing you with power through the batteries of the UPS and is constantly recharging the batteries from the power that’s coming in on the line. That way, if you have a power outage, there’s no switching over to the battery backup, since you’re always running on that battery power.
There are many different functions and features available on UPSs, depending on which one you buy. Many come with an auto shutdown function. If the UPS recognizes that there’s no power coming from the power line, it can send a message to your servers to automatically and gracefully shut down before the batteries run out of power.
You can get different battery capacities for these UPSs. There might be a different number of outlets, depending on the model you choose. Some will even provide phone line or cable modem surge suppression so that you can prevent spikes or surges from coming through those links as well.
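The auto shutdown function described above is, at its core, a decision based on a few UPS readings: are we on battery, and how much runtime is left? Here is an added example (not from the video or from any UPS vendor) of that decision logic in Python. It assumes the status is read in the `key: value` style that Network UPS Tools’ `upsc` prints (`ups.status`, `battery.charge`, `battery.runtime`); the thresholds and the three sample readings are constructed for the example, and the block only reports what it would do rather than actually powering anything down.

```python
"""Decide whether a server should gracefully shut down based on UPS status.

Added example. The input format mirrors the `key: value` lines printed by
Network UPS Tools' `upsc` (an assumption about how the UPS is exposed); the
sample readings and thresholds below are constructed, not measured.
"""
from dataclasses import dataclass

# Constructed sample readings. "OL" = on line, "OB" = on battery, "LB" = low battery.
ON_LINE = """battery.charge: 100
battery.runtime: 2400
ups.status: OL
"""

ON_BATTERY_HEALTHY = """battery.charge: 85
battery.runtime: 1800
ups.status: OB DISCHRG
"""

ON_BATTERY_LOW = """battery.charge: 15
battery.runtime: 240
ups.status: OB DISCHRG LB
"""


def parse_ups_status(text: str) -> dict:
    """Turn 'key: value' lines into a dict; lines without a colon are ignored."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            status[key.strip()] = value.strip()
    return status


def _int_field(status: dict, key: str) -> int:
    """Read a numeric field; a missing or garbled value counts as zero so that,
    on battery, bad telemetry leads to a clean shutdown rather than a crash."""
    try:
        return int(status.get(key, "0"))
    except ValueError:
        return 0


@dataclass
class Decision:
    shutdown: bool
    reason: str


def should_shutdown(status: dict, min_runtime_s: int = 300, min_charge_pct: int = 20) -> Decision:
    """Shut down only when on battery AND the UPS says (or the numbers say) time is short."""
    flags = set(status.get("ups.status", "").split())
    if not flags:
        # Unreadable status: do not guess, but make it visible to an operator.
        return Decision(False, "ups.status unavailable; check UPS monitoring")
    if "OB" not in flags:
        return Decision(False, "on utility power")
    if "LB" in flags:
        return Decision(True, "UPS reports low battery")
    runtime = _int_field(status, "battery.runtime")
    charge = _int_field(status, "battery.charge")
    if runtime < min_runtime_s:
        return Decision(True, f"runtime {runtime}s is below the {min_runtime_s}s threshold")
    if charge < min_charge_pct:
        return Decision(True, f"charge {charge}% is below the {min_charge_pct}% threshold")
    return Decision(False, f"on battery with {runtime}s of runtime remaining")


if __name__ == "__main__":
    for name, sample in [("on line", ON_LINE),
                         ("on battery, healthy", ON_BATTERY_HEALTHY),
                         ("on battery, low", ON_BATTERY_LOW)]:
        d = should_shutdown(parse_ups_status(sample))
        action = "would issue graceful shutdown" if d.shutdown else "no action"
        print(f"{name:22s} -> {action} ({d.reason})")
```

The two thresholds are the knobs to tune against your own hardware: the runtime threshold has to be longer than the time your servers actually need to flush and halt, and the charge threshold is the backstop for UPSs whose runtime estimate is unreliable.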
When you’re thinking about business risk, one of the things that you have to consider is what you do when an incident occurs. One of the most important people that responds to an incident is the one that gets there first. That first responder will have some very specific roles tasked to them, and you’re usually documenting this in your incident response policy.
One of the roles of the first responder is to limit the amount of damage in a particular incident, whether that’s limiting it at a technological level or even at a physical level, so there will be some type of perimeter around the incident. But the first responder also has to be very careful not to damage anything. There’s important evidence that may be inside of this particular incident area, and you want to be sure that that remains intact for the investigation.
The first responder is also responsible for informing others of the incident. So there’s generally a formal process of who gets notified first, and there’s usually a formal call sheet of exactly who to contact in case of an incident.
In our networks today, data breaches are unfortunately becoming much too common. This data that’s inside of your organization is valuable. It may be valuable to many different people. It may be valuable to different companies. But the bad guys want that information, and they’re going to get inside of your network, grab that data, and take that data outside of your control. It’s very difficult to recover data once it gets outside of your control. Once the data breach has happened, the data will be copied. It will be transferred to other third parties. So it’s difficult to bring all of that back and now prevent that from occurring. Once it’s out, it’s out, and there’s no going back.
If you identify a data breach, you then need to understand the scope of that breach. Was it just a few records of data, or was it your entire customer database? And that may be difficult to determine until you look through log information and try to piece together exactly how that person got into the network and how the data was able to be removed.
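Piecing together the scope of a breach from log information is mostly a matter of isolating the suspect activity and counting what it actually touched. The following is an added example, not part of the video, that does that over a handful of constructed web-API access log lines (the format, the `/api/customers/...` paths, the documentation-range IP addresses and the account names are all invented for the example). It separates failed attempts from successful reads, counts the distinct records retrieved, and flags a bulk export, which is the case where the answer to "a few records or the whole database?" is the whole database.

```python
"""Scope a suspected data breach from access log lines.

Added example with constructed log lines. Format (invented for this example):
    <ISO timestamp> <client ip> user=<account> <method> <path> <status> <bytes>
"""
import re
from datetime import datetime

# Constructed sample log. 203.0.113.45 is the suspect client; the others are normal users.
SAMPLE_LOG = """\
2024-03-02T02:14:01Z 192.0.2.10 user=alice GET /api/customers/20017 200 804
2024-03-02T02:14:03Z 203.0.113.45 user=- GET /api/customers/10442 401 0
2024-03-02T02:14:07Z 203.0.113.45 user=svc_report GET /api/customers/10442 200 812
2024-03-02T02:14:09Z 203.0.113.45 user=svc_report GET /api/customers/10443 200 799
2024-03-02T02:14:10Z 203.0.113.45 user=svc_report GET /api/customers/10443 200 799
2024-03-02T02:15:30Z 203.0.113.45 user=svc_report GET /api/customers/export?format=csv 200 5213987
2024-03-02T02:16:02Z 192.0.2.11 user=bob GET /api/customers/20018 200 811
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
RECORD_RE = re.compile(r"^/api/customers/(?P<id>\d+)$")   # one customer record per request
BULK_PATHS = {"/api/customers/export"}                      # one request = the whole table


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped rather than aborting."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["bytes"] = int(ev["bytes"])
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def scope_breach(events: list, suspect_ip: str) -> dict:
    """Summarize what one client address successfully retrieved."""
    scope = {"records": set(), "bulk_export": False, "bytes": 0,
             "failed_attempts": 0, "accounts": set(),
             "first_seen": None, "last_seen": None}
    for ev in events:
        if ev["ip"] != suspect_ip:
            continue
        ts = ev["ts"]
        scope["first_seen"] = ts if scope["first_seen"] is None else min(scope["first_seen"], ts)
        scope["last_seen"] = ts if scope["last_seen"] is None else max(scope["last_seen"], ts)
        if ev["status"] >= 400:
            scope["failed_attempts"] += 1   # nothing was returned, but it shows intent and timing
            continue
        scope["accounts"].add(ev["user"])   # which credential the attacker was using
        scope["bytes"] += ev["bytes"]
        path = ev["path"].split("?", 1)[0]  # drop the query string before matching
        m = RECORD_RE.match(path)
        if m:
            scope["records"].add(m.group("id"))   # a set, so repeat reads are not double counted
        elif path in BULK_PATHS:
            scope["bulk_export"] = True
    return scope


def summarize(scope: dict) -> str:
    """Render the scope as the one-paragraph answer the incident lead will ask for."""
    if scope["bulk_export"]:
        extent = "a bulk export (treat the entire customer table as exposed)"
    else:
        extent = f"{len(scope['records'])} individual customer record(s)"
    return (f"{extent}; {scope['bytes']} bytes returned via account(s) "
            f"{sorted(scope['accounts'])}; {scope['failed_attempts']} failed attempt(s); "
            f"active {scope['first_seen']} to {scope['last_seen']}")


if __name__ == "__main__":
    print(summarize(scope_breach(parse_log(SAMPLE_LOG), "203.0.113.45")))
```

Two details matter in practice: match on the path without its query string, or an export with a different `?format=` value slips past the bulk-export check, and count by distinct record identifier rather than by request, or repeated reads inflate the number you report.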
For your security team to be able to do their job, they need very specific policies, not just policies that they are setting inside of their part of the organization, but policies that will be followed by the entire company. Your security policies are going to be very broad. They’re going to cover not just the technologies in place, but the processes in place. What do you do when someone’s hired? What happens when someone leaves the organization? How do you handle people that are connecting to the network from outside using a VPN? How do you handle communications to other third parties? These policies can be very, very broad, and so you’ll want to spend a lot of time going through the specifics of how you want to set the policies in your organization.
There will generally be policies for our human resources so we know what to do when someone is hired or when they leave the organization, or what happens to the user’s data once they’re working for the company. You might also want to consider the business policies. We’ll want to understand how we control and manage our business data. We also want to think about things like certificate policies, which are very technical, but they handle all of the encryption for our web servers and therefore have to be managed in a particular way. And we’ve already talked about the importance of incident policies, so that if there is a security incident, we know exactly how to handle it.
It doesn’t do any good if we create all these policies, and then nobody knows what the policies are. We can, of course, put all of the policies out on our intranet. They can be made available as PDFs. People can download and read them, but nobody’s really going to go through that process. Instead, perhaps, some formal training would be in order. You can get people into a room and give them a summary of the policies and what is expected of them as an employee. Plus, they get to meet you as a security professional or a network team person so that they know who to talk to if they ever have questions about the security of the organization.
You’ll want to provide them with best practices: how to handle viruses and malware, what the company policy might be when a visitor comes, and any other policies that might affect them when they’re working in their particular role. If this is something that is specific to them, you may even want to have one-on-one training, especially if it’s a mobile user, or training by department, because the HR department might have different security requirements than the accounting department.
But the important part is that you’re able to provide the end users with an expectation of what’s needed and the importance of keeping their eye on the security of their data.