Quantech Discourse

. . . using electrons to deliver knowledge

The Right Questions

Every day, computer systems, networks, and electronic data are under attack. The question is not if, but when a network will be the victim of an attack. A network can be attacked, not only from outside the perimeter, but internally as well, through unsecured access points, rogue user accounts, and disgruntled employees.

More and more personal data is stored in electronic format on servers and hard drives around the world, for a multitude of reasons. Financial reports, credit card numbers, private health data, legal judgments, intellectual property, client lists, and a variety of proprietary information are just a few examples of what is archived electronically every day by millions of businesses. In recent years, companies that failed to protect information faced intimidating charges, expensive lawsuits, increased regulation, and in some cases, financial ruin.

The risks are real, and the solutions require a delicate balance between the costs of doing business and the competitive advantage associated with maintaining efficient data sets that use secure workflows.

Risk Planning requires that attention be paid to the type of information a company must maintain, and the means by which that data is managed. Security and continuity are critical parts of this plan. Answers to the following key questions should be included in such a plan:

Who are the primary contacts in an emergency and in what priority?

What are the critical systems that must be restored first? Who will restore them? How?

What failsafe systems do you still need to implement so the right people have access to the right information when needed?

October 12th, 2009 by Quantech Corp.
Posted in Management | Comments Off

Risk Response Strategies

Risk response strategies are best defined as the efforts taken to lessen the likelihood or consequences of a threat. A business can use several strategies to reduce a risk once it has been identified. Risk response strategies depend mostly on a company’s “risk appetite”, which is to say exactly how much risk a firm can reasonably assume. For example, if a company is dependent on critical data warehoused on servers, without which the company cannot operate, the risk of losing that data is great, and thus a proper strategy must be put into place.

Avoidance

Risk avoidance can be described as the action that avoids any exposure to risk whatsoever. For example, if you wanted to avoid the risk of electronic data loss, you would minimize the amount of data stored electronically and keep traditional paper files. In this example, a risk avoidance strategy can be difficult, expensive, and inefficient, yet effective.

Transference

Risk transference involves passing off risk to an independent third party. The most common implementation of this strategy is encapsulated in an outsourcing relationship. In exchange for transferring risk, another entity is compensated in order to assume any risk. This is the case for any technology company that handles the confidentiality, integrity, and availability of information on behalf of its clients.

Acceptance

Risk acceptance occurs when a company believes that either (1) risk does not pose a significant threat or (2) the predicted consequences of the occurrence of a threat are within a tolerable level. In order to pursue a risk acceptance strategy, due diligence is critical because it is the only means to obtain the razor-sharp insight necessary to make use of this strategy. This due diligence includes thorough risk assessment and impact analysis. Risk acceptance in the context of organizational information requires that a company know how much data may be lost within a given window of time between periodic backups of that data. Acceptance does not mean neglect and should be evaluated along with other mitigation options over the long term.

Mitigation

Risk mitigation is the most common risk response strategy. It combines pieces of an avoidance strategy, transference strategy, and acceptance strategy. This combination allows a company to best devise a response given that company’s unique needs. Ultimately, combining strategies lowers the probability of a risk occurring, reduces the effects of a threat when a risk does occur, and identifies actionable responses to any risk event.

July 28th, 2009 by Quantech Corp.
Posted in Strategy | Comments Off

Business Continuity Defined

Over the past three and a half decades, the mindset for Business Continuity Management has evolved from technology-centric (protection of solely information systems), to audit-centric (protection by means of accountability), to value-based (protection of general needs both internally and externally as defined by an organization). While no longer the only focal point in Business Continuity Planning, information technology still plays a significant role.

A Business Continuity Plan, the byproduct of Business Continuity Management efforts, is a document defining the processes and procedures an organization will follow in response to interruption of normal operations. The purpose of a Continuity Plan is to minimize an organization’s operational risk.

Although all plans may be similar in structure, the content is entirely unique. The content of a plan depends on an organization’s individual needs. Many organizations are, of course, subject to the same government regulation, but each organization differs in its tolerance for downtime, loss of information, and rework. Careful analysis can help determine an organization’s tolerance by assessing responses to various risk scenarios.

Discontinuity or downtime of mission-critical systems can threaten the ability to transact business. This may be intolerable, but no less so is the unanticipated additional cost of recovery in terms of time, money, and resources. Continuity planning provides greater control over the unexpected by documenting mitigation procedures used as a contingency in the event a potential risk becomes a reality.

June 18th, 2009 by Quantech Corp.
Posted in Management | Comments Off