Many enterprises blend their disaster recovery and security recovery plans into a single, neat, easy-to-sip package. But does this approach make sense?
Not really, say a variety of disaster and security recovery experts, including Marko Bourne, who leads Booz Allen’s emergency management, disaster assistance and mission assurance practice. “Security and disaster plans are related, but not always the same thing,” he observes.
“The most obvious difference is that disaster recovery is about business continuity, whereas information security is about information asset protection,” he notes. “The less evident aspect is that security incident response often requires detailed root cause analysis, evidence collection, preservation and a coordinated and, often, stealthy response.”
A security recovery plan is designed to stop, learn, and then correct the incident. “A disaster recovery plan may follow similar steps, but nomenclature would not likely use ‘detection’ to describe a fire or flood event, nor would there be much in the way of analytics,” says Peter Fortunato, a manager in the risk and business advisory practice at New England-based accounting firm Baker Newman Noyes. “Further, not many disasters require the collection of evidence.”
Stitching together complex security and disaster recovery rules and procedures can also result in the creation of a needlessly bulky, ambiguous and sometimes contradictory document. “If you try to combine processes and resources into a single plan, it can muddy the waters, oversimplifying or overcomplicating the process,” states Dan Didier, vice president of services for GreyCastle Security, a cybersecurity services provider.
Recovery strategies should be developed to anticipate the loss of one or more of the following system components:
• Computer room environment (secure computer room with climate control, conditioned and backup power supply, etc.)
• Hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals)
• Connectivity to a service provider (fiber, cable, wireless, etc.)
• Software applications (electronic data interchange, electronic mail, enterprise resource management, office productivity, etc.)
• Data and restoration
As with any Disaster Recovery programme, a Cyber-Compromised Data Recovery programme should be formally established and tested regularly to assure people, processes and capabilities are well understood and will enable a successful recovery when needed. Organisations should establish a discipline of frequent testing with varying scope and situational parameters that would include participation from various business disciplines and stakeholders. A data-compromising cyberattack can happen to any organisation, so it is imperative to establish plans and capabilities in advance that reduce data loss risk and enable timely recovery of the most current data possible.