In this Newsletter
- Is Confidential Information Protected in Your Disaster Recovery and Business Continuity Plan?
- Recent Events Highlight Shortcomings in Disaster Recovery and Business Continuity Plans
- Security Policy and Procedure Template
- Records Management Policy Template
Is Confidential Information Protected in Your Disaster Recovery and Business Continuity Plan?
Consider that much of the backup data resides in the cloud and at off-site facilities. How is access to that data controlled?
Most organizations find themselves with overly permissive access controls. Employees join and leave the organization frequently, and roles, responsibilities and project teams change just as quickly. Since it is nearly impossible to keep up with these changes manually, more access permissions end up being granted than revoked.
Any program to reduce the probability of data loss and misuse has to start with rightful and warranted access controls. Ensuring that only the right people can get to the right data at all times not only reduces the odds of misuse, it also makes any subsequent safeguards and loss prevention techniques more cost-effective and practical to deploy. Consider a folder containing confidential data. If it is open to everyone, or to a large number of individuals, then (1) anyone can access and misuse the data, and (2) access by everyone must be monitored and audited, which is not a realistic undertaking. Alternatively, limiting access to those who actually need the data, and reporting on their access patterns, is a realistic and practical way to ensure that data access permissions are not abused.
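The review described above, as an added example that is not part of the newsletter: it reconciles a confidential folder's ACL against an HR roster to find grants that drifted (leavers, role changes, "Everyone" grants), then reports access patterns only for the short list of principals who legitimately retain access. The roster, ACL and log lines are constructed sample data, and the principal names and role labels are assumptions.

```python
# Constructed HR roster and folder ACL (sample data, not from any real system).
ROSTER = {
    "alice": {"active": True, "role": "finance"},
    "bob": {"active": False, "role": "finance"},       # left the organization
    "carol": {"active": True, "role": "engineering"},  # moved off the finance team
    "dave": {"active": True, "role": "finance"},
}
ACL = {"Everyone": "read", "alice": "modify", "bob": "modify",
       "carol": "read", "dave": "read"}
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

def review_acl(acl, roster, allowed_roles):
    """Return (findings, retained): grants to revoke, each with a reason, and the
    short list of principals whose access is justified and therefore worth auditing."""
    findings, retained = [], []
    for principal, perm in acl.items():
        if principal in BROAD_PRINCIPALS:
            findings.append((principal, perm, "broad grant: folder is open to everyone"))
        elif principal not in roster:
            findings.append((principal, perm, "unknown principal: not in HR roster"))
        elif not roster[principal]["active"]:
            findings.append((principal, perm, "stale grant: account owner has left"))
        elif roster[principal]["role"] not in allowed_roles:
            findings.append((principal, perm, "role drift: current role does not need this data"))
        else:
            retained.append(principal)
    return findings, retained

# Constructed access log lines: "<date> <user> <action> <file>".
ACCESS_LOG = """2024-03-01 alice READ q3-budget.xlsx
2024-03-01 dave READ q3-budget.xlsx
2024-03-02 bob READ payroll.csv
2024-03-02 alice WRITE q3-budget.xlsx
2024-03-03 carol READ payroll.csv""".splitlines()

def access_report(log_lines, retained):
    """Count accesses per principal; flag any access by someone outside the retained set."""
    counts, flagged = {}, []
    for line in log_lines:
        _date, user, action, path = line.split()
        counts[user] = counts.get(user, 0) + 1
        if user not in retained:
            flagged.append(f"{user} {action} {path}")
    return counts, flagged

if __name__ == "__main__":
    findings, retained = review_acl(ACL, ROSTER, allowed_roles={"finance"})
    for f in findings:
        print("REVOKE", *f)
    counts, flagged = access_report(ACCESS_LOG, set(retained))
    print("audit scope:", retained, counts, flagged)
```

The retained list is the audit scope the passage calls realistic: a handful of named accounts rather than "everyone", and any access outside it is an immediate finding.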
Recent Events Highlight Shortcomings in Disaster Recovery and Business Continuity Plans
CIOs and individuals responsible for the recovery process have found that there were many partial, outdated, or ineffective disaster recovery and business continuity plans out there. Why was it so difficult to get it right?
Experts say there are 5 main reasons for this:
- Data collection: How was the data collected for the disaster recovery and business continuity plan in the first place? There was no single source for everything that was needed, particularly when trying to integrate relevant external information such as support dates, power consumption, etc.
- Data inconsistency: How do organizations handle the inherent inconsistencies in the data? For example, OS version numbers often conflict, and vendors change their product names or renumber versions over time. Normalizing the data (making it adhere to consistent rules and categories) is a cumbersome task, and the accuracy and consistency of the data needs to be reassessed at every step.
- Categorization: When CIOs want to categorize the information in the disaster recovery and business continuity plan, they have to create the taxonomy (or hierarchical categorization) for the industry data. This alone is a significant task: there are many ways to slice and dice the universe of technology products, and no standards have been defined within the
- Manageability: Any extensive technology disaster and business continuity plan is a large and complex data store. A spreadsheet is insufficient for storing and managing rich structured data for thousands of products and vendors. The disaster and business continuity plan should be able to track and maintain the complex relationships between technologies and categories (parent/child relationships, one-to-many mappings, and so on). Developing an appropriate, extensible data store is a complex undertaking.
- Maintenance: As soon as organizations have finished the disaster recovery and business continuity plan, they have to start updating it. The Information Technology industry is constantly changing, which means that the DRP / BCP work is never done. If a company goes through a massive effort to produce a disaster recovery and business continuity plan for a single business function, the value of that investment is lost if it cannot keep the plan up to date.
Security Policy and Procedure Template
Data security and protection are a priority, and this template is a must-have tool for every CIO and IT department. Over 3,000 enterprises worldwide have acquired this tool, and it is viewed by many as the industry standard for security management and compliance.
Records Management Policy Template
Experts Agree You Should Update Your Policy Annually
Records retention and destruction are mandated
Current rules and regulations regarding the protection and destruction of confidential and sensitive documents require any person or company that possesses or maintains such information to take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.
The Record Management, Retention, and Destruction policy is a detailed policy template which can be used on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description, with responsibilities, for the Manager Records Administration.