
Secure Recovery
Security during an incident should always be part of the initial Business Continuity Planning process says TMC's Paul Maloney
When recovering from a disaster that interrupts your business, security is sometimes the last thing on everyone's mind. Speed, urgency and the desire to get the business up and running become the main priorities, and security comes a lowly fourth, if it features at all.
Security during an incident should be part of the initial Business Continuity Planning process. The process of Business Impact Analysis and Risk Management should be carried out on the final recovery plans to identify the risks should a particular plan be implemented.
Start with physical security and identify whether core assets such as buildings, vehicles and IT can be protected at the disaster site to prevent theft and further damage. Where a plan requires the relocation of IT equipment, all efforts should be made to ensure that this doesn't leave a security hole in the existing infrastructure. Moving a firewall and leaving an Internet connection unprotected can result in an incursion that still exists after normal service is restored.
Once the disaster site is secured, the next stage is to secure the transport of assets, including IT hardware and information assets. Is backup media securely transferred from the offsite backup location to the DR site, and is a contingency plan in place in case something happens to the data in transit? Is relocated equipment being transported in the appropriate environment and with adequate insurance? Loading servers into the backs of cars increases the risks during transport.
Once the recovery site has been initialised, a whole new level of security is required. To keep the ongoing costs of the recovery site low, most organisations invest very little in physical security: PCs are installed in common access areas and servers are placed in unsecured rooms and cabinets. Less attention is paid to people coming in and out of the building, as the majority of staff are working on the recovery process and contractors are brought in to help.
If the recovery site contains hot-swap equipment ready to start in the event of a disaster, is that equipment kept up to date with security patches and firmware upgrades? It's unlikely a hacker would cause a disaster in order to lower security, but one could be monitoring the news to see if they can take advantage of a firewall that hasn't had an update in over a year.
Once the recovery site is functioning, normal daily routines should be applied to it. On the IT side this should cover a backup strategy, anti-virus updates and security monitoring. On the people side, the enforcement of employee and visitor security is paramount.
An organisation that recovers to a different site for more than a few hours needs a backup strategy to cope with the data changes made there. A second incident is unlikely, but it should be planned for.
A common strategy for smaller companies is to direct their employees to work from home. The security risks of this scenario should be examined in detail. A policy should be available indicating the expected configuration of a home PC in respect of anti-virus and anti-malware protection, and audits should be carried out throughout the year to check compliance.
A plan requiring home working should detail how users can access files and what they are expected to do with them. Without this, the tendency will be to copy files locally to work on them, which means they are not being backed up. It also means that the post-recovery restore procedure is complex and could result in multiple copies of the same file.
One highly effective way of testing the security of your recovery plans is, during a test of the plan, to have the existing security team test the security rather than take part in the plan activation. If this is not possible, third-party consultants may be required either to substitute for the security team in the plan activation or to test the security of the plan.
The old saying that lightning doesn't strike the same place twice sounds reassuring while a disaster recovery plan is being written, but during its activation the fear of another incident will slowly creep up on the teams involved.
Tips:
Run a risk analysis of the plans to identify potential risks and solutions to the actual recovery process
Review transport procedures for security and risk
Set up a sign-in process at the recovery site to provide physical security
Ensure change management procedures are in place to update recovery site equipment with patches and security fixes
Create backup procedures for the recovery site
Create a home worker specification
For home workers design a document control procedure
Paul Maloney, TMC