86 2.8 Information Security, IT and Communications
checking e-mail, the loss of productivity could be quantified as shown in
Figure 2.28:
In the example above, if e-mail were down for 12 hours, then the impact
could be much more severe. Most risk officers use the worst-case scenario
for each time frame, so a B-frame outage would be four times more costly,
or $179,144.00 to the organization.
It is quite easy to see that such outages provide considerable risk to busi-
ness. Being able to quantify such risks by category allows an organization to
plan for contingency and take actions that prevent such outages. For the
example shown above, it is certainly much cheaper to fix the electrical prob-
lem in the power panel than it is to endure another three-hour outage.
2.8 Information Security, IT and Communications
IT contingency planning represents a broad scope of activities designed to
sustain and recover critical IT services following an emergency. IT contin-
gency planning fits into a much broader emergency preparedness environ-
ment that includes organizational and business process continuity and
recovery planning. Ultimately, an organization would use a suite of plans to
properly prepare response, recovery, and continuity activities for disrup-
tions affecting the organizations IT systems, business processes, and the
facility. Because there is an inherent relationship between an IT system and
the business process it supports, there should be coordination between each
Figure 2.28
Example of the
impact of e-mail
downtime.
Figure 2.29
Critical IT system
vendor contact list.
2.8 Information Security, IT and Communications 87
Chapter 2
plan during development and updates to ensure that recovery strategies and
supporting resources neither negate each other nor duplicate efforts.
Data and the electronic and manual systems through which they are
processed have evolved into critical facets of the corporate structure. Data
in these systems is relied on heavily:
To perform routine corporate business;
To supply staff and external organizations with related information;
To comply with legal and contractual requirements; and
As a basis for management decision-making.
Additionally, although increased automation of corporate administrative
operations and research projects provides substantial efficiencies, it also
exposes the operations/research to severe disruption if the electronic data
systems are not available on a continuous basis. Data processing and busi-
ness applications are no longer restricted to mainframe computer environ-
ments. The use of distributed platforms (including midrange computers,
client/server technology, and local and wide area networks) for mission-crit-
ical functions not only expands the scope of business continuity planning
but also makes it more important. This increased importance arises from
the fact that nonoperational areas are finding themselves responsible for sys-
tems that are critical or that highly impact the functioning and reputation
of the corporation.
The level of most organizations’ dependency on IT and communica-
tions systems has steadily increased through the last decade. IT and com-
munication systems are now seen as mission-critical operations.
Organizations provide customer service and support, and the nature of
these customer services often necessitates maintaining a 24/7 operation. For
these reasons, it is essential that businesses be able to keep their IT networks
and communications systems operational at all times. This section exam-
ines some of the issues that should be considered when assessing the level of
risk associated with IT services and communications. To effectively deter-
mine the specific risks to an IT system during service interruption, a risk
assessment of the IT system environment is required. A thorough risk
assessment should identify the system vulnerabilities, threats, and current
controls and attempt to determine the risk based on the threats’ likelihood
and impact. These risks should then be assessed and a risk level assigned
(e.g., high, medium, or low). Because risks can vary over time and new risks

Get Business Continuity and Disaster Recovery for InfoSec Managers now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.