3.2 Information Security Preventative Controls 107
Chapter 3
3.1.6 Theft Prevention for Proprietary/Intellectual
A tornado hits one section of your building. CDs, none of which were
secured in locked safes, are strewn across the campus lawn and
surrounding neighborhoods. Some of the CDs are from corporate HQ and
contain HR files; others are from your R&D lab and contain the latest
engineering drawings for your soon-to-be-released competitive product.
Good Samaritans are everywhere on scene helping you sort through the
debris. Are you sure all those helpers are good folks? Perhaps some of the
helpers are employees from your competitor across the highway, helping
themselves to your data so later they can sit in the parking lot and glean
information from your facilities using that “lost” data to gain
entry/access to your corporate information. Or maybe they are identity
theft professionals, who targeted your company information shortly after
hearing of your company's misfortune. Sound unreal? It is a nightmare spy
versus spy scenario that is all too real to an information security manager.
3.2 Information Security Preventative Controls
Preventive controls should be documented in the contingency plan, and the
personnel associated with the system should be trained on how and when to
use the controls. These controls should be maintained in good condition to
ensure their effectiveness in an emergency. In some cases, the outage
impacts identified in the BIA can be mitigated or eliminated through
preventive measures that deter, detect, and/or reduce impacts to the system.
Where they are feasible and cost-effective, preventive methods are
preferable to actions that may be necessary to recover the system after a
disruption.
There are a number of information security considerations and risks
associated with BCP with regard to backing up data, restoring data, and
archiving data. Some of the key areas of concern result from restarting or
recovering your system, backing up data on portable computers, managing
backup and recovery procedures, and archiving information.
3.2.1 Restarting or Recovering Your System
Restarting or recovering your system constitutes the facilities and
techniques used to ensure that your computer processing restarts
successfully after a voluntary or enforced close down. The unavailability of
both your systems and data following an interruption to normal processing
can have a negative impact on business operations and efficiency. You should
ensure that your backup procedures enable an efficient restore to the most
recent backup state, such as the end of the previous business day, for each
of your key systems. It is also imperative that you safeguard the backup
tapes or disks for such systems. Typically, this is done through an offsite
storage facility. In many cases, critical business data are replicated or
stored in a different region to ensure continuation or resumption of
business in the case of a catastrophic disaster. You should also perform a
restore on a periodic basis to ensure that these procedures continue to
support a timely recovery, and modify your procedures if the results
indicate it is necessary. Eliminate procedures that are too general,
requiring ad hoc decisions that could cause problems, and ensure that the
procedures consider the specific environment involved.
The corruption or loss of data following an interruption to normal
processing can disrupt operations and delay business processing. You should
always create backup files periodically throughout general working hours to
enable a rapid recovery to an earlier version, if needed. It is also
important to ensure that recovery from transaction processing systems
disruptions is fully tested to verify that transactions cannot be lost.
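The periodic restore test recommended in this section can be automated. The following is an added example, not taken from the book: it restores an archive into a scratch directory, compares every file against a SHA-256 manifest recorded at backup time, and flags a backup older than an assumed 24-hour limit. The function names, the tar.gz format, and the manifest layout are assumptions made for this illustration.

```python
import hashlib, os, tarfile, tempfile, time, zlib

def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir and return a manifest {relative path: sha256} taken at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest

def restore_drill(archive_path, manifest, max_age_hours=24, now=None):
    """Restore into a scratch directory (never the live system) and list every problem."""
    problems = []
    age_h = ((now or time.time()) - os.path.getmtime(archive_path)) / 3600
    if age_h > max_age_hours:  # assumed policy: restore point at most one business day old
        problems.append(f"stale backup: {age_h:.1f}h old, limit {max_age_hours}h")
    # Use the safe 'data' extraction filter where this Python version provides it.
    extract_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_args)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            problems.append(f"archive unreadable: {exc}")
        for rel, expected in sorted(manifest.items()):
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems
```

An empty list means the restore reproduced every file recorded in the manifest; keep the manifest separate from the archive so damage to one does not hide damage to the other.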
3.2.2 Backing up Data on Portable Computers
Data of significant value held on a laptop computer may be lost due to
an internal system failure. It is important that data held on portable
computing devices be backed up as a means to protect against loss. All
computer systems, including portable computers and their associated data
files, must have agreed backup and restore procedures for the data files. It
is important to require that the user of a portable computer be personally
responsible for backing up stored data and synchronizing it with the central
system, and to enforce that requirement.
3.2.3 Managing Backup and Recovery Procedures
End-of-day backup files are critical in maintaining the ability to restore
either the whole system or selected data files to a specified end-of-day
position. The procedures used to initiate such a recovery must be clearly
documented and tested, because the information security implications of an
inappropriate or incorrect file restore are significant. If the restore
procedures have not been tested, a partial or invalid restore can corrupt
the entire system, which may partly or significantly have a negative effect
on (and possibly terminate) business operations. Inadequate or nonexistent
backup procedures may compromise an organization's business processes
