Independence is a core requirement for IT Governance and Infrastructure definition.
Depending on Google is risky – Depending on Internet, hardware, and software companies is a mistake. Enterprises are impacted when those vendors drop product support, are purchased by other companies, and/or suffer security breaches and system failures of their own.
For example, Google – Customers who installed Haiku ceiling fans, which were supported with the Nest thermostat device via the “Works with Nest” program, were left out in the cold. This was driven by Google’s decision to end the program and go with “Google Nest”. They said this was to focus on supporting its own hardware business. As a result, there was a loss of support for any device on that program. Not a good omen for people who installed them in their homes.
Another similar situation occurred for Comcast email users. Users who had comcast.net email accounts were not made aware of the limitation of service that Comcast’s spam protection process imposed. When an email sent to a Comcast user’s account has multiple recipients, the email is placed on hold (based on the Comcast user’s usage). The user is NOT notified that the email was held and not delivered. It is up to the sender to contact the user and re-send it with the email going to a single recipient.
The less that you depend on Internet companies for proprietary offerings, the more you can be assured that you can continue to operate when they change their corporate strategy.
How long will it be before a company like Google decides to charge for its free email services? Wait a minute, they already do that with their G Suite offering.
The Backup Policy includes everything that is needed to be in full compliance with all mandated security requirements.
The Backup Policy has been updated, as well as the CIO IT Infrastructure Policy Bundle. The policy has just been updated to take into account everything from GDPR to cloud storage and their security implications.
The Backup Policy addresses the issues that you struggle with including:
How safe are your information assets in transit and at rest?
What protections are in place to prevent hacker access?
Does your backup and retention process meet all of your compliance requirements?
Who can gain access to your data?
What KPI metrics do you have in place?
Will the use of the data ensure successful recovery?
Managing backup and recovery in today’s environment is a multi-dimensional challenge with both near- and long-term business requirements. Recent technological developments in disk backup have had a positive impact on short-term data retention requirements (see also BYOD policy). But these improvements do not replace the need to execute and deliver on a long-term data retention strategy, which includes:
Business and Regulatory Requirements Demand a Long-term Plan
Manage and Contain Your Total Cost of Ownership (TCO)
Encrypt Your Data for Secure Long-term Retention
Weigh the Environmental Impacts and Minimize Power and Cooling Costs
Simplify Management of the Entire Solution
Best of Breed solution
A “Best of Breed” backup policy and strategy considers how to:
Back up critical application data – across mixed operating systems and storage configurations
Restore desktops and mobile users quickly
Restore systems to dissimilar hardware or virtual systems
Back up data and system information to off site locations, so that you can quickly recover your business even from a total loss of your facility
Leverage new cloud-based backup offerings to properly secure, back up, and archive critical data.
10 Point Power Checklist Disaster Recovery and Business Continuity
The 10 point power checklist addresses the issues associated with power after an event that disrupts a network; the availability of power to recover and run the network is often critical.
The 10 Point Power Checklist for Disaster Recovery and Business Continuity needs to be incorporated into the disaster recovery – business continuity plan. The Disaster Recovery Business Continuity template contains many checklists and best practices to follow. The checklist includes:
Electricity, water, broken wires do not mix. Review all electrical and plumbing plans in detail.
Understand the minimum power requirements to be operational.
Have an adequate fuel supply to operate backup power sources. If the outage lasts for more than 30 days, will the facility be able to continue operations?
Set reasonable response times for the standby generator.
Maintain your equipment and test its operation. Test at least once a quarter and review supplies on hand.
Understand your environment and geography.
Set up generators in an “open environment”; carbon monoxide fumes can build up and poison people.
Compliance Mandates come from multiple sources. How companies are impacted by them varies by size of company and the markets they serve.
Compliance Mandates impact every company that does business on the Internet. Few companies are impacted by all of the mandates. In the U.S. the most impactful are the CaCPA enacted by California and the GDPR from the EU.
The EU has implemented a single privacy and compliance mandate. In the U.S. that is not the case as of yet. The U.S. Congress has talked about it but, as of yet, there is no consensus on what that legislation will look like. Until that occurs the various states, and California in particular, will set the rules.
The standards for user privacy and control drove the release of an update to Janco’s Security Manual Template, which identifies mandated user rights and enterprise responsibilities related to privacy protection. Janco reviewed in detail the California Consumer Privacy Act of 2018 (CaCPA) and generated a detailed list of user rights and business responsibilities that are mandated. The CaCPA requirements are very complex and significant resources will have to be allocated for organizations to comply with these new mandates. These mandates will impact all organizations that have an Internet presence in the U.S. and California in particular. The compliance deadline is January 1, 2020.
What is HIPAA and how can an enterprise comply with the mandated requirements?
What is the HIPAA Privacy Rule – It provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
There also is a HIPAA Security Rule – It specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. This places unique challenges to the Business Continuity and Disaster Recovery Planning processes.
What is HIPAA and how does it impact overall Compliance Management?
Federal and state government regulations (see state compliance requirements) can be a big problem for today’s organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow. These are in addition to industry-specific mandates. They are all designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. So, what are the consequences if your organization fails to comply? Heavy fines and legal action. In short, it’s serious.
Top 10 Reasons Disaster Recovery Fails have been identified by Janco. Over 90% of all mid-sized to large enterprises have disaster recovery and business continuity plans in place — that is not enough to avert disaster, as only 40% of those plans have no major defects. The top 10 causes for those failures are:
Disaster Recovery and Business Continuity are necessary enterprise infrastructure processes that have correctable defects that can make plans fail.
Backups do not work
Not identifying every potential event that can jeopardize the infrastructure and data that the enterprise depends on
Forgetting or ignoring the cross-training of personnel in disaster recovery and business continuity
Not including a communication process which will work when your communication infrastructure is lost
Not having sufficient backup power – both capacity and duration
Having a recovery plan in place but not listing priorities of which resources need to be restored first
No physical documentation of your Disaster Recovery and Business Continuity plan
Disaster Recovery and Business Continuity plan that has not been tested adequately
Passwords are not available to the Disaster Recovery and Business Continuity team
Disaster Recovery and Business Continuity plan is not up to date
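As an added example (not from the original page or from Janco), the script below addresses the first and eighth causes in the list above, backups that do not work and a plan that is never tested, together with the Backup Policy’s questions about KPI metrics and whether the data will ensure successful recovery. It builds a manifest of SHA-256 hashes at backup time, verifies a restored tree against that manifest so that missing and silently corrupted files are reported, and checks the age of the newest backup against a recovery point objective (RPO). The file names and contents, the 24-hour RPO target and the 30-hour backup age are constructed for the demonstration; the manifest itself should be stored separately from the backup media, so that damaged media cannot vouch for itself.

```python
"""Backup restore verification and RPO check (added example, not Janco's code).

Sample files, the RPO target and the backup age below are constructed for
the demonstration only.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, taken_at=None):
    """Record every file under `root` with its size and SHA-256.

    Written at backup time and kept apart from the backup media, the manifest
    is the reference a later restore test is measured against.
    """
    taken_at = taken_at or datetime.now(timezone.utc)
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_restore(restore_root, manifest):
    """Compare a restored tree against the manifest.

    Returns lists of files that restored correctly, files that are missing,
    and files whose content no longer matches the recorded hash. A backup
    that cannot be restored to a matching tree is a failed backup, whatever
    the backup job's own status said.
    """
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, meta in manifest["files"].items():
        path = os.path.join(restore_root, *rel.split("/"))
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != meta["sha256"]:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def rpo_met(manifest, rpo_hours, now=None):
    """KPI: is the newest verified backup young enough to meet the RPO target?"""
    now = now or datetime.now(timezone.utc)
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    return now - taken_at <= timedelta(hours=rpo_hours)


def demo(rpo_hours=24, backup_age_hours=30):
    """Constructed scenario: a three-file backup whose restore loses one file
    and silently alters another, taken 30 hours ago against a 24-hour RPO."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        dst = os.path.join(work, "restore")
        sample = {  # constructed sample data, not real content
            "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n",
            "config/app.ini": b"[app]\nmode=prod\n",
            "keys/README.txt": b"keys live in the vault, not in this backup\n",
        }
        for rel, body in sample.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
        taken_at = datetime.now(timezone.utc) - timedelta(hours=backup_age_hours)
        manifest = build_manifest(src, taken_at)
        manifest_json = json.dumps(manifest, indent=2)  # what you would store off-media
        shutil.copytree(src, dst)  # simulated restore
        os.remove(os.path.join(dst, "keys", "README.txt"))  # file lost in restore
        with open(os.path.join(dst, "db", "orders.sql"), "ab") as f:
            f.write(b"-- trailing garbage: simulated media corruption\n")
        report = verify_restore(dst, json.loads(manifest_json))
        return {"report": report, "rpo_met": rpo_met(manifest, rpo_hours)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification as part of every scheduled restore test, not only after a backup job reports success, and track the two results it returns (files failing verification, RPO met or missed) as the backup KPIs the policy asks for.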
Top 10 Disaster Recovery Best Practices every organization needs to follow
DR / BC planning requires a robust program that is constantly updated and monitored
Top 10 Disaster Recovery Best Practices as defined by over three decades of DR and BC practice by Janco Associates. Experience is based on having operated in earthquake zones, hurricanes, and terrorist attacks.
Janco’s principals created the Disaster Recovery Plan that was implemented by Merrill Lynch (ML) on 9/11. The plan was activated within minutes of the attack and only 52 seconds of transactions were lost. The top 10 best practices that are followed in all DR/BC plans that have been created by us are:
Focus on operations – the people and processes that drive the enterprise are the primary issues that DR and BC can control. Implementing a planning and recovery environment is an ideal time to define an approach based on best practices that address the process and people issues effectively. In the case of ML the plan was activated in the computer room while the CIO was on a plane over the Atlantic.
Have at least one recovery site in place – Before an event there need to be plans in place not only for the operation of computers but also for the location of operations staff. Cloud-managed computer operations can work when a disaster is limited in area. However, if it is wide-ranging, like a hurricane, the issues can be problematic.
Train everyone on how to execute the DR and BC – People are the front line when it comes to supporting the enterprise. A staff that has not been properly trained in the use of the DR and BC plan when an event occurs will be a hindrance. Everyone must have the knowledge and skills to provide the right support. The primary focus is to reduce downtime; it also delivers better performance and a faster ROI through better and wiser use of IT assets.
Have a clear definition for declaring when a disaster or business interruption occurs that will set the DR and BC process into motion – There needs to be a clear process for allocating resources based on their criticality and availability requirements. This will define the “rules of the road” for who does what and when, while minimizing the factors that can negatively impact enterprise operations.
Integrate DRP and BCP with change management – Changes are inevitable in any sizable environment. It is difficult to keep up with the flood of new applications, technologies, and new tools. That is why it is essential to design, implement, and continuously improve change and configuration management processes.
Focus on addressing issues BEFORE they impact the enterprise – When you are aiming to operate at the speed of business, after-the-fact fixes do not make the grade. These days, you need to anticipate trouble and head it off before it happens. It is important to identify risks across people, process, and technology so that appropriate countermeasures can be implemented. You should also make sure that vendors provide an appropriate level of support including proactive features such as critical patch analysis and change management support.
Have an Incident Communications Plan in place – The incident communication plan should cover all interested parties from customers to employees and investors.
Validate that all technology is properly installed and configured right from the start – a technology solution that is properly implemented in terms of its hardware, firmware, and software will dramatically reduce problems and downtime in the future. Proper initial configuration can also save time and reduce issues with upgrades, hot patches, and other changes.
Monitor the processes and people to know what is critical – many of today’s enterprises are experiencing a capacity crisis as they reach the limits of reduced budgets, older facilities and legacy infrastructures. Space is tight. Power and cooling resources are over-burdened. Implementing new solutions in inefficient environments may limit their ability to recover from an event. An assessment that examines and analyzes the enterprise environment’s capabilities and requirements can provide valuable information to help improve efficiency.
Test often – a DR BC plan is not a static document. Things change and new individuals are involved as staff changes.
Disaster Recovery Business Continuity Template – 2019 Version Released
The Disaster Recovery Business Continuity Template has just been updated and the 2019 Version has just been released. The changes in this version are:
Updated all included job descriptions
Updated all included forms
Disaster Recovery electronic forms
Safety Program electronic forms
Added co-location checklist
Audit Program Updated
2019 Version now available for immediate download
Changed core document to exclude job descriptions and forms which are delivered in their own directories
Business and IT Impact Questionnaire is delivered in its own directory and comes in MS WORD, PDF, and eBook electronic formats
3 included job descriptions are delivered in their own directory
The chapters of the template are:
Business Impact Analysis
Disaster Recovery Organization
Disaster Recovery Organizational Procedures
Appendix – Full of tools and checklists
Also included as separate MS Word and/or eBook electronic files in their own directories:
Job Descriptions – Disaster Recovery Manager, Manager Disaster Recovery and Business Continuity
Disaster Recovery electronic forms – Business Continuity Site Evaluation Checklist, Business Continuity LAN Node Inventory, Business Continuity Location Contact Numbers, Business Continuity Off-Site Inventory, Business Continuity Personnel Location, Business Continuity Plan Distribution, Business Continuity Remote Location Contact Information, Business Continuity Server Registration, Business Continuity Team Call List, and Business Continuity Vendor List
Safety Program electronic forms – Area Safety Inspection, Employee Job Hazard Analysis, First Report of Injury, Inspection Checklist – Alternative Locations, Inspection Checklist – Computer Server Data Center, Inspection Checklist – Office Locations, New Employee Safety Checklist, Safety Program Contact List, and Training Record
Business Impact Analysis Questionnaire – PDF and MS WORD Formats
Business Impact Analysis electronic form – Application and File Server Inventory
eBook versions – Disaster Recovery Business Continuity Template and the DRP Audit Program
DRP BCP Audit Update Released, with updates implemented to ensure that the latest mandated requirements of ISO, the U.S., and the EU are complied with.
This Disaster Recovery / Business Continuity Audit program identifies control objectives that are met by the audit program. There are approximately 50 specific items that the audit covers in the 17 page audit program. Included are references to specific tools that will assist you in addressing any defects or shortcomings the audit uncovers.
The Audit program covers the following control objectives:
Ensure that adequate and effective contingency plans have been established to support the prompt recovery of crucial enterprise functions.
Ensure that all mandated disaster recovery, business continuity, and security requirements have adequate compliance policies.
Ensure the survival of the business and minimize the implications of a major enterprise and/or IT failure.
Ensure that all the potential risks to the enterprise are identified and assessed.
Ensure the optimum contingency arrangements are selected and cost effectively provided.
Ensure that an authorized and documented disaster recovery / business continuity plan is created, maintained up-to-date, and securely stored.
Ensure that the recovery plan is periodically tested.
Ensure that all internal and external parties are fully aware of their responsibilities and commitments.
Ensure that appropriate liaison is maintained with external parties (e.g. insurers, emergency services, suppliers, etc.).
Ensure that both the damaged and recovery sites are secure and that systems are securely operated.
Ensure that systems and procedures are adequately and accurately documented.
Ensure that public and media relations would be effectively addressed.
The audit program is available as a standalone item. In addition, it is included with several of Janco’s offerings. They are: