E-book, English, 620 pages
Snedaker, Business Continuity and Disaster Recovery Planning for IT Professionals
2nd edition, 2013
ISBN: 978-0-12-411451-7
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark
Powerful Earthquake Triggers Tsunami in Pacific. Hurricane Isaac Makes Landfall in the Gulf Coast. Wildfires Burn Hundreds of Houses and Businesses in Colorado. Tornado Touches Down in Missouri. These headlines not only have caught the attention of people around the world, they have had a significant effect on IT professionals as well. The new 2nd Edition of Business Continuity and Disaster Recovery for IT Professionals gives you the most up-to-date planning and risk management techniques for business continuity and disaster recovery (BCDR). With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Author Susan Snedaker shares her expertise with you, including the most current options for disaster recovery and communication, BCDR for mobile devices, and the latest infrastructure considerations including cloud, virtualization, clustering, and more. Snedaker also provides you with new case studies in several business areas, along with a review of high availability and information security in healthcare IT. Don't be caught off guard: Business Continuity and Disaster Recovery for IT Professionals, 2nd Edition, is required reading for anyone in the IT field charged with keeping information secure and systems up and running.
- Complete coverage of the 3 categories of disaster: natural hazards, human-caused hazards, and accidental / technical hazards
- Extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops
- Clear guidance on developing alternate work and computing sites and emergency facilities
- Actionable advice on emergency readiness and response
- Up-to-date information on the legal implications of data loss following a security breach or disaster
Susan Snedaker is currently Director of IT and Information Security Officer at a large community hospital in Arizona, which has achieved HIMSS Analytics Stage 7 (EMR) certification and has been voted one of the 100 Most Wired Hospitals two years in a row. Susan has over 20 years' experience working in IT in both technical and executive positions, including with Microsoft, Honeywell, and VirtualTeam Consulting. Her experience in executive roles has honed her extensive strategic and operational experience in managing data centers, core infrastructure, hardware, software and IT projects involving both small and large teams. Susan holds a Master's degree in Business Administration (MBA) and a Bachelor's degree in Management. She is a Certified Professional in Healthcare Information Management Systems (CPHIMS) and a Certified Information Security Manager (CISM), and was previously certified as a Microsoft Certified Systems Engineer (MCSE) and a Microsoft Certified Trainer (MCT). Susan also holds a certificate in Advanced Project Management from Stanford University and an Executive Certificate in International Management from Thunderbird University's Garvin School of International Management. She is the author of six books and numerous chapters on a variety of technical and IT subjects.
Authors/editors
Further information & material
1;Front Cover;1
2;Business Continuity and Disaster Recovery Planning for IT Professionals;4
3;Copyright;5
4;Contents;6
5;Acknowledgments;20
6;About the Authors;22
7;Introduction;24
8;Chapter 1: Business Continuity and Disaster Recovery Overview;26
8.1;Introduction;26
8.2;Business continuity and disaster recovery defined;28
8.3;Components of business;29
8.3.1;People in BC/DR planning;31
8.3.2;Process in BC/DR planning;33
8.3.3;Technology in BC/DR planning;35
8.4;The cost of planning versus the cost of failure;36
8.4.1;People;40
8.4.2;Process;41
8.4.3;Technology;42
8.5;Types of disasters to consider;43
8.6;Business continuity and disaster recovery planning basics;44
8.6.1;Project initiation;46
8.6.2;Risk assessment;47
8.6.3;Business impact analysis;47
8.6.4;Mitigation strategy development;47
8.6.5;Plan development;48
8.6.6;Training, testing, and auditing;48
8.6.7;Plan maintenance;48
8.7;Summary;49
8.8;Key concepts;50
8.8.1;BC/DR defined;50
8.8.2;Components of business;51
8.8.3;The cost of planning versus the cost of failure;51
8.8.4;Types of disasters to consider;52
8.8.5;BC/DR planning basics;52
8.9;References;52
9;Chapter 2: Legal and Regulatory Obligations Regarding Data and Information Security;54
9.1;Introduction;54
9.2;Impact of recent history;56
9.3;Current regulatory environment;58
9.3.1;Source of legal obligations;58
9.3.2;Scope of legal obligations;60
9.3.2.1;Provide “reasonable security”;60
9.3.2.2;Provide security breach notification;61
9.4;Information security management;62
9.4.1;Responsibility lies at the top;62
9.4.2;Written Information Security Program (WISP);63
9.4.2.1;Categories that must be addressed;64
9.4.2.2;Third-party service provider arrangements;64
9.4.2.3;Education;64
9.5;Did you know?;65
9.6;Summary;65
9.7;Key concepts;66
9.7.1;Impact of recent history;66
9.7.2;Current regulatory environment;66
9.7.3;Information security management;66
9.8;References;67
10;Case Study: Legal Obligations Regarding Data Security;68
10.1;Contributor profile;68
10.1.1;Deanna Conn, Partner, Quarles & Brady, LLP;68
10.2;Background;69
10.3;The Sony PlayStation incident;69
10.4;State laws regarding data security;70
10.4.1;Notice of security breach laws;70
10.4.1.1;Definition of personal information;70
10.4.1.2;Notification procedure;71
10.4.1.3;Penalties;71
10.4.2;Safeguarding personal data state laws;72
10.5;Federal laws regarding data security;72
10.5.1;U.S. House of Representatives proposed bill;73
10.5.2;U.S. Senate response;74
10.5.3;Executive order-improving critical infrastructure cyber security;74
10.6;Conclusion;74
10.7;References;75
11;Chapter 3: Project Initiation;76
11.1;Introduction;76
11.2;Elements of project success;77
11.2.1;Executive support;78
11.2.2;User involvement;81
11.2.3;Experienced project manager;81
11.2.4;Clearly defined project objectives;82
11.2.5;Clearly defined project requirements;83
11.2.6;Clearly defined scope;84
11.2.7;Shorter schedule, multiple milestones;86
11.2.8;Clearly defined project management process;86
11.3;Project plan components;88
11.3.1;Project initiation or project definition;89
11.3.1.1;Problem and mission statement;90
11.3.1.2;Potential solutions;91
11.3.1.3;Requirements and constraints;91
11.3.1.4;Success criteria;92
11.3.1.5;Project proposal;93
11.3.1.6;Estimates;94
11.3.1.7;Project sponsor;95
11.3.2;Forming the project team;96
11.3.2.1;Organizational;97
11.3.2.2;Technical;97
11.3.2.3;Logistical;98
11.3.2.4;Political;98
11.4;Project organization;99
11.4.1;Project objectives;99
11.4.1.1;Business continuity plan;99
11.4.1.2;Continuity of operations plan;100
11.4.1.3;Disaster recovery plan;100
11.4.1.4;Crisis communication plan;100
11.4.1.5;Cyber incident response plan;101
11.4.1.6;Occupant emergency plan;101
11.4.2;Project stakeholders;102
11.4.3;Project requirements;103
11.4.4;Project parameters;105
11.4.5;Project infrastructure;109
11.4.6;Project processes;110
11.4.6.1;Team meetings;111
11.4.6.2;Reporting;111
11.4.6.3;Escalation;112
11.4.6.4;Project progress;113
11.4.6.5;Change control;113
11.4.6.6;Quality control;114
11.4.7;Project communication plan;114
11.5;Project planning;116
11.5.1;Work breakdown structure;116
11.5.2;Critical path;116
11.6;Project implementation;117
11.6.1;Managing progress;118
11.6.2;Managing change;119
11.7;Project tracking;119
11.8;Project close out;120
11.9;Key contributors and responsibilities;121
11.9.1;Information technology;121
11.9.1.1;Experience working on a cross-departmental team;122
11.9.1.2;Ability to communicate effectively;122
11.9.1.3;Ability to work well with a wide variety of people;122
11.9.1.4;Experience with critical business and technology systems;123
11.9.1.5;IT project management leadership;124
11.9.2;Human resources;124
11.9.3;Facilities/security;124
11.9.4;Finance/legal;125
11.9.5;Warehouse/inventory/manufacturing/research;126
11.9.6;Purchasing/logistics;127
11.9.7;Marketing and sales;127
11.9.8;Public relations;128
11.9.9;Operations;130
11.10;Project definition;131
11.11;Business requirements;132
11.12;Functional requirements;134
11.13;Technical requirements;136
11.14;Business continuity and disaster recovery project plan;137
11.14.1;Project definition, risk assessment;138
11.14.2;Business impact analysis;138
11.14.3;Risk mitigation strategies;139
11.14.4;Plan development;139
11.14.5;Emergency preparation;139
11.14.6;Training, testing, auditing;139
11.14.7;Plan maintenance;140
11.15;Summary;140
11.16;Key concepts;142
11.16.1;Elements of project success;142
11.16.2;Project plan components;142
11.16.3;Key contributors and responsibilities;143
11.16.4;Project definition;143
11.16.5;Business continuity and disaster recovery plan;144
11.17;References;144
12;Business Continuity and Disaster Recovery in Energy/Utilities;146
12.1;Introduction;146
12.2;Integrating BC/DR requirements into IT governance;148
12.2.1;BC/DR requirements definition;149
12.2.2;IT service level definition;150
12.2.3;Application recovery procedures;151
12.2.4;Summary of integrating BC/DR requirements into IT governance;152
12.3;Improving BC/DR recovery and risk mitigation strategies;153
12.3.1;Ensuring access to BC/DR documentation in a disaster;153
12.3.2;Change approval board and technical change review committees;155
12.3.3;Security control testing;156
12.3.4;Separation of duties;157
12.3.5;Centralized security vulnerability assessment;157
12.3.6;IT network vulnerability assessment;158
12.3.7;Security control baselines and change detection;159
12.3.8;Data center and network;159
12.3.9;Compute and data;160
12.3.10;Self-service application failover and failback;164
12.3.11;Industrial control systems;165
12.3.12;Summary of improving BC/DR recovery and risk mitigation strategies;167
12.4;Improving BC/DR testing;168
12.4.1;Recovery from actual incidents: Postmortems and documenting lessons learned;168
12.4.2;Scheduled BC/DR tests;169
12.4.2.1;Corporate data center redundancy testing;170
12.4.2.2;EMS SCADA EOC testing;171
12.4.2.3;SOx 404 application recovery testing;172
12.4.2.4;NERC CIP-009 recovery testing;173
12.4.2.5;Enterprise business continuity testing;174
12.4.3;Summary of scheduled BC/DR testing;174
12.5;Summary of best practices and key concepts;175
12.6;References;175
13;Chapter 4: Risk Assessment;176
13.1;Introduction;176
13.2;Risk management basics;178
13.2.1;Risk management process;180
13.2.1.1;Threat assessment;181
13.2.1.2;Vulnerability assessment;182
13.2.1.3;Impact assessment;183
13.2.1.4;Risk mitigation strategy development;183
13.3;People, process, technology, and infrastructure in risk management;184
13.3.1;People;184
13.3.2;Process;185
13.3.3;Technology;185
13.3.4;Infrastructure;186
13.4;IT-Specific risk management;186
13.4.1;IT Risk management objectives;187
13.4.2;The system development lifecycle model;188
13.5;Risk assessment components;191
13.5.1;Information gathering methods;193
13.5.2;Natural and environmental threats;194
13.5.2.1;Fire;194
13.5.2.2;Floods;196
13.5.2.3;Severe winter storms;198
13.5.2.4;Electrical storms;200
13.5.2.5;Drought;202
13.5.2.6;Earthquake;203
13.5.2.7;Tornados;205
13.5.2.8;Hurricanes/typhoons/cyclones;205
13.5.2.9;Tsunamis;207
13.5.2.10;Volcanoes;207
13.5.2.11;Avian Flu/pandemics;208
13.5.3;Human threats;210
13.5.3.1;Fire;210
13.5.3.2;Theft, sabotage, and vandalism;211
13.5.3.3;Labor disputes;212
13.5.3.4;Workplace violence;212
13.5.3.5;Terrorism;213
13.5.3.6;Chemical or biological hazards;214
13.5.3.7;War;215
13.5.3.8;Cyber threats;215
13.5.3.8.1;Cyber crime;217
13.5.3.8.2;Loss of records or data-theft, sabotage, vandalism;219
13.5.3.8.3;IT system failure-theft, sabotage, vandalism;220
13.5.4;Infrastructure threats;220
13.5.4.1;Building-specific failures;220
13.5.4.2;Public transportation disruption;221
13.5.4.3;Loss of utilities;221
13.5.4.4;Disruption to oil or petroleum supplies;222
13.5.4.5;Food or water contamination;222
13.5.4.6;Regulatory or legal changes;223
13.5.5;Threat checklist;224
13.6;Threat assessment methodology;227
13.6.1;Quantitative threat assessment;228
13.6.2;Qualitative threat assessment;232
13.7;Vulnerability assessment;236
13.7.1;People, process, technology, and infrastructure;239
13.7.1.1;People;239
13.7.1.2;Process;240
13.7.1.3;Technology;241
13.7.1.4;Infrastructure;241
13.7.2;Vulnerability assessment;241
13.8;Summary;244
13.9;Key concepts;246
13.9.1;Risk management basics;246
13.9.2;Risk assessment components;247
13.9.3;Threat assessment methodology;247
13.9.4;Vulnerability assessment;248
13.10;References;248
14;Business Continuity and Disaster Recovery in Healthcare;300
14.1;Introduction to healthcare IT;300
14.1.1;Types of healthcare organizations;302
14.1.1.1;Hospitals;303
14.1.1.2;Skilled nursing facility;303
14.1.1.3;Physician offices;303
14.1.1.4;Ambulatory clinics;304
14.1.1.5;Pharmacies;304
14.1.1.6;Other types of organizations;305
14.1.1.7;Summary of healthcare organizations;305
14.1.2;The rising cost of healthcare;305
14.1.3;Governmental incentives and penalties;306
14.1.4;HIEs and Accountable Care Organizations;308
14.1.4.1;Health information exchanges;308
14.1.4.2;Accountable Care Organizations;309
14.1.5;Integration of healthcare IT and medical equipment;310
14.1.6;Consumer-driven healthcare;311
14.1.7;Real-time data;312
14.1.8;Summary;313
14.2;Regulatory environment;314
14.2.1;Centers for Medicare and Medicaid Services/Joint Commission on Accreditation of Healthcare Organizations;314
14.2.2;U.S. Food and Drug Administration;315
14.2.3;Health Insurance Portability and Accountability Act;317
14.2.4;Health Information Technology for Economic and Clinical Health;319
14.2.5;Payment Card Industry;320
14.2.6;State and local requirements;321
14.3;Healthcare IT risk management;321
14.3.1;Patient safety;322
14.3.2;Patient care;323
14.3.3;Organizational solvency;323
14.3.4;Facility management;324
14.4;Technical needs-Healthcare IT architecture;324
14.4.1;Clinical systems;325
14.4.2;Business systems;326
14.4.3;Types of data;327
14.4.3.1;Structured;328
14.4.3.2;Unstructured;328
14.4.3.3;Semi-structured;328
14.4.4;Types of systems and storage;329
14.4.4.1;Network core, medical network, and guest network;330
14.4.4.2;Wireless/RFID;332
14.4.4.3;Security infrastructure;333
14.4.4.4;End user devices;334
14.5;Healthcare operational needs;335
14.5.1;Admitting;335
14.5.2;Insurance verification and billing services;336
14.5.3;Clinical care;338
14.5.3.1;Physician;338
14.5.3.2;Nursing;339
14.5.3.3;Support services;339
14.6;Interoperability among disparate systems;340
14.6.1;Electronic medical record;340
14.6.2;Diagnostic imaging;341
14.6.3;Medical equipment;341
14.6.4;Food services;341
14.6.5;Environmental services;341
14.6.6;Billing and payment systems;342
14.6.7;Payroll;342
14.6.8;Human resources;343
14.7;Current environment and new technology;343
14.7.1;Advances in data storage and replication;343
14.7.2;Mobile devices;344
14.7.3;Virtualization and cloud computing;345
14.7.4;Communication systems;347
14.7.5;Current environment and new technology summary;348
14.8;Healthcare IT BC/DR best practices;348
14.8.1;Security frameworks;348
14.8.1.1;National Institute of Standards and Technology;349
14.8.1.2;ISO/IEC 27000 series;349
14.8.1.3;HITRUST common security framework;349
14.8.1.4;Information Technology Information Library;350
14.8.2;Best practices;351
14.9;Summary;353
14.9.1;Overview of healthcare IT;353
14.9.2;Regulatory requirements;353
14.9.3;Healthcare IT risk management;354
14.9.4;Technical needs-Healthcare IT architecture;354
14.9.5;Healthcare operational needs;355
14.9.6;Interoperability among disparate systems-Integration in healthcare IT;355
14.9.7;Current environment and new technology;356
14.9.8;Healthcare IT BC/DR best practices;356
14.10;Key concepts;357
14.11;References;360
15;Chapter 6: Risk Mitigation Strategy Development;362
15.1;Introduction;362
15.2;Types of risk mitigation strategies;364
15.2.1;Risk acceptance;365
15.2.2;Risk avoidance;365
15.2.2.1;Risk limitation;366
15.2.2.2;Risk transference;366
15.3;The risk mitigation process;368
15.3.1;Recovery requirements;368
15.3.2;Recovery options;368
15.3.2.1;As needed;370
15.3.2.2;Prearranged;370
15.3.2.3;Preestablished;370
15.3.3;Recovery time of options;371
15.3.4;Cost versus capability of recovery options;372
15.3.5;Recovery service level agreements;372
15.3.6;Review existing controls;374
15.4;Developing your risk mitigation strategy;375
15.4.1;Sample 1: Section from Mitigation Strategy for Critical Data;376
15.4.2;Sample 2: Section from Mitigation Strategy for Critical Data;377
15.5;People, buildings, and infrastructure;379
15.6;IT risk mitigation;380
15.6.1;Critical data and records;381
15.6.2;Critical systems and infrastructure;381
15.6.2.1;Reviewing critical system priorities;382
15.7;Backup and recovery considerations;383
15.7.1;Alternate business processes;383
15.7.2;IT recovery systems;384
15.7.2.1;Alternate sites;384
15.7.2.1.1;Fully mirrored site;384
15.7.2.1.2;Hot site;385
15.7.2.1.3;Warm site;385
15.7.2.1.4;Mobile site;385
15.7.2.1.5;Cold site;386
15.7.2.1.6;Reciprocal site;386
15.7.2.2;Storage and disk systems;386
15.7.2.3;Desktop solutions;387
15.7.2.4;Software and licensing;388
15.7.2.5;Web sites;388
15.7.3;Documenting Your Risk Mitigation Strategy;389
15.8;Summary;390
15.9;Key concepts;390
15.9.1;Types of risk mitigation strategies;390
15.9.2;Risk mitigation process;391
15.9.3;IT risk mitigation;392
15.9.4;Backup and recovery considerations;392
15.10;References;392
16;Chapter 7: Business Continuity/Disaster Recovery Plan Development;394
16.1;Introduction;394
16.2;Implement risk mitigation strategies;396
16.3;Phases of business continuity and disaster;400
16.3.1;Activation phase;400
16.3.1.1;Minor disaster or disruption;401
16.3.1.2;Intermediate disaster or disruption;402
16.3.1.3;Major disaster or disruption;403
16.3.1.4;Activating BC/DR teams;403
16.3.1.5;Developing triggers;404
16.3.1.6;Transition trigger-Activation to recovery;405
16.3.2;Recovery phase;406
16.3.2.1;Transition trigger-Recovery to continuity;406
16.3.3;Business continuity phase;407
16.3.4;Maintenance/review phase;408
16.4;Defining BC/DR teams and key personnel;408
16.4.1;Crisis management team;409
16.4.2;Management;410
16.4.3;Damage assessment team;410
16.4.4;Operations assessment team;410
16.4.5;IT team;411
16.4.6;Administrative support team;411
16.4.7;Transportation and relocation team;411
16.4.8;Media relations team;412
16.4.9;Human resources team;412
16.4.10;Legal affairs team;412
16.4.11;Physical/personnel security team;413
16.4.12;Procurement team (equipment and supplies);413
16.4.13;General team guidelines;414
16.4.14;BC/DR contact information;415
16.5;Defining tasks and assigning resources;417
16.5.1;Alternate site;418
16.5.1.1;Selection criteria;418
16.5.1.2;Contractual terms;419
16.5.1.3;Comparison process;419
16.5.1.4;Acquisition and testing;419
16.5.2;Cloud services;420
16.5.3;Contracts for BC/DR services;422
16.5.3.1;Develop clear functional and technical requirements;422
16.5.3.2;Determine required service levels;422
16.5.3.3;Compare vendor proposal/response to requirements;423
16.5.3.4;Identify requirements not met by vendor proposal;423
16.5.3.5;Identify vendor options not specified in requirements;424
16.6;Communications plans;425
16.6.1;Internal;425
16.6.2;Employee;425
16.6.3;Customers and vendors;426
16.6.4;Shareholders;426
16.6.5;The community and the public;426
16.7;Event logs, change control, and appendices;427
16.7.1;Event logs;428
16.7.2;Change control;429
16.7.3;Distribution;430
16.7.4;Appendices;431
16.7.5;Additional resources;432
16.8;What's next;432
16.9;Summary;433
16.10;Key concepts;434
16.10.1;Phases of business continuity and disaster recovery;434
16.10.2;Defining BC/DR teams and key personnel;434
16.10.3;Defining tasks and assigning resources;435
16.10.4;Communications plans;435
16.10.5;Event logs and change control;436
16.10.6;Appendices;436
16.11;References;436
17;Business Continuity and Disaster Recovery in Financial Services;438
17.1;Overview;438
17.2;Finance industry regulation overview;438
17.2.1;United States financial regulation;439
17.2.2;European financial regulation;440
17.2.3;Other regions financial regulation;440
17.3;Finance industry requirements for business continuity;441
17.4;Industry impact-September 11 attacks;441
17.5;Industry impact-Hurricane Sandy;445
17.6;Industry impact-Cyber threats;447
17.7;Looking forward;449
17.8;Summary;450
17.9;References;450
18;Chapter 8: Emergency Response and Recovery;452
18.1;Introduction;452
18.2;Emergency management overview;453
18.3;Emergency response plans;453
18.4;Emergency response teams;455
18.5;Crisis management team;457
18.5.1;Emergency response and disaster recovery;458
18.5.2;Alternate facilities review and management;458
18.5.3;Crisis communications;458
18.5.4;Human resources;460
18.5.5;Legal;461
18.5.6;Insurance;461
18.5.7;Finance;461
18.6;Disaster recovery;461
18.6.1;Activation and emergency response checklists;462
18.6.2;Recovery checklists;462
18.6.3;IT recovery tasks;463
18.6.3.1;Computer incident response;466
18.6.3.1.1;CIRT responsibilities;467
18.6.3.1.1.1;Monitor;467
18.6.3.1.1.2;Alert and mobilize;467
18.6.3.1.1.3;Assess and stabilize;468
18.6.3.1.1.4;Resolve;468
18.6.3.1.1.5;Review;468
18.7;Business continuity;469
18.8;Summary;471
18.9;Key concepts;472
18.9.1;Emergency management overview;472
18.9.2;Emergency response plans;472
18.9.3;Crisis management team;473
18.9.4;Disaster recovery;473
18.9.5;IT recovery;473
18.9.6;Business continuity;474
18.10;References;474
19;Business Continuity and Disaster Recovery for Small- and Medium-Sized Businesses;476
19.1;Overview of SMB disaster recovery;476
19.2;SMB disaster preparedness: Survey results;478
19.3;On-Premise disaster recovery;478
19.3.1;SMB case studies;480
19.3.1.1;High availability at 24 Seven Talent;480
19.3.1.2;Affigent fails over before the storm;481
19.4;Using a Co-location data center for disaster recovery;481
19.4.1;The value of co-location data centers in a disaster;482
19.4.2;Tips for selecting a co-location provider;482
19.4.3;What does a co-location center cost?;483
19.4.4;SMB case study: Balancing internal capability and cost with co-location data centers for DR;484
19.5;Disaster recovery in the cloud;485
19.5.1;Disaster recovery in the cloud options;487
19.5.1.1;Managed applications and managed DR;489
19.5.1.2;Back up to and restore from the cloud;489
19.5.1.3;Back up to and restore to the cloud;490
19.5.1.4;Replication to VMs in the cloud;490
19.5.2;Protecting branch offices with cloud disaster recovery;490
19.5.2.1;Virtualize and consolidate servers;491
19.5.2.2;Virtualize and streamline data storage and backup;491
19.5.2.3;Virtualize applications and desktops;492
19.5.2.4;Deploy application acceleration and WAN optimization;493
19.5.3;SMB case studies;494
19.5.3.1;Snowmaggedon and Snowpocalypse;494
19.5.3.2;Amazon Web Services to the rescue;494
19.5.3.3;LAUSD implements snapshot-based cloud backup;495
19.5.3.4;Psomas moves DR to the cloud;496
19.5.3.5;Private cloud DR plans help BUMI;496
19.5.3.6;Sprott switches course to cloud DR service provider;497
19.5.3.7;University turns to cloud backup for data protection;498
19.6;Summary;499
19.7;Key concepts;499
19.7.1;Overview of SMB disaster recovery;499
19.7.2;SMB disaster preparedness: Survey results;500
19.7.3;On-premise disaster recovery;500
19.7.4;Using a co-location data center for disaster recovery;501
19.7.5;Disaster recovery in the cloud;501
19.8;References;502
20;Chapter 9: Training, Testing, and Auditing;504
20.1;Introduction;504
20.2;Training for disaster recovery and business continuity;504
20.2.1;Emergency response;505
20.2.2;Disaster recovery and business continuity training overview;506
20.2.3;Training scope, objectives, timelines, and requirements;506
20.2.4;Performing training needs assessment;507
20.2.5;Developing training;508
20.2.6;Scheduling and delivering training;509
20.2.7;Monitoring and measuring training;510
20.3;Training and testing for your business continuity and disaster recovery plan;510
20.3.1;Paper walk-through;512
20.3.1.1;Develop realistic scenarios;513
20.3.1.2;Develop evaluation criteria;513
20.3.1.3;Provide copies of the plan;514
20.3.1.4;Divide participants by team;515
20.3.1.5;Use checklists;515
20.3.1.6;Take notes;515
20.3.1.7;Identify training needs;515
20.3.1.8;Develop summary and lessons learned;515
20.3.2;Functional exercises;516
20.3.3;Field exercises;517
20.3.4;Full interruption test;517
20.3.5;Training plan implementers;518
20.4;Testing the BC/DR plan;518
20.4.1;Understanding of processes;519
20.4.2;Validation of task integration;520
20.4.3;Confirm steps;520
20.4.4;Confirm resources;520
20.4.5;Familiarize with information flow;520
20.4.6;Identify gaps or weaknesses;521
20.4.7;Determine cost and feasibility;521
20.4.8;Test evaluation criteria;523
20.4.9;Recommendations;524
20.5;Performing IT systems and security audits;524
20.6;IT systems and security audits;524
20.7;Summary;526
20.8;Key concepts;528
20.8.1;Training for emergency response, disaster recovery, and business continuity;528
20.8.2;Testing your business continuity and disaster recovery plan;528
20.8.3;Performing IT systems audits;529
20.9;References;529
21;Chapter 10: BC/DR Plan Maintenance;530
21.1;Introduction;530
21.2;BC/DR plan change management;531
21.2.1;Training, testing, and auditing;532
21.2.2;Changes in information technologies;532
21.2.3;Changes in operations;533
21.2.4;Corporate changes;534
21.2.5;Legal, regulatory, or compliance changes;535
21.2.6;Strategies for managing change;535
21.2.7;Monitor change;536
21.2.7.1;People;536
21.2.7.2;Process;536
21.2.7.3;Technology;536
21.2.8;Evaluate and incorporate change;537
21.3;BC/DR plan audit;538
21.4;Plan maintenance activities;539
21.5;Project close out;540
21.6;Summary;541
21.7;Key concepts;543
21.7.1;BC/DR plan change management;543
21.7.2;Strategies for managing change;543
21.7.3;BC/DR plan audit;544
21.7.4;Plan maintenance activities;544
21.7.5;Project close out;544
22;Appendix A: Risk Management Checklist;546
22.1;Risk assessment;546
22.1.1;Threat and vulnerability checklist;546
22.1.1.1;Natural hazards;546
22.1.1.1.1;Cold weather-related hazards;546
22.1.1.1.2;Warm weather-related hazards;546
22.1.1.1.3;Geological hazards;547
22.1.1.2;Human-caused hazards;547
22.1.1.3;Accidents and technological hazards;548
22.1.2;Threat and vulnerability assessment;549
22.1.3;Business impact analysis;549
22.2;Mitigation strategies;549
23;Appendix B: Crisis Communications Checklist;552
23.1;Communication checklist;552
23.2;Message content;553
24;Appendix C: Emergency Response and Recovery Checklists;554
24.1;High-level checklist;554
24.2;Activation checklists;555
24.2.1;Initial response;555
24.2.2;Damage and situation assessment;555
24.2.3;Disaster declaration and notification;556
24.3;Emergency response checklists;556
24.3.1;Emergency checklist one: General emergency response;556
24.3.2;Emergency checklist two: Evacuation or shelter-in-place response;557
24.3.3;Emergency checklist three: Specific emergency responses;557
24.3.4;Emergency checklist four: Emergency response contact list, maps, and floor plans;557
24.3.5;Emergency checklist five: Emergency supplies and equipment;558
24.4;Recovery checklists;558
24.4.1;Recovery checklist one: General;558
24.4.2;Recovery checklist two: Inspection, assessment, and salvage;559
25;Appendix D: Business Continuity Checklist;562
25.1;Resuming work;562
25.1.1;Resuming operations;562
25.1.2;Human resources;563
25.1.3;Insurance and legal;563
25.2;Manufacturing, warehouse, production, and operations;564
25.3;Resuming normal operations;564
25.3.1;Existing facility;565
25.3.2;New facility;565
25.4;Transition to normalized activities;566
26;Appendix E: IT Recovery Checklists;568
26.1;IT recovery checklist one: Infrastructure;568
26.1.1;Recovery checklist two: Applications;569
26.2;Recovery checklist three: Office area and end-user recovery;569
26.3;Recovery checklist four: Business process recovery;570
26.4;Recovery checklist five: Manufacturing, production, and operations recovery;570
27;Appendix F: Training, Testing, and Auditing Checklists;572
27.1;Training and testing;572
27.2;IT auditing;572
28;Appendix G: BC/DR Plan Maintenance Checklist;574
28.1;Change management;574
29;Glossary of Terms;576
30;Index;590
Chapter 2 Legal and Regulatory Obligations Regarding Data and Information Security
Abstract
This chapter discusses the historical background, sources, and scope of the current definitive legal standard for information technology security practices at most U.S. companies, regardless of size or industry sector. In addition, this chapter includes discussion of the requirement for a process-oriented written information security program (WISP) and the minimum required elements of a WISP, including the requirements to provide both “reasonable security” and security breach notification.
Keywords
Information security; Security measures; Information technology; Legal; Regulatory; Law; Statute; Compliance; Security breach; Plan; Risk; Best practices
In this chapter
• Impact of recent history
• Sources of legal obligations
• Scope of legal obligations
• Definitive legal standard
• Responsibility for compliance
• Required elements of a written information security plan
Warning
The information presented in this chapter is intended to inform readers of potential issues, responsibilities, and requirements of the law with regard to data security. It is not legal advice and should not be construed in any manner as such. The publisher and the author make no legal warranties of any kind and nothing in this chapter should be taken as legal advice. For more information, contact your firm’s legal counsel or an attorney who specializes in Internet, e-commerce, and electronic data security law.
Introduction
The privacy and security of personal information first became an area of concern in the 1960s and 1970s with military-based security data and the passage of the 1970 Fair Credit Reporting Act (FCRA). Since then, the emergence of the Internet and the proliferation of networked information systems, while providing businesses and governments with far-reaching economic benefits, have resulted in widespread abuse and theft of personal information as well as acts of cyber terrorism that have exposed grave risk to the nation’s critical infrastructure and defense. The reaction to these incidents has been a significant expansion of government oversight into the information technology (IT) systems and data maintained by both businesses and government. As of the writing of this book, no single federal law or regulation governed the security of all types of personal or other sensitive information. As a result, states have stepped in with their own laws, resulting in a complex patchwork of federal and state requirements that affect nearly all businesses. Until the 1990s, legislative regulation was largely limited to specific sectors of the economy (e.g., credit reporting, government, healthcare, education). However, with the significant rise in security breaches over the past 10 years, the United States has implemented many federally based security protection laws, with most state-mandated regulations proliferating since 2008. From this complex patchwork of laws and regulations, a definitive legal standard is emerging which mandates that nearly all businesses in the United States be subject to two key legal requirements:
1. The requirement to provide reasonable security for their corporate data and information systems;
2. The requirement to disclose security breaches to those who may be adversely affected by such breaches.
Within the first requirement, a legal definition of “reasonable security” has emerged from applicable law.
All of the major security-related statutes, regulations, and government enforcement actions over the past few years show an amazing consistency in approach. When viewed as a whole, they establish a clearly defined standard for legal compliance, one that requires a process-oriented approach to the development and maintenance of a written information security program (WISP). In addition, the emerging legal standard has helped to clarify the scope and extent of a company’s obligation to implement an information security program. Under the standard, the obligation to provide reasonable security requires both (1) implementation of an ongoing process and (2) addressing certain categories of security measures. Moreover, evidence suggests that even in cases not subject to such laws, this process-oriented approach is the definitive standard against which legal compliance is measured.

The second requirement, which has also received extensive legislative support, is a legal corollary to the requirement to provide reasonable security. Born out of years of data breaches involving sensitive personal information and resulting cases of identity theft, this requirement primarily stipulates that security breaches be disclosed to individuals whose personal information has been compromised. In addition, the requirement also dictates that security breaches be disclosed to the government by certain entities, such as those involved in certain types of financial transactions or critical infrastructure. As of 2012, the requirement to disclose security breaches is the law in 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, and is likely to become federal law in the near future as well. In addition to direct financial losses that stem from the data breach itself, noncompliance with either of these legal requirements has resulted in high costs in litigation, settlement fees, and fines imposed by government regulatory agencies.
Lawsuits may be filed by customers, company shareholders, vendors, and other business partners. Even more costly (and more difficult to quantify) is the loss of public goodwill arising from a breach of data security.

The only thing that can make a major security breach even worse is a regulatory investigation or civil action alleging that you failed to meet your obligations under applicable law, and that such a failure resulted in the breach.
—Proskauer Rose LLP (Neuburger and Newman, 2010)

For both the requirement to provide “reasonable security” and the requirement to disclose breaches, this chapter will examine (1) recent history which has resulted in broad regulatory change, (2) the current regulatory environment, including the nature and scope of requirements, and (3) what companies should do to manage their information security in order to address their compliance obligations.

In terms of BC/DR planning efforts, it is important to understand that security breaches, including theft of personal or other sensitive data, are a significant cause of disasters, and this risk includes both direct financial losses and losses from a tarnished reputation and potential legal action. As you develop your BC/DR plan, you’ll need to pay special attention to the types of data your company deals with and how those types of data need to be managed, particularly in terms of mitigating (avoiding) the risk and recovering from an incident. More information on risk and impact assessment, including how to properly evaluate security threats and determine their potential impact, can be found in Chapters 4 and 5. In addition, more information on recent legal developments surrounding data privacy and security can be found in the Case Study from Deanna Conn following this chapter.

Impact of recent history
Several recent highly publicized data security breaches involving the loss or disclosure of sensitive personal information have put added pressure on federal and state lawmakers to continue to enhance federal and corporate legal obligations to implement security safeguards. It all began on February 15, 2005, when data broker ChoicePoint Inc. disclosed that sensitive personal information it had collected on 145,000 individuals had been compromised. In the 5 months that followed, over 60 additional companies, educational institutions, and federal and state government agencies, almost all household names, also disclosed breaches of the security of sensitive personal information in their possession, affecting a cumulative 50 million records. Among the records compromised, perhaps the most significant belonged to the chairman of the Federal Trade Commission (FTC) and as many as 60 U.S. Senators (Federal Trade Commission, 2006).

More recently, it appeared as if things went from bad to worse. In 2007, TJX, which owns and operates over 2500 retail outlets including Maxx, Marshalls, and Bob’s Stores, disclosed that in 2005, an unknown intruder illegally accessed one of the company’s payment systems and, over an 18-month period, stole the credit and debit card information of 94 million customers across the United States, Canada, and Puerto Rico, as well as the United Kingdom and Ireland (Federal Trade Commission, 2008). This made the TJX breach the worst up until that time in terms of compromising consumer personal information. In June of 2009, TJX announced that it agreed to pay $9.75 million to settle investigations by 41 state attorneys general who were examining the company’s data security policies and practices. Under the agreement, TJX will pay $45.5 million in settlement fees, plus $41.75 million to cover the fees associated with the investigations.
Additionally, the company agreed to contribute $2.5 million toward the creation of a data security fund that states will use to create a number of security-related initiatives, such as developing best practice models, drafting new legislation, and establishing consumer information and outreach...