“What keeps you up at night?”
This is a frequently asked question of IT professionals—a favorite asked by those outside the industry. As an IT professional, if the “small stuff” kept you up at night, you would have already expired from exhaustion. It’s the big stuff—security breaches, upcoming audits, lack of capacity during peak periods, continuous availability—that keeps us up.
IT professionals know data security is multi-dimensional. Recent regulations have focused on one dimension of data: data privacy. Media attention has placed data privacy in the spotlight. Several data security standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act, emphasize data privacy. Before any of those existed, however, industry data security best practices had focused on the fundamental need to ensure orderly continuation of activities after unplanned negative events, otherwise known as Business Continuity Planning (BCP).
In 1999, the Federal Reserve Bank of New York’s “Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks” presented clear, effective, and verifiable business continuity planning, testing, and ongoing improvement as a required best practice for outsourcing back-office processing (see www.newyorkfed.org/newsevents/news_archive/aboutthefed/1999/an991020.html). Section F.13 stated that “… the financial institution needs to verify that the service provider has a prudent business recovery plan in place.” Nearly 10 years later, in 2008, the Federal Financial Institutions Examination Council stated in its examiner’s handbook on business continuity, “It is the responsibility of an institution’s board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process” (see www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf).
It’s easy to see that the ability to quickly resume orderly conduct of enterprise commerce in the event of a catastrophe remains every bit as important to today’s overall data security strategy as end-to-end protection of credit card transactions.
BCP involves the analysis of risks, the identification of potential impacts, and the implementation of mitigations for business disruption; together these create the structure for Disaster Recovery (DR) when a significant problem arises. It includes both the “whiteboard” work of brainstorming the complete list of risks, classifying and prioritizing them, and recommending mitigation and recovery steps, and the actual exercise of those steps: the plan must be rehearsed to confirm that the planned steps really do result in a recovered state in an appropriate timeframe and for a tolerable cost. A plan has no value if it doesn’t return the organization to an acceptable state of data currency and processing accuracy—the Recovery Point Objective (RPO)—within an appropriate time span—the Recovery Time Objective (RTO)—so it must be adjusted until it does.
Originally, BCP needed to focus only on that operational practicality. Planning focused on minimizing impact on daily and monthly batch processing windows and minimizing the expense of extracting, cataloging, and storing the data needed for BCP, while still remaining sufficiently complete and orderly to prove that the RPO and RTO required by internal and external Service Level Agreements (SLAs) were attainable. Planners spent endless effort looking for opportunities to remove complexity, time, and cost from the operations, while still being able to demonstrate a recovery in simulations (usually annual).
The past few decades have repeatedly shown that this work isn’t in vain. During the 1989 earthquake in San Francisco and surrounding areas, major centers for transaction processing were impacted and disaster recovery was required. The 1993 “Storm of the Century” collapsed EDS’ Clifton, NJ, data center, which supported 6 percent of all Automated Teller Machines (ATMs) nationwide, requiring that operations move to a recovery facility in Franklin Lakes, NJ (see www.drj.com/drworld/content/w2_063.htm). Finally, during the Northeast Blackout of 2003, many companies had their recovery centers in the same region covered by the blackout, making their recovery impossible (see www.cnn.com/2003/US/08/14/power.outage/index.html and www.nytimes.com/2003/08/19/technology/19BACK.html).
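The RPO and RTO defined above reduce to two clock measurements taken during a rehearsal: how much work done after the last usable backup would be lost, and how long service stayed down. The Python below is an added example, not code from the article or any of the organizations it cites. It scores a drill record against SLA targets for RPO, RTO, and cost, and also flags a recovery site that shares a region with the primary site, the failure mode of the 2003 blackout described above. All field names, regions, timestamps, and dollar amounts are constructed for illustration.

```python
"""Evaluate a business-continuity recovery drill against SLA targets.

Added example, not from the article. Field names, regions, timestamps and
dollar amounts below are constructed sample data, not real incident records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SlaTargets:
    rpo: timedelta        # maximum tolerable data-loss window
    rto: timedelta        # maximum tolerable time until service is restored
    max_cost_usd: float   # tolerable cost of one recovery exercise


@dataclass(frozen=True)
class DrillRecord:
    system: str
    primary_region: str
    recovery_region: str
    last_good_backup: datetime    # newest backup actually usable at the recovery site
    incident_declared: datetime   # when the outage/disaster was declared
    service_restored: datetime    # when processing resumed at the recovery site
    cost_usd: float


def achieved_rpo(d: DrillRecord) -> timedelta:
    """Data-loss window: everything processed after the last usable backup is lost."""
    return d.incident_declared - d.last_good_backup


def achieved_rto(d: DrillRecord) -> timedelta:
    """Outage duration: time from declaration to restored service."""
    return d.service_restored - d.incident_declared


def evaluate_drill(d: DrillRecord, sla: SlaTargets) -> dict:
    """Compare one drill against the SLA; every check must pass for the drill to pass."""
    findings = {
        "rpo_met": achieved_rpo(d) <= sla.rpo,
        "rto_met": achieved_rto(d) <= sla.rto,
        "cost_met": d.cost_usd <= sla.max_cost_usd,
        # A recovery site in the same region as the primary shares its regional risks
        # (power grid, weather), so it is counted as a plan defect, not a pass.
        "site_geographically_separate": d.primary_region != d.recovery_region,
    }
    findings["passed"] = all(findings.values())
    return findings


def report(d: DrillRecord, sla: SlaTargets) -> str:
    """Human-readable summary suitable for a drill post-mortem."""
    f = evaluate_drill(d, sla)
    lines = [
        f"{d.system}: {'PASS' if f['passed'] else 'FAIL'}",
        f"  RPO achieved {achieved_rpo(d)} (target {sla.rpo}) -> {'ok' if f['rpo_met'] else 'MISSED'}",
        f"  RTO achieved {achieved_rto(d)} (target {sla.rto}) -> {'ok' if f['rto_met'] else 'MISSED'}",
        f"  cost ${d.cost_usd:,.0f} (limit ${sla.max_cost_usd:,.0f}) -> {'ok' if f['cost_met'] else 'OVER'}",
        f"  recovery region {d.recovery_region} vs primary {d.primary_region} -> "
        f"{'separate' if f['site_geographically_separate'] else 'SAME REGION'}",
    ]
    return "\n".join(lines)


# Constructed SLA: 4 hours of data loss, 8 hours of outage, $50k per exercise.
SLA = SlaTargets(rpo=timedelta(hours=4), rto=timedelta(hours=8), max_cost_usd=50_000.0)

# Constructed drill that meets every target.
DRILL_PASS = DrillRecord(
    system="card-auth",
    primary_region="us-east",
    recovery_region="us-central",
    last_good_backup=datetime(2003, 8, 14, 14, 10),
    incident_declared=datetime(2003, 8, 14, 16, 10),
    service_restored=datetime(2003, 8, 14, 22, 10),
    cost_usd=42_000.0,
)

# Constructed drill that misses RPO, RTO and cost, with the recovery site in the primary's region.
DRILL_FAIL = DrillRecord(
    system="batch-settlement",
    primary_region="us-east",
    recovery_region="us-east",
    last_good_backup=datetime(2003, 8, 13, 20, 0),
    incident_declared=datetime(2003, 8, 14, 16, 10),
    service_restored=datetime(2003, 8, 15, 6, 10),
    cost_usd=61_000.0,
)

if __name__ == "__main__":
    print(report(DRILL_PASS, SLA))
    print(report(DRILL_FAIL, SLA))
```

Run as a script, it prints one summary per drill. The check on regions is the one most often skipped in paper-only planning, which is why it is treated here as a hard failure rather than an advisory.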
Now, however, the term “disaster” has new dimensions. Because markets have moved to electronic identification (e.g., credit cards) for transactions, and because the technology required to commit fraud with such data (e.g., software, hardware, skills) is broadly available, the content of backups represents a treasure trove for a criminal or disgruntled employee. Where before a disaster resulted from acts of nature, system failure, war, or terrorism, now the mere loss of sensitive data can have a disastrous impact on the conduct of business. Seattle-based Providence Health & Services was required to pay a $100,000 fine in 2008 to the Department of Health and Human Services for violation of Health Insurance Portability and Accountability Act (HIPAA) data privacy requirements, even before the HITECH update (see www.fiercehealthit.com/story/seattle-system-will-pay-100k-hipaa-fine-after-repeated-breaches/2008-07-19). Much of the violation resulted from the repeated loss or theft of sensitive data.