Within the IT community, governance is an increasingly important part of the management process. Good governance assumes some level of compliance with established procedures, controls or standards. But how does governance apply when the subject is disasters?
Business continuity standards that link to the IT community
Early disaster recovery (DR)/business continuity standards were written to address IT issues such as data storage, protecting hardware and software, security, data center operations, alternate site selection and staffing. Initial IT standards were developed by such entities as the American National Standards Institute (ANSI), International Organization for Standardization (ISO) and the National Bureau of Standards (today the National Institute for Standards and Technology, or NIST).
The Federal government published numerous technology standards under the Federal Information Processing Standards (FIPS) banner; most of these have been updated by NIST standards, particularly the 800 Series of Special Publications. Within the banking and finance sectors, the Federal Reserve Bank, Office of the Comptroller of the Currency and the Securities and Exchange Commission have all issued standards addressing DR. Many are still in place today to ensure that information systems are protected. This table lists the 10 most widely used standards for IT disaster recovery and business continuity
Standards are largely prescriptive, in that they describe what should be done to protect IT assets, but not how a particular activity should be performed. Among the standards listed, NFPA 1600 is the American National Standard for business continuity and emergency management. BS 25999 is the British National Standard and is quickly becoming a leading standard in this country. Within the IT space, the newest global IT DR standard is ISO 24762:2008. This is based on the familiar IT security standards ISO 27001 and 27002, and can supplement existing IT security efforts using those documents.
How IT managers can effectively utilize business continuity standards
Since many of the most widely used IT business continuity and DR standards, such as NIST SP 800-34 and the Federal Financial Institutions Examination Council (FFIEC) Business Continuity Handbook, are available for free, it's easy to obtain a standard and use it as a benchmark for existing DR/business continuity (BC) plans.
Simply map the standard's content to existing plans and procedures and identify where matches exist and where they do not. This is an easy and time-efficient method for validating the content of existing plans. Often, the standard's language can be used to formulate a plan's content, especially policies and procedures. Of course, the actual process-level actions to be taken in an emergency will be unique for each IT organization. But, so long as the overall structure of the plan can be proven consistent with one or more standards, the plans should be able to pass an audit or other such scrutiny.
By obtaining an audit-focused standard, such as Information Systems Audit and Control Association (ISACA) Document G32, IT managers can obtain useful guidance as to how their DR/BC plans may be audited, and can use that guidance to ensure that their plans properly address operational control issues. This is particularly important to ensure compliance with Sarbanes-Oxley requirements.
Today's IT managers have numerous standards against which their DR and business continuity activities can be assessed. Assuming the company has made a commitment to protecting its IT assets and infrastructure, IT managers should adopt one or more standards as baselines for ensuring the robustness of their data protection efforts.
About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of business continuity projects, authored dozens of articles, conducted seminars worldwide, and spoken to hundreds of people on the subject. Mr. Kirvan is a Fellow of the Business Continuity Institute (FBCI), a Certified Information Systems Security Professional (CISSP), a Certified Business Continuity Professional (CBCP), and is on the Board of Directors of the Business Continuity Institute. In 2001 he was awarded the Industry Achievement Award by the International Disaster Recovery Association (IDRA). He is also secretary of the Business Continuity Institute USA Chapter.