Incident management processes, business continuity planning and disaster recovery planning are fundamental requirements for any business entity. Incident management is a coordinated practice at the corporate level that depends on a round-the-clock reporting line and on quick assessment and escalation by severity. A sound, formal protocol and procedure should be followed for incident resolution and recovery. This may include a 24-hour incident response team and incident communication procedures. In addition, virtual meeting rooms may be set up to bring together all the required personnel with regular status updates.
Business continuity planning is the set of practices an organization tailors to ensure the delivery of services and the resumption of normal operations after an incident. The plan should detail the resources, vital documents, critical procedures and applications needed to return disrupted activities to their normal state.
Finally, disaster recovery mechanisms are the procedures an organization engages in to restore the complete functioning of its technical environment, including the software and tools that production applications depend on, to its previous state. In the case of a data center disaster, critical workloads need to be restored at the disaster recovery site with minimum disruption of service, while guaranteeing the integrity, availability and confidentiality of data.
The case study provides insight into the risks Bank Solutions is exposed to in its operations and services. Interviews conducted with Douglas Smith, the data center managers, system engineers and network architects, together with the Bank Solutions documentation, reveal a number of vulnerabilities in its security incident management, disaster recovery and business continuity processes and planning policies.
First, the Bank Solutions DRBCP policy was written in 2007 and updated in 2009. However, only the five largest item processing facilities have a DRBCP; the remaining facilities have a template last customized in 2010, and the customization was never completed for the last four. The lack of a complete DRBCP at these four item processing facilities is a significant vulnerability because the plan does not conclusively define the terms of service. Employees at these units may handle data access rights inappropriately, leading to data compromise.
A DRBCP comprises a host of elements, including emergency response procedures, business recovery procedures and return-to-normal procedures. An incomplete DRBCP means that none of these activities can be handled to a defined standard in case of an incident. It is also evident that the item processing facility DRBCPs have not been tested, and an untested plan is, for practical purposes, as good as non-existent. The fact that recovery time objectives (RTOs) and recovery point objectives (RPOs) for mission-critical business operations have not been defined means that, in an emergency, there is no established timeframe against which to gauge the success of the recovery and business continuity process.
A DRBCP customization usually takes up to a year at most. Considering that the last customization was conducted in June 2010, it is of utmost importance that the exercise be completed, ideally within the next six months.
The DRBC policy is an influential document that must be made available to all employees and participants in the company. Lack of distribution and awareness of the policy compromises adherence to it: it is difficult for employees to adhere to what they do not know. Therefore, the fact that a copy of the policy is found on the company's network does not guarantee universal knowledge of it. The policy must be published on the company website and on all other communication boards and bulletins as soon as possible to increase awareness and improve adherence.
Finally, the lack of training of participants in the DRBCP is a principal setback to practising the policy. Unskilled staff are not efficient in handling DRBC exercises and, as a result, will not deliver the best results in case of an incident. Training programs on the DRBCP need to be rolled out immediately, with special focus on the technical staff involved in disaster recovery and business continuity procedures. Bank Solutions should start with a few personnel and then replicate the training to all other staff.
The fact that the company has deployed a robust host-based IDS is a positive move towards detecting and managing threats. However, the lack of standards, guidelines and procedures for addressing attacks is a bottleneck in the management of network security. After an attack, companies employ forensic experts to determine the weak points and trace the perpetrators. A forensic audit is necessary to develop stringent preventive measures, while forensic evidence is used in courts of law to pursue legal redress. The procedures for handling forensic evidence (a documented chain of custody, and working only from verified copies of the original media) are of utmost importance if legal action is to be sustained. Therefore, the company should lay down procedures and mechanisms for internal and external forensic auditors so that credible, uncompromised evidence is produced.
Event logging is an important practice that records inputs to the production servers and administrative systems. The data involved is of the highest priority in terms of security, since it includes the banking details of numerous institutions. Read and write rights should be separated to avoid internal compromise: power users with privileges to read the event logs should not possess write access to the logs themselves, otherwise an insider can cover their tracks by editing or deleting the very records that would expose them. Thus, a policy review and update is needed at the earliest opportunity to define the event logging system. The policy defining which system events, operations and activities are logged is used to determine whether the system is being used correctly and to diagnose error conditions.
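Separating read from write access limits who can alter the logs, but readers still need a way to tell whether the logs have been altered. The following is an added example, not code from the case study or from Bank Solutions, of a hash-chained event log: each record commits to the previous one, and the chain head is assumed to be forwarded out of band to a system the log readers cannot write to (the constant names, the sample events and the `anchored_head` mechanism are assumptions made for illustration). A reader who verifies the chain against the anchored head detects an edited, deleted or truncated record and learns where the damage starts.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash of "nothing": the prev pointer of the first record

# Constructed sample events (hypothetical; not taken from the case study).
SAMPLE_EVENTS = [
    {"ts": "2011-03-01T08:00:00Z", "user": "opsadmin", "action": "login", "host": "prod-db-01"},
    {"ts": "2011-03-01T08:02:11Z", "user": "opsadmin", "action": "read_table", "host": "prod-db-01", "obj": "accounts"},
    {"ts": "2011-03-01T08:05:40Z", "user": "opsadmin", "action": "update_table", "host": "prod-db-01", "obj": "accounts"},
]


def _digest(prev, event):
    # Canonical JSON so that the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode()).hexdigest()


def append_event(log, event):
    """Append one record to the log (a list of dicts). Only the log-writing
    service calls this. Returns the new chain head, which the writer is
    assumed to forward to a separate, read-only anchor store."""
    prev = log[-1]["hash"] if log else GENESIS
    rec = {"seq": len(log), "event": event, "prev": prev, "hash": _digest(prev, event)}
    log.append(rec)
    return rec["hash"]


def verify_chain(log, anchored_head):
    """Recompute every hash from the genesis value. Returns (True, None) if the
    log is intact and ends at the anchored head; otherwise (False, index) where
    index is the first record that is wrong, or len(log) if the chain is
    internally consistent but does not reach the anchored head (truncation or
    a wholesale rewrite)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if prev != anchored_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Write the constructed sample events and return (log, anchored head)."""
    log, head = [], GENESIS
    for event in SAMPLE_EVENTS:
        head = append_event(log, event)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", verify_chain(log, head))
    # A power user with read access tries to disguise the update as a read.
    log[2]["event"]["action"] = "read_table"
    print("after edit:", verify_chain(log, head))
```

Note that the chain on its own does not protect the most recent records: someone who can rewrite the whole file can recompute every hash. The protection comes from the anchored head held elsewhere, which is why the writer forwards it after each append and why the readers, who cannot write to the anchor store, compare against it.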
A review of the DRBCP is required to cater for the processing responsibilities and backup facilities of the item processing facilities. The review will ensure that these additions are in line with the DR/BC program. Since each data center serves as the other's processing location, a failure in one data center may negatively impact the operations of the other if it is not restored efficiently.
It is evident that backup facilities have routinely failed for unexplained causes. The causes of these failures need to be conclusively determined at the item processing facility and the relevant software and hardware installed. Backups at the data center and at the item processing facilities are performed on a weekly basis for critical data files, configurations and software programs; a weekly schedule means up to a week of work can be lost, which must be reconciled with the recovery point objectives once they are defined. Considering that each item processing facility acts as the other's processing site, a complete failure at the affected facility will also affect the backup exercise of the facility that depends on it, and hence its operations.
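A backup that has "routinely failed for unexplained causes" is usually one nobody verifies after it is written. The following is an added example, not code from the case study or from Bank Solutions, of the check a practitioner would run against every backup set: it compares each file against the SHA-256 checksums recorded in a manifest written at backup time, and flags the set as stale when it is older than the recovery point objective. The manifest layout, file names, sample contents and the seven-day RPO are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 (backup files can be larger than memory)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup_set(backup_dir, manifest, now, rpo):
    """Verify one backup set against its manifest.

    manifest = {"taken_at": <ISO 8601 timestamp>, "files": {name: sha256hex}}
    Returns a findings dict: files missing from the set, files whose checksum
    no longer matches (truncated or corrupted media), whether the set is older
    than the RPO, and an overall ok flag.
    """
    findings = {"missing": [], "corrupt": [], "stale": False}
    for name, expected in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            findings["missing"].append(name)
        elif sha256_file(path) != expected:
            findings["corrupt"].append(name)
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    findings["stale"] = now - taken_at > rpo
    findings["ok"] = not (findings["missing"] or findings["corrupt"] or findings["stale"])
    return findings


def write_sample_backup(root, taken_at):
    """Constructed backup set (hypothetical data): two files plus a manifest
    recording their checksums and the time the backup was taken."""
    files = {"accounts.db": b"constructed account records\n", "app.conf": b"listen=443\n"}
    manifest = {"taken_at": taken_at.isoformat(), "files": {}}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
        manifest["files"][name] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(root, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def demo():
    """Run the check against a good set, a damaged set and a stale set.
    Returns the three findings dicts."""
    now = datetime(2011, 3, 8, tzinfo=timezone.utc)
    rpo = timedelta(days=7)  # assumed RPO; the case study defines none
    with tempfile.TemporaryDirectory() as d:
        manifest = write_sample_backup(d, now - timedelta(days=3))
        good = check_backup_set(d, manifest, now, rpo)
        # Simulate a truncated tape and a file that was never copied.
        with open(os.path.join(d, "accounts.db"), "wb") as f:
            f.write(b"constructed")
        os.remove(os.path.join(d, "app.conf"))
        damaged = check_backup_set(d, manifest, now, rpo)
        # A set that is intact but older than the RPO is still a failed backup.
        stale = check_backup_set(d, write_sample_backup(d, now - timedelta(days=9)), now, rpo)
    return good, damaged, stale


if __name__ == "__main__":
    for label, result in zip(("good", "damaged", "stale"), demo()):
        print(label, result)
```

The check is only as trustworthy as the manifest, so the manifest should be written by the backup job and stored apart from the media it describes (with the tapes' off-site copy, for instance), not regenerated from whatever happens to be on the tape at restore time.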
Bank Solutions has contracted a deposit box at a bank across the street to store its backup tapes. Storing backup tapes in a remote location is intended to allow the bank to restore normal operations after a disaster. However, storing the tapes just across the street does not guarantee the safety of the backup information in a disaster such as a fire, since both Bank Solutions and the bank across the street might be victims of the same event. The backup tapes should therefore be located well away from the Bank Solutions premises. It is also evident that, at another processing facility, the tapes are kept by the night Operations Managers.
Restore tapes should not be kept by staff, and certainly not at their homes, because there they are exposed to all kinds of risks: they can be damaged by poor environmental conditions or physical mishandling, among other threats. Tapes stored in a shed at the back of a building are exposed to the same risks as the facility itself; in case of fire or collapse they will be destroyed with the building and be of no use. Environmental and physical damage are predisposing factors that need to be addressed. The tapes should be stored in distant, secure vaults under the right conditions.
Finally, the bank does not have an outline of public relations and communication procedures and protocols. In an emergency, the company will lack inquiry and response teams, which might negatively portray its image and lead to client mistrust. The company should constitute an emergency public relations unit in its administration department to deal with such issues when they arise. The timeline for this initiative should be immediate, to safeguard the company from any unforeseeable danger.
In conclusion, an all-inclusive disaster recovery and business continuity plan is needed to safeguard the company against the identified risks. The plan should encompass technology, process and people solutions. Technology solutions include backup and restore programs; processes involve policy, procedures and standards of engagement; people-based solutions involve activities such as awareness, controls, and access rights and privileges.