Business Continuity Programs. State of the Industry Report PDF

45 Pages·2014·1.597 MB·English
Business Continuity State of the Industry Report

Herbert J. Mattord
Michael E. Whitman

Amsterdam • Boston • Heidelberg • London • New York • Oxford • Paris • San Diego • San Francisco • Singapore • Sydney • Tokyo

Elsevier
225 Wyman Street, Waltham, MA 02451, USA
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK

Copyright © 2014 The Security Executive Council. Published by Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangement with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

ISBN: 978-0-12-800845-4

For more publications in the Elsevier Risk Management and Security Collection, visit our website at store.elsevier.com/SecurityExecutiveCouncil.

WHAT IS A STATE OF THE INDUSTRY REPORT?

A state of the industry report is a comprehensive, one-stop overview of a key security topic or issue. It combines the latest information from the Security Executive Council's Knowledge Base, including recent research studies, the latest proven practices used in leading companies, publicly available studies, white papers, and news. It captures the current "state of the industry" on a topic, for better or worse.

State of the industry reports can be used by the practitioner or educator for a quick update on what certain industry segments or issues look like, or to help prepare a proposal or report, make a business case, build a program comparison, or respond to executive-level inquiries. When possible they identify and explore what trends exist, where there are gaps, and common strategies for addressing gaps. They can also be used when planning strategy, seeking project approvals, defending a course of action, or educating personnel.

These reports are your source for understanding and communicating the critical elements of a security issue and how the industry is responding to it. They bring together what fragmented and unconnected pieces of information are available into one easy-to-read document that paints a total picture.

EXECUTIVE SUMMARY

The business continuity field has many segments, each performing a vital role for a different constituency. This includes those involved in overall business continuity (BC), and those who focus on the needs to assure information technology (IT) continuity, among others.
For the discussion in this report, the term business continuity will address the entire set of activities that an organization undertakes to make sure that it can continue operating in the face of adverse events.

The most significant trend in the field is the continued increase in the level of intention to be prepared. This is documented by the growth of the number of organizations with formal BC plans from 80% to 87% over the 6 years ending 2013.[1] However, 54% of smaller and medium-sized organizations do not periodically test their business continuity plans.[2]

The top BC trends identified in a recent survey by the Business Continuity Institute include
• the use of the Internet for malicious attacks (71%);
• the impact of social media on organizational image, and its use in crisis communications (60%); and
• increased regulatory scrutiny (56%).[3]

The top threats identified as organizational concerns in BC are unplanned IT/telecom outages, data breaches, cyber-attacks, adverse weather, and interruption to utilities.[4] The BC industry understands well the need to be ready for natural disasters. Information security threats have moved up the BC agenda. An AT&T study found that more than half of executives surveyed (63%) cited the threat of security breaches as the most important security concern for 2013 at their organization.[5]

Some structural components of the continuity field remain in place to direct the continuity industry in how it operates.

[1] AT&T (2013). 2013 Business Continuity Study.
[2] Csaplar, D. (2010). Small & Mid-Sized Organizations Gain Disaster Recovery Advantages Using Cloud Storage, Aberdeen Group Research. Retrieved from http://aberdeen.com/launch/report/benchmark/6827-RA-disaster-recovery-cloud.asp?lan=US.
[3] Business Continuity Institute (2013). Horizon Scan 2013 Survey Report. http://www.bcifiles.com/BCI_HorizonScan2013.pdf.
[4] Ibid.
Some recent commentary in this regard includes:
• IT-related triggering events continue to dominate BC event initiation.[6]
• Managing risk in information and communications technology (ICT) infrastructures requires robust planning and a capability to respond that encompasses prevention, early detection, and rapid response.[7]
• Backup and recovery planning remains the linchpin of continuity planning, response, and recovery. The most reliable indicator of sound preparation is the robustness of backup and recovery capacity.[8]
• Organizations continue to strive to meet availability goals, with 32% of the organizations surveyed not having met their goals for mission-critical systems service availability in 2012.[9] The cost of an interruption was estimated at over $50,000 by over 26% of organizations, with 5% estimating losses over $1 million.[10]

Business continuity has always relied on technology both to prepare for events and as part of the recovery mechanisms employed. Recent trends show this reliance is increasing. Communications channels used in BC evolve along with the methods used in the broader society. A recent dominant shift has been toward the use of social media to better integrate crisis communication plans into the channels used by employees and other stakeholders. Over 43% of surveyed organizations use or plan to use social media as part of business continuity management (BCM) programs.[11] Thirty-four percent of surveyed organizations consider social media channels among those on which they rely most.[12] Executive engagement in continuity planning continues to grow, while, on the other hand, executive engagement with crisis communications continues to lag.

Governments seek to legislate and regulate the ICT environment to safeguard the interests of the societies they represent. The most widely used standards are NFPA 1600 (46%), BS 25999-1 and -2 (26% and 27%), and ISO/IEC 27001 (12%).[13]

[5] AT&T (2013). 2013 Business Continuity Study.
[6] KPMG (2012). 2011–2012 Global Business Continuity Management Program Benchmarking Study.
[7] Deloitte (2013). Blurring the Lines: The 2013 TMT Global Security Study.
[8] Kadlec, C. & Shropshire, J. (2010). Best Practices in IT Disaster Recovery Planning Among US Banks. Journal of Internet Banking and Commerce, 15(1).
[9] Continuity Software (2013). 2013 Enterprise Service Availability and Business Continuity Benchmark Survey. Retrieved from www.continuitysoftware.com/wp-content/uploads/2013/04/Service-Availability-Survey-Enterprise-2013.pdf.
[10] KPMG (2012). 2011–2012 Global Business Continuity Management Program Benchmarking Study.
[11] KPMG (2012). 2011–2012 Global Business Continuity Management Program Benchmarking Study.
[12] Balaouras, S. (2013). The State of Crisis Communications & Risk Management. Forrester Research.
[13] KPMG (2012). 2011–2012 Global Business Continuity Management Program Benchmarking Study.

OVERVIEW OF BUSINESS CONTINUITY

The National Institute of Standards and Technology (NIST), in its Special Publication SP 800-34 Rev. 1, "Contingency Planning Guide for Federal Information Systems" (May 2010), refers to business continuity as contingency planning (CP)—the act of conducting strategic planning for non-normal operations. Under the umbrella for CP, NIST defines four key areas of planning as subordinate to CP:

1. Incident response planning (IRP)
2. Disaster recovery planning (DRP)
3. Business continuity planning (BCP)
4. Crisis management

IRP, or the planning for the response to adverse events on a smaller scale and in reaction to unfolding events, is not addressed in this report. DRP addresses the actions of the organization to re-establish operations at the primary site after a disaster.
BCP addresses the planning necessary to establish critical operations at an alternate site, until such time as disaster recovery operations have concluded at the primary site, or until executive management makes the decision that the primary site is no longer viable and selects a new primary site for business operations. Crisis management addresses the human aspects of the other planning functions, focusing on the protection of the health and welfare of organizational personnel during and after adverse events and disasters.

However, for the sake of this report, the term business continuity (BC) will be used as a surrogate for CP, as BC is more common in the private sector. See Appendix A for additional BC-related terminology.

This report is designed to present news, notes, and perspectives on recent events and trends in the field of BC. It will furnish a global perspective intending to inform practitioners and industry observers with an awareness of the current state of the industry without preference to any BC industry segment or any specific technology, methodology, or vendor.

Figure 1. Organizations with a business continuity plan, 2008 through 2013 (share of organizations, plotted on a 76% to 88% scale). This chart depicts the growing number of organizations with formal BC plans. Data source: AT&T's 2013 Business Continuity Study.

Business continuity in 2014 represents a spectrum of specialty skills delivered by professionals drawn from multiple segments of society, each performing a vital role for a different constituency. This includes general business needs as well as actions on behalf of information technology units and government agencies.

We believe that the most significant trend in the field is the continued increase in the level of intention to be prepared. Recent events illustrate the degree of readiness and resilience demonstrated by organizations that have needed to implement contingency plans.
This is documented by the growing number of organizations with formal BC plans from 80% to 87% over the 6 years ending in 2013, as shown in Figure 1.[1] This positive trend is offset by statistics revealing that the maintenance and testing of continuity plans continue to lag. One study found that 54% of smaller and medium-sized organizations do not periodically test their business continuity plans.[2]

[1] AT&T (2013). 2013 Business Continuity Study.
[2] Csaplar, D. (2010). Small & Mid-Sized Organizations Gain Disaster Recovery Advantages Using Cloud Storage, Aberdeen Group Research. Retrieved from aberdeen.com/launch/report/benchmark/6827-RA-disaster-recovery-cloud.asp?lan=US.

Table 1. 2013 Top 10 Organizational Concerns for Threats[3,4]

Threat                              Concern* (Seriously Concerned or Concerned)   2010 Causes* (Reported Cause)
Unplanned IT and telecom outages    69.7%                                         50%
Data breach                         66.0%                                         †
Cyber-attack                        64.7%                                         †
Adverse weather                     52.5%                                         33%
Interruption to utility supply      49.7%                                         44%
Security incident/terrorism         47.1%                                         1%
Supply chain disruption             41.0%                                         †
New laws or regulations             38.1%                                         †
Health and safety incident          37.8%                                         †
Transport network disruption        37.6%                                         †
Other                                                                             12%
Did not report a disruption                                                       36%

*Multiple responses possible.
†Data not collected by survey.

EVENTS SHAPING THE INDUSTRY

Business continuity, for good or ill, remains a highly reactive industry. Events that engage the continuity processes can serve as a means to evaluate how effective the industry is when it comes to assuring operational readiness. A number of events have been noted as affecting continuity preparations and operations in recent years. According to the Business Continuity Institute, the top 10 threats that organizations were concerned about in 2013 are shown in Table 1. Where reported causes of plan activation are available, they are provided to contrast what actually happens with the areas about which the BC industry is concerned. In general, disasters can be categorized as natural, economic, or technological.

[3] Business Continuity Institute. Horizon Scan 2013 Survey Report. http://www.bcifiles.com/BCI_HorizonScan2013.pdf.
[4] Dines, R. (2011). The State of Disaster Recovery Preparedness. Disaster Recovery Journal. January 6, 2011. http://www.drj.com/2011-articles/winter-2011-volume-24-issue-1/the-state-of-disaster-recovery-preparedness.html.
