IT Disaster Recovery Research Articles

Strategic dilemmas when managing cyber attacks

Cyber attacks have a significant business impact, with the potential to escalate into crises if poorly managed. A recurring pattern is strategic dilemmas that cannot be resolved satisfactorily. Some dilemmas are more pronounced, others less so, and therefore often catch decision-makers unprepared, leaving only bad options for decision-making. Something that all dilemmas have in common is that the associated decisions can have a lasting impact on relationships with stakeholders. This paper introduces four recurring dilemmas; shows the typical considerations; lists options for mitigating these dilemmas; and describes the basic requirements for implementing mitigations. The dilemmas and options, in turn, are rooted in the organisation-specific design of: cyber security incident management and response; IT service continuity and disaster recovery management; business continuity management; and crisis management and communication.

Planning For a Pandemic

Abstract Business continuity planning (BCP) and related IT disaster recovery planning (IT DRP) have become established, respected and important disciplines in business. However, many of the assumptions underlying BCP/DRP planning today will NOT hold in a pandemic, writes technology risk expert Dr Patrick McConnell FBCS CITP CEng.

IT재해복구 연관 프레임워크 비교분석을 통한 ISMS의 통합관리방안

정보화 사회는 컴퓨터 및 통신이 발달하여 데이터를 수동으로 관리하기 어려운 정도로 데이터 양이 방대해져서 데이터 관리에 어려움을 느끼고, 자연재해 및 해커의 공격 등으로 인해 데이터 손실, 서비스 이용 불가 등 다양한 IT 관련 보안사고가 발생하여 이를 원래대로 복구하기 위한 정보보호 관리체계가 필요하다. 정보보호 관리체계는 다양한 프레임워크들이 존재하는데, IT재해에 의해서 발생한 피해를 복구하기 위한 프레임워크는 Cyber Security Framework, Risk Management Framework, ISO/IEC 27001, COBIT 5.0이 존재하며, 각각의 프레임워크들 중에서 IT재해복구에 해당하는 항목들을 비교분석하고, IT재해가 발생한 경우 신속하게 해결하기 위한 하나의 통합적인 관리 방안에 대해 설명한다.

Airline business continuity and IT disaster recovery sites

Business continuity is defined as the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business continuity is fast evolving to become a critical and strategic decision for any organisation. Transportation in general, and airlines in particular, is a unique sector with a specialised set of requirements, challenges and opportunities. Business continuity in the airline sector is a concept that is generally overlooked by the airline managements. This paper reviews different risks related to airline processes and will also propose solutions to these risks based on experiences and good industry practices.

Key Determinant Derivations for Information Technology Disaster Recovery Site Selection by the Multi-Criterion Decision Making Method

Disaster recovery sites are an important mechanism in continuous IT system operations. Such mechanisms can sustain IT availability and reduce business losses during natural or human-made disasters. Concerning the cost and risk aspects, the IT disaster-recovery site selection problems are multi-criterion decision making (MCDM) problems in nature. For such problems, the decision aspects include the availability of the service, recovery time requirements, service performance, and more. The importance and complexities of IT disaster recovery sites increases with advances in IT and the categories of possible disasters. The modern IT disaster recovery site selection process requires further investigation. However, very few researchers tried to study related issues during past years based on the authors’ extremely limited knowledge. Thus, this paper aims to derive the aspects and criteria for evaluating and selecting a modern IT disaster recovery site. A hybrid MCDM framework consisting of the Decision Making Trial and Evaluation Laboratory (DEMATEL) and the Analytic Network Process (ANP) will be proposed to construct the complex influence relations between aspects as well as criteria and further, derive weight associated with each aspect and criteria. The criteria with higher weight can be used for evaluating and selecting the most suitable IT disaster recovery sites. In the future, the proposed analytic framework can be used for evaluating and selecting a disaster recovery site for data centers by public institutes or private firms.

Healthcare system resiliency: The case for taking disaster plans further — Part 2

For the most part, top management is aware of the costs of healthcare downtime. They recognise that minimising downtime while fulfilling risk management standards, namely, ‘duty of care’ and ‘standard of care’, are among the most difficult challenges they face, especially when coupled with the increasing pressure for continued service availability with the frequency of incidents. Through continuous operational availability and greater resiliency demands a new, combined approach has emerged, which necessitates that the disciplines of: (1) enterprise risk management; (2) emergency response planning; (3) business continuity management including IT disaster recovery; (4) crisis communications be addressed with strategies and techniques designed and integrated into a singular, seamless approach. It is no longer feasible to separate these disciplines. By integrating them as the gateway for service continuity, the organisation can enhance its ability to run as a business by helping to identify risks and prepare for change, prioritise work efforts, flag problems and pinpoint important areas that underpin the overarching business continuity processes. The driver of change in staying ahead of the risk curve, and the entry point of a true resiliency strategy, begins with identifying the synergies of the aforementioned disciplines and integrating each of them to jointly contribute to service continuance.

Healthcare system resiliency: The case for taking disaster plans further — Part 1

To establish true healthcare resiliency, and to better position healthcare organisations to provide effective response, continuity, resumption and recovery of fundamental services and operations during serious incidents and disasters, the disaster planning process must evolve into an integrated approach of four contingency planning disciplines that holistically examine the end-to-end, all-hazard response continuum. This process also needs to incorporate and scale multifarious organisational levels and, when required, the health sector. This paper is the first component of two independent, but related, pieces. It will examine the typical state of disaster preparedness and plans in healthcare, examine the worth and value of honing disaster plans, and will introduce two recommended contingency planning disciplines: enterprise risk management and emergency response planning. For each discipline, a case will be made for its inclusion into the overall disaster planning process, including examination of background information, benefits, how it improves disaster planning, and other resources helpful to the reader. The second paper, in a future issue of the Journal of Business Continuity & Emergency Planning, will introduce business continuity management — including IT disaster recovery — and crisis communications as the third and fourth contingency planning disciplines needed for a fully integrated approach. The opinions expressed in this paper are those of the authors and may not be entirely those of the organisation.

정보보호관리체계(ISMS) 항목의 중요도 인식과 투자의 우선순위 비교 연구

최근의 개인정보 유출과 같은 정보보안 사고들이 기업의 매출 감소와 이미지 손실에 직접적인 영향을 주는 심각한 위험 관리 요소가 됨에 따라 체계적인 정보보호 관리를 위해 정보보호관리체계를 도입하는 기업들이 증가하고 있다. 그러나 기업 내 정보보호 인식과 달리 적은 투자로 인해, 한정된 예산으로 다양한 정보보호 요소들을 효과적으로 관리할 수 있는 방안이 중요해지고 있다. 본 연구에서는 정보보호관리체계의 13개 항목들에 대해 정보보호전문가들의 중요도 평가를 통해 우선순위를 도출하여, 단계적으로 정보보호관리체계를 구축할 수 있는 방향을 제공한다. 그리고 각 항목들에 대한 투자 정도도 평가하여 중요도와 투자 간의 우선순위 차이를 비교 분석하였다. 연구 결과 침해사고 관리가 가장 중요한 것으로 나타났으며, 투자 정도에서는 IT 재해복구가 가장 높은 것으로 확인되었다. 그리고 정보보호 중요도와 투자 간의 우선순위 차이가 큰 정보보호 항목은 암호통제, 정보보호정책, 정보보호교육, 인적보안으로 확인되었다. 본 연구 결과는 정보보호관리체계 도입을 고려하거나 운영 중인 기업들이 한정된 예산을 고려하여 효과적인 정보보호 투자에 대한 의사결정 자료로 활용될 수 있을 것으로 기대한다. Recently, organizational efforts to adopt ISMS(Information Security Management System) have been increasingly mandated and demanded due to the rising threat and the heavier cost of security failure. However there is a serious gap between awareness and investment of information security in a company, hence it is very important for the company to control effectively a variety of information security threats within a tight budget. To phase the ISMS, this study suggests the priorities based on evaluating the Importance of 13 areas for the ISMS by the information security experts and then we attempt to see the difference between importance and investment through the assessment of the actual investment in each area. The research findings show that intrusion incident handling is most important and IT disaster recovery is the area that is invested the most. Then, information security areas with the considerable difference between priorities of importance and investment are cryptography control, information security policies, education and training on information security and personnel security. The study results are expected to be used in making a decision for the effective investment of information security when companies with a limited budget are considering to introduce ISMS or operating it.

A Proposed Model for IT Disaster Recovery Plan

A Proposed Model for IT Disaster Recovery Plan

Technical Briefing: Business Continuity Management

This article discusses business continuity management as a risk management activity that extends well beyond the realm of IT Disaster Recovery Planning. It describes a rational, iterative process for assessing the risks, selecting appropriate risk treatments, and implementing various mitigating controls including resilience, recovery and contingency measures. While the IT Department undoubtedly has an important part to play in business continuity management, the article emphasizes that the process should be driven by senior managers since they are ultimately accountable for the organization's health and survival. As such, they have an obvious interest in balancing business risks against business opportunities.

The Relationship between IT Director Values and Extent of IT Disaster Recovery Planning in the Banking Industry

Information technology plays a pivotal role in defining the success of organizations. Given its importance, one might assume that modern organizations take steps to ensure the recovery of IT services following disasters. Unfortunately, this is rarely the case. To understand the variation in degree of IT disaster recovery planning, this research focused on those responsible for managing IT resources and IT directors. For the study, a survey was mailed to 337 financial service institutions in the southeastern United States. Over 150 IT directors completed self-assessments for measuring the extent to which their organization engages in IT disaster recovery planning. In addition, they responded to a number of questions regarding their work-related values, and over 63% of the variance in degree of IT disaster recovery planning was explained by two predictors: uncertainty avoidance and long-term orientation. Results show that firms with IT professionals who prefer to avoid uncertainty and who have long-term outlooks have more developed IT disaster recovery plans.

Key information systems management issues: A comparative study in South Africa

The identification of key Information Systems (IS) management issues is important for all players in the industry. Most academic research has followed the form of the Society for Information Management (SIM) studies, originating in the early 1980’s in the United States of America (USA), and since replicated in many countries, yet no comprehensive recent study had been carried out in South Africa. This study was performed within weeks of September 11, 2001 on a sample of 121 members of the Cape IT Initiative (CITI), and of the Computer Society of South Africa (CSSA), from a range of industries and geographical regions. Highest rated issues were business intelligence, a responsive IT infrastructure and disaster recovery, while Business Relationship and Technical Infrastructure issues were prominent overall. Demographic factors did not significantly influence overall results. Rankings were correlated with an earlier South African study and with 1997 Australian research, but not with a 1995 USA study. The economic developmental status of a country was found to be linked to the key issues that country faces.