The three key tenets of Information Assurance are Confidentiality, Integrity and Availability. All three must be addressed in relation to the needs of the organisation, if IA is to be achieved; IA is not concerned solely with confidentiality.
Business Continuity is a specific area of IA relating to the maintenance of service integrity and information availability.
Business Continuity is defined as those actions designed to prevent or reduce interruptions in business processes. For this reason the process is also known as ‘continuity of operations’. The focus is on business-critical resources, and the process takes a holistic view of business activities and centres on planning before the event.
Disaster Recovery Planning considers the post-incident restoration of infrastructure through a pre-defined set of actions.
Business Continuity may also include an element of Crisis Management, which relates to the overall management of a major incident including aspects such as Public Relations. Crisis Management is not considered to be within the scope of this paper, although further advice can be obtained from the UK Resilience website.
It can be seen that the requirement for availability of information and services drives the need for Disaster Recovery, and that Disaster Recovery is a component of Business Continuity. These processes are driven by the risk assessment and the identification of critical business processes.
The plans produced as outputs can be considered to be countermeasures in their own right.
The situation is summarised in the diagram below.

ISO/IEC 17799
ISO/IEC 17799 (since renumbered as ISO/IEC 27002) identifies an effective business continuity process as a key element of IA, encompassing a planning framework, the conduct of a business impact analysis, the regular testing and maintenance of plans, and the use of backup procedures.
OGC
The OGC states that ‘Each government department is responsible for ensuring it has robust Business Continuity Plans in place so they can respond effectively to a wide range of problems affecting the organisation's assets; including buildings, people and equipment e.g. computers’.
Best practice guidance is available from a number of sources:
This guidance is issued against a background in which the UK is considering its preparedness in the event of a civil emergency, and also against the background of the recommendations of the Turnbull report, which, although not mandatory, nevertheless have significant implications for FTSE-listed companies. Because of this, organisations should keep a watching brief on emerging standards in the commercial sector, and should be prepared to adapt to meet developing best practice.
Proprietary methods are available for the development of business continuity and related plans. When selecting a method, the following aspects should be taken as a minimum set:
Service-based procurements
For government bodies, where a service is being procured then the provision of disaster recovery facilities (or not) may appear to be a decision for the supplier, and therefore the responsibility of the supplier.
However, the supplier will only provide what has been asked for. When establishing disaster recovery facilities, the department (or other organisation) must therefore explicitly state, as part of the service specification, the facilities which are required (for example the recovery timescales and the data that must be recoverable). The service supplier will decide what to provide based on the specified requirements and on the commercial impact to the supplier, so anything left unspecified should be assumed to be absent.
Security in fallback operation
In some cases the disaster recovery plans may include an element of standby operation, possibly involving a commercial service. In these cases there must be a consideration of:
Risk acceptance
Although most approaches aim to develop a plan that will restore services quickly, risk acceptance (deciding not to provide recovery capability for a particular loss) remains a possibility.
However, where risk acceptance is chosen as the preferred option, this must be clearly documented, justified and formally accepted by the risk owner.