Analysis of Business Continuity Management in a crisis framework
Security
This article deals with business continuity management, or BCM, and analyses standards such as BS 25999-1/2 (which reduces the risk of possible disruption to continued operations caused by a disaster or by a smaller incident, and is particularly suitable for organizations that operate in high-risk environments) and BS 25777 (more specific to ICT continuity management). BCM governs information security in crisis situations and is key for every organization in today's society: people, infrastructure and ICT must be protected, reputation must be preserved, and the capacity to keep operations and commerce (B2B, B2C, etc.) running must be provided. BCM is an integrated management process that makes it possible to be prepared in a technological world of change, uncertainty and great turbulence, and it is related to availability technologies such as backups, hot sites, warm sites, cold sites, UPS, RAID, redundancy, etc. Being prepared to confront incidents and disasters must be the approach, rather than waiting for possible crises or for audit findings. The results of the GSISS'08 study (Global State of Information Security Survey 2008), carried out in Spain by PricewaterhouseCoopers, show that investment in information security continues to be driven mainly by the Business Continuity and Disaster Recovery functions, at 40% in 2008 and 55% in 2007.
Also, with respect to the executive positions associated with security, the CEO (Chief Executive Officer), CFO (Chief Financial Officer) and CIO (Chief Information Officer, the manager who sits next to IT at the table) name Business Continuity and Disaster Recovery as the main factor that conditions investment in information security, whereas the CISO (Chief Information Security Officer) names regulatory compliance as the main factor. Therefore, among the main concerns of CEOs and CIOs, business continuity is a priority. It has become a key requirement for survival in today's turbulent, technology-based economy. Consequently, business continuity must be ensured, and not merely implemented as a discipline or as an audit requirement. Some common reasons that can be identified for the lack of preparation of some organizations against crisis situations are: lack of awareness of the potential damage, inability to learn from the experience of others or from their own, and denial of a reality in which the number of vulnerabilities and threats grows day by day. Everything that prevents the achievement of an organization's business objectives is a risk, and prevention, detection and reaction measures must be taken. Some drivers of business continuity are: the continuous need for service delivery, protection of people and assets, growth in vulnerabilities and in the materialization of threats, and the compliance regime. According to an IDC report, the cost of an information security incident can range between 15,000 and 6 million euros; given the increasing sophistication of attackers, this cost will grow over the coming years, and the cost of the problem far exceeds the cost of its solution.
According to IDC, the security market will grow to a business volume of 7,300 million dollars by the end of 2010, which means an average annual growth of 11%.
Terminology. Characterization of the countermeasures
An incident is an event that, if not controlled, will lead to multiple impacts. A disaster is an unpredictable, catastrophic, unplanned and sudden event that causes great damage or loss, or any event that renders part of the organization incapable of providing critical business functions; examples are earthquakes, hurricanes, terrorist bombs, massive loss of the personal data of a financial organization's customers, DDoS, etc. Possible characteristics of a disaster: (i) It is unpredictable. (ii) It can destroy human lives or negatively affect people's health. (iii) It can generate loss of property, infrastructure, facilities, software, data, hardware, etc. (iv) It generates financial impact. (v) The impact can occur at different levels: individual, organizational, community, national and international. Business Continuity Management (BCM) has to do with the availability of processes and resources to assure the continued achievement of especially important objectives; methods that can be used include BS 25999, BS 25777, HB 292 (covers the BCM life cycle; includes groups), FEMA 141 (focuses on BCM with emergency planning and includes a very detailed section on incident management), BCI GPG, APS 232 and TR 19. BCM is the integrated management process that identifies the potential impacts that threaten an organization and provides a framework for building organizational resilience with the capacity for an effective response that safeguards the interests of its key stakeholders, brand and value-creating activities. BCM must be fully integrated into the organization as an established management process.
Business Continuity Planning (BCP) refers to the capacity to maintain the constant availability of critical systems, applications and information across the organization; it can also be defined as a set of documented procedures and information that is developed, compiled and kept ready for use in an incident, so that the organization can continue to carry out its critical activities at a predefined acceptable level. BCP focuses strongly on the business.
Emergency Planning and Management (EP/EM) is the process resulting from a set of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency that hits the organization; methods that can be used include BS 25999/UK, NFPA 1600, FEMA 141 and ISO PAS 22399. Information Technology Service Continuity (ITSC) supports BCM by ensuring that IT components can be recovered within the required time scales and in the condition the business requires; methods that can be used include PAS 77, BS 25777 and NIST SP 800-34. Disaster Recovery Planning (DRP) integrates the procedures for recovering the operation of the target computer system, application or facility; a method that can be used is NIST SP 800-34 (which focuses on IT service continuity, includes a good section on the BIA and describes strategies for maintaining IT availability). DRP allows the immediate, temporary restoration of network or computing operations within defined time frames after a disaster has occurred; it is also defined as the set of documented procedures and information needed to resume the normal computing capabilities associated with critical business processes. DRP focuses strongly on technology. Business Impact Analysis (BIA) refers to the actions needed to identify customer impacts, financial impacts, reputational impacts and other related business impacts, and to rate them according to their criticality for business continuity.
Importance of business continuity
An increasing number of reasons justify business continuity: (i) No system is foolproof. (ii) Even when ICT and information security risks have been identified (for example data loss, system failure, virus attacks, etc.), the level of risk acceptance has been determined, the treatable risks have been mitigated, controls have been implemented (for example encryption mechanisms, intrusion prevention, network monitoring) and the risks have been managed proactively, they can still trigger an incident.
Justification of the need for, and benefits of, BCP and DRP
Some of the reasons that justify BCP/DRP are: (i) Regulatory compliance. There is an increasing number of regulations and standards to comply with. Normally the sector is based on SOX, PCI DSS, ISO 27001, BS 25999, BS 25777:2008 (ICT continuity management; more concrete than BS 25999, going down to details such as alternative sites and specific ICT procedures), HIPAA, GLBA, FISMA, CUBG, FERPA, MiFID, LSSI-CE, LOPD-RMS, LISI, etc. (ii) Business need: to reduce losses. According to Jim Hoffer of Health Management Technology, only 6% of organizations that suffer a catastrophic data loss manage to survive, while 43% never reopen and 51% close within two years. (iii) Protection of people and assets. (iv) Growth in vulnerabilities and in the materialization of threats. (v) The need for continuous service delivery. The main benefits obtained from BCP/DRP are: (1) It proactively identifies the impacts of an operational disruption. (2) It provides an effective response that reduces the impact on the organization. (3) It maintains the capacity to manage non-insurable risks. (4) It helps teamwork. (5) It can improve the reputation and competitive advantage of the organization through its capacity to maintain, deliver and recover from a disaster.
Phases of a BCM program
The phases of a BCM program are:
(1) Preparation. Identify the business, the situation the organization is in, what consequences a crisis or probable disaster would have, the objectives, what the (estimated) initial investment should be, who would be responsible for its initiation and follow-up (CEO, CFO, CIO, CRO, business owner, etc.), and when it should start and when it should be completed. A useful approach is BS 25999, with part 1 as the code of practice and part 2 as the specification. The PDCA model (Plan, Do, Check, Act) is applied to BCM.
(2) Understand the organization. Appoint a person responsible for the BCM implementation, develop the BCM policy, carry out a BIA and determine the mission-critical lines of the business. The objective of the BIA is to assess, over time, the impacts (reduction in performance level) that will occur in the activities that support the key products and services. A BIA document has as its headings: business process, impact, minimum expected performance level, RTO, time needed to restore the service completely, and other dependencies. The BIA is carried out as follows: (i) Select the organizations taking part. (ii) Assess, over time, the impacts that disrupt the activity. (iii) Establish the MTPOD (Maximum Tolerable Period Of Downtime), also called MTD (Maximum Tolerable Downtime), the RTO (Recovery Time Objective) and the TTRNO (Time To Resume Normal Operations), where MTPOD = RTO + TTRNO. (iv) Identify interdependencies, for example people, infrastructure support, resources. (v) Prioritize the recovery process and gain consensus.
(3) Assess risks. This consists of: (i) Determining the default risk acceptance levels. (ii) Determining the acceptable level of risk. (iii) Analysing the risks to be prepared for. (iv) Carrying out a gap analysis to mitigate the risks.
(4) Decide BCM strategies and options. As a result of the risk assessment combined with the BIA, the organization should identify measures that: (i) Reduce the probability of a disruption. (ii) Shorten the period of disruption. (iii) Limit the impact of the disruption. These are risk treatment and loss mitigation measures. Bear in mind that not all risks can be prepared for or reduced. Loss mitigation strategies can be used together with other strategies: business continuity, acceptance, transfer, and change, suspension or termination of the activity. Recovery strategies may require the following organizational resources: people, physical infrastructure, technical infrastructure, information, business processes and stakeholders (organizations that can affect or be affected by the organization).
(5) Develop and implement BCM responses. This consists of developing the response plans and documentation. To do so: (i) Recognize the incident or potential incident. (ii) Escalate the incident. (iii) Activate the appropriate business continuity response. (iv) Consider what resources will be needed to support the plan. (v) Communicate with stakeholders. The components of an emergency response are: (a) Internal escalation procedure. (b) Emergency notification procedure. (c) Integrated response: life-safety procedures, protection of property and physical security, protection of technology and protection of the organization. (d) Training procedures and responsibilities. Crisis management involves: response action on the ground, escalation of the incident, incident management framework, media communication policy, central control, assistance to people, and continuity and recovery of critical activities.
(6) Embed BCM in the organization's culture. Building, promoting and embedding a BCM culture within the organization ensures that it becomes part of the organization's core values and makes effective management possible. This is achieved by creating awareness and providing training.
(7) Test and exercise. Exercise and train people, use evacuation procedures, create a call tree. Carry out tests on teams, technologies, servers, UPS, telecommunications networks, etc. Possible types of test are: checklist, structured walkthrough, simulation, parallel, stress test, full interruption, surprise, exhaustive, modular/component, functional, etc.
(8) Monitor and maintain (maintenance objective). Incidents must be managed despite possible changes in the organization or its environment. A review can be triggered by: a change in the management process, self-assessment, internal/external audit, or training or testing.
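As an added worked example (not code from the article or its author), the following Python script applies the BIA relations of phase (2): it checks that each activity's RTO + TTRNO fits inside its MTPOD, that no activity depends on another whose RTO is longer than its own (the interdependencies of step (iv)), and derives a dependency-respecting recovery order for step (v). The activity names, the hour figures and the dependency rule are constructed assumptions for illustration only.

```python
"""Added example: BIA consistency check and recovery ordering.

Not code from the article. The activities, hours and the dependency rule
(a dependency must recover no later than what depends on it) are
constructed assumptions for illustration.
"""
import heapq
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    rto_hours: float        # RTO: time to restore the minimum acceptable service level
    ttrno_hours: float      # TTRNO: further time to return to normal operations
    mtpod_hours: float      # MTPOD (MTD): maximum tolerable period of downtime from the BIA
    depends_on: list[str] = field(default_factory=list)


def check_bia(activities: list[Activity]) -> list[str]:
    """Return findings; an empty list means the BIA figures are consistent."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        # Article's relation MTPOD = RTO + TTRNO: the planned recovery must fit the tolerable window
        planned = a.rto_hours + a.ttrno_hours
        if planned > a.mtpod_hours:
            findings.append(f"{a.name}: RTO+TTRNO {planned}h exceeds MTPOD {a.mtpod_hours}h")
        for dep in a.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{a.name}: depends on unknown activity {dep}")
            elif d.rto_hours > a.rto_hours:
                # An activity cannot be back before the things it needs are back
                findings.append(f"{a.name}: depends on {dep} whose RTO {d.rto_hours}h "
                                f"is longer than its own RTO {a.rto_hours}h")
    return findings


def recovery_order(activities: list[Activity]) -> list[str]:
    """Dependency-respecting recovery sequence; among ready activities the shortest RTO goes first."""
    by_name = {a.name: a for a in activities}
    indegree = {a.name: 0 for a in activities}
    dependents: dict[str, list[str]] = {a.name: [] for a in activities}
    for a in activities:
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on unknown activity {dep}")
            indegree[a.name] += 1
            dependents[dep].append(a.name)
    # Kahn's algorithm with a min-heap keyed by RTO so the most urgent ready activity is picked first
    ready = [(by_name[n].rto_hours, n) for n, deg in indegree.items() if deg == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for m in dependents[name]:
            indegree[m] -= 1
            if indegree[m] == 0:
                heapq.heappush(ready, (by_name[m].rto_hours, m))
    if len(order) != len(activities):
        raise ValueError("circular dependency in BIA; cannot derive a recovery order")
    return order


# Constructed sample BIA (hours) with two deliberate inconsistencies
SAMPLE_BIA = [
    Activity("core_db", 1, 3, 4),
    Activity("payment_gateway", 2, 6, 8, ["core_db"]),
    Activity("online_orders", 4, 20, 24, ["payment_gateway", "core_db"]),
    Activity("directory", 12, 2, 24),
    Activity("email", 8, 4, 12, ["directory"]),             # depends on something slower than itself
    Activity("monthly_reporting", 72, 48, 96, ["core_db"]),  # 72 + 48 = 120 h > MTPOD 96 h
]

if __name__ == "__main__":
    for finding in check_bia(SAMPLE_BIA):
        print("FINDING:", finding)
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_BIA)))
```

Running the script reports the two inconsistencies in the constructed sample and prints a recovery order that restores core_db first, then the payment gateway and online orders, and leaves monthly reporting last. The two findings are exactly the kind of gap the article's gap analysis in phase (3) is meant to surface before the strategies of phase (4) are chosen.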
Standards and guides in BCM
NIST, in its document SP 800-34, describes a guide for the continuity planning of information technology systems, structured in the following points: (1) Develop the contingency planning policy statement. (2) Conduct a business impact analysis. (3) Identify preventive controls. (4) Develop recovery strategies. (5) Develop the contingency plan. (6) Test the plan and carry out training and exercises. (7) Maintain the plan. The BSI (British Standards Institution), in its code of practice BS 25999 on business continuity management, establishes the following points: (1) Establish the business continuity management policy. (2) Manage the BCM (Business Continuity Management) program. (3) Understand the organization. (4) Develop and implement a BCM response. (5) Exercise, maintain and review the BCM arrangements. (6) Embed BCM in the organization's culture. The ISO 27001 standard on information security management includes information security in the business continuity management process; it calls for a risk and business continuity assessment, and for developing and implementing continuity plans that include information security. It provides a business continuity planning framework and calls for the continuity plans to be tested, maintained and reassessed.
Final considerations
Our research group has worked for more than twelve years on the design, analysis, implementation, assessment and evaluation of BCM programs, using diverse strategies and methods in combination with risk analysis and management, identifying risks and impacts and developing countermeasures at all levels: technical, administrative, etc. This article is framed within the activities carried out in the LEFIS-APTICE project (funded by Socrates 2005-2007, European Commission).
Author: Prof. Dr. Javier Areitio Bertolín - E-mail: jareitio@eside.deusto.es. University professor of the Faculty of Engineering, ESIDE. Director of the Networks and Systems Research Group. University of Deusto.
Figures (captions only; the images are not reproduced here):
Life cycle of a BCP program and relationship between plans.
Types of BCP/DRP test and availability mechanisms.
Relationship between the BIA and risk assessment.
Tools for BCM and BIA.
BCM structure according to NIST SP 800-34.