I attended an event last week. You know the kind: everyone is required to go around the room, introduce themselves, and describe their position and responsibilities at their company. When it was my turn, I mentioned I was responsible for Information Security, Disaster Recovery, IT Risk Management and IT Compliance. Later on, during a networking break, an individual came up to me and was curious why Disaster Recovery responsibilities were included in a department that focused on Information Security and Risk Management type activities.
I have had this one asked of me before so I had my answer ready. I explained that the term "Information Security" is really an umbrella of activities that are focused on three areas commonly referred to as CIA or Confidentiality, Integrity and Availability.
The Confidentiality piece is easy to understand: information should only be accessible to the people who are authorized to access it.
Integrity is also an easy one to follow, as only the appropriate people should be able to update information. Preserving the integrity of information is important so that it can be trusted and good business decisions can be made from it.
But when it comes to Availability, the reason that it is included under the Information Security umbrella is not always obvious. Put simply, information security means providing accurate information only to the appropriate people, at the time they need it. In a business interruption this is still the case (and arguably even more important!). When things become chaotic during an interruption, controls that give only authorized people access to information they can trust, at the time they need it, can save your business. Protecting the Confidentiality, Integrity and Availability of information at all times, regardless of the situation, is what Information Security is all about.
On a side note, in the unfortunate event of a business interruption, the same laws that govern protecting your company’s information still apply. For example, if a company has an interruption that requires it to execute its disaster recovery plans, it will still need to comply with the regulations it normally does during regular operations, such as GLBA, HIPAA, PCI, state breach disclosure and other laws. This means that the systems and processes that protect access to information, such as ACF2, RACF, Active Directory, LDAP, etc., must be included in recovery plans. Often, information security controls are overlooked during business interruption situations, and that omission really can get you into trouble.
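One concrete way to catch the gap described above is to check the recovery plan itself: an application that is scheduled to come back before the access-control system it authenticates against is either unusable when it is recovered or, worse, gets brought up with its controls bypassed. The following is an added example, not code from the original post; it assumes a plan expressed as a list of systems with a recovery tier (lower means recovered earlier) and their dependencies, and the sample plan is constructed for illustration.

```python
"""Recovery-ordering check for a disaster recovery plan (added example).

Assumption: each system in the plan carries a recovery tier (1 = recovered
first), a flag marking it as an access-control system (directory, mainframe
security product, identity provider), and the names of systems it depends on.
The plan data below is constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    tier: int                      # recovery tier; lower tiers are recovered earlier
    access_control: bool = False   # True for AD, LDAP, RACF, ACF2 and similar systems
    depends_on: list = field(default_factory=list)


def find_gaps(plan):
    """Return (system, dependency, reason) tuples for two kinds of gap:

    1. a dependency that is not in the recovery plan at all, and
    2. an access-control dependency scheduled in a later tier than the
       system that relies on it for authentication or authorization.
    """
    by_name = {s.name: s for s in plan}
    gaps = []
    for s in plan:
        for dep_name in s.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                gaps.append((s.name, dep_name, "not in recovery plan"))
            elif dep.access_control and dep.tier > s.tier:
                gaps.append((s.name, dep_name,
                             f"recovered in tier {dep.tier}, after tier {s.tier}"))
    return gaps


# Constructed sample plan: the core application is tier 1 but the directory it
# authenticates against is tier 2, and the portal lists a dependency that nobody
# added to the plan.
SAMPLE_PLAN = [
    System("active-directory", tier=2, access_control=True),
    System("ldap-directory", tier=1, access_control=True),
    System("core-banking", tier=1, depends_on=["active-directory"]),
    System("customer-portal", tier=1, depends_on=["ldap-directory", "waf"]),
    System("reporting", tier=3, depends_on=["active-directory"]),
]

if __name__ == "__main__":
    for system, dependency, reason in find_gaps(SAMPLE_PLAN):
        print(f"{system}: depends on {dependency} ({reason})")
```

Running it against the sample plan flags core-banking (its directory comes back a tier later) and customer-portal (a dependency that was never put in the plan); reporting is fine because Active Directory is recovered before it. The same check can be run whenever the plan or the application inventory changes, so access-control systems do not silently drop out of the recovery sequence.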
After talking a little while, my new friend understood the alignment of Disaster Recovery and Information Security a little better.
I definitely agree with this. As a DoD contractor we are now required to be trained in disaster recovery and intrusion prevention and detection. We're obligated by our contract to maintain the confidentiality standards during a breach.
Posted by: IT Sec Guy | 19 May 2009 at 10:12