Receivable/Accounts - Information for Credit and Collection Issues

Tuesday, December 17, 2013

ISO 27001 – When Everything Goes Wrong

The more moving parts a company has, the more likely (just like a complex machine) it is going to fail at some point.  These moving parts are databases, staff members, branch locations, client requirements, and so on.  Regardless of how robust a company is, bad things will eventually happen (remember Microsoft or LinkedIn being hacked and losing millions of passwords?).  So, the best way to protect yourself is to have a plan.

Regardless of whether you are part of the credit industry or not, our next segment of information security policies and meeting ISO 27001 requirements deals with how companies can protect themselves against disasters of varying magnitudes, and what we can do about it. 


Disaster Will Strike … Sooner or Later

I once worked at a small collection agency back in the 90’s that had *never* backed up their database.  Are you kidding me?  And the veteran collectors from the big agency downtown would swap horror stories of that company’s database crashing once a week, and having to work from paper printouts while the tech guys ran around flailing their arms.

I think they were missing the moral of this story.

Because it was a small agency, I had a little more latitude than a big corporation would have given me, so I set up a batch program (this is back in the days of MS-DOS, my friends) to back up the system every morning.

And the database corrupted and irretrievably crashed one month later.  Needless to say, without that backup, the company would have shut down for weeks, if not months, while they tried to piece back their accounts.  As it was, the system was down for an hour, and noteline activity from the morning was lost -- but it could have been a lot worse.


Redundancy!

A backup is a failsafe you never want to use.  But it’s not the only thing you should keep a copy of.  If you are working off a network, do you have spare terminals ready to swap in if something breaks?  If you have a phone server, do you have a redundant machine sitting around?  If key personnel got hit by a bus, would someone be able to step in and fulfill their role, at least temporarily?

You should also take redundancy beyond a policy that gathers dust in a binder somewhere … if you keep a library of backup files, or copies of important papers, they should be kept in a separate location – either another branch, a safety deposit box, or what have you.


How Bad Is it?

Regardless of whether you have redundancy in place or not, how bad is the disaster?  Is it a paper cut in the mail room or did the building get hit by a meteor?  You should have some way to measure the problem that strikes your company.  In our other article (http://receivableaccounts.blogspot.ca/2013/09/iso-27001-learning-from-your-mistakes.html) we talked about measuring the problem with a score called RPN (Risk Priority Number).


So, What’s the Plan?

I recently talked to a mid-sized company with almost 50 staff – and no continuity of business plan.  That’s crazy. Everyone should have a plan if something goes wrong.  This plan doesn’t have to be technical or only deal with the big issues. 

Our continuity of business plan is in non-technical language (something the Technical Writers would call ‘Plain English Standards’), and lays out our basic reaction plans for:

=> Data backups and how to deal with data loss
=> Sensitive document copies and how to access them in an emergency
=> Power outages (short-term or long-term)
=> Loss of a staff member
=> Medical emergencies
=> Evacuation of the office (due to fire, flood, power outage, etc)
=> Threats to office equipment (fire, flood, and other mayhem)
=> Loss of a company location (and how to transfer operations from the branch)
=> Threats to data security (network breaches, data theft, etc)

Our continuity of business plan is 6 pages, in plain English, and contains diagrams and illustrations.  That’s it.  And it covers all the major points, as well as a ton of little details, like where the first aid kit is, how to access the staff emergency contact list, or if the IT Manager is fleeing the building and can take only one server machine with him, which one to grab.  It doesn’t need to be daunting to deal with disaster, there just needs to be a plan.

And of course, the most important thing is to share that plan – if your company has a continuity of business plan, is it shared with everyone?  If it isn’t, it should be – after all, everyone needs to know how to deal with issues to be able to pitch in at times of crisis.

Conclusion

If your company doesn’t have a plan, it should get one.  If problems strike repeatedly and every time you are inventing a solution from scratch, that’s probably something that should be in the Continuity of Business Plan.  If you handle sensitive data, how do you protect it from theft or loss?  If you want to have a conversation about building a plan, feel free to reach out – my office number at Kingston Data and Credit is 226-946-1730.

Regards,

Blair DeMarco-Wettlaufer
Kingston Data and Credit
Cambridge, Ontario
226-946-1730