The more moving parts a company has, the more likely (just like a complex machine) it is to fail at some point. These moving parts are databases, staff members, branch locations, client requirements, and so on. Regardless of how robust a company is, bad things will eventually happen (remember Microsoft or LinkedIn being hacked and losing millions of passwords?). So, the best way to protect yourself is to have a plan.
Regardless of whether you are part of the credit industry or not, our next segment on information security policies and meeting ISO 27001 requirements deals with how companies can protect themselves against disasters of varying magnitudes, and what we can do about them.
Disaster Will Strike … Sooner or Later
I once worked at a small collection agency back in the 90’s that had *never* backed up their database. Are you kidding me? And the veteran collectors from the big agency downtown would swap horror stories of that company’s database crashing once a week, and having to work from paper printouts while the tech guys ran around flailing their arms. I think they were missing the moral of this story.
Because it was a small agency, I had a little more latitude than a big corporation would have given me, so I set up a batch program (this is back in the days of MS-DOS, my friends) to back up the system every morning.
And the database corrupted and irretrievably crashed one month later. Needless to say, without that backup, the company would have shut down for weeks, if not months, while they tried to piece back their accounts. As it was, the system was down for an hour, and noteline activity from the morning was lost -- but it could have been a lot worse.
Redundancy!
A backup is a failsafe you never want to use. But it’s not the only thing you should keep a copy of. If you are working off a network, do you have spare terminals ready to swap in if something breaks? If you have a phone server, do you have a redundant machine sitting around? If key personnel got hit by a bus, would someone be able to step in and fulfill their role, at least temporarily?
You should also take redundancy beyond a policy that gathers dust in a binder somewhere … if you keep a library of backup files, or copies of important papers, they should be kept in a separate location – either another branch, a safety deposit box, or what have you.
How Bad Is It?
Regardless of whether you have redundancy in place or not, how bad is the disaster? Is it a paper cut in the mail room, or did the building get hit by a meteor? You should have some way to measure the problem that strikes your company. In our other article (http://receivableaccounts.blogspot.ca/2013/09/iso-27001-learning-from-your-mistakes.html) we talked about measuring the problem with a score called RPN (Risk Priority Number).
So, What’s the Plan?
I recently talked to a mid-sized company with almost 50 staff – and no continuity of business plan. That’s crazy. Everyone should have a plan if something goes wrong. This plan doesn’t have to be technical or only deal with the big issues.
Our continuity of business plan is in non-technical language (something the Technical Writers would call ‘Plain English Standards’), and lays out our basic reaction plans for:
=> Data backups and how to deal with data loss
=> Sensitive document copies and how to access them in an emergency
=> Power outages (short-term or long-term)
=> Loss of a staff member
=> Medical emergencies
=> Evacuation of the office (due to fire, flood, power outage, etc)
=> Threats to office equipment (fire, flood, and other mayhem)
=> Loss of a company location (and how to transfer operations from the branch)
=> Threats to data security (network breaches, data theft, etc)
And of course, the most important thing is to share that plan – if your company has a continuity of business plan, is it shared with everyone? If it isn’t, it should be – after all, everyone needs to know how to deal with issues to be able to pitch in at times of crisis.
Conclusion
If your company doesn’t have a plan, it should get one. If problems strike repeatedly and every time you are inventing a solution from scratch, that’s probably something that should be in the Continuity of Business Plan.
If you handle sensitive data, how do you protect it from theft or loss? If you want to have a conversation about building a plan, feel free to reach out – my office number at Kingston Data and Credit is 226-946-1730.
Regards,
Blair DeMarco-Wettlaufer
Kingston Data and Credit
Cambridge, Ontario
226-946-1730