Vol. IV, issue no. 6, December 2003
IT Contingency Planning & Business Continuity
Published on behalf of CEPIS by Novática (ATI, Spain)
Guest Editors: Roberto Moya-Quiles and Stefano Zanero
Contents
Editions in other languages
- Italian, by Tecnoteca / ALSI (summary, abstracts and presentation online.) **Already available**
- Spanish, by Novática (full edition printed; summary, abstracts and presentation online.) **Already available**
Editorial Team of Upgrade: Rafael Fernández Calvo, François Louis Nicolet, and Roberto Carniel
Acrobat Reader is required to display PDF files
Editorial
UPGRADE, the European Informatics Journal of CEPIS [PDF: 1 page, 165 KB]
Jouko Ruissalo, President of CEPIS
Abstract: The recently appointed President of CEPIS describes the latest achievements of UPGRADE, reaffirms the commitment of CEPIS to UPGRADE, and transmits to all the readers his best wishes for a fruitful 2004.
IT Contingency Planning & Business Continuity
Guest Editors: Roberto Moya-Quiles and Stefano Zanero
Presentation
IT Contingency Plans: More than Technology [HTML] [PDF: 3 pages, 156 KB]
Roberto Moya-Quiles and Stefano Zanero - Guest Editors
Abstract: The guest editors present the issue, explaining what Information Technology Contingency Plans are and mean, looking not only into their technological aspects but also into the business continuity and regulatory ones, since computer and network infrastructures are becoming increasingly important for the normal operation of organizations and for the development of our Information Societies as a whole.
Empirical Study of the Evolution of Computer Security and Auditing in Spanish Companies [PDF: 6 pages, 174 KB]
Francisco-José Martínez-López, Paula Luna-Huertas, Francisco J. Martínez-López, and Luis Martínez-López
Abstract: In this paper we present a series of statistics with which we aim to obtain a better understanding of the real situation of Spanish companies in regard to such matters as Security and IT Auditing, in the hope that this data will serve as a useful reference for future work in greater depth on these issues. The main purpose of this work is to obtain statistically significant data to work with, since there have been few studies capable of supporting our empirical data. We conducted our research in two periods of time, 1992 and 2002, in order to see how the analysed variables had evolved. A total of 851 companies collaborated, broken down into different groups.
Information Systems Auditing of Business Continuity Plans [PDF: 5 pages, 197 KB]
Agatino Grillo
Abstract: Business Continuity Planning (BCP) is a process to be governed by top management. BCP audit is a fundamental element of the IT governance process; it represents an independent assessment of IT for stakeholders, business partners and regulatory authorities. BCP audits are compulsory for financial institutions. In order to ensure a structured and auditable approach, a recognised BCP methodology should be adopted. This contribution introduces IS Auditing and explains the BCP approach based on the COBIT model, a general IT Governance framework developed by ISACA (Information Systems Audit and Control Association), with special mention of the initiatives of important banking institutions in this regard.
Business Continuity Controls in ISO 17799 and COBIT [PDF: 7 pages, 178 KB]
José-Fernando Carvajal-Vión and Miguel García-Menéndez
Abstract: In this article the sets of controls included in the two major codes of practice on Information Technology Security worldwide, which are needed to lay the foundations for the security policies that business continuity requires, are described and compared. In fact, Section eleven of the Code of Practice for Information Security Management, the ISO/IEC standard 17799, deals with aspects related to business continuity; similarly, the COBIT framework (Control Objectives for Information and Related Technology) for Information Systems (IS) Auditing sets out what an organization needs to bear in mind in order to achieve its business goals.
Implementation of a Contingency Plan Audit [PDF: 2 pages, 158 KB]
Marina Touriño-Troitiño
Abstract: The auditing of systems and information technologies involves, among other activities, the assessment of a Contingency Plan as a specific auditable area. However, we need to bear in mind that, according to ISACA (Information Systems Audit and Control Association) standards, business contingency and continuity issues should be addressed in several more areas. It is also important to distinguish between the ‘good management practices’ for information systems and technologies required of the managers of any enterprise, and the ‘good practices’ applicable to the performance of an audit on those practices.
Public Initiatives in Europe and the USA to Protect against Contingencies in Information Infrastructures [PDF: 4 pages, 163 KB]
Miguel García-Menéndez and José Fernando-Carvajal Vión
Abstract: Today, the protection of an organisation’s information assets and related technology is without a doubt fundamental to its business objectives. In the case of government and other public bodies, for which the adoption of an appropriate protection strategy also guarantees citizens a better service, this is of particular importance. In February 2003, the US Federal Government and the EU Commission took a major step forward, by each releasing an initiative aimed at ensuring the security of interdependent networks and information technology infrastructures: The National Strategy to Secure Cyberspace and the proposal for a European Network and Information Security Agency (ENISA), respectively.
Business Continuity and IT Contingency Planning in the Mobile Telephony Industry [PDF: 2 pages, 151 KB]
Miguel-Andrés Santisteban-García
Abstract: In recent years the new mobile operators have been striving to acquire market share and expand their networks in terms of capacity and coverage. This rapid growth was essential to try and maintain the unprecedented market capitalisation of the companies involved, which was disproportionate to the profitability of the delivered product. The rapid growth of the telecommunication industry has meant that non-customer focused processes, in particular network protection and availability, have been neglected. This article reviews Business Continuity Plans in the mobile operator industry.
ICT Contingency Plans and Regulatory Legislation of e-Commerce and Data Protection [PDF: 7 pages, 184 KB]
Paloma Llaneza-González
Abstract: As well as fulfilling all the necessary technological parameters and technical standards, a Contingency Plan for Information and Communications Technologies (ICT) must also meet all applicable legal or regulatory requirements. Bearing in mind that similar requirements exist in the European Union’s member States, in this article we look into some of those requirements, specifically the obligations imposed on Spanish companies by two Spanish acts and their regulations: the Information Society Services Act (a transposition into Spanish law of European Directives 2000/31/EC, 98/27/EC, and 2002/58/EC) and the Personal Data Protection Act (similarly transposing Directive 95/46/EC.)
Information Technologies and Privacy Protection in Europe [PDF: 3 pages, 157 KB]
David D'Agostini and Antonio Piva
Abstract: The protection of privacy has progressed in parallel with technological evolution. The European Parliament and Council Directives, 95/46/EC on the processing of personal data, and 2002/58/EC on electronic communications, protect personal data from any kind of undue processing, paying particular attention to the risks derived from automation and the use of telematic networks for commercial purposes as tools to invade personal privacy. This article analyzes the implementation of the first directive and addresses the problem of unsolicited commercial communications (spamming), describing the latest regulatory solutions to be drawn up in an attempt to overcome a phenomenon that can have severe negative economic effects and a dangerous impact on the operation and security of the Internet.
Legal Analysis of a Case of Cross-border Cyber-crime [PDF: 10 pages, 197 KB]
Nadina Foggetti
Abstract: Computer crime or cyber-crime, that is, unlawful conduct committed over the Internet, is spilling over national borders and causing a huge legal headache, particularly in the matter of deciding which jurisdiction such crime should fall under. The law is not always prepared for meeting the demands of globalisation and new unlawful activities based on the illicit use of ICTs. In this article we analyse, from the perspective of Italian and Swiss Criminal Law, a case of illegal access to a public interest computer system located in Switzerland affecting Italian users, in which the system included an e-mail service for registered users. This case provides an example of a common problem these days, the disparity that exists between different countries’ legislation regarding cyber-crime, and reinforces the need to globalise the law and the way we respond to a problem that transcends national borders.
The European Network and Information Security Agency (ENISA) – Boosting Security and Confidence [PDF: 2 pages, 150 KB]
Erkki Liikanen
Abstract: In this article, the author, member of the European Commission responsible for Enterprise and the Information Society, underlines the high importance that networks and information systems have, and will increasingly have, in almost every aspect of our societies, and how decisive it therefore is to ensure their security and continuity. He also explains the role that the recently created European Network and Information Security Agency (ENISA) will play in this respect.
Guest Editors
Roberto Moya-Quiles is a Doctor of Physical Sciences, specialising in Computational Science, and is also a graduate in Computer Science and a CISA (Certified Information Systems Auditor) auditor. He has 34 years’ experience in a variety of managerial roles in the field of Information Systems (IT management, consulting, training, security and control, auditing, computer applications, etc.) in major computer manufacturing and software companies as well as energy supply enterprises. He takes part as a speaker in seminars and participates in forums related to Information Technology Security in private institutions and in public universities. He is on the Sub-Committee of ISO/IEC SC 27 (Security Techniques for Information Technology) and coordinates the IT Security Interest Group (GISI, <http://www.ati.es/gt/security/>) of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática). <rmoya AT dimasoft DOT es>
Stefano Zanero has an MSc in Computer Engineering, and graduated “cum laude” from the Politecnico of Milano school of engineering, with a BSc thesis on the development of an Intrusion Detection System based on unsupervised learning algorithms. He is currently a Ph.D. student in the Dipartimento di Elettronica e Informazione of the same university. Among his current research interests, besides Intrusion Detection Systems, are the performance of security systems and behaviour engineering techniques. He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery). He is Information Security Analyst for IDG Corporation, and as such has participated in national and international conferences. He is the author of the weekly “Security Manager's Journal” on Computer World Italy, and has recently been awarded a journalism award. In addition, he has experience as a network and information security consultant. <zanero AT elet DOT polimi DOT it>
(E-mail addresses written with anti-spamming disguise.)
The Editorial Team of Upgrade (E-mail addresses written with anti-spamming disguise)
Presentation
IT Contingency Plans: More than Technology [PDF: 3 pages, 156 KB]
1 Introduction
ICT Contingency Plans have become one of the common concerns of all
organisations, especially those of a certain size – medium to large –
which, like practically every organisation these days, base their
business processes on information systems and technologies. The scope
of these plans, which in the past were often erroneously considered as
being the sole responsibility of the operations section of Data
Processing Centres (largely due to the negligence or ignorance of the
management of the enterprises) has undergone a major evolution and they
are now an integral part of Business Recovery Plans and Business
Continuity Plans.
Nevertheless, the basic conceptual aims of Contingency Plans have
remained unchanged over the years: assessment of specific risks,
response time to a wide range of incidents, tolerance to data loss and
to the time service is degraded, reliability of processes with regard
to transaction and information integrity in the event of interruptions
or incidents, synchronization and backup of data, cost of implementing
and maintaining the plan, etc. SLA (Service Level Agreement) contracts
with Backup Services, and Service Continuity using outsourced
technology and communications suppliers, are also becoming increasingly
important.
However, the many and far-reaching changes in available technologies
have been shaping these plans and making them harder to implement, due
to the need to take into account a huge and ever growing number of
details for each particular application configuration and architecture.
Furthermore, regulations at a number of different levels are adding
their requirements to these plans. There are not only Directives and
Regulations, but also sectoral rules, the most important of which come
from the financial sector, such as the Bank for International
Settlements in Basle (<http://www.bis.org/>)
and the US Federal Reserve, or the Fed as it is popularly known (<http://www.federalreserve.gov/>).
2 Three Scenarios
We can break down the kind of situations currently emerging into at
least three typical scenarios:
1. In the first scenario, data processing centres make their backup
copies in duplicate and keep one of the copies in a purpose-built
outsourced centre at an appropriately secure site. The most important
obligation of the contract (Service Level Agreement) signed with the
Alternative Centre service provider is basically that of restoring the
copies stored in the purpose-built outsourced centre and restarting
services when required. This scenario is typical of centres dealing
mostly with batch processes.
2. A second scenario consists of adding permanent communication to the
alternative centre via lines (VLANs, Internet, ISDN, etc.), thereby
keeping the most critical databases up to date and enabling a faster
response for services involving communication, as tends to be reflected
in the contract.
3. Finally, the third scenario could be the use of multiplatform disk
technology with direct connection by optical fibre between the two
centres, something which is not always possible as limitations imposed
by distance may mean that the
backup centre faces similar risks to the one it is backing up, for
example natural disasters. This scenario is the one which is best
suited to responding to serious incidents in major operational centres
with front-end web services.
The subject we are dealing with in this issue contains a long list of
references, which has doubtless grown as a result of the fateful events
of September 11, 2001 (as a search by Google or Altavista will confirm),
as has the bibliography related to both draft plans, and the resulting
plans themselves. The main sources are computer manufacturers and
specialist consultancy firms. At this juncture we should perhaps mention
the Spanish MAGERIT methodology which provides a model for drawing up a
recovery plan (available at <http://www.csi.map.es/csi/pg5m20.htm>,
in Spanish.)
In order to draw up a plan and put it in place, the choice of which
solution to implement depends unquestionably on the services available
(both in terms of processes and communications) at each geographical
location, since although we may live in a global world, clearly
services are not the same all over the world, neither in terms of
availability, quality, nor price. The great many small details that
need to be taken into account, some apparently trivial (such as where
to keep the keys to the cupboard where the safety copies are kept, changing
the passwords on a real production machine after it has been tested,
and so on and so forth) together with others which are not so simple
(such as nominating the people authorised to give the order to put the
plan into action or test it), should lead us to the conclusion that
testing is an absolute necessity, however much it costs.
With regard to the frequency of testing, the standard answer is “once a year is not enough and twice is too
much”, but in any event, it is advisable to carry out a test
whenever alterations are made either to the configuration of the
architecture or to the applications themselves. Our long experience in
this field has shown us that one of the advantages of having an annual
test of the plan is that it becomes incorporated naturally into the
culture of an organization’s staff. User area managers and software
developers alike take major contingencies and the testing itself into
consideration when working on their designs.
As professionals working in this ‘trade’ know only too well, changes
invariably tend to suffer from teething troubles, so there is a natural
reluctance to make more than a bare minimum of changes to the day to
day operational procedures, especially in the case of the alternative
centres.
Finally we should bear in mind that no test can be a 100% faithful
replica of the real situation since it is simply not feasible to carry
out a TOTAL test, given the major disruption such a test would cause
the organization. For this reason, so as not to harm real services,
only certain applications and places are chosen, times outside the
normal working day are used, segments of network are isolated by
changing DNS addresses, etc. Testing, therefore, could be said to have
an asymptotic nature, in that it is a necessary requirement but there
is never quite enough of it.
3 The Content of this Monograph
Bearing in mind all the above we asked several European experts on the
matter (Spanish and Italian) to let us have their points of view,
covering a limited but significant cross section of some of the most
interesting aspects of the subject, including the legal aspect.
In their article “Empirical Study of the Evolution of Computer Security and Auditing in the Spanish Companies”, Francisco-José Martínez-López, Paula Luna-Huertas, Francisco J. Martínez-López, and Luis Martínez-López offer us the fruits of their research into medium size and large enterprises, which although it was conducted in Spain is to a large extent equally applicable to other countries.
Agatino Grillo contributes with his article “Auditing of Information Systems and Business Continuity Plans” in which, with particular reference to the financial sector, he describes how these plans are not only a corporate requirement in as much as service continuity is vital to business, but are also gradually becoming a legal requirement.
The detailed comparison between the two most important standards in the world for controlling business continuity from the ICT perspective is the aim of the article “Business Continuity Controls in ISO 17799 and COBIT” by José-Fernando Carvajal-Vión and Miguel García-Menéndez.
“Implementation of a Contingency Plan Audit” is the title of Marina Touriño-Troitiño’s contribution in which she advocates the need for ICT contingency plans to be audited as well, given the important role they play in guaranteeing business continuity.
The article “Public Initiatives from the USA and Europe to Protect against Contingencies in Information Infrastructures”, again by Miguel García-Menéndez and José Fernando-Carvajal Vión, shows the importance that public institutions give to the uninterrupted working of their information infrastructures, which are key to the economic and social life of developed countries, by describing US and European government plans in this regard.
“Business Continuity and Mobile Telephony Operators” by Miguel-Andrés Santisteban-García reviews Business Continuity Plans in the mobile operator industry, where the rapid growth of the telecommunication industry has meant that non-customer focused processes, in particular network protection and availability, have often been neglected.
Paloma Llaneza-González’s article “ICT Contingency Plans and Regulatory Legislation of e-Commerce and Data Protection” is based on the fact that any ICT contingency plan must take into consideration applicable legal and regulatory requirements, and analyses Spanish standards, which are very similar to those of other EU countries, all of them being based on the same European Directives.
In “Information Technology and the Protection of Privacy in Europe”, David D'Agostini and Antonio Piva give us their assessment of European Directive 95/46/EC on Protection of Personal Data, with special emphasis on spamming, a phenomenon which poses an ever increasing threat to the correct functioning of the Internet.
In “Legal Analysis of a Case of Cross-border Cyber-crime”, Nadina Foggetti reveals in full detail how the divergence of legislation governing system and network intrusions opens up legal loopholes for technological criminals.
The monograph finishes with an article written by Erkki Liikanen, member of the European Commission responsible for Enterprise and the Information Society; in "The European Network and Information Security Agency (ENISA) – Boosting Security and Confidence" he proclaims that the security and continuity of ICT resources must be preserved because they are vital for the progress of our Information Society.
And we would like to finish this presentation by thanking all the
authors for their collaboration in the hope that their work, and the
work of the editors of UPGRADE and NOVÁTICA, will be of interest
and use to readers of both journals.
Translation by Steve Turpin
Last updated on December 30th, 2003 by Rafael Fernández Calvo, François Louis Nicolet, and Roberto Carniel, Editorial Team of Upgrade
<rfcalvo AT ati DOT es> (E-mail address written with anti-spamming disguise)
Copyright policy:
- Copyright © CEPIS 2003. All rights reserved.
- Abstracting of the articles included in UPGRADE is permitted with credit to the source. For copying, reprint, or republication permission, write to the editors.
- Unauthorized access to pages, or parts thereof, in this website reserved exclusively for persons authorized by UPGRADE is expressly prohibited. Any unauthorized access may be prosecuted according to the law.