Steve Lane, PC PAL franchisee for Leicester South and Market Harborough, writes:
It seems that the generation gap these days is also a technology gap. Children these days are often referred to as the “Facebook Generation”. Many parents are not familiar with the technology that children use as part of their daily life. So as an Internet parent these days what should you do?
Steve Lane (PC PAL, South Leicester & Market Harborough)
Posted at 11:16 AM in Leicester South, Market Harborough, Web/Tech, Weblogs | Permalink | Comments (1)
Steve Lane, PC PAL franchisee for Leicester South and Market Harborough, writes:
In part one of this blog we looked at a simple method of identifying the information assets most critical to your organisation and the impact of having them made unavailable or corrupted. Having identified the most critical assets in your organisation, how do you determine the risks they are exposed to?
Firstly, let’s look at exactly what risk is. Risk is made up of a threat, a threat agent, a vulnerability and a likelihood of occurrence. To give an analogy, what is the risk of your house being burgled? Firstly, the threat agent is the entity that will carry out the threat. In this case, this is the burglar. Without the existence of a threat agent, the threat cannot exist. So the burglar is the threat agent, the threat is burglary and the assets at risk are your nice flat screen TV and the laptop. What about vulnerabilities? You probably have some security controls in place to reduce vulnerabilities, such as locks on windows and doors. Inevitably, there are some vulnerabilities in those security controls, such as having a weak lock on the front door. Based upon an objective or subjective view, an assessment of the vulnerability is made. The assessment must consider all vulnerabilities as a whole. The likelihood of a burglary taking place would take into account any statistics about crime in the area and any other information available to give an assessment of likelihood of occurrence. All you are looking to do in this simplified risk assessment method is give a rating of HIGH, MEDIUM or LOW for vulnerability and likelihood. Using this information, it is possible to get a view of risk:
| LIKELIHOOD | VULNERABILITY: HIGH | VULNERABILITY: MEDIUM | VULNERABILITY: LOW |
|---|---|---|---|
| HIGH | HIGH | HIGH | MEDIUM |
| MEDIUM | HIGH | MEDIUM | LOW |
| LOW | MEDIUM | LOW | LOW |
For example, a likelihood of HIGH but a vulnerability of LOW would lead you to conclude the risk was MEDIUM.
This would then get laid out in a table:
| Threat | Threat Agent | Vulnerability (HIGH / MEDIUM / LOW) | Likelihood (HIGH / MEDIUM / LOW) | Risk Level (HIGH / MEDIUM / LOW) |
|---|---|---|---|---|
| Burglary | Burglar | LOW | HIGH | MEDIUM |
If you apply this method to the most critical and valuable assets of your company, let’s say, for example, your customer database, you may end up with a table like the following:
| Asset | Owner | Criticality / Impact | Availability | Threat agent | Threat | Risk Level (HIGH / MEDIUM / LOW) | Controls |
|---|---|---|---|---|---|---|---|
| Customer Database | Sales Director | B | 1 Hour | Fire | Loss of availability | LOW | Fire suppression systems |
| Customer Database | Sales Director | B | 1 Hour | Flood | Loss of availability | LOW | Server on top floor |
If you take the time to do this to your most valuable assets, you gain a better understanding of the risks that your business is exposed to and the impact of those risks. The next step is to ensure that for each risk you consider if the controls are adequate. Risks can be mitigated, transferred, avoided or insured against. Where controls are inadequate, a program of revising those controls should be implemented unless the risks can be transferred or avoided (e.g. supplier risk by using multiple suppliers).
The final output of this exercise is to develop a business continuity and disaster recovery plan taking into account all of the risks and all of the controls, documenting the assets and ensuring that should the worst happen there is a plan. For example, if your office was to burn down taking with it your accounts system, where would you move to? How would you recover your accounts system, and how would you ensure that your staff could continue your operation?
So now we have an imperfect but better-than-nothing plan. You should have a better understanding of your business and the assets at risk. However, it does not stop there. Firstly, a plan should always be tested and, secondly, this is a continuous process that requires iteration. Risks change (think 9/11) and your critical assets will change. Good luck!
Steve Lane (PC PAL, South Leicester & Market Harborough)
Posted at 04:45 PM | Permalink | Comments (0)
Steve Lane, PC PAL franchisee for Leicester South and Market Harborough, writes:
'There is a statistic bandied around the business continuity and disaster recovery world stating that “80% of businesses affected by a major incident close within 18 months”. It’s a bit of a sweeping statement and I cannot find anything to back it up or justify the figures. It is often used to justify a large spend on preparing for some disaster that may or may not arise. My view is that business owners should take some common sense steps to ensure that should a disaster arise, recovery is easier. Cost should be balanced with a realistic view of the risks. If you are a large business the complexity is greater but the principles are the same. Over the next three blog entries I will focus upon the steps a small business of around 10–20 employees should take.
Firstly, let’s demystify impact assessments and risk assessments. According to the British Standard BS 25999, the starting point of business continuity is to get a good understanding of your business through Business Impact Analysis (BIA) and Risk Assessment (RA). This sounds like something hard that you might need an expert for. That might be true in a large, complex business, but in a small business there is a lot you can do without help, keeping your costs down. It is important that, if you do make this an internal process, it is made part of a job for an individual within your organisation so it does not get forgotten.
The first step is to identify the information assets that are critical to the organisation. An information asset is a definable piece of information that has value to your organisation. It may be a single document, such as the release plans for a new product, or it might be a whole database or system such as CRM. I recommend creating an “Assets” spreadsheet including these information assets. We will add some detail and get an idea of value as part of the BIA.
The next step is to create a harm matrix. This is simply a table similar to the following where A is the highest and E is the lowest:
| Parameter | A | B | C | D | E |
|---|---|---|---|---|---|
| Financial Impact | £1m | £500k | £100k | £50k | None |
| Man days to correct | 1 Year | 6 Months | 1 Month | 1 Week | 1 Day |
| Loss of ability to operate | Total failure of business | Seriously impaired performance | Impaired performance | Inconvenient | None |
You can add as many rows for the parameters as is relevant to your business but the above is a minimum. Also you may want to adjust the financial figures to be something more representative of your business. It is also important that the table has some tangible rows such as monetary values and some more subjective and intangible rows such as loss of ability to operate.
For each information asset in your table, now create a column that identifies the asset owner and the asset custodian. The asset owner is the most senior person who has responsibility. So for example if the information asset was the accounts database, the asset owner would probably be the financial director. The asset custodian is the person that reports to the asset owner directly or indirectly and is most familiar with the use of the information asset. For example if the asset owner is the finance director, this is often the next person under the financial director in a small company (after all the finance department may just be two people). Add into your asset spreadsheet the contact details of these individuals including mobile phone numbers or home phone numbers.
For each information asset you need to ask the information owner and / or the information custodian the following question:
Using the harm matrix, what is the maximum level of harm we would suffer if the information asset was made unavailable for:
| Unavailable for | Level of harm |
|---|---|
| An hour | A / B / C / D / E |
| A day | A / B / C / D / E |
| 2 days | A / B / C / D / E |
| A week | A / B / C / D / E |
| A month | A / B / C / D / E |
| Forever | A / B / C / D / E |
Run down all of the rows in the harm matrix and identify the highest answer. What you are trying to discover is the maximum impact whether tangible such as financial or intangible such as damage to reputation that would occur if an information asset was made unavailable for a particular length of time. Once you have the answer you will discover how quickly an asset must be recovered after loss and have, albeit subjective, a measure of value. A typical profile of an information asset might be:
| Availability | Criticality | Value |
|---|---|---|
| An hour | E | ££££££ - 6 |
| A day | E | £££££ - 5 |
| 2 days | D | ££££ - 4 |
| A week | B | £££ - 3 |
| A month | A | ££ - 2 |
| Forever | A | £ - 1 |
From the profile above we can say that the information asset must be restored in the event of a disaster in under a week and we can give an arbitrary value index of £££ - 3.
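The profiling step can be scripted once the answers are in a spreadsheet. The following is an added example, not the author's own code: the sample answers are constructed so that they reproduce the profile shown above, and the cut-off of B for "must be recovered before this point" is an assumption, because the post does not state the threshold it applies.

```python
DURATIONS = ["An hour", "A day", "2 days", "A week", "A month", "Forever"]
LEVELS = "ABCDE"  # harm matrix scale from the post: A is highest, E is lowest

def build_profile(answers):
    """answers maps each harm-matrix row to one level per duration.
    Returns (duration, criticality, value index), taking the highest answer per duration."""
    profile = []
    for i, duration in enumerate(DURATIONS):
        criticality = min((row[i] for row in answers.values()), key=LEVELS.index)
        profile.append((duration, criticality, len(DURATIONS) - i))
    return profile

def recovery_deadline(profile, threshold="B"):
    """First outage length at which harm reaches the threshold.
    The threshold is an assumption of this example, not a figure from the post."""
    for duration, criticality, value in profile:
        if LEVELS.index(criticality) <= LEVELS.index(threshold):
            return duration, value
    return None

def inconsistent_rows(answers):
    """Rows where a longer outage was rated less harmful than a shorter one,
    which usually means the question should be put to the asset owner again."""
    bad = []
    for name, row in answers.items():
        ranks = [LEVELS.index(level) for level in row]
        if any(later > earlier for earlier, later in zip(ranks, ranks[1:])):
            bad.append(name)
    return bad

# Constructed answers for one information asset (not data from the post).
SAMPLE = {
    "Financial Impact":           ["E", "E", "E", "C", "B", "A"],
    "Man days to correct":        ["E", "E", "D", "C", "B", "A"],
    "Loss of ability to operate": ["E", "E", "E", "B", "A", "A"],
}

if __name__ == "__main__":
    profile = build_profile(SAMPLE)
    for row in profile:
        print(row)
    print("Recover before:", recovery_deadline(profile))
    print("Re-check these rows:", inconsistent_rows(SAMPLE))
```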
Now that we have this done for information assets, we need to abstract a little and consider premises. Create another tab in your asset spreadsheet and ask the same questions of your premises. What would be the impact if your staff were not able to get into your premises for an hour, a day, 2 days, a week etc.? For example, what if it was snow bound? The asset owner and custodian in this case should be the key holder(s). You should come up with answers to just how critical your premises are to your operations.
Now add some more tabs and consider in turn the impact of disaster at suppliers. Also consider the technology that is critical to your business such as Internet and mobile phone networks. Keep going and if necessary add parameters that are relevant to your organisation. Eventually you should end up with a picture of the critical assets and processes that make up your business. In essence you have now created a complete business impact analysis.
You should now understand the critical assets that are essential to the survival of your business, the time scales that they must be recovered in, the people that are impacted by the loss of the asset, the external factors such as suppliers, the dependence on technology and the basic resources that must be assembled to maintain a minimum level of operations for survival. If you have got this far then give yourself a round of applause. It’s a big achievement (but we are not at the final destination yet!). The important thing is that even if you have not got a complete picture, you have made a start. Even getting a partial picture is most probably better than taking the head-in-the-sand approach.
In next week’s blog we will look at the risk assessment process and how you might mitigate, transfer, avoid or insure the risk. Putting controls into place and ensuring that planning for a disaster is a priority is time (and possibly money) well spent.'
Steve Lane (PC PAL, South Leicester & Market Harborough)
Posted at 11:16 AM | Permalink | Comments (0)
A few weeks ago a customer asked me how a hard drive might become corrupted. I answered that it could be a number of things from power spikes to cosmic rays. He retorted some comment about cosmic rays and I think he thought I was pulling his leg a little. But the truth is that cosmic rays are energy particles originating from outer space that can have an effect on electronics. Our sun emits low energy cosmic rays which increase in intensity during solar flares.
The effect on computer electronics can be quite considerable. The computer works by using states to indicate if a bit is storing a one or a zero. You can think of it like a light switch. When the light is on the state is said to be representing one. When it is off it is said to be representing a zero. By using a series of ones and zeros we can represent something like this document I am typing. The letter “A” for example is represented by the binary number “01000001”. Cosmic rays although low energy have the ability to flip the switch. So it could transform a letter such as changing the word “tender” to “sender”.
In October 2008 cosmic rays may have been responsible for causing a Qantas aircraft to nosedive twice, leaving eleven passengers injured. The wrong data was sent to the main computer from the “data inertial reference unit”. The consequences of the wrong data being sent could have been much more serious. Computers these days are ubiquitous, controlling engines in our cars, the flow of electricity, air traffic control and equipment in operating theatres. Computer information is relied on to make life or death decisions. So flipping the switch and changing the data in a safety critical system may cause a catastrophe. Fortunately, most of these systems do have a way of checking and recovering from spurious data. However, most home computers do not use these error checking routines, so cosmic rays are a fact of our computing life.
In the home or small business computer there is not much we can do to stop the cosmic rays. We can, however, be prepared for data corruption or loss by implementing a best practice backup and recovery strategy. Here are 5 best practices that I recommend:
1. Decide what you need to backup and how often. A question you could ask yourself is “What data could I not do without for a day/week/month or if I could not ever get it back?” The answers to these questions can determine how often you backup.
2. Backup to a local source such as an external hard disk, USB key or to a rewritable DVD
3. Use an online backup service that automatically backs your data up so that you have an offsite copy of your data – we can advise you on a suitable service for your home PC or your small business
4. From time to time, test if you can restore. Make sure the files that you think are safe are really safe.
5. If you are a small business, start to think about disaster recovery and business continuity planning. What would you do if you suffered major data loss? In my next blog entry I will be looking at the whole subject of disaster recovery and the common steps that any business can take to ensure that after disaster strikes business can continue.
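One way to carry out the restore test in step 4, shown as an added example that is not part of the original post: record a SHA-256 digest of every file when the backup is taken, then compare a test restore against that record. The file names, contents and directory layout are constructed for the demonstration, and the flipped bit stands in for the kind of silent corruption described above.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    """Digest of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its digest at backup time."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Return {relative path: 'missing' or 'corrupt'} for files that fail the check."""
    problems = {}
    for rel, digest in manifest.items():
        p = Path(restored_root) / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != digest:
            problems[rel] = "corrupt"
    return problems

def flip_bit(path, byte_index, bit):
    """Simulate a single-bit error in a stored file."""
    data = bytearray(Path(path).read_bytes())
    data[byte_index] ^= 1 << bit
    Path(path).write_bytes(data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp, "documents"), Path(tmp, "backup")
        src.mkdir()
        (src / "quote.txt").write_text("tender accepted\n")          # constructed sample
        (src / "accounts.csv").write_text("invoice,amount\n1001,250.00\n")
        manifest = build_manifest(src)
        shutil.copytree(src, backup)
        clean = verify_restore(manifest, backup)
        flip_bit(backup / "quote.txt", 0, 0)   # 't' (0x74) becomes 'u' (0x75)
        (backup / "accounts.csv").unlink()     # a file the backup silently lost
        damaged = verify_restore(manifest, backup)
        return clean, damaged, (backup / "quote.txt").read_text()

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup medium itself, so that a damaged disk cannot take the record of what the files should look like with it.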
Steve Lane (PC PAL, South Leicester & Market Harborough)
Posted at 11:54 PM in Market Harborough, Web/Tech | Permalink | Comments (0)