Just when you think everything is humming along nicely in your environment, it hits. That dreaded disaster that you have been thinking about, had only affected other people so far. Well, be it a natural disaster impacting the region or a local power outage impacting your building, something is bound to happen that impacts your business in a negative way.
Sure, we have heard a million times that the failure to plan is planning for failure. But there is one area that many in IT responsible for business continuity may not have thought about: the physical security environment.
In one of my previous columns, “Contingency Planning” (www.securityinfowatch.com/10855630), I addressed the essential elements of understanding what you have, documenting the details and related bits for fleshing out your business continuity program. But there’s another component that you need to make sure you — or your IT department — has in check: the resiliency of your technology.
Our focus has been on the uptime of traditional systems and applications uptime on LAN/WAN/Internet connections; however, you cannot afford to overlook your physical security systems, as they are arguably some of the most important systems. From access controls, to IP video, and every sensor in between, if it is on your network, then it is fair game for an outage.
Certain physical security controls still are (and may always be) in an air-gapped environment or off the network entirely. But, do you know what will happen if the power goes out and water floods the building? Or the building goes away altogether? Given the shift to converged security controls on the internal LAN, you have multiple environments for which you must ensure resilience and uptime — even more if you count cloud-based services that are creeping into the physical security realm.
Technology outages are not “computer glitches” like many people in the news media like to call them; instead, they are failures in design, implementation and system management. You are not going to be able to think of, or prevent every possible scenario; but, you can reduce the impact to your physical; security environment when something does go awry.
Here are five questions you need to ask yourself to ensure you are not caught off guard:
1. How is your access control and video data being stored? Is the configuration as resilient as other business critical systems such as your ERP application or email sever?
2. Where are data backups stored? Onsite? In a vault offsite? Perhaps in the cloud? You need to know this not only for recovery purposes, but also for e-discovery in the event logs and video are needed.
3. How resilient is your directory service environment (i.e. Active Directory, LDAP, and the oldie but goodie, eDirectory)? If it goes down or has trouble, how is that going to impact your physical security controls?
4. When hardware fails over to redundant systems, where’s it failing to? How long will the process take? When and how can you and your team get involved to see it through?
5. How accessible will your physical security systems be in the event of a failure or failover? How do you go about accessing them?
All in all, you have to work with your IT and business continuity staff to ensure everyone is on the same page with what “uptime” and “resilience” actually mean — ditto for system accessibility during an outage. As it stands right now, your top priorities might very well be at the bottom of their lists. And the people with all the answers might not be available when you need them most.
Today’s Homework: Get Everyone on Board
In your particular situation, there may even be different people or departments that manage varying areas of IT and business continuity. Be an advocate for yourself and your systems.
At a minimum, consider the following:
• How do you define an outage? From business executives to IT staff, everyone is going to have a different answer.
• Are the right people talking to one another so they are ready to respond when a storage system or network infrastructure outage occurs?
• Have you taken the proper steps to ensure that your business critical physical security controls are going to be there when you need them?
Kevin Beaver is a consultant with Atlanta-based Principle Logic LLC (www.principlelogic.com). He has authored/co-authored 11 books on information security, including Hacking for Dummies, Implementation Strategies for Fulfilling and Maintaining IT Compliance, and the Security on Wheels audio books and blog (www.securityonwheels.com). Follow him on Twitter, @kevinbeaver or connect to him on LinkedIn.
