
How to Survive a Computer Disaster


An IT Security Planning Guide


by Irwin Associates


--

Table of Contents

Executive Summary

The Need for Computer Security

Identifying the Threats

Reducing the Risks

Implementing the Plan

Twenty Pointers to Surviving a Computer Disaster

--

Executive Summary

Computer security is not just for the large corporation with dozens of mainframes or the specialist "high tech" outfit. Any business, whatever its size, that uses computers must be concerned with protecting its investment and ensuring the business can cope when the unexpected occurs.

This is not something to be left to the technologists alone. Computer security affects the business as a whole. As a result it must have support at the highest level and must involve management in all disciplines. Indeed, computer security should be part of the firm’s larger business-wide risk management appraisal.

Surveys have shown that the number of breaches of computer security has risen significantly over the past two years. The types of breach include a variety of incidents such as:

  • computer-related theft
  • fraud
  • hacking
  • virus attacks
  • operator error
  • failure of the air-conditioning system
  • software bugs
  • power failure.

And there has been at least one incident where a computer failure was caused by rats eating through the cables!

These breaches of security are not simply an inconvenience. Apart from causing a waste of time, there is invariably a financial impact on the business, and they are likely to have a detrimental effect on customer service. To make matters worse, the cost of security breaches is also on the increase; in a 1996 survey the average cost of a system breach was £16,000, up from £9,000 in 1994.

This guide shows how to go about protecting your firm’s investment in information technology. It describes how to go about preparing a security plan for your IT systems and covers:

  • the need for computer security
  • identifying what threats exist and what possible effect they may have on the business
  • the measures that can be taken to reduce the threats
  • how to implement and monitor the plan
  • a summary of twenty key points to surviving a computer disaster.

The guide provides a number of practical examples of the types of security breaches, the effect these may have on the business, and how to reduce the risks.

--

The Need for Computer Security

Information systems in the modern business are no longer limited to just a back-office accounting system and secretarial word processing machines. With the growing use of desktop computers by managers as well as staff, firms are becoming increasingly reliant on their computer systems not only for day-to-day operation of their business, but also for communications with business partners. As this dependence on IT continues to grow, so the risks to the health and prosperity of the business increase in the event of the systems being unavailable for any length of time. Therefore the importance of planning the security of the firm’s IT systems cannot be ignored. And it is not just "high tech" companies that are at risk; many traditional service businesses such as solicitors and accountants are becoming more and more dependent upon their computer systems.

Whilst the threat of terrorist bombs has focused the minds in many City firms, businesses in provincial areas cannot afford to ignore other, possibly less high-profile, threats to their computer systems. Surveys have shown the attitude of many firms is that it won’t happen to them. But such ostrich-like complacency is foolish. Computer related theft and other security breaches are on the increase. And the cost to the businesses of these breaches has also risen.

About this guide

This document is a guide to preparing an IT Security Plan for your business. But it is more than just a "how to..." guide. It gives a number of specific recommendations that are applicable to most firms and will help improve the security of their IT systems. It must be remembered, though, that a document such as this, however comprehensive, can only offer general advice on IT security. Each firm will need to evaluate the systems it has installed and tailor the plans to its own particular circumstances.

It is outside the scope of this document to suggest any specific suppliers or software or hardware solutions. There are two main reasons for this; firstly, hardware and software is changing at such a rate that it would very quickly make this guide out-of-date, and secondly, the choice of solution often depends upon the firm’s particular circumstances. There is no "one-size-fits-all" solution in computing!

Preparing an IT security plan

There are four stages in the preparation of an IT Security Plan:

  • identifying the areas of risk and their possible effect on the firm’s business
  • examining ways in which to reduce the likelihood of a disaster occurring
  • investigating options to reduce the effect of a disaster should it occur
  • implementing, testing, monitoring and keeping the plan updated.

The following sections of this guide describe each of these stages giving practical and pragmatic advice on ways in which to protect the firm’s IT investment.

For further help

If you require any help in preparing a plan for your particular circumstances, or assistance in managing a recovery please contact us.

--

Identifying the Threats

The first stage in preparing an effective security plan is to consider what possible threats there may be to the firm’s ICT systems and the effect that each is likely to have on the firm’s business.

Identifying the risks requires the application of a certain amount of lateral thinking in order that the security plan should include not just the most obvious systems and events but also the less commonly used systems and the less likely events. In fact the entire process of risk assessment – which is what this is all about – requires you to step outside your normal frame of reference and consider things from a different perspective.

For many firms the main threats will be as follows. Each of these is described in some detail below.

  • equipment failure
  • theft
  • computer viruses
  • unauthorised access/misuse
  • fire, flood and similar hazards
  • other threats.

The effect of any incident may range from the relatively innocuous to the pernicious. It may result in nothing more than a minor irritation. However, at the other extreme it could result in a critical date being missed or some other error being made, which in turn leads to a legal action being brought against the firm for professional negligence, or the loss of an important client or customer. But when planning you need at least to consider the "worst case", even if this is later discounted as being too unlikely. One effect of any breach of security (if it were to become widely known) is that it could cause embarrassment and/or loss of credibility for the firm. You will need to decide whether the business could live with this or whether it warrants any special consideration.

Equipment failure

This category includes not only the obvious – the accounting system, word processing, network servers and workstations – but also the less obvious systems such as the telephone switchboard, network infrastructure (cabling, hubs, routers, firewalls and the like), stand-alone PCs, links to the firm’s bank and information providers, network fax, electronic personal organisers and other communications equipment. This also includes power failure, air-conditioning equipment failure and software faults which result in the system being unavailable.

The effect of an equipment failure will be that some or all users will experience a reduced availability of systems – or no systems at all. The result of this will almost certainly be a disruption to the work of all those using the affected computer systems; for example, an inability to get out client documents and letters, to raise bills, or the loss of customers’ orders. This may simply be inconvenient if the failure lasts for up to an hour, but if it lasts for several hours or even days it is likely to cause a major disruption to the firm and have a detrimental effect on client service, profits and even the viability of the business.

Whereas a computer failure usually only affects one system, the effect of a power failure will be that all systems are unavailable for all users, and therefore the effect of a power failure is even greater.

Theft

Theft of PCs is arguably becoming less common as the theft of computer memory (RAM) is on the increase, but this is not to say that theft of PCs themselves should be discounted as a threat. The size of memory chips means that a thief can easily conceal many £000s worth of memory taken in a single raid. "RAM raiders", as they are termed, can get into a PC very quickly and remove the RAM, often damaging other parts of the machine in the process. A thief may also take any floppy disks, CDs or USB drives that are lying around in the hope that they contain something of value.

A further effect of the theft of a PC may be the loss of any data that is held on the PC’s hard disk. The data may or may not be of any interest to a thief, but rarely will its loss be of any consequence to the firm. However, for many businesses, theft of, say, a customer list could be disastrous and of great value to a competitor; for others, where a customer list alone is of no particular value, the loss may be no more than an embarrassment.

Computer viruses

A computer virus is a program that is designed to replicate itself on as many machines as it can. It is invariably transmitted via "infected" disks or files. The most common source of viruses is CDs or diskettes brought in from outside the firm, from users’ home PCs or clients or suppliers. But viruses may also be found in files transmitted via electronic mail or through access to public systems such as the Internet.

There are many thousands of different computer viruses and variants, and the effect (or "payload" as it is often called) of a virus can vary enormously depending on what it was designed to do. Many are benign and cause no more than a minor irritation in technology terms – although any virus attack is likely to cause more than just a little concern to the user. Others can wipe clean an entire hard disk, erasing all the programs and data there, having already copied themselves to another computer so that they can continue their destruction elsewhere. Some viruses can be present on a machine for some time before they are activated, perhaps by a particular set of circumstances or a particular date (e.g. Friday the thirteenth or 24th December). The growing use of PC networks makes an ideal "breeding ground" for viruses to replicate themselves.

Unauthorised access/misuse

The growing use of email, the Internet and remote access for managers and staff has certainly increased the opportunities for unauthorised users to gain access to a firm’s systems from outside ("hacking"). However, firms should not be paranoid about this threat. There is arguably a greater risk of unauthorised access from within the firm’s offices. Where PCs are left switched on all day and often logged in to the network or central computer, the opportunity for other people to access documents, confidential email messages or other information to which they are not entitled is greatly increased. And, of course, one of the greatest opportunities for computer misuse is by the office cleaners, contractors or indeed anyone who is in the building unsupervised – this is not to suggest that contractors are likely to be computer criminals, just that the opportunity is there.

An unauthorised user may or may not have malicious intent. Most hackers want to get into other people’s systems just to prove how clever they are. However, they usually want you to know they’ve been there and in order to do this they may send an email message; alternatively they could delete some files or plant a virus.

This threat also includes email messages not reaching the intended recipient, rather like conventional mail (or "snail mail") or faxes being mis-delivered or going astray (or even being "stolen"). Because the Internet is a network of networks, with servers dotted all over the world, the path taken by any particular message from its sender to recipient is indeterminate, and may even change during transmission. It would not be unusual, for example, for a message from London to Birmingham to travel via America or mainland Europe. As a result there is no guarantee of when – or indeed if – email messages will be received, and there is no foolproof way, as there is in some proprietary email services, of sending messages "recorded delivery".

Fire, flood and similar hazards

It is likely that any computer equipment that is affected as a result of a fire or flood or some similar incident (and this may also include terrorist bombs) will need to be replaced rather than simply repaired. Even if the equipment is not destroyed, it may well be adversely affected by smoke, heat, humidity or vibration.

However, the effect of such an event is liable to be far greater than just the loss of computer systems. The damage to or loss of papers and damage to premises must also be considered. These are likely to be more difficult to resolve than the replacement or repair of the computer hardware.

Other threats

Other threats include damage or disruption caused by software, user error or by problems when upgrading hardware or software.

It is important to recognise that no software can be 100% bug free. It is claimed that software systems are by far the most complex systems built by man. Thus it should come as no surprise to find that all software has some faults, and the more complex the software the more bugs it is likely to contain. Generally speaking, though, the longer the software has been in use the fewer errors it is likely to have, since the more common problems will already have been found by other users and (hopefully) fixed by the supplier. From the viewpoint of security planning the effect of any software error is quite unpredictable as it will depend entirely upon the application and where in the program the fault lies.

An inexperienced or untrained user is most likely to make inefficient use of the software, but depending on the type of system they may be able to wreak havoc. For example, there are innumerable opportunities for an untrained user to make mis-postings in an accounting system, possibly invalidating any financial reports and analyses. Unfortunately this can and does happen all too frequently, and one of the further-reaching results may be an unhappy customer.

Paradoxically, installing new hardware, operating system or application software that may be intended to enhance the firm’s systems, could have just the opposite effect. If an upgrade does not go according to plan it may result in the systems being unavailable for longer than anticipated.

--

Reducing the Risks

This section considers ways in which the firm may reduce the risks to its business for each of the threats discussed in the previous section. Reducing the risks falls into three categories:

  • reducing the chance of the breach occurring in the first place;
  • reducing the effect of the breach if it should occur;
  • restoration of the systems after the event.

As the Dutch scholar and theologian Erasmus intimated, prevention (where available) is better than cure. One important point to note here is that the cost of preventing or reducing any risk must be commensurate with the probability of the particular breach occurring and its likely effect. This may seem to be stating the obvious, but it can be easy to lose sight of the object of the exercise. There would be no point, for example, in spending £000s to prevent a problem that has little chance of occurring and would only cause minor irritation if it did happen. In almost all situations prevention is going to be partly physical – for example, locks and bolts – partly procedural – rules, guidelines and training – and partly electronic – software and hardware. In any case it should be remembered that no prevention can be 100% effective. It is a question of weighing up the likely cost of a security breach, together with the chance of the breach occurring, and taking the most appropriate steps to avoid the situation happening.

When a security breach does occur, the effect on the business will of course depend to a large extent on the period for which the systems are unavailable, which is something that is seldom known at the outset. If this sounds like stating the obvious, well it should be! But the point is that you should be aware that the job may (and often does) take longer than originally anticipated, and there should be a contingency plan in case the systems are not back up-and-running within one, two, four hours or whatever.

Equipment failure

As already mentioned, this includes not just the computers themselves, but also ancillary equipment such as power supplies, air-conditioning equipment and the cabling infrastructure. Reducing the risks or coping with equipment failure can be considered in four areas:

  • setting up and maintaining backup systems, where appropriate;
  • ensuring there is an adequate hardware maintenance contract in place;
  • taking regular security copies of data;
  • coping with power failures.

backup systems

For some systems the provision of an alternative backup system in the event of a main system being unavailable will help to reduce the effect of such an event. The problem is that many such backup systems are only required if the main systems are not available for an extended period, and this is not usually known at the outset. Furthermore there may not be a suitable alternative for many systems. However, examples of some simple backup systems include the following:

  • for a central fax system a simple cost-effective expedient would be the provision of one or two conventional fax machines;
  • a copy of word processing software held on each PC as well as on the network server and a macro to keep a copy of documents on a user’s hard drive can also enable word processing to continue on a stand-alone basis in the event of a major network failure;
  • if bank statements are transmitted and reconciled electronically, it may be necessary to request printed statements and perform manual reconciliations.

hardware maintenance

All key hardware should be under a maintenance agreement with the original supplier or a suitable third-party maintenance company. This should include mini-computers and network servers as well as any air-conditioning equipment. Such a support agreement should provide for:

  • a guaranteed response time from initially reporting the problem to an engineer turning out on site;
  • a guaranteed time to fix the problem;
  • the provision of replacement or loan equipment should the problem not be fixed within a specified period.

A guaranteed response time of 4 hours with a guaranteed fix time of 8 hours would be appropriate for many systems, but shorter or longer periods may be more suitable in some circumstances. Naturally, the cost of the maintenance contract is roughly in proportion to the guaranteed response and fix times.

For many businesses it is often not worth having individual PCs on a maintenance agreement. It is often a more cost-effective alternative to retain one or two spare PCs as backups and return the faulty machines for fixing on a "time and materials" basis. Alternatively if a replacement is needed one can usually be obtained very quickly.

One other simple but important measure that will help reduce the risk of malfunction is to keep all computer equipment clean. This is particularly important for PCs which sit not in a controlled environment but on users’ desks. Biscuit crumbs and cigarette smoke can significantly increase the chance of a breakdown. Whilst smoking in the office must be subject to corporate policy, users should be discouraged from eating at their desks if for no other reason than computer security. Furthermore all PCs should be cleaned regularly using approved cleaning materials, preferably by a professional specialising in computer cleaning.

security data copying

Replacing or fixing the hardware is only part of the solution to recovering from a computer system failure. Once the hardware has been fixed you will probably need (depending on the problem) to reload all your software and data before the system is fully operational. This may not be possible unless the firm has a programme for taking regular security copies of its data. Indeed, taking regular backup security copies of data is probably the single most important element of any security plan. An appropriate programme for taking backups will depend on the firm’s needs, the types of systems installed and the volume of transactions. However, a backup will usually be taken overnight whilst the system is not in use. And as a general rule, the backup programme should include a full daily backup, with an additional copy taken at week-ends, which is kept off-site. Some firms may wish to store all their backups off-site. It is also important that the backup programme should include a verification ("read-after-write") phase to ensure that the backup tapes can actually be read.

Off-site backups may be kept with the firm’s bank, in a safe at another office (if the firm has multiple offices), or with a specialist security company. Seldom would the home of a staff member be an appropriate place. When choosing where to keep off-site backups it should be borne in mind that you may need to get hold of the copies outside normal office hours. It would not be the first time a firm has needed to get hold of the backup copies held at the bank after it has closed on a Friday evening! And it is important that on-site backups should not be kept in the same place as the computer, since they may be destroyed or stolen along with the computer; ideally they should be stored in a fire-proof safe.

When taking backup copies it is important not to forget any data that is stored on a PC’s local hard disk that has not been saved on the network server. Some network systems provide the ability to back up all the individual PCs on the network as well as the servers, but to do this requires the PCs to be left switched on overnight – something that is not usually recommended (see unauthorised access later). The alternatives are for users to download their data to the network server each night, or as often as necessary, so that it may be backed up as part of the overnight processing, or for the users themselves to take their own backups to CD, diskette or tape each evening. These backups, too, should be kept off-site from time to time.

It is also recommended that a full set of master installation disks and a copy of the appropriate manuals is kept in a suitable off-site location, so that in the event of a major problem all the software could be reloaded onto new hardware.
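As an added example (not part of the original guide), the backup cycle described above in working form: a full dated archive of the data tree each night, a read-after-write verification pass that re-reads every file out of the archive and compares it with the live copy, and on weekend runs a second verified copy staged in a directory destined for off-site storage. The directory names, file contents and dates are assumptions.

```python
import datetime as dt
import hashlib
import shutil
import tarfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def full_backup(source: Path, backup_dir: Path, when: dt.date) -> Path:
    """Write a full copy of the whole `source` tree to a dated archive."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"full-{when.isoformat()}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    return archive


def verify_backup(source: Path, archive: Path) -> bool:
    """Read-after-write phase: re-read every file out of the archive and
    compare its hash with the live copy. Any unreadable, missing or
    mismatching file means the backup cannot be trusted for a restore."""
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                live = source.parent / member.name
                stream = tar.extractfile(member)
                if stream is None or not live.is_file():
                    return False
                if hashlib.sha256(stream.read()).hexdigest() != sha256_of(live):
                    return False
    except (tarfile.TarError, OSError):
        return False
    return True


def is_offsite_day(when: dt.date) -> bool:
    """The guide keeps the weekend copy off-site; weekday() 5/6 = Sat/Sun."""
    return when.weekday() >= 5


def run_backup_cycle(source: Path, backup_dir: Path, offsite_dir: Path, when: dt.date):
    """One night's run: full backup, verify it, and on weekends stage a
    second verified copy in the directory that goes off-site.
    Returns (archive_path, offsite_copy_or_None)."""
    archive = full_backup(source, backup_dir, when)
    if not verify_backup(source, archive):
        archive.unlink()  # never leave an unverifiable copy on the shelf
        raise RuntimeError(f"backup {archive.name} failed verification")
    offsite_copy = None
    if is_offsite_day(when):
        offsite_dir.mkdir(parents=True, exist_ok=True)
        offsite_copy = offsite_dir / archive.name
        shutil.copy2(archive, offsite_copy)
        # the off-site copy gets its own read-back check before it leaves the building
        if sha256_of(offsite_copy) != sha256_of(archive):
            offsite_copy.unlink()
            raise RuntimeError("off-site copy does not match the original")
    return archive, offsite_copy


if __name__ == "__main__":
    # constructed sample data tree (assumption: a small "data" folder)
    root = Path("backup-demo")
    src = root / "data"
    src.mkdir(parents=True, exist_ok=True)
    (src / "clients.txt").write_text("Acme Ltd\nBeta plc\n")
    (src / "ledger.csv").write_text("2024-06-15,INV-1,100.00\n")
    archive, offsite = run_backup_cycle(src, root / "backups", root / "offsite", dt.date(2024, 6, 15))
    print("archive:", archive, "off-site copy:", offsite)
```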

power failure

There is usually very little that can be done to prevent a power failure since they occur, if not quite at random, then at least unexpectedly. However, in order to protect the computer systems against damage (to either the equipment or data) it is recommended that all servers and central computers are fitted with uninterruptible power supplies (UPSs). These devices provide backup battery power for a period of time, as well as protection against power surges. The length of backup time provided is roughly proportionate to the cost of the unit. It is unlikely to be cost-effective to provide a UPS that would allow the systems to continue operating for several hours. But the provision of a UPS providing backup power for, say, 15 minutes would enable systems to continue running in the event of a short interruption in power or enable them to be shut down in an orderly fashion if there is a longer break in the power supply.

Short of having its own power generator (which is often not practicable, at least for a small business) the firm has little option but to wait for the fault to be rectified by the power supply company. A guaranteed service level contract with the power supply company is unlikely to be of much help in this context, since a power failure will probably be covered by force majeure. Where the firm does have its own generator, it should ensure that the UPSs provide sufficient time for the generator to be started up.

Theft

The first level of protection against theft is physical access to the premises and to individual offices. The firm should assess the level of protection appropriate for its offices and should at least have a burglar alarm that is linked directly to a control centre or police station. For some firms it may be appropriate to have a card-entry system. In any event, all staff should be educated in the need for security and should challenge anyone on the firm’s premises who is unknown to them. Furthermore, all visitors should be accompanied at all times when in the firm’s offices.

Ideally all central computer equipment such as servers, mini-computer systems and communications equipment should be kept together in a separate room that is locked for added protection. It is important that where this is done the room is kept locked and unlocked only when access is needed; it should not be left open all day. If, for any reason, servers are kept in a number of different places, then it is important that they are at least locked away somewhere and not kept in a general office area.

Probably the most cost-effective protection against theft of PCs or their RAM is by the use of some form of computer lock, probably fastening the PC to the desk. A variety of such devices are available from most PC dealers. Like most anti-theft devices it will not prevent the determined thief, but it may just make life that much more difficult that he decides to try elsewhere. However, there is a contrary view that if a thief finds he is unable to get into a PC easily, he may use force to get the casing off, thus causing further damage to the PC.

As a further deterrent it is recommended that all equipment is security marked or branded. And it would be advisable to keep a register of all computer equipment (and other fixed assets), together with serial numbers.

There is probably little that can be done specifically to avoid the theft of data on a PC if the PC itself is stolen, short of wiping off all data each night – something that is not entirely practicable. The best protection is to prevent theft of the PC itself. However, CDs and diskettes should not be left lying around and should be locked away, perhaps in the users’ desks.

In the event of theft, the replacement of PCs and printers is probably the easiest task. Many stores sell PCs off-the-shelf so that, provided the make is not of the utmost importance, a number of PCs may be acquired fairly quickly. Of course these will only be available as stand-alone machines, with no network facilities until such time as the network has been reinstated (see below).

Replacement of servers and proprietary mini-computer systems, however, may not be obtained quite as quickly. Delivery times for many larger systems, and certain proprietary systems in particular, may be several weeks. In such a situation there are three main options:

  • a contract with a computer disaster recovery company to provide the requisite hardware and services should it be necessary, within a guaranteed time of reporting the disaster;
  • an informal arrangement with the supplier of the equipment;
  • a reciprocal agreement with another user who has a similar hardware and software configuration.

The problems are that a formal contract with a specialist supplier of disaster recovery services tends to be rather costly, partly because the company needs to purchase enough equipment to ensure it can meet the needs of its customers. But with an informal agreement there is no guarantee that the equipment will actually be available when it is needed. It is suggested that the firm obtains quotations from at least two computer disaster recovery companies and/or the original supplier for the provision of a temporary replacement and takes a decision on the basis of the quotations received.

Recovering from a theft, like recovering from an equipment failure, is more than just obtaining replacement equipment. As with coping with equipment failure, the firm will also need to reload all its software and any data held on the system once the new hardware has been installed.

Computer viruses

The main weapon against computer viruses is anti-virus software, which can often detect a virus when it is first introduced to a computer and before it is able to do any harm. Although viruses can affect any computer, PCs tend to be the main target for such attention, and the use of local and wide-area networks has helped to increase the spread of viruses. Anti-virus software should usually be installed on the network servers and on each PC on the network. It is also recommended that any CDs, diskettes or files coming into the firm from outside (even – or perhaps especially – from staff members’ home PCs) must be checked for viruses at some central point, probably the support desk or word processing department. However, it must be recognised that no anti-virus software is 100% foolproof. Virus writers are always trying to create new viruses that cannot be detected by current versions of software; the producers of anti-virus software then have to devise ways in which to detect the new virus. It is basically a cat-and-mouse game for those involved. Many firms go so far as to make it a dismissible offence for users to load games or any other unauthorised software onto a firm’s computer. In some instances it may be feasible to install floppy disk drive locks to help reduce this risk.

In the event that a virus is found the first rule is DO NOT PANIC. More damage can be done as a result of taking a "knee-jerk" reaction when a virus has been detected than by doing nothing and carefully preparing a plan of action. The action you need to take will vary from one virus to another, and the first "port of call" should certainly be your anti-virus software documentation. The anti-virus software may provide a means of removing the virus and "disinfecting" the rogue file or PC. Where this does not work then the firm is advised to contact a specialist anti-virus consultant for advice (often the writers of the anti-virus software provide this service). Be wary of advice from someone who doesn’t ask the name of the particular virus your systems have caught!

Unauthorised access

There are a number of simple precautions that can help to reduce the risk of unauthorised access to systems, in addition to those mentioned above to reduce the risk of theft. These include:

  • the use of system passwords which give users access only to those parts of the system they need in order to perform their job;
  • ensuring users do not give others their passwords and that they are changed regularly;
  • switching off machines when they are not in use, particularly at lunch times and overnight;
  • the use of dial-back modems for remote access;
  • encoding or encrypting confidential documents.

Additional measures may be provided, usually by specialised software, which can limit for example, the time of day that workstations may be used, or who may use a particular terminal.

passwords

Most computer systems use a set of user names and passwords to provide access to different parts of the system. This feature should be used to give users access only to those parts of the system they actually need to perform their jobs. Users should be prevented from using passwords that would be easy for a hacker to work out, such as spouse’s or children’s names (spelt backwards or forwards), dates of birth, phone numbers, house or road names, postcodes, etc. as well as any word of fewer than five characters. Any word or meaningful series of numbers may be relatively easy to guess; one way in which to make passwords difficult to guess is to embed a few numbers or punctuation characters in a name – for example, da9v*id.

Users should also be made to change their passwords regularly, perhaps once every three months, and they must be actively discouraged from telling others their passwords or writing them down. These standards are best enforced centrally, by configuring the system itself to refuse short or expired passwords. Central enforcement does not require anyone to keep a list of the passwords: the system should store only a scrambled (one-way hashed) form of each password, and an administrator who needs to get into a user’s account should reset the password to a new value rather than look the old one up. If a written record of any password is unavoidable, for example for a shared administrative account, the document must be kept very secure.

When a user leaves the firm their user id should be disabled or taken off the system promptly, or at the very least their password changed. If it is discovered that a user has learned someone else’s password then that password too should be changed immediately, although such a breach may be difficult to discover. If users regularly need to get into other people’s areas it is probably an indication that the overall access security system needs to be reviewed and revised, perhaps by providing common shared areas for each department.

Additional protection can be provided by requiring a password when a PC is switched on, and/or by password-protected screen savers. However, firms should be aware that giving users a number of different passwords increases the temptation to write them all down. Also be aware that if users are allowed to change their own PC passwords there is a chance of some PCs being inaccessible if the user is away on holiday or sick; the answer is for an administrator to be able to reset the password, not for users to share them.
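
How passwords can be managed centrally without anyone keeping a readable list of them, as an added example that is not from the original guide: each password is stored only as a salted one-way hash, expiry after three months is checked by the system, an administrator resets (rather than looks up) the password of someone who is away, and a leaver’s account is disabled. The user names, passwords, the 1997 start date and the PBKDF2 round count are assumptions made for the demonstration.

```python
"""Central password management without a written list of passwords.

Added example, not from the original guide.  User names, passwords and
the 1997 start date are constructed; the PBKDF2 round count is an
assumption to be tuned to the server's speed.
"""
import hashlib
import secrets
from datetime import datetime, timedelta

PASSWORD_LIFETIME = timedelta(days=90)   # "perhaps once every three months"
PBKDF2_ROUNDS = 100_000                  # assumption: tune so one check takes ~0.1s


def _hash(password, salt):
    """One-way: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CredentialStore:
    """One record per user: random salt, password hash, when it was set and
    whether the account is disabled.  No plaintext password is ever kept, so
    there is no list for an administrator to write down or lose."""

    def __init__(self, now=datetime.now):
        self._users = {}
        self._now = now          # injectable clock so expiry can be exercised

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = {
            "salt": salt,
            "hash": _hash(password, salt),
            "set_at": self._now(),
            "disabled": False,
        }

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None or rec["disabled"]:
            return False
        return secrets.compare_digest(rec["hash"], _hash(password, rec["salt"]))

    def is_expired(self, user):
        return self._now() - self._users[user]["set_at"] > PASSWORD_LIFETIME

    def users_needing_change(self):
        """Who must be made to change their password now."""
        return sorted(u for u, r in self._users.items()
                      if not r["disabled"] and self.is_expired(u))

    def reset_password(self, user, temporary):
        """The administrator's route into an account whose owner is away:
        set a new temporary password; the old one is not recoverable."""
        self.set_password(user, temporary)

    def disable(self, user):
        """Leaver procedure: the record stays for audit but can no longer log in."""
        self._users[user]["disabled"] = True


def demo_lifecycle():
    """Walk through the guidance (verify, expire, reset, leaver) and return
    the observations so they can be checked."""
    clock = {"now": datetime(1997, 1, 6)}             # constructed start date
    store = CredentialStore(now=lambda: clock["now"])
    store.set_password("dsmith", "Tr!umph-48-gate")
    store.set_password("ejones", "Quay-7-lantern")

    results = {
        "correct_password": store.verify("dsmith", "Tr!umph-48-gate"),
        "wrong_case": store.verify("dsmith", "tr!umph-48-gate"),
        "due_at_start": store.users_needing_change(),
    }
    clock["now"] += timedelta(days=91)                 # three months pass
    results["due_after_91_days"] = store.users_needing_change()

    store.reset_password("dsmith", "Temp-Change-Me-41")    # dsmith is on holiday
    results["due_after_reset"] = store.users_needing_change()
    results["old_password_after_reset"] = store.verify("dsmith", "Tr!umph-48-gate")

    store.disable("ejones")                            # ejones leaves the firm
    results["leaver_can_log_in"] = store.verify("ejones", "Quay-7-lantern")
    results["due_after_leaver"] = store.users_needing_change()
    return results


if __name__ == "__main__":
    for key, value in demo_lifecycle().items():
        print(key, value)
```

The point of the injectable clock is that the expiry rule can be exercised in a test without waiting three months; the temporary password set by the administrator should itself be flagged for change at the user’s next login, which is a small extension left out here.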

As already mentioned, users should also be encouraged to switch off their machines when their office or workplace is unattended. At the very least they should log out of the main system when going out for lunch and switch off the machine at night.

remote access

With the increase in the use of portable computers by managers and professional staff visiting clients’ premises or working from home, and the availability of on-line services – particularly the Internet – the chances of unauthorised access by someone dialling into corporate systems have also increased. Although there have been a number of high profile cases of "hacking" reported in the media, the number of cases of hacking into most firms’ computer systems is fairly small. One simple expedient that will help to reduce the risk of a breach of this kind is to give dial-in phone numbers only to those users who actually need to know them. Another, if users are only allowed dial-in access during working hours, is to leave the dial-in modems switched off outside working hours.

Dial-back modems, which answer an incoming call, hang up, and then call the user back at a telephone number registered in advance, will also help to reduce the risk of hacking, since knowing the dial-in number and a password is no longer enough to get in. This also has the benefit of providing the firm with much better control of its telephone costs. However, they will not be of much use in those firms where staff may be dialling in from hotel rooms around the world, or nationwide.

encoding and encrypting documents

Many documents prepared by most firms, whilst probably of a confidential nature, would be of no value or interest to anyone else if they fell into the wrong hands. Those documents that are strictly confidential may be encoded or encrypted using either the password protection feature provided within most word processing and spreadsheet programs, or special encryption software. Be aware that the password protection built into office applications is often weak and can frequently be removed with readily available tools, so for strictly confidential material dedicated encryption software is the safer choice. Encrypting files is probably most appropriate when sending confidential documents by email, although some users may also require certain documents to be password protected even when stored on the firm’s file servers.

It may also be worth considering prefacing all email messages in a similar manner to the confidentiality clauses that many firms place on their faxes. That is, words to the effect of: "This message is intended only for the named addressee as it may contain confidential information. If you have received it in error, please let us know by phone or fax and confirm that all copies of the message have been destroyed."

Fire, flood and similar hazards

So-called "acts of God" are the most difficult to predict, and therefore prevent. However, some obvious preventative measures should be employed such as ensuring that power supplies are not overloaded and regular checks by the Fire Brigade. Fire and smoke alarms are also recommended. It may be worth noting that a "flood" may be caused through leaking water pipes within the building, and thus good building maintenance has a part to play in preventing disasters. Also, more damage is often caused to computer equipment by the use of water sprinklers than by the fire from which the sprinklers were intended to protect the systems. For this reason, sprinklers are not recommended in computer rooms; inert gas makes a better fire extinguisher in these circumstances.

In the event of such a disaster actually occurring the firm will have to contend with a number of issues, which may include some or all of the following, depending on the event (not necessarily in this order):

  • notifying staff of the situation and any altered work arrangements;
  • arranging replacement or repair of computer hardware and restoration of the computer systems (as discussed above);
  • restoration of paper-based systems;
  • acquisition of temporary work space;
  • repair of buildings;
  • provision of temporary telephone and fax lines;
  • notifying clients of any new arrangements.

Most firms keep a list of all key personnel in any event. However, it is recommended that this list should also include a list of all those with home PCs, fax machines, mobile phones and/or any other office equipment, and those who may be able to work at home if necessary. This list will need to be updated regularly and kept off-site somewhere where it may be easily accessed when needed.

Other threats

Three other threats considered here are software errors, user error and unexpected problems caused when upgrading systems.

The most likely effect of a software error, other than causing irritation to users or failing to do what is expected, is going to be damage to data, and this can often only be fixed by the software vendor. As already mentioned, no software is completely free of errors. The best way in which to reduce the risk of software errors is to ensure that only thoroughly tested software is installed on the firm’s systems – and this includes popular software such as word processing packages and operating systems. This won't eliminate errors entirely, but it should certainly reduce the number, or at least make users aware of where problems may arise. Despite the trumpeting of major software vendors, there are seldom any compelling business reasons to take a new release of software as soon as it is announced. It is usually far better to wait for at least six months after a product launch to enable others to find the "teething problems". The exception is a release that fixes a security fault: that should be tested and applied promptly rather than left for six months. But where it is desired to try a new product or new release, it is recommended that this is done as a pilot with a limited number of users, in order to reduce the effect of any unexpected "features" of the new software. In cases where the firm has bespoke software it should ensure that an adequate testing programme is in place for any new releases, including having a controlled test environment (that is, one not using the firm’s live data).

To ensure the most effective use of the firm’s systems and reduce the chance of user error it is essential that adequate training is given to all users, including (or perhaps especially) managers. Allowing – or even worse, encouraging – users to teach themselves from the manuals may be a tempting way to save money. However, in the long run it may prove to be a false economy as support staff or suppliers have to spend time sorting out problems caused by users who don’t understand the product. Not only is on-the-job self-training an inefficient use of people’s time, it also leads to an inefficient use of the products. Furthermore, there is little chance of instilling in users a corporate style, or the use of corporate standards.

Upgrades to systems must be carefully planned to ensure the chance of any unexpected problems arising is kept to a minimum. The need for thorough software testing has already been mentioned. However, it is equally important to plan the installation of new hardware. For instance, the lack of a single component inadvertently forgotten could result in the systems being unavailable for several hours longer than planned; especially if the upgrade was being undertaken at a weekend to ensure minimal disruption to users and the forgotten part is not available until the Monday morning.

Insurance

It should also be remembered that insurance has an important part to play in damage limitation. However, by itself, without any contingency plans, insurance may be of limited benefit. It should not be an excuse for not taking preventative measures, but should be considered, perhaps, more of a back-stop. There is little point, for example, in the insurance coughing up for a replacement Wombat2000 if the machines ceased being made ten years ago and are no longer available.

The firm should ensure that its insurance policies cover the most likely risks. These will probably include, in the event of fire, theft or flood:

  • provision of temporary equipment;
  • repair or replacement of equipment;
  • provision of temporary accommodation;
  • the hire of temporary staff;
  • loss of income.

--

Implementing the Plan

Having prepared an IT Security Plan is not the end of things. It is just the beginning. Now the plan must be put into action. You should go through the previous section in detail identifying any actions that are pertinent to your situation, together with any additional measures that may be appropriate. Your action plan is likely to include the following:

  • arrange for alternative backup systems where appropriate;
  • check that all key hardware is under a maintenance contract and that the contracts provide adequate guaranteed response and fix times for your circumstances;
  • arrange off-site storage for security copies of all data;
  • ensure that a set of master program CDs or diskettes is kept off-site;
  • ensure that all key hardware is attached to an uninterruptible power supply;
  • check the security arrangements for the firm’s offices and tighten them up if necessary;
  • ensure that all central computer equipment is kept in a locked room;
  • obtain quotations for the temporary replacement of any proprietary systems;
  • acquire anti-virus software for all PCs and network servers;
  • ensure that system passwords are used according to the guidelines set out earlier;
  • prepare a list of all staff with PCs, faxes, mobile phones and other equipment that might be used in an emergency – and keep it off-site;
  • prepare a list of possible office accommodation that may be used in an emergency;
  • check that the firm’s insurance covers all the required risks;
  • prepare a set of procedures to be followed in the event of a disaster.

Monitoring the plan

No plan should be considered as something to be put away on the shelf and forgotten, and this one is no different. Your security plan is a working document. The preventative measures and procedures needed if the plan is to work must be put into operation as soon as possible. And it is important to keep the plan up-to-date as the firm’s IT systems change, and to reassess the possible threats from time to time.

It is also important to put each part of the plan to the test from time to time, just as you would test your fire alarms and evacuation procedures. It would be more than a little unfortunate if having taken all these elaborate precautions you then find the plan doesn’t work the first time it’s needed! For example, it wouldn’t be the first time a firm has religiously been taking regular backups only to find that the computer is unable to read the backup tape or disk when it was needed. And it is also vital to check that the uninterruptible power supplies do in fact "cut-in" when they are needed and that the batteries are fully charged. Testing the backup and restoration systems will take time, and almost certainly cannot be done whilst the systems are in use. The best time to put the plans to the test will probably be during a weekend. And it would be wise to put your hardware maintenance company on standby in case they are needed over that weekend. One final point is to time each recovery process; these things inevitably take longer than originally anticipated.
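
A restore drill of the kind described above, as an added example that is not part of the original guide: it backs up a constructed directory, restores it into a clean location, checks every file against a checksum list made at backup time, times the restore, and shows what an unreadable medium and a damaged file look like to the check. Paths and file contents are constructed; the checksum list would in practice be kept off-site with the backup.

```python
"""Backup restoration drill: back up a directory, restore it somewhere
clean, prove every file came back intact, and time the restore.

Added example, not from the original guide.  The files it backs up are
constructed in a temporary directory so that it runs offline.
"""
import hashlib
import os
import tarfile
import tempfile
import time
import zlib


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> SHA-256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def take_backup(src, archive):
    """Write a compressed archive of src; return the manifest to keep with it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def restore(archive, dest):
    """Extract the archive into dest.  Returns (readable, seconds); an
    unreadable tape or disk shows up here as readable == False."""
    start = time.monotonic()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):        # Python 3.12+ safe extraction
                tar.extractall(dest, filter="data")
            else:
                tar.extractall(dest)
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        return False, time.monotonic() - start
    return True, time.monotonic() - start


def verify(expected, dest):
    """Compare the restored tree against the manifest taken at backup time."""
    restored = manifest(dest)
    missing = sorted(p for p in expected if p not in restored)
    corrupt = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    return missing, corrupt


def rehearsal():
    """End-to-end drill on constructed data: a clean restore, a restore with
    a damaged file, and a backup medium that cannot be read at all."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "clients"))
        with open(os.path.join(live, "clients", "ledger.csv"), "w") as f:
            f.write("client,balance\nAcme Ltd,1200\n")
        with open(os.path.join(live, "memo.txt"), "w") as f:
            f.write("Quarterly review notes\n")

        archive = os.path.join(work, "backup.tar.gz")
        expected = take_backup(live, archive)
        results["files_in_manifest"] = len(expected)

        # 1. Clean restore into an empty directory, timed.
        dest = os.path.join(work, "restore1")
        readable, secs = restore(archive, dest)
        missing, corrupt = verify(expected, dest)
        results["clean"] = {"readable": readable, "missing": missing, "corrupt": corrupt}
        results["restore_seconds"] = round(secs, 3)

        # 2. A file that came back damaged is caught by the manifest.
        with open(os.path.join(dest, "memo.txt"), "a") as f:
            f.write("garbage\n")
        results["tampered_corrupt"] = verify(expected, dest)[1]

        # 3. A medium that cannot be read: truncate the archive to simulate it.
        with open(archive, "r+b") as f:
            f.truncate(os.path.getsize(archive) // 2)
        readable, _ = restore(archive, os.path.join(work, "restore2"))
        results["damaged_readable"] = readable
    return results


if __name__ == "__main__":
    for key, value in rehearsal().items():
        print(key, value)
```

Run against the real backup medium, the same three functions give the figures the plan needs: whether the medium reads at all, which files did not survive, and how long a full restore actually takes.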

That said, here’s hoping you never need to make use of your plan!

--

Twenty Pointers to Surviving a Computer Disaster

The key to surviving any disaster is planning. You should carefully consider what disasters may befall your systems and then have a plan to help cope with each type of disaster.

Here are twenty points to surviving a disaster:

  • prepare a contingency plan to cater for all eventualities and all computer systems
  • test the plan from time to time
  • keep your plan updated
  • take regular security backup copies of all data
  • verify that the backup tapes (or disks) are readable
  • keep copies of the backups off-site
  • install anti-virus software and keep it up-to-date
  • check all incoming CDs, diskettes and emails for viruses
  • ensure that all parts of the system are password protected
  • give users access only to those parts of the system they need to do their job
  • avoid commonly used passwords
  • change passwords regularly
  • always fully plan any hardware and software upgrades
  • ensure that all new hardware and software is fully tested
  • ensure that all users are fully trained in the software they use
  • check the physical security of the premises
  • install intruder alarms linked to the police station or a central control centre
  • ensure that all key hardware and software is covered by a maintenance agreement and that this provides guaranteed response and fix times
  • keep on good terms with your supplier – you never know when you may need his help!
  • verify that insurance policies are in place to cover all required risks.