Wednesday, September 29, 2021

Business Continuity Plan (BCP) and BCMS

Business Continuity Plan (BCP) and Business Continuity Management System (BCMS)

Today we are going to discuss a very critical business function, one that underpins every business operation.

Every business is exposed to disasters and threats; no system is 100% secure nowadays. These disruptions can take many forms, such as natural disasters, fire, long power outages, loss of key employees, delayed deliveries, cyber-attacks, etc.

The capability of an organization to continue the delivery of products and services, within acceptable timeframes and at predefined capacity, during a disruption is known as business continuity. This means either no disruption during an incident, or recovery of the system within the allowable time.

Business Continuity Planning (BCP) is the process of building the information systems environment in such a way that it helps prevent, and recover from, business disruptions caused by disasters, major incidents or threats.

Benefits 

The goal of a BCP is to minimize operational risk in the face of a natural or man-made disruption or disaster.

Business Continuity Policy

  • A Business Continuity Policy provides a framework for setting business continuity objectives. It is a commitment to satisfy applicable requirements, whether regulatory, legal or contractual, and a commitment to continual improvement.
  • It should be documented, reviewed, approved and signed by top management.
  • It should be communicated inside the organization and to the interested parties.

Business Continuity Plan

A Business Continuity Plan defines the steps required to restore business processes following a disruption within an agreed time. The plan also defines the triggers for invocation, the people to be involved, communications, etc.

Business continuity plans are the tests, plans and strategies for verifying the continuity of the system against the threats and risks to the organization. Any event that could negatively impact operations needs to be included in the BCP.

To completely define a BCP, one has to consider two aspects:

  • It should be ensured that the organization can continue business as normal, or at an acceptable level, in the wake of a disaster.
  • IT should be restored/recovered to the state it was in before the disaster.

Therefore, an organization should develop its Business Continuity Plan (BCP) using the steps below:

  1. Conduct a Business Impact Analysis (BIA) to identify sensitive and critical functions and processes, and the resources that support them.
  2. Identify, document and implement the measures needed to recover critical business functions.
  3. Organize or form a business continuity team and compile a business continuity plan.
  4. Conduct training and awareness for the business continuity team and test the plans at regular intervals.

Procedure for documenting BCP 

  • Identify and document a plan, test or drill to schedule for the BCP. If you are running a data centre or a large network and server infrastructure, you need to identify the possible failures, such as UPS power failure, fire at the data centre, Internet failure, switch/router failure, server failure, storage failure, PAC failure, firewall failure, antivirus failure, etc., and test each of them once a year.
  • Document a back-up and restore policy for each component or service before the BCP test or drill.
  • Identify and document emergency contact numbers for use during any emergency, such as difficulties in recovery following an incident.
  • Before planning a BCP test, communicate the BCP schedule to stakeholders.
  • Form or constitute a BCP team, including a BCP coordinator, an emergency response team, a BCP test team and a data back-up and restore team.
  • Invoke the BCP plan as per the schedule and the approved plans.
  • All BCP plans should be approved by the management representative before the test.
  • Keep back-ups of the asset/device configurations, and hard copies of the configuration documents, policies, testing methods, recovery plans and emergency contact numbers.
  • Record observations on fail-over and load tests.
  • Check that restoration after a reboot or restart behaves normally.
  • Analyse the risks identified during the tests/plans.
  • Document the test results, whether failure or success, the total time taken for recovery and the key personnel involved in the process.
  • Approve the test result.
  • If the test is not successful, always keep your roll-back plan updated and handy.
  • Conduct awareness and training on any improvements.

Business Continuity Management System (BCMS)

The international standard that defines the requirements for a BCMS (Business Continuity Management System) is ISO 22301:2019. It was first introduced in 2012. It covers:

  • Business continuity objectives and planning to achieve them
  • Planning changes to the business continuity management system
  • Business impact analysis and risk assessment
  • Business continuity plans and procedures

So, this is just fundamental knowledge on BCP and its procedure. I hope it has helped your understanding.

Please feel free to comment or provide your suggestions. 

-DR

Thursday, September 23, 2021

Encryption or Cryptography basics

Encryption or Cryptography

This is one of the most life-changing technologies ever introduced. It helps provide data security for sensitive information. Encryption and cryptography are commonly used with the same meaning. Cryptography is the set of secure-communication techniques that encode a message using encryption. Encryption is the process of scrambling data or information so that only the authorized receiver can understand it.

Encryption is a way of encoding data securely so that only authorized parties can understand or read it. Technically, it is the process of converting human-readable plaintext into unintelligible text, known as ciphertext. In simpler terms, encryption takes readable data and alters it so that it appears random.

It can help protect the data you send, receive and store using a system or device. Such information includes text messages stored on your smartphone, media and personal files on your personal systems, running logs on your fitness watch, health data from your smart watch, banking information sent through your online account, computer log files, etc.

Encryption requires the use of a cryptographic key. Two types of encryption are available: symmetric-key and asymmetric-key encryption.

  • Symmetric encryption uses a single password or key to both encrypt and decrypt data, and all communicating parties use the same secret key.
  • Asymmetric encryption uses two keys for encryption and decryption: one key is used for encryption, and a different key is used for decryption.

A key

A cryptographic key is a string of characters used within an encryption algorithm to alter data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it.

Similarly, the two types of key used in asymmetric encryption are known as the public key and the private key. The public key, which is shared among users, encrypts the data; the private key, which is not shared, decrypts the data.

Why needed

It is mostly required for privacy, defending against hacking and attacks, regulatory requirements, authentication, availability, data integrity, etc. Encryption is essential to help protect your sensitive personal information. Users should always encrypt any messages they send, preferably using a form of public key encryption. It is also a good idea to encrypt critical or sensitive files: anything from personal photos and sets of family photos to company data such as personnel records or accounting history, health data, etc. However, the biggest drawback of encryption is that it can be used against users in the form of ransomware attacks, which are presently a trending attack.

Many organizations and technology firms have been using encryption for a long time. Big software and application firms have also implemented encryption in multiple environments. Most legitimate websites use what is called Secure Sockets Layer (SSL), which is a form of encrypting data while it is being sent to and from a website. This keeps attackers from accessing that data in transit. Windows offers full disk encryption with the Windows 10 Pro edition. Mac OS X Yosemite prompts you to set up encryption by default when you install it. Linux distros also provide encryption at installation time. Many encryption tools are available for disk encryption, OS encryption, file encryption, etc.

Common Encryption types

Common encryption types or encryption algorithms include AES, DES, SNOW, elliptic curve cryptography, RSA, Triple DES, Twofish, encryption using SSL, etc. Briefly:

DES

The Data Encryption Standard (DES) was introduced in 1977 by the U.S. Government as a low-level encryption standard. DES has a small key size, which makes it less secure; to overcome this, Triple DES was introduced, but it turns out to be slower. DES takes a 64-bit plaintext block and a 56-bit key as input and produces 64-bit ciphertext.

AES

The Advanced Encryption Standard (AES) was introduced in 2001 by NIST and is widely used nowadays. AES uses a 128-, 192- or 256-bit secret key.

RSA 

Rivest-Shamir-Adleman (RSA) is an asymmetric encryption algorithm whose security is based on the difficulty of factoring the product of two large prime numbers.
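As an added illustration (not code from the original post) of the public-key/private-key idea described under "A key" and of RSA's reliance on factoring, the following textbook RSA uses deliberately tiny, constructed primes: the shared public key encrypts, the unshared private key decrypts, and because the modulus is tiny it can be factored, which is exactly why real keys are 2048 bits or more and are used with padding.

```python
# Added example (not from the original post): textbook RSA with deliberately
# tiny, constructed primes. It shows the public key encrypting, the private
# key decrypting, and why key size matters: a toy modulus is trivially
# factored. Real RSA uses 2048-bit or larger moduli and padding such as OAEP.
from math import gcd, isqrt

def generate_keypair(p, q, e=65537):
    """Build an RSA key pair from primes p and q: ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # private exponent: modular inverse of e
    return (e, n), (d, n)

def encrypt(message, public_key):
    """Anyone holding the shared public key can encrypt."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(message, e, n)

def decrypt(ciphertext, private_key):
    """Only the holder of the unshared private key can decrypt."""
    d, n = private_key
    return pow(ciphertext, d, n)

def factor_small_modulus(n):
    """Trial division, feasible only for toy-sized n; returns (p, q) or None."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None

def recover_private_key(public_key):
    """Once n is factored the private exponent follows: a small key is no key."""
    e, n = public_key
    p, q = factor_small_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1)), n

if __name__ == "__main__":
    public, private = generate_keypair(1009, 1013)   # constructed toy primes
    c = encrypt(123456, public)
    print(c, decrypt(c, private), recover_private_key(public) == private)
```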

Twofish

Twofish is considered one of the fastest encryption algorithms and is free to use. It ciphers data in blocks of 128 bits.

In this cloud technology era, cloud platforms are also coming with encryption by default. For example, data stored in AWS is secure by default; only the AWS account owners have access to the AWS resources they create. However, customers who have sensitive data may require additional protection by encrypting the data when it is stored on AWS.

Finally, this is just a basic understanding of encryption. Secure end-to-end encryption makes life easier and safer for everyone, so use encrypted services and use encryption to protect yourself.

Many tools are available for encryption, whether for file and folder encryption or full disk encryption. Windows Pro comes with BitLocker as its default encryption standard; similarly, there are 96Crypt (shareware), Advanced Encryption Package, BitCrypt, PGP, etc.

Please feel free to share your comments.

-DR
