The quarterly publication of the International Legal Technology Association
Issue link: http://read.uberflip.com/i/80353
The ISO Challenge

Pursuing ISO 27001 certification is not easy. To be successful, a firm's efforts must include enhancements to internal policies, practices and technology. As part of this, organizations must satisfy multiple requirements, including:

• Subjecting their systems and processes to review by accredited external auditors
• Conducting their own periodic internal audits to ensure real-world practices align with defined policies
• Taking steps to continually improve their information security efforts, including implementing new processes and controls

ISO 27001 auditors report, perhaps surprisingly, that there are two reasons organizations commonly fall short:

1. They fail to carry out a thorough internal risk assessment before scoping their own planning process
2. They cannot demonstrate a management-level commitment to their information security program

These shortcomings highlight the key philosophy of the ISO standard: it is not just about technical controls (e.g., access restrictions or encryption). Rather, a significant prerequisite of certification is the ability to demonstrate an understanding of the bigger picture and context, in order to build a regimen that not only looks good on paper but will also function well in practice. To be successful with certification, firms must secure management support and carefully consider how they will implement and update measures to protect critical information, measures that are both appropriate and proportionate. And they must do this without needlessly stifling the ability of the organization to function.
Trend 3 — Moving Away from the "Open Access" Default

Whether driven by a specific initiative to achieve ISO certification or a general desire to enhance information security, some firms

Recovery at Risk: Aligning Your DR Plans w
by Bob Mellinger of Attainium Corp

Your disaster recovery (DR) plan is designed to mitigate risk to the greatest degree possible and to put into place procedures that will enable your organization to get up and running as soon as possible following an outage or disruption. What if your firm's business priority is the billing system, but the DR plan begins with email? Or what if the firm needs immediate access to telephones, and your disaster recovery plan has HR functions leading the way? If your DR plan does not align with your business priorities, your recovery could be compromised.

Perform a Business Impact Analysis

Conducting a business impact analysis is the first step in establishing those priorities. The firm's key business functions (i.e., functions that must remain viable for the firm to continue to operate) have no doubt been identified. Assess the criticality of your organization's business processes and determine the impact and consequences of a loss of service, or a reduction in normal service levels, for each of those functions.

Determine Your Recovery Time Objectives

Your next step should be to determine your recovery time objectives (RTOs) for each key business function. How long can you be without each function before the situation becomes critical? If you must have your scheduling operational within two hours of a disruption, for example, then your RTO is two hours. Determining the RTOs will help you prioritize the functions, so you know which parts of the firm's infrastructure are most critical to your operations.

Compare RTOs and ARTs

Your disaster recovery plan should mirror those priorities. The DR plan will have to consider the recovery time for each application needed, in the order needed, and determine the actual recovery time (ART) for each application. Compare the RTOs against the ARTs; if the ART is greater than the RTO, you must address the discrepancy. Either re-