Recognize demand!
IT as a business unit provides mission-critical infrastructures. IT-supported processes are rigorously deployed today without management or users giving serious thought to the devastating consequences of IT failures.
The risks associated with the increasing use of IT resources in any business are very often underestimated. This is due in no small part to the power of IT, which largely operates in the background without users noticing.
Uninterrupted IT operations?
One of the most important tasks is to ensure that systems and applications can be operated without interruption and that the data contained therein can be accessed without data loss and is available in compliance with the law. It is precisely on these important points that there is often a lack of clarity as to what concrete backup and storage requirements the organization places on IT resources. Rough process requirements for IT may still be familiar to employees in small, manageable companies. In medium-sized and large organizations, the situation is often quite different due to the division of labor: users assume utopian availability requirements. A failure of the computer workstation or a single important application has never occurred, and the reason is seen in the belief that IT has completely ruled out such scenarios through system design and product selection.
Know the risks
If IT wants to minimize failure risks in a targeted manner and align itself with the needs of the company, then the requirements for the processes and the applications and IT resources used in them must be known. Especially in large companies or administrations, where the range of different applications and data is very large, it is important to know the requirements regarding the security dimensions. Key figures on availability, data existence, integrity and confidentiality should be recorded systematically and reproducibly by the IT department. This enables it to adapt the systems, processes and emergency scenarios of IT to the requirements of the organization accordingly. Risks are thus minimized in a targeted manner and legal requirements can be better implemented. Finally, the goal is to know the organization's requirements for backup and archiving, to quantify the consequences of failures and their effects over time, and consequently to offer IT services adapted to the protection needs.
Define procedure
The need for protection can be determined in various ways and with varying quality. The established, tried-and-tested risk dialogue in the form of interviews is the best way to obtain the key parameters. Individual risks can be filtered out specifically on the basis of the questions and the reactions of the persons interviewed. The variables relevant for IT are determined systematically with the questions.
There are many stumbling blocks in the procedure during this risk dialogue. If, for example, the respondents are only asked for the key indicators of security and storage without more detailed background knowledge, the results obtained cannot be easily understood, and no business-critical factors can be identified that justify implementing the surveyed requirement. The risk dialogue must therefore not be aimed directly at the performance indicators, but must be conducted with questions based on the "what if?" principle. The questions must address the consequences of failures or errors for task performance, public reputation and legal exposure. To this end, it is advantageous to use comprehensible damage scenarios specifically as examples.
Consider environment
In smaller and medium-sized companies, requirements can be met directly with the risk dialogue described. In the case of fewer than seven departments, it is advisable to hold personal discussions with the responsible persons and the employees involved. If hundreds of analyses are to be carried out in large, heterogeneous organizations, this can no longer be done with personal risk dialogues.
For this purpose, an electronic survey is more suitable. Any number of addressees can be defined, and it takes significantly less time than face-to-face risk dialogues. Such a business impact analysis covers the entire inventory of applications. Of course, there are also disadvantages connected with a questionnaire. Due to the lack of personal contact, the intuition needed to check certain statements for plausibility is missing. In the follow-up to the analysis, this problem can be countered by seeking dialogue in isolated cases where extreme values appear or where inconsistencies are suspected.
Enter requirements
The backup and retention requirements were recorded using a multiple-choice questionnaire adapted to the backup guidelines, consisting of 25 questions divided into three chapters: data backup, data retention and information security.
1. Data backup – the most important values for the backup are requested. The maximum acceptable interruption time or the maximum tolerable data loss are values that flow directly into the backup policy. This procedure is based on ISO 22301, the leading business continuity standard. Because these statements are often answered in a distorted way by the respondents from their subjective point of view, it is necessary to also include the consequences of system failures or data loss. The consequences are recorded in the form of the severity's progression over time. With the help of this progression, the absolute figures can be verified. This also provides IT with the most important parameter for data backup: the average recovery time of a system. This is determined from the results of the survey.
2. Data retention – in contrast to the backup, this aims at designing the retention period and thus the retention time of the backups. Important compliance requirements such as the legal minimum retention period are queried and, as already in the chapter on data backup, time-related effects are elicited in the event of non-compliance. Data retention requires a great deal of sensitivity due to the exploding amount of data and the varying but sometimes long retention periods. Anyone who thinks they can derive a 1:1 retention guideline from the survey will be disappointed. Not even IT experts can give a conclusive answer to the question of how long backups need to be retained in relation to their own data. In addition to the theoretical requirements, economic aspects and the strategic orientation of IT always play a role in the topic of retention.
3. Data security – in the last part of the questionnaire, aspects of data security are addressed and, for example, the consequences of unintentional information leakage are included. In addition to protection requirements for backups and archives, answers in this topic area also provide information on how IT should handle information from the applications.
Finally, the questionnaire provides information on the requirements for backup and storage from the perspective of the service recipient and the consequences of failure, loss and compliance violations. The results are used to quantify the priorities for security and storage. In this specific case, the results were used to create a backup and retention guideline and a backup concept based on the requirements of over 100 applications.
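As an added illustration (not code from the article or its authors), the following Python sketch shows how the questionnaire results described above can be consolidated: per application it keeps the strictest stated interruption tolerance, data-loss tolerance and retention period, and it cross-checks each stated tolerance against the respondent's own severity progression so that implausible answers can be routed to a personal risk dialogue. The application names, departments, the 0..4 severity scale and the factor-of-four plausibility band are assumptions.

```python
from dataclasses import dataclass
SEVERE = 3  # constructed severity scale for the "what if?" progression: 0 none .. 4 existential

@dataclass
class Response:
    application: str
    respondent: str
    max_interruption_h: int   # stated maximum acceptable interruption (hours)
    max_data_loss_h: int      # stated maximum tolerable data loss (hours)
    severity_over_time: dict  # hours after failure -> severity 0..4 (the progression)
    min_retention_years: int  # stated legal minimum retention period

def derived_tolerance_h(progression, threshold=SEVERE):
    """Hour at which the described consequences first reach `threshold`, or None."""
    for hours, severity in sorted(progression.items()):
        if severity >= threshold:
            return hours
    return None

def check_plausibility(r, factor=4):
    """Message when the stated tolerance and the described consequences disagree by > factor."""
    derived = derived_tolerance_h(r.severity_over_time)
    if derived is None:
        return "no severe consequence described; stated tolerance is unsupported"
    if r.max_interruption_h * factor < derived:
        return f"stated {r.max_interruption_h}h is far stricter than consequences suggest ({derived}h)"
    if r.max_interruption_h > derived * factor:
        return f"stated {r.max_interruption_h}h is far laxer than consequences suggest ({derived}h)"
    return None

def consolidate(responses):
    """Strictest value per application (min RTO/RPO, max retention) plus follow-up flags."""
    result = {}
    for r in responses:
        e = result.setdefault(r.application, {"rto_h": r.max_interruption_h,
            "rpo_h": r.max_data_loss_h, "retention_years": r.min_retention_years, "flags": []})
        e["rto_h"] = min(e["rto_h"], r.max_interruption_h)
        e["rpo_h"] = min(e["rpo_h"], r.max_data_loss_h)
        e["retention_years"] = max(e["retention_years"], r.min_retention_years)
        if (flag := check_plausibility(r)):
            e["flags"].append(f"{r.respondent}: {flag}")
    return result

# Constructed sample answers (hypothetical applications and departments)
SURVEY = [
    Response("ERP", "finance", 4, 1, {1: 1, 4: 2, 8: 3, 24: 4}, 10),
    Response("ERP", "hr", 168, 24, {1: 2, 4: 3, 24: 4}, 10),
    Response("Intranet", "comms", 1, 8, {1: 0, 24: 1, 72: 1, 168: 2}, 1),
]
```

In the sample, the "hr" answer for ERP and the "comms" answer for the intranet are flagged, while the consolidated ERP figures still come from the strictest plausible answer.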
Conclusion
The requirements elicitation approach described above is particularly attractive for medium-sized and large IT organizations. With manageable effort for IT, the needs of the service recipients for the applications are assessed. The method provides those responsible for security with an overview of what is expected of crisis management (BCM) and efficient security. The person responsible for security has
The CIO, in turn, has a comprehensible and repeatable impact analysis based on the ISO 27001 and ISO 22301 standards. Armed with this knowledge, IT knows what is effectively required of it in terms of security and storage. Nothing more stands in the way of implementation.