Chapter 9: Avoiding And Preparing For The Worst

Chapter objectives

In this chapter we shall:

  • Provide you with some tips on insuring your equipment.
  • Set out some basic guidelines, checklists and templates to help you with the physical security of your systems.
  • Scare you into backing up your data, including pragmatic advice on taking data backups and ensuring that those backups are effective.
  • Discuss IT catastrophe and related subjects.
  • Help you to think through some of the issues involved in trying to ensure that your organisation's show stays on the road even if the worst does happen.

Insurance

You will normally insure your office-based computer equipment under your standard office policies. You might choose to have cover for consequential loss (e.g. loss of revenue in the event of business interruption or high value data loss). Your insurance company is likely to have rules and exclusions for higher value items. Normally, insurance company stipulations are common-sense, minimum requirements, such as:

  • Security marking devices.
  • Physically lock-securing devices (e.g. in a cage or cabinet).
  • Restricted physical access to key equipment.
  • Electrical spike protection and uninterruptable power supply to key devices.
  • Appropriate back up devices and policies for their use (regularity, off-site storage procedure) to minimise the risk of high value data loss and/or lengthy business interruption (see below).

If you are using portable computers (laptops, palmtops, hand-held computers etc.) you will also need some form of “all risks” policy to ensure that the equipment is covered away from your premises. It often makes sense to have the all risks policy separate from your office policy, to ensure that your claims record on one does not taint your claims record on the other type. In any event, at the time of writing it is nigh on impossible to get any insurer to cover portable computing devices in certain circumstances. Our advice with regard to portable computers therefore is - do not leave portable computing devices unattended in:

  • An unlocked place.
  • A locked place if the device is visible to passers by (e.g. through a window or glass door).
  • A motor vehicle, even if the vehicle is locked and the device is not visible to passers by (motor insurance won’t cover this either.)

Physical security

It is part of your trustees' fiduciary duty to ensure that you properly protect the assets of your not-for-profit organisation. It is also a legal requirement under the Data Protection Act (see chapter 11) that you maintain reasonable levels of security for the data you hold.

Strangely, people sometimes put a great deal of effort into having high levels of data (or logical) security and forget about some of the basics for maintaining physical security. Many of the severest and most likely risks to your equipment and the information on it stem from physical security risks. The main categories of risk are:

  • Natural disasters such as fire, flood, earthquake, storm damage.
  • Failure of or disruption to essential services, such as power cuts.
  • Malicious or criminal damage to equipment and/or associated facilities.
  • Accidental damage to equipment and/or associated facilities.
  • Unauthorised use of equipment.

In order to implement sound physical security procedures, you need to consider the following main questions:

  • Do you know exactly what equipment you have and where it is located?
  • Have you implemented physical and environmental security measures to protect that equipment?
  • Do you have appropriate administrative controls in place to ensure that the physical security of your equipment is maintained?

As always with areas of risk, you need to assess the severity and likelihood of the risks in order to decide the extent to which you should protect yourselves. Especially with smaller not-for-profit organisations, these can be tricky decisions. You probably don't have enough time or money to implement all of the ideas in the checklist below, but similarly you might not have enough money to replace machines if they are stolen and not insured.

The following table sets out key risk factors for physical security in not-for-profit organisations, which you can use to help you assess the risks you face.

Table 9.1 Physical Security Risk Factors

Risk factor | Notes and comments for not-for-profits
Is the equipment spread across many different sites? | Each site will have physical security risks of its own.
To what extent do you use portable computers? | Portables are especially high risk - see comments above on insurance.
Does the public have easy access to areas where equipment is kept? | Can be especially high risk for some not-for-profit organisations, e.g. a drop-in centre for young people who are in trouble.
Is some of the equipment located in places with particular propensities to natural disasters and/or malicious damage? | Not-for-profit organisations often work in places with high risks of natural disasters, political or social upheaval.
Is the information on the equipment especially sensitive and/or confidential? | Some not-for-profit organisations handle very high risk information, e.g. a fostering and adoption placement charity. Although logical security should mitigate much of this risk, the existence of that sensitive data within the system increases the physical security risks also.
Does the equipment potentially have the capability of authorising or making financial payments? | Although logical security should mitigate much of this risk, the existence of that capability within the system increases the physical security risks also.
Have you had an incident or circumstances that might lead you to believe that a disaffected person or organisation has malicious intent towards your organisation? | Disaffected former staff members are a common example of this risk. In not-for-profit organisations, there are often additional risk factors. For example, equipment in a shelter for survivors of physical abuse might be at physical risk from physical abusers. Another example: a medical research charity's equipment might be at risk from militant animal rights campaigners.

Physical security risks checklist

You can use the following checklist to help you to manage physical security risks. Check each risk area under the headings 'assessment, impact and mitigation', 'severity' and 'likelihood'. Larger not-for-profit organisations should develop more comprehensive and specific security checklists and procedures, but the following should form a good starting point even for larger not-for-profit organisations embarking on such an exercise.

Table 9.2.1 Physical Security Checklist - What you are securing

Columns: Risk area | Assessment, impact and mitigation | Severity | Likelihood

Risk areas:
  • Do you have an up to date inventory of all of your computer equipment? (see template 19.1)
  • Do you have up to date records on the locations of your system documentation?
  • Do you have an up to date inventory of all of your software? (see template 19.2)
  • Do you have up to date records of your data backup locations?
  • Do you know the location of your disaster recovery plan?

Table 9.2.2 Physical Security Checklist - How you are securing it

Columns: Risk area | Assessment, impact and mitigation | Severity | Likelihood

Risk areas:
  • Do you keep the main computers (e.g. servers) in a secure room dedicated to computer equipment?
  • Is access to your main computer room securely restricted to relevant personnel?
  • Is the main computer room located in a relatively environmentally safe place?
  • Is the main computer room protected with fire detectors, smoke detectors and/or fire extinguishers?
  • Do your main computer(s) have a clean power supply (e.g. a special power line or spike removing devices)?
  • Do your main computer(s) have an uninterruptible power supply?
  • Are some computers located in places where the public might have access?
  • Do you security mark the computer equipment?
  • Do you use power-up passwords on the computers?
  • Is the equipment physically secured (e.g. PCs bolted to the desk or housing)?
  • Are portable computers locked away out of sight when unattended?
  • Are secure access devices (e.g. bank payment transaction devices) kept locked away, accessible only to authorised personnel?

Table 9.2.3 Physical Security Checklist - Who is securing it

Columns: Risk area | Assessment, impact and mitigation | Severity | Likelihood

Risk areas:
  • Do you have clear roles and responsibilities for IT security?
  • Are the IT security procedures sufficiently documented?
  • Is there a segregation of duties between those responsible for IT security and those responsible for processing?
  • Do you have adequate insurance cover for your IT equipment?
  • Does your insurance cover "all risks"?
  • Does your insurance cover consequential losses?

Template 9.3 A Basic Hardware Inventory

Columns: Inventory reference number | Date bought | Make / model / spec | Maker's serial number | Cost | Location | Warranty / maintained by | Notes

Template 9.4 A Basic Software Inventory

Columns: Inventory reference number | Date bought | Vendor name | Author / package / version | Licence serial number | Cost | Location | Notes

Backing up

It's rather a shame, but this subject tends to make people's eyes glaze over. A shame, because actually backing up your data properly is one of the most basic and crucial things you can do to protect your investment in IT. Backing up is the process of making a secure copy of your data and/or programs as a contingency in the event that something goes wrong with the original data. Losing data is a significant risk in using IT, but one of the great benefits of using IT is the relatively low cost and ease with which secure copies can be made to protect your investment. Consider the following two horror stories.

Case Example - False economy

A good friend telephoned and asked me if we would do her a favour and help her sister who was going frantic. The sister ran a small community-based membership organisation with one full-time worker (our friend's sister herself). The organisation's computer had been stolen in a burglary overnight. Could we help? "We'll try," we said, and one of us phoned the sister. "Everything was on that machine, everything", she said, "the accounts, the membership records, our community contacts, correspondence going back 5 years….."

"We'll lend you a machine to get you up and running again pdq", we said. "Have they taken your back up device as well? What medium were you using for your backups?"

"I didn't take backups. I didn't have enough budget for a backup device when I first got the computer. In the early days I used to copy stuff on to floppy disks, but when the files all got too big for floppies I stopped copying. Please help". The only help we could manage in those circumstances was to offer our condolences.

Case Example - Flawed back ups

A large and well known campaigning organisation had an IT department with several people, comprehensive back up procedures and an air of confidence even after the new main server crashed and took all the data with it. They had back ups, everything would be OK. Most things were OK and were up and running again within a day. But one key system (used for the administration of a large proportion of the organisation's fundraising income) was not OK. This system had recently been moved on to the new server, probably in a hurry, and the back ups had not been set up correctly. Worse, even the back ups from the old server (several weeks old, but at least it would have been something) would not restore. No-one had ever tested whether the back ups on that old server could actually be restored and used. In fact, for this particular fundraising system, there was a flaw in the back up. Result: misery for many weeks.

Backing up - get the basics right

There are three big lessons from those two horror stories:

  • There is no such thing as "not having enough budget to be equipped to back up". If there isn't enough budget for back ups, there isn't enough budget for a computer and/or there isn't enough budget for staff to work on the computer. There is simply no point investing money in IT and investing effort in running a system if you are going to put all of that investment at undue risk by not backing up.
  • Make sure you are backing up all of your data files - it is easy to overlook the one system that runs on another machine or the system whose data is stored in a separate partition on your hard drive.
  • Regularly ensure that your back ups are effective by testing that you can restore the system from the back ups. Most of us (if we are lucky) take back ups for years without ever really needing to use them, but you need to know that if you ever did need to use them that they really work. Do not confuse running verification routines (which often come as part of back up software - these are useful but only part of the story) with actually testing your ability to restore.
  • Make sure that you have back ups off site, to mitigate the risk of a physical disaster destroying the backup as well as the main storage. The use of wide area networking and/or application service providers (ASPs - see chapter 3) can help you to achieve practical solutions for off-site backup.
  • Backing up is not fun. But it is an essential risk management practice and almost all of the very worst imaginable IT disasters can be largely avoided if you have backed up properly.
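To make the difference between a verification routine and a real restore test concrete, here is an added example written for this edition; it is not from the book, nor from any backup product. It is a POSIX shell script that builds a small constructed data set with two systems (accounts and fundraising), runs one backup job that was configured in a hurry and misses the fundraising system and one complete job, and writes a SHA-256 manifest beside each archive. The checksum check passes for every intact archive; only the trial restore into a scratch directory, compared against the list of systems the organisation needs, shows that the hurried job would leave the fundraising records unrecoverable. It assumes tar, diff, mktemp and either sha256sum or shasum are available; every path, file and log line in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the book's own procedure): back up, write a checksum
# manifest, log the job, then separately perform a trial restore and compare
# it with the live data. All directories and files below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/live"          # the organisation's live data (constructed sample)
STORE="$WORK/backups"      # where archives, manifests and the backup log go
LOG="$STORE/backup.log"
mkdir -p "$STORE"

# Constructed sample data: two systems, one recently moved to a new server
# and therefore easy to overlook when the backup job is set up.
mkdir -p "$LIVE/accounts" "$LIVE/fundraising"
printf 'ledger 2024\n' > "$LIVE/accounts/ledger.csv"
printf 'donor,amount\nA. Donor,50\n' > "$LIVE/fundraising/donors.csv"

# Every system the organisation needs in order to function after a restore.
REQUIRED="accounts fundraising"

sha256_of() {
  # Portable SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# make_backup NAME DIR... : archive the named directories under $LIVE, write a
# checksum manifest next to the archive, append a line to the backup log and
# print the archive path.
make_backup() {
  name="$1"; shift
  archive="$STORE/$name.tar.gz"
  (cd "$LIVE" && tar -czf "$archive" "$@")
  sha256_of "$archive" > "$archive.sha256"
  printf '%s backup=%s dirs=[%s]\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$*" >> "$LOG"
  echo "$archive"
}

# verify_backup ARCHIVE : the kind of check backup software runs for you.
# It proves the archive is intact on the medium, not that it holds what you need.
verify_backup() {
  [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# test_restore ARCHIVE : restore into a scratch directory, then check that every
# required system is present and that its files match the live copy.
test_restore() {
  scratch="$(mktemp -d)"
  tar -xzf "$1" -C "$scratch"
  rc=0
  for d in $REQUIRED; do
    if [ ! -d "$scratch/$d" ]; then
      echo "restore test FAILED: $d missing from $(basename "$1")" >&2; rc=1
    elif ! diff -r "$LIVE/$d" "$scratch/$d" >/dev/null; then
      echo "restore test FAILED: $d differs from live data" >&2; rc=1
    fi
  done
  rm -rf "$scratch"
  return $rc
}

# A job configured in a hurry that forgot the fundraising system, and a
# correctly configured one. A truncated copy stands in for a damaged tape.
PARTIAL="$(make_backup partial accounts)"
FULL="$(make_backup full accounts fundraising)"
CORRUPT="$STORE/corrupt.tar.gz"
head -c 100 "$FULL" > "$CORRUPT"; cp "$FULL.sha256" "$CORRUPT.sha256"

verify_backup "$PARTIAL" && echo "partial: checksum OK, so verification alone would pass"
test_restore "$PARTIAL" || echo "partial: restore test caught the missing system"
verify_backup "$CORRUPT" || echo "corrupt: checksum mismatch, verification caught the damaged medium"
test_restore "$FULL" && echo "full: restore test passed"
```

The two checks catch different failures: the checksum catches a damaged or incomplete copy on the medium, while only the restore test catches a job that was never told about a system in the first place, which is exactly the flaw in the second horror story. Keep the log line that make_backup writes: it is the record that a named job ran and what it covered, which is what an auditor or a successor will ask for.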

The following checklist should help you to get your back ups right. Again, check each risk area under the headings 'assessment, impact and mitigation', 'severity' and 'likelihood'. Larger not-for-profit organisations should develop more comprehensive and specific back up checklists and procedures, but the following should form a good starting point even for larger organisations.

Table 9.7.1 Back Up Checklist - What you are backing up

Columns: Risk area | Assessment, impact and mitigation | Severity | Likelihood

Risk areas:
  • Do you have an up to date inventory of all of your computer equipment?
  • Do you know where all the programs and data are stored?
  • Do you know which files you need to back up in order to avoid loss of records and/or to avoid losing the ability to function?

Table 9.7.2 Back Up Checklist - How you are backing up

Columns: Risk area | Assessment, impact and mitigation | Severity | Likelihood

Risk areas:
  • Are you backing up frequently enough?
  • Do you have appropriate back up devices and media for those devices?
  • Are you logging the back ups?
  • Is someone checking that you are following proper procedures each time you back up?
  • Do you verify your back ups?
  • Are some or all of your back ups taken off site?
  • Are your back ups kept in secure and appropriate places?
  • Do you periodically test that you are able to recover from your back ups?

Table 9.7.3 Back Up Checklist - Who is backing up and restoring

Columns: Risk area | Assessment, impact and mitigation | Severity | Likelihood

Risk areas:
  • Do you have clear roles and responsibilities for back up and restore?
  • Are the back up and restore procedures sufficiently documented?

IT business continuity

It is often difficult to separate IT business continuity from general business continuity planning, as many of the catastrophic risks you are trying to mitigate would have an impact on your organisation beyond IT (e.g. a major flood, fire or failure of public services). However, there are catastrophic risks that are IT specific, the most pressing of which (data loss through hardware or software catastrophe) you try to mitigate in part through back ups.

Having back ups, however, is only part of the story, as you need to think through how you would get your show back on the road in the event of various catastrophes. If your office burns down taking all of your machines with it, you might be able to wave the back up tapes around with a smug grin on your face, but you will need some space and machines as well as those tapes to get up and running again.

You might choose to subscribe to a business continuity, disaster recovery or data recovery service, which is in effect an insurance policy of sorts, as you are paying for the ability to use space and/or equipment in the event of a catastrophe. The "Rolls Royce" form of the service is known as a 'hot site', which is basically a site with equipment that fits your specification waiting for you to turn up with your back ups, and which can get you up and running again almost immediately. A 'cold site' is a suitable site with no equipment in it. A 'warm site' is somewhere between, where you would probably have the cabling and some equipment in place, with other equipment being procured or swapped in to the site in the event of the emergency.

Some organisations make formal or informal arrangements with other organisations to help each other out in the event of a catastrophe. A collective approach of this sort is welcome, especially in the impecunious not-for-profit sector, but it is important to realise the limitations of such an approach, especially if the arrangement is entirely informal.

Your decision on the extent to which you make prior arrangements will depend on many factors, including:

  • The extent to which you are insured for consequential loss.
  • The requirements of your insurance policy.
  • What you can realistically afford.
  • The extent to which you believe you are particularly at risk (e.g. your offices are located in a flood risk zone).
  • The loss you think you would actually incur if your operation was down for (e.g. a day, a week, a month, three months).

The important point is that you have a plan and you know how you would deal with the various catastrophic events. You need clear roles and responsibilities for dealing with the disaster and for ensuring IT business continuity after the event. The plan should also cover minimising the risks of catastrophe and (where possible) mitigating any losses arising. You should also test your plan, to satisfy yourselves that the plan would work if the worst did happen.

IT business continuity planning is not the best fun part of this book but it is important that you consider it. We hope you never have to implement your plan.

Summary

  • Make sure you have adequate insurance and that you comply with the requirements of your insurance policy.
  • Think about the specific physical security risks that your organisation faces when considering security measures - use the physical security checklist to help you.
  • Backing up properly is one of the most effective things you can do to minimise the risk of serious data loss, so make sure you back up regularly and make sure that you test restore from back up at reasonable intervals.
  • Think about the catastrophes that might hit you.
  • Within your means and perception of risk, ensure that you have an adequate plan in place to get your show back on the road as quickly and efficiently as possible.