News Column

Security, disaster recovery part of IT best practice

January 24, 2014

This is the third instalment in my series on best practice. I was inspired to write this by a small IT department in a large company outside Paris, a well-oiled operation kept safe by robust procedures, documented processes and stringent security policies.

At first glance, these probably sound anything but inspiring, but for IT geeks like me who often have to spend a weekend sorting out a mess caused by someone else's carelessness, it's a breath of fresh air: an opportunity to work with like-minded professionals. It's a pity I don't speak much French, but the quality of the operation speaks for itself.

In many businesses, management frequently overlook or even deliberately overrule the investment required to establish an effective information technology policy based on best practice. This is a classic case of false economy, as the cost of dealing with an IT disaster can be catastrophic.

I'd like to think that responsible businesses of any size design and implement policies that prepare for any foreseeable risks, but often we hear of yet another one that is fined, chastised or simply collapses because of mistakes that could have been avoided. Make sure your business isn't next!

Information security: Policies are the much-maligned children of a best-practice strategy, but they remain the most effective way of meeting pre-defined standards. An information security policy aims to preserve confidentiality by ensuring that certain information is accessible only to authorised users.

The integrity of the information - in other words, its accuracy and completeness - must also be addressed. Change management is another area requiring defined policies. A version control procedure may be needed if several users change the same document or file during a day.

Where no controls exist, users might inadvertently overwrite someone else's work.

Continued availability ensures that users always have access to information and systems when required, and is accomplished by addressing threats such as virus attacks, power failures or hardware breakdown.

Properly applied information security policies mean your business can reliably access its information assets as needed, confident that the data has not been tampered with.

There is no single solution to achieving complete information security. It is not just about buying computer software or devices to make your business secure. It has to be addressed as part of an overall strategy, requiring the support of your staff, suppliers and management.

Acceptable Use: An acceptable use policy typically defines what an employee can or can't do with the equipment a company provides for their use. The intention is to minimise risk, while addressing legitimate needs.

It's a good idea to integrate this with an employee's employment contract, but keep it updated if this is the case. For example, social networking sites such as Twitter and Facebook have grown exponentially in recent years, fuelled in part by millions of bored office-dwellers, who are funded by the profits of companies like yours! Do you need to update your policies to regulate this sort of access?

Disaster Recovery: This could be the most important thing to address with your IT team. A "DR Plan" defines the risks, responsibilities and actions in the event of an IT disaster, and may be the only reason you survive one. This should encompass more than just your daily back-ups.

Contingency plans need to be made for risks including theft of equipment, fire damage to premises, power outages and even employees leaking company data. I sleep a lot better when these risks are identified and planned for - how about you?

How robust are your policies and procedures? Tell me about them at

The Mercury


Source: Mercury, The (South Africa)
