The concept of information asset appears
The main purpose of writing a literature review is to help researcher to get deep knowledge and understanding of research. This literature review is to explore the information asset disaster management audit terms, models, methodology and tools by referring to the Internet, magazine, books or references, journals and interview with related personnel.
This chapter will illustrate the literature that relevant to the problem area. Thereby, the literature is expected provide foundation of knowledge in order to conduct a good research in information asset disaster management and development disaster audit model for it. The scope of this study covers in finding the appropriate terminology related to the project scope, exploring similar methodology and disaster audit. Figure 2.1 shows the literature review framework of the project.
Overview Of Information Asset
The concept of information asset appears to be an important issue for an organization in realising the potentials involve in managing its resources. Charles Oppenheim (2001) mentioned that “The concept of information as an asset has its origins in information resource management (IRM). He added that IRM treated information as an organizational resource, which has a life-cycle of creation, distribution, use and disposal, and just like any other resource; information could be assigned a cost and value. This approach was particularly suitable for application to the corporate information resources of organisations where the cost of information is often high and where there was a growing need to justify such costs by the positioning of information as a business asset”.
Definition Of Information Asset
Information has been defined by many professionals as one of the most organizational vital needs in carrying out its business functions. Not all information assets are technology dependent, but the focus of this advice is on electronically held information assets. Care must be taken when applying this advice to non-ICT dependent assets.
According (Choo, 1998) defined information assets as; “Definable piece of information, stored in any manner which is recognized as 'valuable' to the organization.”
Cost of Information Assurance (2002) defined information asset as data critical to daily operations and sustaining competitive differentiation. More so according to ASIS International Commission on Guidelines (2006) information asset is defined in their guideline as “An information asset is a collection of data that has recognised value to an agency in performing its business functions and meeting agency requirements. Information assets can be documents, electronic messages, a row in a database (or the database table itself), collections of metadata, or a table or figure within a document”.
However, it was further mention that “Information assets may include all forms and types of financial, business, and scientific information, customer related information (including identification, preferences, and pricing), business strategies, manufacturing processes, research and development, personnel data, etc. Such information may be electronically generated and processed, stored on some form of storage media, printed on paper or on other mediums whereby information may be recorded and communicated.
As business and commerce becomes increasingly information-based, the need to identify the organizational critical information asset has grown accordingly most especially in education context.
Identification And Classification Asset
The best practice in identifying and classifying of organizational assets is actually to address the assets that need a safeguard for the exciting aspect of information security for business continuity.
According to (Kadam, 2001), the task of identifying assets that need to be protected is a less glamorous aspect of information security. But unless we know these assets, their locations and value, how are we going to decide the amount of time, effort or money that we should spend on securing the assets?”
Identifying, understanding and assessing the current information asset status and value have become significant activities of an organisation. This perhaps would assist in making the operational activities to continue functioning.
Critical Information Assets (CIAs)
It is clear that identifying critical information asset should not be treated lightly in any organization like UTM. What should happen when interrupted damage or lost? How would it cost to restore the system in order? To use information effectively in their operations, there is need for UTM e-learning to identify the critical data that yields useful information and must understand why it is important to it day-to-day business functions.
Consider the different forms that information can take. Information at its most basic level is in the form of raw data — ones and zeros in a computer; documents in file cabinets; fax transmissions. Data can come from a variety of sources and can exist in a wide range of formats, such as an employee's handwritten notes, an e-mail message, a customer relationship management (CRM) database, and photographs or drawings that have been scanned into electronic files. This disparate, raw data remains relatively useless and insignificant until it is compiled, interpreted and transformed into relevant information, so its needs to identify the critical data.
According the definition of information assets by (Choo , 1998), critical information asset means essential piece of information, stored in any manner which is absolutely necessary for the success of an organization in order to adapt its changing environment.
Critical information assets requiring protection include critical and sensitive information- financial information, library automation, financial student records, payroll, purchasing and other confidential information- as well as computer-communications system in which they reside.
In the past, critical information asset protection has meant:
- Keeping it confidential, providing access only to those having a legitimate need for it
- Maintaining its integrity, assuring that all changes are authorised and intended.
- Ensuring its availability.
Traditionally, security practitioners concern themselves with the confidentiality, integrity, availability, and auditability of information assets. Information assets vary in how critical they are to the business. Some organizations value confidentiality of data most highly, while others demand integrity and availability. In highly regulated contexts, it might be important to audit access and modification to sensitive information. Without knowing what assets need protection, and without knowing what happens when the protection fails, the rest of the risk analysis techniques cannot produce worthwhile results. An asset is referred to in threat analysis parlance as a threat target.
For the owners of UTM e-learning system need to know the value of its critical information assets and to be aware of its weakness, need to identify, examine and understand the threats facing the information assets. This must be prepared fully to identify those threats post risk to the institution and the security of its information assets by conducting risk analysis.
Risk Analysis/ Assessment
Most of companies rely so much on their systems; they need to ensure that the systems are always available. Risk analysis is important in determining the likelihood of defeat organizational critical information assets will face.
Whitma & Mattord, 2008 defined risk analysis as “An analysis of the probability of loss faced by information assets within its context”. Recognizing and identifying information assets to be protected, and evaluating the risk to those assets could also be regarded as risk analysis.
Risk analysis is the process of defining and analysing the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events. In IT, a risk analysis report can be used to align technology-related objectives with a company's business objectives. (Midmerketsecurity.com)
Another definition from OECD SIGMA (1998) stated that risk analysis is a systematic process for assessing and integrating professional judgements about probable adverse conditions and/or events. According to Guidelines for Information Security Policy (2001) risk analysis is identifying the information assets to be protected, and evaluating the risk to those assets.
Johnson & John (1999) mentioned that “Performing a risk analysis involves finding and documenting the vulnerabilities in critical information assets”. They also stated that pinpointing these vulnerabilities can be a time-consuming task that will require the assistance of experts in the hardware and software used (operating systems, communications, and applications). If the analysis or entire assessment is to be performed by a group of people outside the agency, it is important that the agency have realistic expectations about what the process will accomplish. It should be understood that the quality of the assessment will be directly related to the degree of cooperation and participation that the agency provides to the assessment team.
Moreover, they further mentioned that “It is recommended that an organization hold pre-assessment meetings to communicate to the assessors what information is critical to the organization and what systems contain that information and to reach agreement about the expected results.” However, the analysis process examines the adequacy of current agency areas of control to measure the organization's effectiveness in protecting its critical asset elements. The comparison results in the identification areas of potential compromise, serves as categories for a comprehensive list of vulnerabilities and risks for which additional security measures, disaster recovery plans, modifications to security policy, and/or acceptance of risk may be necessary.
When changes are made to the information assets, or if the risk to the information assets is varied, risk analysis is made again for the relevant information assets, and the Policy is reviewed as required. Also in respect to regular review of the Policy, the work should begin with risk analysis. In addition, if vulnerability is found in any information assets, action should be promptly taken if necessary. The figure below illustrating the flow of risk analysis/assessment and is adopted from Guidelines for Information Security Policy (2001).
Risk Analysis Models
There are a number of risk analysis models, including those from NIST, NSA, ISO 17799, and ISO 27001. Another commonly used risk analysis model is Facilitated Risk Analysis Process (FRAP). However, none of these models was designed with the needs of higher education in mind. The NIST methodology was developed for federal government IT systems as indicated by the definition of risk: Whether damage to system would result in high, medium, or low injury to US interests. ISO 27001 is a specification for an Information Security Management System; it is the foundation for third party audit and certification.
Two models developed at universities, called OCTAVE and STAR are summarized here.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method is a risk-based, asset-driven model developed at the CERT Coordination Centre at Carnegie Mellon University. This comprehensive model has been adapted to small organizations (OCTAVE-S).
In OCTAVE, assets are defined quite generally to include people, hardware and software, information, and systems. OCTAVE emphasizes the need to "focus on the critical few," which are identified through a process of ranking key assets based on their importance to the business goal of the organization, likely threats to these assets, any associated vulnerabilities (technical or organizational), and the impact of a problem involving each asset. One aim of the OCTAVE method is to develop a global perspective of security within an organization, involving perspectives from all levels to ensure that solutions are not too narrowly focused or technologically driven.
Although OCTAVE was developed with businesses in mind, it is designed to be flexible and can theoretically be adapted to any environment. This flexibility has the advantage of not being tied to a particular catalogue of best practices, emphasizing the importance of addressing information security independent of the current technology. For instance, if important data is currently stored in Microsoft SQL database but is later moved to an Oracle database, the security requirements relating to the data do not change but the specific technical implementation does.
The Security Targeting and Analysis of Risks (STAR) model, developed and used at Virginia Tech, provides a decision aid to help colleges and universities perform a cursory risk analysis of their IT systems. The aim is to simplify the risk analysis process and help institutions or departments prioritize their IT risks and identify which effective security practices they should concentrate on first (they might find that one priority is to perform a more complete risk assessment). There are seven steps in the STAR process:
- Identify information assets
- Aggregate and prioritize the assets (using an Excel spreadsheet to facilitate voting on the priority of each asset)
- Identify risks
- Prioritize risks (using an Excel spreadsheet to facilitate voting on the priority of risks)
- List and define risks
- Reference risks to critical assets
- Recommendations for resolving risks
An organization typically faces variety of threat and the ultimate goal of risk assessment is to assess the circumstances and setting of each information assets to reveal any vulnerability.
Threats And Vulnerabilities
Cyber vandalism is also a big threat to corporate IT. A hacker is a person who tries to access systems without authorization. But getting access is not the only objective for many of them. Theft of goods and information and destroying or damaging systems or information also occurs. One example is denial of service (DoS) attacks. Here a hacker sends huge amounts of data to a server. The server will not be able to respond to all the data forcing it to halt normal service or crash (Laudon, K. & Laudon, J. 2006 ch.10).
A less noticeable threat is outsourcing of IT services. This is getting more popular in the western world, thus making it an important factor to consider in information asset disaster management. Off-shoring IT jobs is growing in American and European countries. This means that companies transfers their IT services and information systems along with their assets to other companies that can do the same job cheaper. This will lead to critical issues to address. Businesses will be exposed to the vulnerability of the eternal company and regions where their services are located. Loyalty and commitment from contracted employees will be lower than expected from normal employees. If a critical event should occur it will be harder to get an oversight of all IT activities that is needed in such a situation, and of course geographical distances.
A hacker who threatens organisation's information assets is taking advantage of vulnerabilities in the media and systems which handle them. Vulnerabilities and threats clearly go hand-in-hand: each threat is directed at vulnerability.
The relationship between information assets, threats, vulnerabilities and existing defences is illustrated below, which depicts an information asset that is only partially protected by the defences of the media and systems handling it. Some threats will be defeated by these defences, but other threats can take advantage of unprotected vulnerabilities and, in the worst case, compromise the information asset. The figure 2.2 is adapted from a figure used in a course presented at Stevens Institute of Technology in 2003. (Learning Space 29:08:09)
Identifying Critical Information Asset
At a high-level asset view, a certain system might be identified as being critical. But closer examination reveals that it's actually particular data on the system that is critical. The system is just one of potentially many places where that data is stored, transported, and processed, both inside and outside the organization. These places are referred to as containers. They are usually some type of technical asset; hardware, software, or system but can also be a physical object such as paper or even a person. An information asset's containers can become points of vulnerability where it is at risk. So an important part of the Allegro method is identifying each information asset's containers.
For an organization to be effective, it should be able to establish a security guidelines related to its resources, then identify critical assets, conduct appropriate risk assessments, and review the multitude of possible security enhancement measures, using risk management principles.
According to the Texas Department of Information Resources (2003) guidelines information assets could be every piece of information about your organization falls in this category. This information has been collected, classified, organized and stored in various forms which include:
- Databases: Information about your customers, personnel, production, sales, marketing, finances. This information is critical for your business. It's confidentiality, integrity and availability is of utmost importance.
- Data files: Transactional data giving up-to-date information about each event.
- Operational and support procedures: These have been developed over the years and provide detailed instructions on how to perform various activities.
- Archived information: Old information that may be required to be maintained by law.
- Continuity plans, fallback arrangements: These would be developed to overcome any disaster and maintain the continuity of business. Absence of these will lead to ad-hoc decisions in a crisis.
Identifying the critical information assets is essential for many reasons. An organization will come to know what is critical and essential for the business. It will be able to take appropriate decisions regarding the level of security that should be provided to protect the assets in case of disaster. All of the assets identified may have attributes that have impact on the effectiveness and survival of an organisation in business landscape.
The level to which information assets impacted on the ability of the organisation to become more or less effective depends on the extent to which they encourage specialisation and uniqueness. (Drucker, 1993) describes an effective organisation as a; “Special purpose institution” and also says “organisations are effective because they concentrate on one task”. Therefore, the characteristics or attributes of information as an asset can be identified and perhaps measured.
For the purpose of this research, I am going to adopt the methods of identifying organizational information assets stated in Richard et al (2007) OCTAVE Allegro model.
OCTAVE Allegro Method
OCTAVE Allegro is a streamlined variant of the OCTAVE method that focuses on information assets. Like previous OCTAVE methods, OCTAVE Allegro can be performed in a workshop-style, collaborative setting, but it is also well-suited for individuals who want to perform risk assessment without extensive organizational involvement, expertise, or input.
Because the primary focus of OCTAVE Allegro is the information asset, the organization's other important assets are identified and assessed based on the information assets to which they are connected. This process eliminates potential confusion about scope and reduces the possibility that extensive data gathering and analysis is performed for assets that are poorly defined, outside of the scope of the assessment, or in need of further decomposition.
There are eight steps of the OCTAVE Allegro methodology according to Richard et' al (2007) and are organized into four phases, as illustrated in Figure below.
From the outputs of each steps mentioned in the process above, it's relevant as for this project to select some steps that best suit the research findings. Thus, begins from step two (2) till five (5) which sequentially assist in identifying critical information asset in UTM e-learning system. This is shown in the figure 2.4 below
Figure 2.5: Comparism between OCTAVE Allegro and Adopted Steps
For any organisation that wants to exploit their information assets and address issues surrounding information overload in order to achieve their efficiency, transparency and differentiation objectives need to coordinate information management strategies in place.
Managing Critical Information Assets
Information is a valuable asset for any organization and it's an important strategic asset for the organization as important as people, capital and technology. Like other corporate assets, information must be managed.
The goal of managing information as an asset is to maximize its value by improving its consistency, accuracy, accessibility, utility, safety and transparency. When managed as an asset, information can improve supply chain performance and strengthen the relationships with customers, suppliers, partners and employees.
Yet for many organizations, information remains a liability, requiring additional rigor and focus at the enterprise level. Often seen during compliance or efficiency drives, information as a liability reflects the lack of coordinated information management actions, resulting in an increase in risk and exposure. Manifestations of information as a liability include inaccurate or unreliable reporting, out-of-date information, or content that is hard to find. Information as a liability acts as a barrier to the successful execution of the business strategy.
Managing an information asset includes all aspects of its life cycle - from specification, design, acquisition, implementation, use, storage, distribution, backup, recovery, retirement, to destruction (Whitman & Mattord, 2008). Information Lifecycle Management refers to a wide-ranging set of strategies for administering storage systems on computing devices (Wikipedia). The figure below shows information management of an organization.
According to Gartner (2006) most organisations manage information in separate silos: system-by-system or department-by-department. The result is a lack of consistency, transparency and quality of information assets across the organisation. Very few have a coordinated strategy or plan that seeks to reduce the cost, complexity and integration difficulties of sharing and exchanging information assets in ICT environment.
In response to this changing environment, the managing of information to promotes the inclusion of ICT in all learning systems and environments (formal, non-formal, informal - school, higher and adult education and training) is being implemented more and more frequently in higher education, creating new and exciting opportunities for both educational institutions and students.
As the study is focusing on the E-Learning system of Universiti Teknologi Malaysia (UTM), identifying the critical information assets and potential disaster as well as check-balance on the disaster audit for the successful running of the system will ensure that the effective and efficiency of the system. This perhaps pronounces the management of UTM e-learning critical information assets.
Electronic learning (or e-Learning or eLearning) is a type of education where the medium of instruction is computer technology. No in-person interaction may take place in some instances.
E-learning, or electronic learning, has been defined as a number of different ways in the literature. In general, e-learning is the expression broadly used to describe “instructional content or learning experience delivered or enabled by electronic technologies” (Ong, Lai and Wang, 2004, page 1).
According to (Catherall, 2004) “E-learning and related systems used to support learning and teaching are quickly becoming an important feature of the rapidly changing climate in HE provision (p. 10)”.
He further mentioned that e-learning has a very valuable role to play in society today, and the importance of e-learning is likely to rise still further in the future, especially as more people undertake part-time study and seek alternative methods of study.
More so, (Liber and Brittain, 2004) mentioned that e-learning in institutions is still dominated by monolithic application components: The VLE [CMS], the Student Records System, the Library System etc. whereas this is increasingly becoming seen as an inappropriate model for developing a flexible cost-effective e-learning environment.
The challenges faced by students, the changing role of the learner, and the impact e-learning can have on students need an understanding of ICT in context of learning.
E-learning can provide better support for the less able, engage students who do not respond well to ‘traditional' classroom learning, provide opportunity for accelerated learning for gifted and talented students, and develop independent learning skills through a personalised learning experience (Helen, 2008).
The new technologies will not only influence the intellectual activities of the university (learning, teaching and research) but also change how the university is organized, financed and governed. Most of the ICT applications will take place in the framework of the campus-based university, and they will add on new functions or substitute part of the activities in classrooms, but altogether they will not replace the face-to-face encounters.
The Introduction Of E-Learning at UTM
E-learning in UTM is generally defined as “the application of ICT to advance the effectiveness of the teaching and learning process” (UTM, 2005). It is a system where course content, lecture notes, communication tools, quizzes, tests and assignments can be accessed through the university computer network. The e-learning application in UTM is the integration between network learning and conventional learning, or in Harasim's terminology, the “adjunct mode” (Harasim, Hiltz, Teles & Turoff, 1995: 78). E-learning in UTM is a shared responsibility between the Centre for Teaching and Learning (CTL) and the Centre for Information and Communication Technology (CICT) via its division, the Academic Computing Unit. CTL provides support for lecturer trainings, and multimedia assistance, and related issues for e-learning adoption into teaching. Students' training, computer facilities, networking problems, server breakdowns and the like are managed by CICT (Marlia 2008).
E-learning in UTM was first introduced in 2001 as a supplement to the traditional teaching of undergraduate students. Initially WebCT was used as the e-learning platform but upgrading it required a substantial investment, which in the long term was not cost effective. As a result, towards the end of 2003, UTM launched Moodle, developed from Free Open Source Software (FOSS). Moodle has various functions such as content management facilities, communication tools, a calendar and a helpdesk.
A review of Moodle was conducted in 2004 to evaluate the adoption of e-learning in UTM faculties. This review analysed the progress of the course materials uploaded to the system, the number of hits (how frequently students have accessed a particular subject) and the most active subject among all faculties. However, a comparison with the effectiveness of the WebCT platform could not be undertaken because such an evaluation was not conducted in 2001. Nevertheless, UTM management has assessed the adoption of e-learning and measured whether e-learning is aligned with the direction of the university.
It was not until 2005 that UTM devised its e-learning policy in enhancing the development and application of e-learning in the university teaching and learning. The policy functions as guidelines for pedagogical improvement through effective e-learning implementation. It outlines the roles of each stakeholder in the application and development of e-learning at UTM. These parties include the University administrators, CTL, CICT, various faculties, lectures and students. Clear guidelines on the responsibilities of each stakeholder are defined. The most important section was on the intellectual property and copyright issues. Currently, the implementation of e-learning in UTM is executed in all levels of instructions including diploma studies, bachelor degree program and postgraduate level.
E-Learning's stakeholders are all stakeholders who are involved in upgrading the system through eLearning program such as in facilitating, giving technical support (hardware and software).
In an organizational context, a stakeholder is a constituency of an organization (Thompson and Strickland, 2001). In the same sense, the stakeholders of e-learning are those that are affected by it. While reviewing the e-learning literature during the development of this study, a list of the main stakeholder groups in the context of higher education was compiled.
A stakeholder is any entity with a declared or conceivable interest or stake in a policy concern. Stakeholder analysis (SA) is a tool for identifying the needs and concerns of different stakeholders. With information on stakeholders, their interests, and their capacity to oppose change, change advocates can choose how to best accommodate them, thus assuring policies adopted are politically realistic and sustainable in e-Learning system.
E-Learning makes it possible for this lifelong learning to occur as a part of the student's every day life, removing the need to travel to a traditional institution or be confined to a specific class schedule. Similar to other technology applications, the success of e-learning is dependant on the extent to which is satisfies the needs and addresses the concerns of its key stakeholders. This analysis is then used to derive a stakeholder-to-stakeholder responsibility matrix for maximizing the chances of e-learning success within institutions of higher education as indicate in the table below;
Eben (2008) highlighted the beneficiaries of e-Learning as a group of stakeholders that aims in building capacity, knowledge, and skills in the use of e-Learning. The stakeholders according to Eben include;
- I. Tutors and administration staff,
- II. The university management and
- III. Students
According to Nicole et' l (2008) the group of e-Learning stakeholder as follows:
Students are the consumers of e-learning. In the context of higher education, they are undergraduates or graduate students enrolled at a university or college.
In e-learning, as in traditional classroom learning, instructors guide the educational experiences of students. Depending on the mode of e-learning delivery, instructors may or may not have face-to-face interaction with their students.
III. Educational Institutions
Educational institutions, in the context of higher education, include colleges and universities. In addition to the traditional list of postsecondary institutions, the rise in popularity of e-learning has lead to the creation of new, online only educational institutions.
IV. Content Providers
In the higher education context, online course content may be created by instructors or acquired from external sources. The growth in e-learning has created a market for commercialized educational content creators, particularly for more introductory courses that are offered consistently at multiple institutions.
V. Technology Providers
Technology providers develop the technology that enables e-learning delivery. This category consists of a broad range of services, from the facilitation of individual distance learning courses, to complete Learning Management Systems (LMS) provided by companies such as Blackboard.
VI. Accreditation Bodies
Accreditation bodies are organizations that assess the quality of education institutions offerings. Those institutions meeting the minimum requirements will be accredited, providing them a level of credibility that non-accredited institutions will not possess.
Employers, in this context, are those organizations that will potentially hire graduates of higher education institutions. Often, there is a tendency for employers to view online education from reputable traditional institutions in a more positive light; however the acceptance of online degrees in general is increasing (Chaney, 2002).
This is a positive trend for e-learning in general and for completely online educational institutions in particular. The various stakeholders in higher education e-learning interact with one another in a variety of ways. The success of e-learning is thus dependant on the cooperation of all of those stakeholder groups. Therefore it is important for any educational institutions to be more flexible and have control over their e-learning community to enable the stakeholders to select and organize the most appropriate e-learning tools suited for teaching and learning.
The aim of e-Learning according Eben is to improve the ability of tutors and trainers who provide lifelong learning courses to make use of e-learning tools to improve the teaching and learning, especially through the use of assessment and feedback. As such, it's cleared that any information asset risk management involves the process of identifying assets and associated risks, determining their magnitude, and identifying what safeguards are needed to ensure the safety of information assets after the event of disaster.
Definition of a disaster seems to be tricky because it is characterized by the urgency in the responses required for its control. To a certain scrutiny, Jintae and Tung (2000) defined a disaster as” a calamity caused by accident, fire, explosion, or technical failure or by the forces of nature that has resulted in serious harm to the health, safety, or welfare of people or widespread damage to property.”
A disaster, either natural or man-made, can smack anytime or anywhere which requires two ways to overcome it.: the first is to prevent them from occurring, and second to have an emergency system and plan of operation prior to the occurrence of any crisis.
Disaster management is nothing but skilful ways and methods of controlling a disaster. Disaster management encompasses all aspects of planning for and responding to disasters, including hazard analysis, vulnerability reduction (preparedness), prevention, mitigation, response, recovery and rehabilitation. It may refer to the management of both the risks and consequences of disasters. Disaster management may be seen as a part of good governance that encompasses all aspects of planning for and responding to disasters.
Adnan et'al (2006) mentioned that “Any disaster management technique involves certain amount of investment. Hence the process of managing disasters and thus increasing safety, involves a balancing act between the cost of reducing the risk of a disaster and the benefits arising from the amount of risk reduced.”
Definition Of Disaster Recovery
With the increasing demand for the persistence of business critical functions, it becomes importance for an organization to protect its system in the event of disorderly circumstances for the survival of the organization. The preparedness should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure to recover from a disaster.
Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is ability for a company to recover from a catastrophe and to get the company back to business (Wells e'tl, 2007).
With the increasing importance of information technology for the continuation of business critical functions, combined with a transition to an around-the-clock economy, the importance of protecting an organization's data and IT infrastructure in the event of a disruptive situation has become an increasing and more visible business priority in recent years.
It is estimated that most large companies spend between 2% and 4% of their IT budget on disaster recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data. Of companies that had a major loss of business data, 43% never reopen, 51% close within two years, and only 6% will survive long-term (Wikipedia).
IT Disaster Recovery Management
Businesses of all sizes rely on information technology as a crucial component of their day-to-day operations. Because data availability is a top priority, the need for companies to compile a thorough disaster recovery plan is essential.
According to Continu Data Service (28:08:09) Over the last twenty years, information systems have become increasingly crucial to the operations of organizations of all sizes. The ongoing evolution in this field has resulted in the increase of both the complexity and interdependence of these systems, requiring a formal plan for business continuity in the event of a disaster. The gradual migration away from paper-based systems and the increase of compliance-related have drastically increased organizations' reliance on information systems and responsibility for their data and software.
More so, it was stated that “IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g. short-term power outages, server hardware failures) to severe disruptions (e.g. facility destruction, facility unavailability) resulting from causes ranging from natural disasters to human actions. Though many of these vulnerabilities can be minimized or eliminated through preventive controls and risk management efforts, it is virtually impossible to eliminate all risks”.
In addition, affirmed that intermediate organizations have an even greater risk of brutal IT disruption due to the following circumstances:
- The lack of large IT budgets and IT Disaster Recovery Planning (DRP) expertise
- The lack of geographic dispersion of facilities
- Periods of intense growth which limit available time and money for thoughtful planning of IT systems, much less disaster recovery efforts
IT Plan For Disaster Management
Disaster needs control in recovery of vital critical information assets or records that support the organizational core business processes. It's obvious that a disaster is recognized by it emergency responses needed to clampdown the situation. This immediate action together with one's upshot tend to make a heavy stress on the decision makers, often causing them to make simple errors and sometimes revert to non-optimal behaviour.
In planning for IT disaster in UTM e-learning system, some design principles for an information system for disaster management are mentioned by (Jintae and Tung, 2000), and are as follows;
First, the urgency required by disaster management information processing should be done as information processing during the disaster, delayed possibly by the breakdown in the communication infrastructure or the searching of relevant information, can in turn delay the action required and induce high costs that could be avoided.
Second, information processing should be as case based as possible. The best time to prepare for a disaster is after one has been managed whether successfully or poorly. All the details about what worked, what failed, and what could have been done would be fresh in memory.
Third, both the urgency and the error-prone stress require that the system be automated as much as possible but with constant human monitoring and the ability to override. From the implementation perspective, agents and workflow present an excellent way to automate or semi-automate the tasks and the flows while leaving the critical, judgement-intensive tasks to human beings.
These principles are used to reduce the possibility of a problem. But business continuity planning will permit an organization to recover their information assets quickly and relatively painlessly (though not totally without pain).
Business Continuity And Disaster Recovery
A business recovery plan addresses how assets will be operational after a disaster and is a plan that can be successfully implemented in a disruptive situation to implement basic services needed to resume business operations. Its an attempt to reduce the effects of a disaster by providing smooth, rapid restoration of an organization's critical operations until the loss of information technology can be recovered or restored. It is difficult to quantify the total impact of any single information system loss. A business continuity plan will reduce this possibility.
According to the CISA Review Manual (2006) the “ purpose of business continuity/ disaster recovery is to enable a business to continue offering services in the event of a disruption and to survive a disastrous interruption to their information systems. Rigorous planning and commitment of resources is necessary to adequately plan for such an event”. It is further elaborated on and the term Business continuity Planning (BCP) is defined as “a process designed to reduce the organization's business risk arising from an unexpected disruption of the critical function/operations necessary for the survival of the organization”. More so, it's mentioned that BCPs include the Disaster Recovery Plan (DRP). DRP is defined as “the general plan followed by business units to recover an operational facility” (CISA Review Manual 2006).
A business continuity expert (Paul, 2009) mentioned that; “Having a disaster recovery plan in place is a key step toward making sure your business can recover data and continue operations in the event of a disaster. Auditing the plan ensures that it addresses people, process and technology issues and relevant controls.
It is therefore essential for an information auditor to understand the differences in the terminologies as well as having a BCP and DRP in any organization.
In his article “Holistic Approach is Key to Network and IT Recovery and Security Success”, Damian Walch states that “Post September 11th, companies have seen the terms "security," "cyber-security" and "disaster recovery" uttered in the same breath. They've begun to appreciate the notion that security and business continuity could be aligned in several ways.” Auditors are particularly aware of the need for an adequate and performable disaster recovery plan (DRP) that will provide confidence that the application can be recovered in a reasonable amount of time after a disaster.
Information is be recognised as a resource that needs to be managed and accounted for like any other resource. The information resources are those resources which facilitate the acquisition, creation, storage, processing, or provision of information that generates the knowledge or other value required to achieve the goals and objectives of the organisation.
The Information Audit (IA) according to Buchanan & Gibb (1998), extends the concept of auditing holistically from a traditional scope of accounting and finance to the organisational information management system. Information is representative of a resource which requires effective management and this led to the development of interest in the use of an IA.
Definition Of Information Audit
The Information Audit (IA) is also known as a Records and Information Survey, and in older publications may be referred to as a Records Census. Whatever the title, the objective is a comprehensive survey of all records created or held by the institution.
The word 'audit' tends to be intimidating because it is usually associated with the annual financial audit. The information audit may produce financial information, but that is not its prime purpose.
An information audit measures information resources and processes against organisational objectives, in order to diagnose the efficiency of the organisation's use of information. The audit identifies those tasks and activities that contribute to the achievement of organisational goals and objectives as well as the information that is required to support each task or activity. It looks not only at what information is used, but where it originates, who it is created by, how it is used, to whom it is given and what happens to it after use.
An information audit should cover all media: - paper, microfiche and electronic systems. In some guidance a distinction is drawn between an Information Survey which concerns itself only with information processing and current records, and a Records Survey which concerns itself with semi-current and 'old' records.
For many years the information audit process has been promoted by information professionals as a means of identifying the information needs of an organization and matching them against existing services and resources. (Henczel, 2001), defined information audit as “a systematic evaluation of information use, resources and flows, with a verification by reference to both people and existing documents in order to establish the extent to which they are contributing to an organization's objectives.'
Though there is no unanimously conventional definition of an information audit, this definition adopted by ASLIB, the Association for Information Management in the UK is the most appropriate as it incorporates the critical elements of 'information use' and 'people' (Orna, 1999).
Information audit is defined from BusinessDirectory.com as “Analysis and evaluation of a firm's information system (whether manual or computerized) to detect and rectify blockages, duplication, and leakage of information. The objectives of this audit are to improve accuracy, relevance, security, and timeliness of the recorded information”.
An information audit is a systematic process through which an organisation can understand its knowledge and information needs, what it knows, the information flows and gaps. Resulting from an information audit is an ‘information map' which can be used as the basis for designing e-government solutions, as well as for the foundation of a corporate information strategy or a knowledge management strategy.
(Buchanan & Gibb, 1998), in an international journal of information management defined the IA as a process for ‘‘discovering, monitoring and evaluating an organisation's information resources in order to implement, maintain, or improve the organisation's management of information''.
Similarly, ASLIB, describes information auditing as ‘‘A systematic examination of information use, resources and flows, with a verification by reference to both people and existing documents, in order to establish the extent to which they are contributing to an organizations' objectives.
Information audit can also be defined or summarized as a process for ascertaining, monitoring and evaluating an organisation's information flows and resources in order to implement, maintain, or improve the organisation's management of information.
The primary purpose of the information audit is to identify what information exists within the organization, where it resides, who uses it, at what cost and to what effect. It should also seek to establish where information needs exist which are not being adequately catered for, with what consequences for individuals, their departments and for the business as a whole. Where information resources are being maintained but can be shown to have become redundant to either current or future requirement and to be generating unnecessary overheads for the business, the information audit will highlight this and act as a catalyst for corrective action.
Moreover, educational institutions also need to upgrade its knowledge to actively participate in eLearning program, such as though searching learning material, communication with the learning material provider, sharing their knowledge, updating data, etc.
Knowledge is something that comes from information processed by using data. It includes experience, values, insights, and contextual information and helps in evaluation and incorporation of new experiences and creation of new knowledge. Knowledge originates from, and is applied by knowledge workers who are involved in a particular job or task. People use their knowledge in making decisions as well as many other actions. In the last few years, many organizations realize they own a vast amount of knowledge and that this knowledge needs to be managed in order to be useful (Rusli, e'tl 2005).
Obtaining processed information from experienced personals in an organization helps in changing it visualization towards achieving business objectives. Developing a knowledge sharing culture is a change process, and to achieve that change an organisation needs a vision of where they want to be, but also they need an accurate picture of where they are now, that is, their current reality. An information audit is one way of providing that picture (Orna, 1999).
A knowledge audit (an assessment of the way knowledge processes meet an organization's knowledge goals) is to understand the processes that constitute the activities of a knowledge worker, and see how well they address the “knowledge goals” of the organization. Liebowitz (1999) defines a knowledge audit as a tool that assets potential stores of knowledge in this way it assigns a strategic significance to its information and knowledge assets so that management of essential and important information and knowledge can be prioritised.
The consequences of not conducting an information audit prior to conducting knowledge audit or developing a knowledge management strategy can cause significant direct and indirect costs for an organisation. When an organisation is unaware of the strategic significance of its knowledge assets, it manages everything rather than what it is necessary to manage (Henczel, 2001).
Auditing a Disaster Plan
UTM e-learning disaster recovery plan is a very valuable document for the department that needs to be audited as closely as any other important department asset. It is of course necessary for any organization to put controls in place to prevent this type of disaster. As an auditor, it is one of the responsibilities to investigate, evaluate and verify the controls in place which could help in reducing the risks associated with any kind of disaster. As threats are making headlines almost daily, technical and physical defensive reaction against information assets have to be available.
Audit Of An Existing Emergency Business Plan
All business are dynamic, whether it be taking on new staff, moving to different premises or moving into new business ventures. These changes could also mean a change in potential hazards, or the level or emergency preparedness of your business. Therefore it is important for your Business Emergency Plan to change as your business changes.
Corporate Disaster Recovery Plan is a very valuable document. It needs to be audited as closely as any other important company asset. Disaster avoidance is always better than Disaster Recovery. Putting together a good plan and auditing it regularly can go a long way towards preventing a disaster in an organization.
Universities have become increasingly aware of their extreme dependence on their information storage, communication and processing systems and networks. Paper based systems have become incomplete records as reliance on technology has increased. Teaching functions rely more on course management systems to provide grade books, teaching materials and portfolios. Disasters such as fire, eco-terrorism vandalism and tornados have impacted several universities increasing the awareness of risk among university administrators.
Disaster Recovery Audit
It is obvious that disasters do not occur often; even the best disaster recovery plan is subject to an immediate smoothing process. Therefore, in addition to developing a test plan to ensure the effectiveness of your DRP, it is necessary to develop an audit procedure to survey the plan for its effectiveness. The audit process ensures that the plan is adequate as well as current.
The effectiveness of a Disaster Recovery Plan is diminished by changes in the environment that the plan was created to protect. These changes can take many forms ( Bruce, 1999).
Starting by reviewing IT audits, since a disaster recovery (DR) audit may be an area addressed in the IT audit process. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, procedures, operations and governance. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. (Paul, 2009).
These reviews according to Paul may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. IT audits focus on determining risks that are relevant to information assets, and in assessing controls so as to reduce or mitigate these risks. By implementing controls, the impact of risks can be minimized, but controls, no matter how comprehensive, cannot completely eliminate all risks.
He added that the key to successful disaster recovery is to have a plan (such as an emergency plan, technology recovery plan, business continuity plan) well before disaster ever strikes. Auditing the plan ensures that it addresses people, process and technology issues and relevant controls so that the plan is likely to work as anticipated, especially when faced with a real emergency.
The key to successful disaster recovery is to have a plan (emergency plan, disaster recovery plan, and continuity plan) well before disaster ever strikes. When conducting an audit of a disaster recovery plan several factors should be considered.
The following are items that should be addressed in a disaster recovery audit according to (Paul 2009).
- Disaster recovery policies, mission statement
- Written disaster recovery plan with continual updating
- Designated hot site or cold site
- Ability to recover data and systems
- Processes for frequent backup of systems and data
- Tests and drills of disaster procedures
- Data and system backups stored offsite
- Appointed disaster recovery committee and chairperson
- Visibly listed emergency telephone numbers
- Procedures allowing effective communication
- Updated and validated system and operational documentation
- Emergency procedures
- Backup of key personnel positions
- Hardware and software vendor lists
- Both manual and automated procedures in place
- Contractual agreements with external agencies/companies, such as service-level agreements (SLAs).
The audit should be an independent and objective appraisal of the Disaster Recovery Plan for both the Data Centre and Business Units as time, technology and logistics change. The audit process according to Bruce (1999) should be expected to accomplish the following:
- Identify and evaluate security controls (both physical and data)
- Provide management an opportunity to improve and update the plan
- Provide a stimulus to keep management from becoming complacent
- Uncover areas of vulnerability as they relate to management planning, controls and information security, etc.
Frequency Of Audits
It is further stated that the factors to be considered when defining frequency include the following:
- Rate of change in the Information Systems Facility (vendor and own site)
- Frequency of other audits
- Number of problems that occur while testing the plan
- Level of outside threat to the operation
The most important challenge is to have senior management support for the audit (this includes facilitating access to key staff as well as funding); otherwise, recommended actions from the audit may not be implemented, putting the organization at continued risk. Additional challenges include securing interviews and follow-up meetings with key staff, obtaining the information required by the audit, ensuring that the information is the most current available, and ensuring that the BC/DR program addresses the most critical technology and business-related issues.
This chapter presents saying and reviews on the concept of information asset, disaster management, information audit as well as disaster management audit from different authors. It also highlighted some models in which organization like UTM will use in identifying its critical information asset and how to present the asset from disaster that might affect the assets and auditing to ensure that it addresses people, process and technology issues and relevant controls so that the plan is likely to work as anticipated, especially when faced with a real emergency. This is done later in the research by adopting one of the models as highlighted in the OCTAVE Allegro section. The model is going to be used in constructing some questions for the purpose of achieving the research objectives.
Many thanks to ABUBAKAR AMINU MUAZU
PhD Research Fellow,
Dept of Computer & Information Sciences