Transcription
Remote Access: A Tool to SupportBusiness Continuity PlanningJune 2011Disclaimer: this document is intended as a general guide only. To the extent permitted by law,the Australian Government makes no representations or warranties of any kind, express orimplied, about the accuracy or completeness of the material contained in the document. Thereliability of any assessment or evaluation based on its content is a matter for the independentjudgement of users. Users should seek professional advice as to their specific risks andneeds. The Australian Government accepts no responsibility for the consequences of any use ofthis document.
Executive SummaryRemote Access: ‘A tool to support business continuity’ was revised in June 2011 by theDepartment of Broadband, Communications and the Digital Economy, on behalf of theCommunication Sector Group (CSG) of the Trusted Information Sharing Network (TISN).This guide seeks to provide senior executives and business continuity planning committeeswith useful and thought-provoking material that covers, at a high level, the range of remoteaccess technical options available today for organisations that are considering the use ofremote access as part of an effective business continuity planning (BCP) strategy. This guidebuilds upon the information contained in a previous version of the guide, originally releasedthrough the TISN website (www.tisn.gov.au) in February 2007.Whilst the guide is aimed towards senior executives, with a responsibility for the governanceover an organisation’s business continuity planning, the guide will also be of particular interestto Business Continuity Managers (BCMs) within organisations seeking to assess their businesspreparedness for both short-term and prolonged emergencies.In preparing the updated guide, a key consideration was how remote-access solutions havematured since the release of the original guide, with organisations utilising remote access notonly in times of emergency but also throughout day-to-day steady state operations.Underpinning this is the concept that, if an organisation designs resilient business processesfor its critical services that require the use of remote-access technologies in the steady state,the business process change for an organisation when faced with an emergency can beminimised.Effective BCP is reliant on both the competence and appropriate levels of expertise fromwithin the organisation—it is the people that understand the organisation—its objectives,processes and risks. Through the use of best-practice tools and methodologies for theidentification and analysis of the threats and risks that have the potential to impact anorganisation in a time of crisis or emergency, organisations can leverage this analysis to assessthe most appropriate remote-access solution for their requirements.At the heart of this guide is a discussion of some of the tools and techniques that anorganisation can use to assist with the development of effective risk management processesand detailed risk and threat assessments that become pivotal to the success of anorganisation’s business continuity or remote-access policy.Whilst there is a plethora of documented and historical scenarios that may require anorganisation to rely upon the use of widespread remote-access capability during an emergencyor crisis, this guide has not sought to exhaustively canvass each and every scenario or threat indetail. Rather than placing a focus on the actual event or cause of the emergency, the guidehas taken an all-hazards approach that places the focus on the potential impact on theorganisation’s critical business processes and services, regardless of the source of the threat.Building upon the tools and techniques for effective business continuity planning and threatand risk assessment, the guide examines both mature and emerging remote-accesstechnologies and how organisations are increasingly benefiting from the extensive use ofconvergent mobile devices such as tablets and smartphones to enhance their remote-accesscapability. The ubiquitous nature of the Internet and the maturity of web-based applicationshave also enabled remote-access opportunities—ranging from simple communication (emailand web browsing) to enabling complex industrial control systems.2
The guide acknowledges that remote-access technologies are widely deployed as part ofbusiness-as-usual operational processes for the majority of organisations today. Underpinningthe pervasive usage of remote-access technologies is the growth of trends includingteleworking, mobile computing device adoption and web-based application delivery. All ofthese trends have shifted the perimeter of an organisation’s enterprise beyond the reach ofthe physical premises, allowing a worker to access business functionality and services in amanner that is consistent with working from the office—anywhere, anytime.The guide concludes with a section that outlines some of the principles and pitfalls that anorganisation should consider prior to and during the implementation of remote-accesssolutions as part of a BCP strategy. The section provides guidance relating to approaching themarket, assessing the capacity and capability of potential service providers, establishing soundcontractual arrangements, information security management principles and maintainingeffective business continuity plans.It should be noted by readers of this guide that the guide is not intended as a detailedtechnical manual for the design of remote-access solutions for an organisation, or as acomprehensive BCP manual. A list of useful resources and references is included in Annex C,along with a business continuity planning checklist in Annex E that may assist an organisationassess its business continuity readiness. Further information on related topics includingbusiness resilience, managing information security in an outsourcing arrangement and generalinformation security principles is available for download from the TISN website.3
ContentsJune 2011 . 1Executive Summary . 21Introduction . 61.1234The Role of Remote Access in Business Continuity Planning . 92.1‘Remote Access’ and ‘Business Continuity Planning’ defined . 92.2Enabling effective Business Continuity Planning and Business Resilience through theuse of Remote Access—benefits and outcomes . 10Remote access and Business Continuity Planning, issues and areas of focus . 113.1Establishing appropriate governance mechanisms. 113.2Understanding the threat and risk landscape . 113.3Designing resilient critical business processes . 123.4Business as usual, immediate threat and prolonged emergency scenarios . 143.5Capability, capacity and availability management principles . 15Remote Access, trends and emerging technology options . 174.1Mature remote-access options . 174.1.1Wired services . 184.1.2Wireless Services . 184.1.3Virtual Private Networks (VPN) . 194.1.4Managed network services . 194.1.5Evaluated products. 204.2Emerging remote-access technologies and their potential application . 204.2.1Cloud Computing . 214.2.24G Mobile Services . 214.2.3Wi-Fi . 224.2.4Tablets and Smart phones. 224.2.5Thin Client Computing . 234.35Structure and purpose of the guide . 7Selecting the most appropriate technologies to enable BCP within an organisation. 23Implementing Remote Access in a Business Continuity Planning strategy, principles andpitfalls . 245.1Approaching the market . 245.2Assessing the capability and capacity of suppliers. 245.3Establishing sound contractual arrangements and service-level agreements . 254
5.3.1Information Security Management Principles . 255.3.2The importance of maintaining the desired security posture . 265.3.3Maintaining effective Business Continuity Plans . 26Annex A: Consultation summary . 27Annex B: Glossary of terms . 28Annex C: References and useful resources . 31Annex D: Remote Access Technology Components . 33Annex E: Business Continuity Planning Checklist . 475
1 IntroductionRemote-access services have evolved beyond after-hours or emergency business tools tobecome integral parts of day-to-day business operations. Similarly, the types of mobile devicesused to access corporate data and information have also evolved to provide highly-capablemultifunctional devices that deliver voice, video and data to the user. This guide examinesemerging remote-access technologies and how organisations are increasingly benefiting fromthe extensive use of convergent mobile devices such as tablets and smartphones to enhancetheir remote-access capability. The ubiquitous nature of the Internet and many web-basedapplications are also creating remote-access opportunities ranging from simplecommunication (email and web browsing) to enabling complex industrial control systems.This guide will be of particular interest to Business Continuity Managers (BCMs) withinorganisations seeking to assess their business preparedness for both short-term and prolongedemergencies. The guide also seeks to provide useful information that BCMs can use whencritically reviewing, aligning and improving existing business continuity planning practiceswithin their organisations.This guide is not intended as a detailed technical manual for the design of remote-accesssolutions for an organisation, or as a comprehensive business continuity planning manual. Forfurther information on both topics, a list of useful resources and references is included inAnnex C, along with a business continuity planning checklist in Annex E.In approaching this important topic, the guide has sought to consider how remote access isused not only in times of emergency but also throughout day-to-day steady state operationsfor an organisation. Underpinning this is the concept that, if an organisation designs resilientbusiness processes for its critical services that require the use of remote-access technologies inthe steady state, the business process change for an organisation when faced with anemergency can be minimised (issues such as congestion and scalability of connectivity stillremain).The Department of Broadband, Communications and the Digital Economy, on behalf of theCommunication Sector Group (CSG) of the Trusted Information Sharing Network, reviewed andupdated the guide that was originally written in February 2007. Key stakeholders from the CSGand the Information Technology Security Expert Advisory Group were consulted as part of thepreparation of this report. A list of the individuals consulted is provided at Annex A.Figure 1 shows the transition from the steady state through to an event/emergency and therelationship between available bandwidth and the number of users accessing remote access asan organisational business continuity strategy. The graph shows how the aggregatedbandwidth supplied collectively by providers in the marketplace would be reduced during anevent or immediately thereafter. However, at the same time, the number of remote usersneeding access to maintain critical business services and processes would suddenly increase.This scenario has the potential to be further impacted if telecommunications providers haveoversubscribed services to their clients. They would have done that on the basis that undernormal conditions it would be unlikely that all of their customers would use the services at thesame time. The graph also indicates how the slow restoration of services and bandwidth topre-event levels would help stabilise and lessen the impact of critical remote-access usersacross the board.6
Figure 1: Remote-access bandwidth availability during emergencies1.1 Structure and purpose of the guideThis document is intended as a guide only. It is strongly advised that the standards andstrategies referenced be considered carefully before use in the creation, and/or review, of theorganisation’s Business Resilience, and Continuity Strategies and Policies. Organisations withexisting processes, policies and strategies may consider the use of this document to assist inthe critical review, alignment and improvement of their existing practices.This guide is structured into four sections:1.Role of Remote Access in Business Continuity Planning (BCP)—this section provides anoverview of remote access and its interrelationship with BCP and management.2.Remote access and BCP, issues and areas of focus—this section provides advice onidentifying key business processes and personnel for a remote-access capability by takinga look at the various technical, operational and business continuity issues.3.Remote access: trends and emerging technology option—this section provides anoverview of remote-access technologies that can support an organisation’s remote-accessstrategy and discusses the issues BCMs and Chief Information Officers (CIOs) may considerin implementing a remote-access solution. It also considers a number of factors pertainingto the selection of remote-access communication channels based on trade-offs betweencost, security and functionality.7
4.Implementing remote access in a BCP, strategy, principles and pitfalls—this sectiondiscusses practical advice that may assist an organisation with its consideration of remoteaccess capabilities. This should help maintain the availability of key business processesand functions for a prolonged period during an emergency situation.This guide is not intended as a technical resource on remote access. Technical guidance isavailable from a wide range of sources that are listed in Annex C.8
2 The Role of Remote Access in Business ContinuityPlanning2.1 ‘Remote Access’ and ‘Business Continuity Planning’ definedA fundamental objective for business owners and operators is business continuity during animmediate or prolonged emergency. It is important that organisations anticipate a variety ofdisruptions and have appropriate contingency plans that are designed with rigour andappropriately tested on a regular basis. Regardless of the cause of the business disruption,business owners, clients and regulatory authorities expect a quick restoration to criticalbusiness services. For this reason, a remote-access capability that can be easily transitionedfrom a steady state to an emergency state catering to a variety of scenarios of varying degreesof interruption should be considered an important component of effective Business ContinuityPlanning (BCP).For the purposes of this guide, BCP is defined as the planning actions taken by an organisationrelating to the development, implementation and maintenance of policies, frameworks andprograms to assist an entity to manage a business disruption, as well as build entity resilience.It is the capability that assists in preventing, preparing for, responding to, managing andrecovering from the impacts of a disruptive event 1.In the context of BCP, remote access provides the ability to use information andcommunications technology (ICT) systems to sustain key business processes or functions froma remote location, for a short or extended period of time.A remote location is defined as a place other than the principle place of employment for theemployee. This may include: alternative offices or a disaster recovery site in accordance with business continuityarrangementsfield staff operating critical business functions via mobile communication devicesan employee’s home environmenta hotelpublic access sites such as internet cafes.An organisation’s remote-access requirements may differ markedly due to remote-accesscapability being a continuum and dependent on the nature of the organisation. Generally, adistinction can be drawn between a basic and an advanced capability where: basic remote-access capability is restricted to a small number of basic business processessuch as email and data access, and limited to a defined group of staff with low-priorityaccessadvanced remote-access capability provides for key business processes and includes asubset of the organisation’s personnel (that is, executives, infrastructure specialists, etc.)who require a higher priority level of access to email and data as well as to other advancedservices such as voice, video and emergency management services.This guide does not limit the consideration of remote access purely to the facilitation of accessto the enterprise systems and services for employees and other trusted third parties. It alsoconsiders that remote access includes device to device connections between the enterpriseand a remote location.1Australian National Audit Office, Business Continuity Management, Better Practice Guide, June 2009.9
2.2 Enabling effective Business Continuity Planning and BusinessResilience through the use of Remote Access—benefits andoutcomesThe benefits of remote-access capability extend beyond supporting organisational BCP. Manyjob functions are inextricably linked to an organisation’s enterprise applications and servicesand, as such, having an effective remote-access capability can provide organisations with manytangible benefits by bringing the workplace to the employee. Effective remote-accesscapabilities can provide enhanced productivity and profitability by allowing employees torespond quickly to organisational and client requests. It can also provide more flexible workingarrangements for staff by allowing 24-hour, seven-days-a-week access to job functions. Apartfrom the benefits to an organisation’s workforce, a well-designed and implemented remoteaccess solution can assist an organisation facing an emergency situation to maintain: financial viability through the continued provision of servicesits reputation and brand equity with clientscompliance to regulatory obligationsprotection from risk and security exposures.These tangible benefits have driven the organisational adoption of remote-access solutions asan integral part of an effective BCP strategy.10
3 Remote access and Business Continuity Planning,issues and areas of focus3.1 Establishing appropriate governance mechanismsSuccessful BCP relies on expertise from within the organisation. It is the people thatunderstand the organisation, its objectives, processes and risks. It requires a strongunderstanding of the threats and risks that have the potential to impact an organisation in atime of crisis or emergency. The structure of an organisation’s business continuity governancecommittee should include representatives from both the executive and the operational areasof the business as well as representatives from the risk management and audit committee.To enhance the resilience capacity of the organisation to effectively mitigate the impact of anemergency, there should be regular assessments of both strategic and operational threats andrisks. The outcomes of that assessment can then be used to update the business continuityplan, part of which would include the processes needed to quickly implement remote access toenable the critical business services.3.2 Understanding the threat and risk landscapeEffective risk management processes and detailed risk and threat assessments are pivotal tothe success of any Business Continuity or Remote Access policy. Information security risk canbe closely tied to other business risks, such as reputational or financial. As such, theimportance of gaining a clear understanding of the relationship between information securityrisk and an organisation’s overall corporate risk assessment cannot be understated.In considering the range of threats that may potentially impact the effectiveness of remoteaccess as part of a business continuity solution, an organisation should evaluate the potentiallikelihood and consequences of threats that include but may not be limited to: naturally-occurring hazards– geological hazards– meteorological hazards– biological hazardshuman-caused events– accidental– intentionaltechnological-caused events– computer failure– communications failure– energy/power/utility failure 2.Prior to performing an effective threat and risk assessment related to the inclusion of remoteaccess as a business continuity enabler, an organisation should ensure that an appropriate riskmanagement methodology has been selected to govern the approach to risk and threatanalysis. AS/NZS ISO/IEC 31000 describes a process for managing risk throughout the riskmanagement lifecycle 3:2Further detail on threat sources can be located in Annex A, NFPA 1600, National Fire Protection Association,Standard on Disaster/Emergency Management and Business Continuity Programs 2007.3AS/NZS ISO/IEC 31000:2009, Risk Management—Principles and Guidelines, Standards Australia, Sydney 2009.11
3.3 Designing resilient critical business processesTable 1 outlines some of the high-level strategic, operational and technical questions that needto be considered when planning to reduce the business continuity risk.Table 1: Resilient business process planning and remote What business processes or applications are supported by the remote-access solution?The BCM and ICT Manager should have a clear understanding of all the applications thatare accessible using steady-state remote-access services.WhoWho has access to applications and business processes via remote access? The totalnumber of remote users, what services they have access to, and the equipment they useto connect, such as laptops and handheld devices, must be documented.WhereWhere do users need to access these work environments from? If the majority ofworkers are metropolitan-based, then what range of services will be required to supportthem?WhenWhen do users need to get access to these services? Are service-level agreements inplace that will ensure the provision of sufficient telecommunications capacity to theorganisation and remote users in periods of peak demand during a prolongedemergency?HowHow are the services delivered? There is likely to be a range of services and technologiesthat will deliver the remote-access services. A clear understanding of the variouschannels, capacity and security is critical in design and catering for emergency situations.To help with the planning for the use of remote access, the various considerations can beclassified under three categories—namely the strategic, operational and technical constraintsoutlined in tables 2–4. In other words, determining the why, what, who, where, when and howof remote access are important business planning considerations.12
Table 2: Strategic issues when planning for remote accessIssueNotesLegislationThere are many legislative requirements relating to remote-access mechanisms. For example,government classified information must be protected under the Crimes Act 1914, personalinformation must be protected under the Privacy Act 1988, certain types of information mustbe retained under the Archives Act, and certain private sector records must be kept undervarious other Acts relating to corporate operations. Organisations should ensure that anyremote-access mechanisms under consideration are capable of complying with relevant lawsand regulations.BenefitsOrganisations should determine the potential benefits in adopting remote-accesscapabilities. One of the key drivers might be to maintain business continuity during periodswhere employees are unable to physically attend their normal place of work.RiskOrganisations should model their remote-access business processes and determine thepotential risks involved. This will determine the operational security requirements of theremote-access architecture.CostSince remote-access capabilities comes at a cost (new technology, procedures, supportarrangements, etc.), it is important to conduct a thorough cost-benefit analysis to ensure apositive return on investment.StandardsThere are many national and international standards relating to communications protocols,data formats and information technology. Organisations that have not implemented remoteaccess technologies in the past or those that use proprietary mechanisms should consideradopting these standards. This will help to ensure that remote employees, partners, clientsor customers can use off-the-shelf hardware and software to facilitate remote access.PoliciesOrganisations might consider establishing and implementing policies to assist employees towork away from their principal worksites, with appropriate access to applications. Changesmay also be required to corporate security policies and IT security policies, configurationmanagement plans and maintenance plans.TrainingOrganisations might consider cross-training employees to perform essential businessfunctions remotely to improve resiliency. If remote-access mechanisms are new to theorganisation, employees and support/technical staff will require training on the operation ofthe relevant hardware and software components of the remote-access architecture.13
Table 3: Operational issues when planning for remote accessIssueNotesRequirementsThe operational requirements of an organisation’s remote-access architecture should bedriven by the organisation’s overall strategic plan.BandwidthDifferent business processes have varying bandwidth requirements depending on theapplication type and the information structures involved. Organisations should conduct abandwidth audit to ensure there is sufficient capacity on the chosen communicationschannels particularly in periods of peak demand.CoverageNot all communication technologies are available continuously or have complete coverageover Australia. Organisations should determine their geographic and global remote-accessrequirements and select communications appropriately.ResilienceOrganisations should be aware of the reliability and resilience of the varioustelecommunications channels.SupportThe level of support required is usually proportional to the scope of the roll out of remoteaccess mechanisms. New and infrequent users will inevitably experience teething problemsas they familiarise themselves with the new technology and procedures.ProceduresStandard operating procedures will need to be developed for the chosen remote-accessarchitecture. This applies particularly to security.Table 4: Technical issues when planning for remote accessIssueNotesSpecificationsThe functional specifications of the remote-access architecture should be formally derivedfrom the operational requirements. This will avoid stovepipe and proprietary solutions thatmay suffer incompatibility problems both within the organisation, and with external partners,clients or customers.SupportabilityOrganisations should consider whether remote-access support functions will be provided inhouse, contracted, or outsourced. When key personnel move, information security, loss ofcapacity and functionality and the loss of expertise will need to be considered.IntegrationIn all but the simplest remote-access processes (for example, email), organisations may needto consider interfaces to integrate remote-access clients with back-end systems behindremote-access gateways.SecurityOrganisations should select remote-access security controls based on a formal threat and riskassessment of the various architectural options. This will help to determine whether theindividual operational security requirements will be satisfied by technical or proceduralcontrols (or both).3.4 Busin
1. Role of Remote Access in Business Continuity Planning (BCP)—this section provides an overview of remote access and its interrelationship with BCP and management. 2. Remote access and BCP, issues and areas of focus—this section provides advice on identifying key business processes and personnel for a remote-access capability by taking
