Information security and business continuity increasingly commingle. Traditionally, business continuity planning focused on natural occurrences such hurricanes, H1N1, and freak ice storms. However, corporations utilizing information technology or cloud services recognize that internet threats constitute a greater danger to their current business operations than nature.

With this in mind, business continuity plans need to change to reflect this. The SANS Institute noted in its 2002 whitepaper that there were five alternative options for business continuity:

Mutual Backup Two organizations with similar system configuration agreeing to serve as a backup site to each other.

Hot Site A site with hardware, software and network installed and compatible to production site.

Remote Journaling Online transmission of transaction data to backup system periodically (normally a few hours) to minimize loss of data and reduce recovery time

Cold Site An empty facility located offsite with necessary infrastructure ready for installation in the event of a disaster.

Mirrored Site A site equips with a system identical to the production system with mirroring facility. Data is mirrored to a backup system immediately. Recovery is transparent to users.

Two of the five options, remote journaling and mirrored site, are also the most expensive but provide the shortest response time. For companies looking to use efficient business, recovery plans to maintain customer confidence, the information technology policies and processes, as well as the information gleaned from those audits, will serve a double duty.

Information security controls help mitigate the risks associated with the use of technology. When IT audits review an institution’s controls, they are effectively reviewing the knowledge that top management has regarding the information and communication technologies used within a company. John Gatto President of JAG Associates in Florida lists the following components of effective internal controls:

Information and Communication

  • Systems supporting the exchange of information
  • Forms and time frames enabling people to carry out their responsibilities
  • Regular reporting, policies and procedures, intranet sites

Control Activities

  • Ensure management directives are carried out
  • Approvals, authorizations, reconciliations, security, segregation of duties


  • Feedback on strengths and weaknesses in system of internal control.
  • Performance measurements to detect problems early
  • Effect and efficient Management reviews of internal controls

(Gatto 45)

These controls that act as standards to create effective IT policy strategies dovetail with the current trends in business continuity planning.  

What does all this mean to an organization trying to create a business continuity plan that matches its information security plan?

  1. Both require management of information and communication. As companies look to incorporate electronic remote locations into their business continuity programs, greater attention needs to be paid to the manner through which the information is exchanged. In addition, this means that business continuity planning may also incorporate ongoing reporting and review of any information technology vendors.
  2. Both require controls. Whenever a new information system is incorporated, segregation of duties, security, authorizations, and approvals are necessary. For those organizations relying on cloud services for business continuity programs, these controls and authorities may mirror the ones already in existence or may need to be expanded to other individuals. In this sense, the traditional methods of designating a backup person changes to be less about physical proximity to the backup site and more about security permissions when handling information.

Both require ongoing monitoring. Despite signing contracts with remote business continuity services, things change. This means that even though the ongoing monitoring may not be about internal controls, the organization needs to review the manner through which the vendor controls its systems and how it detects weaknesses proactively.