Wednesday, June 6, 2012
Business Owner vs Business IT vs IT Supplier - disaster recovery fun#2
A few weeks ago, I shared a story about the impact of not having disaster recovery, and I mentioned that there would be a sequel to it. So, here it goes... the saga shall continue...
Business Owner guy: <* Addressing VIP business users *> It is very unfortunate that we were badly hit by the quake. As it was an act of God, we have to accept the losses, etc. etc. Nevertheless, we have come up with a great disaster recovery plan to ensure business continuity in the event of a disaster. This time, we WILL be ready to face it!
Information Security lad: <* This guy is surely a great politician... I wonder how he saved his ass, survived and resurrected from that gigantic mess... Last I heard, he even got a promotion. *>
5 months later...
Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?
Tuesday, May 29, 2012
Business Owner vs Business IT vs IT Supplier - disaster recovery fun#1
This is another classic story that may raise a smile for some security pros out there....
Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?
Business IT bloke: The whole IT Supplier's data center is currently down. It has something to do with the earthquake that happened 10 minutes ago. Seems like the data center was badly hit by the quake. I managed to get hold of the service manager and he has arranged an emergency meeting in 15 minutes to update us on the situation.
After 15 minutes, in the emergency meeting...
Business Owner guy: IT Supplier chap, I understand you have a lot to deal with right now, but my application is business critical. When can you get it up again? I'm losing like 10K per minute here!
Tuesday, May 22, 2012
Business IT vs IT Supplier Fun#2 - setting data classification
Last month, I wrote a story about BIT vs ITS on who should be the one setting the security requirements... well, as you may have guessed, the saga shall continue. This time, it's about data classification.
Today's headline in the Storybrooke Post: XYZ Company fined 100Mil by Storybrooke State for non-compliance with Data Security Act 1337
Business IT bloke: What the heck is this? <* smashing the paper on the table *> After our last meeting, we gave you all the security requirements for our system. How come we are still non-compliant with that Data Security Act? I believe we have a breach of contract here!
IT Supplier chap: I don't think so. We have carried out and protected your data in accordance with your security requirements. The recent audit report carried out by the XYZ Group Internal Audit department confirms that. <* showing the report to BIT bloke *>
Tuesday, April 10, 2012
Business IT vs IT Supplier Fun#1 - who should set security expectations?
[Image: IT Demand vs IT Supply]
Business IT bloke: Security? I thought you, as our IT Supplier, were supposed to provide all these security protections by default. I paid you guys lots of money!
IT Supplier chap: Security? We only provide the basic one. That project manager of yours didn't tell us he wanted more. Furthermore, it's not in the SLA. So, we are not obliged to do so.
Information Security lad: <*smirking....and having fun inside*>
Déjà vu, right? I'm sure many of you, as a CISO, Information Security Manager, Consultant or Professional, have had the luxury of witnessing this kind of argument within your organization, especially when you work for a conglomerate that adopts the IT Demand and IT Supply model (yeah... McKinsey's stuff).
Now, as a seasoned Information Security Professional, what would be your advice? What would be the best practice? (Don't we infosec guys all like to quote best practice?)