BreachExchange mailing list archives
Dodging disaster: Cybersecurity and business continuity
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 May 2014 18:26:55 -0600
http://www.utsandiego.com/sponsored/2014/may/04/disasters-business-continuity-cybersecurity/

You know your company runs on data, and you’ve installed firewalls and antivirus to protect your systems, but could your business keep going if the power went out? Or your Internet connection went down for a day? Or your office was inaccessible due to flooding or some other disruptive incident? For many organizations the honest answer is: that would depend on the exact nature of the “incident” and how long it lasted.

Some companies do go out of business when they are hit with a disaster for which they have not adequately prepared, which is unfortunate because the path to preparedness is well documented. Any company of any size can improve its chances of coming through a disruptive event in one piece, with its brand intact and its revenue undiminished, by following some tried and trusted strategies collectively known as Business Continuity Management (BCM). We’ve outlined the four main steps here and provided a link to more resources on the web, including templates for a Business Continuity Plan.

What is business continuity?

Business continuity is the ability of an organization to continue to deliver its products and services at acceptable predefined levels after disruptive incidents have occurred.

Identify and rank the threats

• List the potentially disruptive incidents that are most likely to threaten your business. For example, here in San Diego there is a relatively high level of earthquake and wildfire awareness. But what about a data breach or IT outage? What if a toxic chemical spill puts your premises off limits for several days?
• A good technique at this stage is to include people from all departments in a brainstorming session. The goal is a list of scenarios ranked by probability of occurrence and potential for negative impact.

Perform a business impact analysis

You need to figure out which parts of your business are most critical to its survival.

• Begin by detailing the functions, processes, personnel, places and systems that are critical to the functioning of your organization. The BCM project leader can do this by interviewing employees in each department and laying the results out in a table that lists each function with its key person(s) and alternate person(s).
• You then determine the number of Survival Days for each function: how long can your business endure without that function before the impact becomes serious?
• Next you rank the impact of that function not being available. For example, disaster recovery expert Michael Miora suggests using a scale of 1 to 4, where 1 = critical operational impact or fiscal loss and 4 = no short-term impact.
• If you then multiply Impact x Survival Days you can see which functions are most critical. Because 1 is the most severe rating on this scale, the lowest products are the most critical: the top of the table will be functions with major impact and just one survival day.

Create the response and recovery plan

This is where you catalog key data about the assets involved in performing critical functions, including IT systems, personnel, facilities, suppliers, and customers.

• Catalog equipment serial numbers, licensing agreements, leases, warranties, and contact details.
• Determine “who to call” for each category of incident and create a calling tree so the right calls get made, in the right order.
• You also need a “who can say what” list to control interaction with the media during an incident.
• Any arrangements you have in place for transitioning to temporary locations and IT facilities should be documented.
• Don’t forget to document an “all-hands” notification process and a customer advisory procedure.
• The steps to recover key operations should be laid out in a sequence that accounts for functional inter-dependencies.
• When the plan is ready, make sure you train managers and their reports on the details relevant to each department and on the importance of the plan to surviving an incident.

Test the plan and refine the analysis

• Test your plan at least once a year, with exercises, walk-throughs, or simulations.
• If the task seems too daunting to undertake on a company-wide basis, consider beginning with a few departments, or with one office if you have several.
• Apply what you learn more broadly across your company as you progress through the tests.
• Avoid thinking bad things won’t happen, because they do. Being prepared with a plan is a step in the right direction.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/