BreachExchange mailing list archives

Dodging disaster: Cybersecurity and business continuity


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 May 2014 18:26:55 -0600

http://www.utsandiego.com/sponsored/2014/may/04/disasters-business-continuity-cybersecurity/

You know your company runs on data, and you’ve installed firewalls and
antivirus to protect your systems, but could your business keep going if
the power went out? Or your Internet connection went down for a day? Or
your office was inaccessible due to flooding or if some other disruptive
incident occurred? For many organizations the honest answer is: That would
depend on the exact nature of the “incident” and how long it lasted.

Some companies do go out of business when they are hit with a disaster for
which they have not adequately prepared, which is unfortunate because the
path to preparedness is well-documented. Any company of any size can
improve its chances of coming through a disruptive event in one piece, with
its brand intact and its revenue undiminished, by following some tried and
trusted strategies collectively known as Business Continuity Management
(BCM). We’ve outlined the four main steps here and provided a link to more
resources on the web, including templates for a Business Continuity Plan.

What is business continuity?

Business continuity is the ability of an organization to continue to deliver
its products and services at acceptable, predefined levels after a disruptive
incident has occurred.

Identify and rank the threats

• List potentially disruptive incidents that are most likely to threaten
your business. For example, here in San Diego there is a relatively high
level of earthquake and wildfire awareness. But what about a data breach or
IT outage? What if a toxic chemical spill puts your premises off limits for
several days?

• A good technique at this stage is to include people from all departments
in a brainstorming session. The goal is a list of scenarios ranked by
probability of occurrence and potential for negative impact.

Perform a business impact analysis

You need to figure out which parts of your business are most critical to
its survival.

• Begin by detailing the functions, processes, personnel, places and
systems that are critical to the functioning of your organization. The BCM
project leader can do this by interviewing employees in each department and
laying the results out in a table that lists functions and key person(s)
and alternate person(s).

• You then determine the number of Survival Days for each function. How
long can your business endure without that function causing serious impact?

• Next you rank the impact of that function not being available. For
example, disaster recovery expert Michael Miora suggests using a scale of 1
to 4, where 1 = critical operational impact or fiscal loss, and 4 = no
short term impacts.

• If you then multiply Impact x Survival Days, the product tells you which
functions are most critical. On this scale a lower product means a more
urgent function: the top of the table will be functions with major impact (1)
and just one survival day.
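As an added illustration of the ranking step (this is example code written for this archive, not part of the article or Michael Miora's material), the following script builds the function table from the business impact analysis, applies the 1-to-4 impact scale exactly as described, multiplies by Survival Days, and sorts so the most critical functions come first. The function names, people and numbers are constructed sample data; the tie-break order (fewer survival days first, then name) and the threshold helper are assumptions added for reproducibility.

```python
# Added example (not from the article): ranking business functions by the
# Impact x Survival Days score. Scale follows the text: impact 1 = critical
# operational impact or fiscal loss, 4 = no short-term impact; survival days
# = how long the business can endure without the function. A lower product
# therefore means a more critical function, so the table sorts ascending.
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    key_person: str
    alternate: str
    impact: int          # 1 (critical) .. 4 (no short-term impact)
    survival_days: int   # whole days the business can endure without it

    def score(self) -> int:
        """Impact x Survival Days, validating both inputs first."""
        if not 1 <= self.impact <= 4:
            raise ValueError(f"{self.name}: impact must be 1..4, got {self.impact}")
        if self.survival_days < 1:
            raise ValueError(f"{self.name}: survival days must be >= 1")
        return self.impact * self.survival_days


def rank_functions(functions):
    """Return the functions ordered most critical first.

    Primary key is the Impact x Survival Days product (lower = more critical).
    Ties are broken by fewer survival days, then by name, so the order is
    stable across runs (tie-break rule is an assumption, not from the text).
    """
    return sorted(functions, key=lambda f: (f.score(), f.survival_days, f.name))


def critical_functions(functions, max_score):
    """Subset whose score is at or below a threshold the BCM lead chooses."""
    return [f for f in rank_functions(functions) if f.score() <= max_score]


# Constructed sample inventory of the kind the BCM project leader would build
# from department interviews. Names and numbers are illustrative only.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Order processing", "A. Lee", "B. Ortiz", impact=1, survival_days=1),
    BusinessFunction("Payroll", "C. Park", "D. Singh", impact=2, survival_days=7),
    BusinessFunction("Customer support line", "E. Ruiz", "F. Chen", impact=2, survival_days=2),
    BusinessFunction("Marketing newsletter", "G. Ahmed", "H. Kim", impact=4, survival_days=14),
    BusinessFunction("Internal wiki", "I. Novak", "J. Dube", impact=3, survival_days=5),
]


def format_table(functions):
    """Plain-text BIA table, one row per function, most critical first."""
    rows = ["Function | Key person | Alternate | Impact | Survival days | Score"]
    for f in rank_functions(functions):
        rows.append(
            f"{f.name} | {f.key_person} | {f.alternate} | "
            f"{f.impact} | {f.survival_days} | {f.score()}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_table(SAMPLE_FUNCTIONS))
```

With the sample data, "Order processing" (1 x 1 = 1) heads the table and "Marketing newsletter" (4 x 14 = 56) sits at the bottom; the threshold helper lets you pull out just the functions the recovery sequence must restore first.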

Create the response and recovery plan

This is where you catalog key data about the assets involved in performing
critical functions, including IT systems, personnel, facilities, suppliers,
and customers.

• Catalog equipment serial numbers, licensing agreements, leases,
warranties, contact details.

• You will need to determine “who to call” for each category of incident
and create a calling tree so the right calls get made, in the right order.

• You also need a “who can say what” list to control interaction with the
media during an incident.

• Any arrangements you have in place for transitioning to temporary
locations and IT facilities should be documented.

• Don’t forget to document an “all-hands” notification process and a
customer advisory procedure.

• The steps to recover key operations should be laid out in a sequence that
accounts for functional inter-dependencies.

• When the plan is ready, make sure you train managers and their reports on
the details relevant to each department and the importance of the plan to
surviving an incident.

Test the plan and refine the analysis

• Test your plan at least once a year, with exercises, walk-throughs, or
simulations.

• If the task seems too daunting to undertake on a company-wide basis,
consider beginning with a few departments, or with one office if you have
several.

• Apply what you learn more broadly across the company as you progress
through the tests.

• Avoid thinking bad things won’t happen, because they do. But being
prepared with a plan is a step in the right direction.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
