In spite of an organization's best efforts to prevent downtime and avoid compromises, failures will still happen from time to time. "There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again" (FBI Director Robert Mueller). So what is your organization doing about it? How do you plan for failures and security breaches?
- Business Impact Analysis
- Communication Plan
- Continuity of Operations Plan
- Disaster Recovery Plan
Business Impact Analysis
While many organizations have considered risk when establishing the initial security stance defined by their organizational security policy, few have taken the further step of performing risk assessment on a business-process basis. Business impact analysis applies quantitative and qualitative risk analysis to business processes rather than to individual assets. The goal is to understand which processes are mission critical, important, necessary, or desired/optional, as well as each process's dependencies and requirements. Once these are understood, the findings of the business impact analysis can guide an organization into proper business continuity and disaster recovery planning.
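The dependency point above is where a BIA most often goes wrong in practice: a process declared "optional" by its owner may be a dependency of a mission-critical process, and then it is mission critical too. The following added example (not code from the page) models the four criticality tiers named above, propagates criticality down the dependency graph to a fixed point, and derives a recovery order in which dependencies are restored before the processes that need them, most critical first. The process inventory is constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Criticality tiers named in the text, most critical first.
TIERS = ["mission critical", "important", "necessary", "optional"]
RANK = {tier: i for i, tier in enumerate(TIERS)}


@dataclass
class Process:
    name: str
    declared_tier: str                      # tier the process owner assigned in the BIA
    depends_on: List[str] = field(default_factory=list)


def effective_tiers(processes: List[Process]) -> Dict[str, str]:
    """Each process inherits the highest tier of anything that (transitively)
    depends on it: a dependency of a mission-critical process is itself
    mission critical, whatever its owner declared."""
    by_name = {p.name: p for p in processes}
    tier = {p.name: p.declared_tier for p in processes}
    for p in processes:
        if p.declared_tier not in RANK:
            raise ValueError(f"{p.name}: unknown tier {p.declared_tier!r}")
        for dep in p.depends_on:
            if dep not in by_name:
                raise KeyError(f"{p.name} depends on undefined process {dep!r}")
    changed = True
    while changed:                          # propagate until nothing moves
        changed = False
        for p in processes:
            for dep in p.depends_on:
                if RANK[tier[p.name]] < RANK[tier[dep]]:
                    tier[dep] = tier[p.name]
                    changed = True
    return tier


def recovery_order(processes: List[Process]) -> List[str]:
    """Restore a process only after its dependencies; among the ready ones,
    restore the most critical first (Kahn's algorithm with a priority pick).
    Raises ValueError on a dependency cycle, which a BIA must surface."""
    tier = effective_tiers(processes)
    pending = {p.name: set(p.depends_on) for p in processes}
    order: List[str] = []
    while pending:
        ready = [n for n, deps in pending.items() if not deps]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(pending)}")
        nxt = min(ready, key=lambda n: (RANK[tier[n]], n))
        order.append(nxt)
        del pending[nxt]
        for deps in pending.values():
            deps.discard(nxt)
    return order


# Constructed sample inventory (hypothetical names, not from the page).
SAMPLE = [
    Process("order-processing", "mission critical", ["payment-gateway", "customer-db"]),
    Process("payment-gateway", "important", ["identity-service"]),
    Process("customer-db", "important"),
    Process("identity-service", "optional"),
    Process("marketing-analytics", "optional", ["customer-db"]),
]

if __name__ == "__main__":
    for name, t in effective_tiers(SAMPLE).items():
        print(f"{name:20s} declared -> effective: {t}")
    print("recovery order:", recovery_order(SAMPLE))
```

In the sample, `identity-service` is declared optional but sits two hops beneath `order-processing`, so it becomes mission critical and is restored before the payment gateway; `marketing-analytics` stays optional and is restored last.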
Communication Plan
Communication is an essential part of a successful business. It is critical to communicate effectively within the organization and with external entities. A communication plan helps clarify lines and methods of communication. It establishes classification or valuation criteria for all data items and information sources. It clarifies where information can be freely exchanged and defines the limitations, restrictions, and boundaries that protect information when it cannot be freely exchanged, such as PII (personally identifiable information), IP (intellectual property), trade secrets, or other forms of private or proprietary information. A communication plan also focuses the public relations of an organization and establishes a "face" or image for communicating with the public.
Continuity of Operations Plan
A COOP (continuity of operations plan) is an integrated policy designed to keep the organization from slipping into a disaster when a minor or modest compromise or failure occurs. The COOP addresses two primary issues.
- First, it focuses on the means to restore normalcy when business operations are under threat. While the organization is operating on limited capacity, on reduced capabilities, or within restricted resources, the COOP strives to prevent a full interruption while working to resolve problems and return to normal, stable, full capacity. This aspect of the COOP is often referred to as the business continuity plan.
- Second, the COOP implements additional protections and preventative measures to keep such near-disaster issues from affecting the business in the first place. With a properly maintained COOP, organizations can avoid many instances of loss or reduced productivity while still being able to restore full operations efficiently if an incident does occur.
Disaster Recovery Plan
A disaster is the full and complete interruption of any mission critical business task. Once a mission critical task is offline, the life of the organization is at stake. Without swift recovery to at least partial operations, a disaster could mean the business must close its doors permanently. Disaster recovery typically includes preparation of an alternate operations site. An alternate operations site could be a duplicate of the primary site, the use of multiple locations instead of a single one, the use of cloud services, or many other options. The idea is to provide a means to perform mission critical business tasks while the primary site is repaired. A functional disaster recovery plan has many essential elements, including backup and recovery, hardware replacement, facility management, personnel management, training, drills and simulations, and plan maintenance.
The six cybersecurity competencies of asset protection, threat management, access control, incident management, configuration management, and contingency planning address all of the core concerns to an organization when designing and developing a security stance. However, there are a few other important related concerns you should include in your overall assessment and preparedness plans:
- Security Awareness
- Certification & Accreditation
Security Awareness
Having a plan is helpful, but the plan can only succeed when your employees know it and understand their responsibilities. Security awareness is both a business operations issue and a training issue. The goal of a business is to have all of its members work toward a common and consistent goal: efficient and productive operations that deliver competent products and services. To accomplish that goal, workers, managers, administrators, and even C-level executives all need security training specific to their job tasks and work requirements. Security awareness and training should begin with foundational ideas that are common and static across the organization, such as never sharing passwords, closing and re-locking any door you unlock, and reporting any suspicious event or behavior. Once awareness is established, job-specific training can build upon that foundation to enable everyone to perform their work tasks with greater efficiency and skill within the boundaries of security.
Certification & Accreditation
Whether you are a government agency, a military division, a government/military contractor, a financial institution, a medical organization, or a retail outlet, just about every organization has laws, regulations, and/or contractual obligations to fulfill. Compliance failure is often grounds for loss of approval to operate, loss of contracts and funding, legal action, and/or fines. Certification and accreditation help ensure that your organization is not only secured in terms of general best business practices, but also focused on real cybersecurity threats and in compliance with the known requirements of your industry or affiliation. The certification process often starts with a self-assessment to gauge the level of compliance or lack thereof. Once you have addressed all known gaps or failures in your compliance, you can seek certification performed by a designated and approved appraiser (internal or external/third party). Once certification is achieved, accreditation is the formal signed acceptance by management. As the number of laws, regulations, and contractual obligations to which your organization must align increases, a solid understanding of the requirements and of the assessment processes becomes an even more essential business skill for staying in compliance and in operation.