Contingency Planning: How Do You Plan for Failures?

Despite an organization's best efforts to prevent downtime and avoid compromises, failures will still happen from time to time.

“I am convinced that there are only two types of companies: those that have been hacked, and those that will be,” said Robert Mueller, former FBI Director, in a statement. “Even that is merging into one category: those that have been hacked and will be again.”

So, what is your organization doing about it? How do you plan for failures and security breaches?

Business Impact Analysis

While many organizations have evaluated risk in efforts to establish their initial security stance as defined by their organizational security policy, few have taken the advanced step of performing risk assessment on a business process basis.

The concept of business impact analysis is the application of quantitative and qualitative risk analysis on business processes rather than individual assets. The goal is to understand which processes are mission-critical, important, necessary, or desired/optional as well as each process's dependencies and requirements.

Once understood, the findings of business impact analysis can lead an organization into proper business continuity and disaster recovery planning.

Communication Plan

Communication is an essential part of a successful business. It is critical to communicate within the organization and with external entities effectively. A communication plan helps clarify lines and methods of communication. It establishes a classification or valuation criteria for all data items and information sources.

It clarifies where information can be freely exchanged as well as defines the limitations, restrictions, and boundaries to protect information when it cannot be freely exchanged (such as PII (personally identifiable information), PHI (protected health information), IP (intellectual property), trade secrets, or other forms of private or proprietary information). A communication plan also focuses on the public relations of an organization and establishes a "face" or image when communicating with the public.

Continuity of Operations Plan

A COOP (continuity of operation plan) is an integrated policy designed to protect the organization from slipping into a disaster in the event of a minor or modest compromise or failure occurs. The COOP addresses two primary issues:

• First, it focuses on the means to restore normalcy when business operations are under threat. While the organization is operating on limited capacity, on reduced capabilities, or within restricted resources, the COOP strives to prevent a full interruption while working to resolve problems and return to normal, stable, full capacity. This aspect of the COOP is often referred to as the business continuity plan (BCP).
• Second, the COOP implements additional protections and preventative measures to prevent such forms of near-disaster issues from actually affecting the business in the first place. With a properly maintained COOP, organizations can avoid many instances of loss or reduced productivity while being able to efficiently restore full operations in the event an incident still occurs.

Disaster Recovery Plan

A disaster is the complete interruption of any mission-critical business task. Once a mission-critical task is offline, the life of the organization is at stake. Without swift recovery to at least partial operations, a disaster could mean the business must close its doors permanently.

A disaster recovery plan (DRP) typically includes the preparation of an alternate operations site. An alternate operations site could be a duplicate of the primary, use of multiple locations instead of a single location, use of cloud services, or many other options.

The idea is to provide a means to perform mission-critical business tasks while the primary site is repaired. There are many essential elements in a functional disaster recovery plan including backup and recovery, hardware replacements, facility management, personnel management, training, drill and simulation, plan maintenance, and others.

Related Concerns

The core cybersecurity competencies of asset protection, threat management, access control, incident management, configuration management, and contingency planning address all of the essential concerns to an organization when designing and developing a security stance.

However, there are a few other important related concerns you should include in your overall assessment and preparedness plans:

Security Awareness

Security awareness is a business operations issue and a training issue. It is the goal of a business to have all of its members work toward a common and consistent goal — namely efficient and productive operations toward providing competent products and services. To accomplish that goal, workers, managers, administrators, and even C-level executives all need security training specific to their job tasks and work requirements.

Security awareness and training should begin with foundational ideas that are common and static across the organization, such as don't share passwords, if you unlock a door you should close and re-lock it, and report any suspicious event or behavior. Once awareness is established, job-specific training can build upon that foundation to enable everyone to perform their work tasks with greater efficiency and skill within the boundaries of security..

Certification & Accreditation

Whether you are a government agency, a military division, a government/military contractor, a financial institution, a medical organization, or a retail outlet, just about every organization has laws, regulations, and/or contractual obligations to fulfill. Compliance failure is often grounds for loss of approval to operate, loss of contract and funding, legal actions, and/or fines. Regular periodic self and third-party compliance verifications or audits help to make sure that your organization is not only secured in terms of general best business practices, but also focused on real cybersecurity threats, and are in compliance with known requirements based on your industry or affiliation.

This process often starts with self-analysis to assess the level of compliance or lack thereof to a security policy, framework, standard, or regulation. Once you have addressed all known gaps or failures in your compliance, you can seek verification performed by a designated and approved appraiser or auditor (internal or external/third party).

As the number of laws, regulations, and contractual obligations to which your organization must align increases, a solid understanding of the requirements as well as the assessment processes is even more of an essential business skill necessary to stay in compliance and operation.

Take Action

Now that you know more about contingency planning you should recognize that this is just a starting point of obtaining security knowledge. There are many other important security concerns that you need to be aware of. Because only with knowledge can you make a change for the better. Everyone has security responsibilities, both for themselves and for their employer. That responsibility starts with knowing more and seeking out the means to gain more knowledge.

One source of additional knowledge is the educational materials made available from Global Knowledge. Global Knowledge offers a wealth of online resources such as this white paper and other online materials. Global Knowledge is also a world leader in training, both live and on-demand courses.

Related Courses

• CISSP Certification Prep Course
• Security+ Certification Prep Course
• Certified Network Defender (CND) Certification Prep Course
• CEH Certification Prep Course
• CHFI Certification Prep Course
• CySA+ Certification Prep Course
• CASP+ Certification Prep Course
• PenTest+ Certification Prep Course
• CISM Certification Prep Course