In spite of an organization’s best efforts to prevent downtime and avoid compromises, failures will still happen from time to time. Former FBI Director Robert Mueller said, “There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again.” So, what is your organization doing about it? How do you plan for failures and security breaches?
Business Impact Analysis
Many organizations have considered risk when establishing their initial security stance as defined by their organizational security policy. However, few have taken the further step of performing risk assessment on a business-process basis. Business impact analysis (BIA) is the application of quantitative and qualitative risk analysis to business processes rather than to individual assets. The goal is to understand which processes are mission critical, important, necessary, or desired/optional, along with each process’s dependencies and requirements, such as how long it can remain offline and which systems, data, and people it needs in order to run. Once these are understood, the findings of the BIA lead an organization into proper business continuity and disaster recovery planning.
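One part of a BIA that is easy to get wrong is the dependency analysis: a supporting process that its owner rates as “optional” may in fact be needed by a mission-critical process, and it then has to be recovered at least as fast as that process. The following is an added example, not from the original text, that applies that rule to a constructed process inventory (the process names, tiers, and recovery time objectives are made up for illustration). It propagates the strongest tier and shortest RTO of every dependent down to the processes it relies on, rejects circular dependencies, and reports where the declared values are weaker than what the dependents actually require.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Tiers from the BIA, most critical first (lower rank = more critical).
TIER_RANK = {"mission_critical": 0, "important": 1, "necessary": 2, "optional": 3}


@dataclass
class Process:
    name: str
    tier: str                     # tier declared by the process owner
    rto_hours: float              # recovery time objective declared by the owner
    depends_on: List[str] = field(default_factory=list)  # supporting processes


def _check_graph(by_name: Dict[str, Process]) -> None:
    """Reject unknown references and circular dependencies (DFS colouring)."""
    for p in by_name.values():
        for d in p.depends_on:
            if d not in by_name:
                raise ValueError(f"{p.name} depends on unknown process {d!r}")
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {n: WHITE for n in by_name}

    def visit(n: str) -> None:
        color[n] = GRAY
        for d in by_name[n].depends_on:
            if color[d] == GRAY:
                raise ValueError(f"circular dependency between {n} and {d}")
            if color[d] == WHITE:
                visit(d)
        color[n] = BLACK

    for n in by_name:
        if color[n] == WHITE:
            visit(n)


def effective_requirements(processes: List[Process]) -> Tuple[Dict[str, str], Dict[str, float]]:
    """Return (effective tier, effective RTO) per process.

    Rule applied (an assumption of this example, common BIA practice): a
    supporting process inherits the most critical tier and the shortest RTO
    of anything that depends on it, because a process cannot be recovered
    before the things it needs are back. Iterates to a fixpoint.
    """
    by_name = {p.name: p for p in processes}
    _check_graph(by_name)
    tier = {p.name: p.tier for p in processes}
    rto = {p.name: p.rto_hours for p in processes}
    changed = True
    while changed:
        changed = False
        for p in processes:
            for d in p.depends_on:
                if TIER_RANK[tier[p.name]] < TIER_RANK[tier[d]]:
                    tier[d] = tier[p.name]
                    changed = True
                if rto[p.name] < rto[d]:
                    rto[d] = rto[p.name]
                    changed = True
    return tier, rto


def find_gaps(processes: List[Process]) -> List[Tuple[str, str, str, float, float]]:
    """Processes whose declared tier or RTO is weaker than their effective one:
    (name, declared tier, effective tier, declared RTO, effective RTO)."""
    tier, rto = effective_requirements(processes)
    gaps = []
    for p in processes:
        if TIER_RANK[p.tier] > TIER_RANK[tier[p.name]] or p.rto_hours > rto[p.name]:
            gaps.append((p.name, p.tier, tier[p.name], p.rto_hours, rto[p.name]))
    return gaps


# Constructed sample inventory: the identity provider is rated "optional" by its
# owner, yet order fulfillment (mission critical, 4 h RTO) cannot run without it.
SAMPLE = [
    Process("order_fulfillment", "mission_critical", 4, ["inventory_db", "identity_provider"]),
    Process("payroll", "important", 72, ["identity_provider", "hr_system"]),
    Process("inventory_db", "necessary", 24),
    Process("identity_provider", "optional", 48),
    Process("hr_system", "necessary", 72),
    Process("reporting", "optional", 168, ["inventory_db"]),
]

if __name__ == "__main__":
    for name, declared, effective, declared_rto, effective_rto in find_gaps(SAMPLE):
        print(f"{name}: declared {declared}/{declared_rto}h, "
              f"required by dependents {effective}/{effective_rto}h")
```

Run as a script it lists the three under-rated supporting processes; the identity provider and the inventory database both come out as mission critical with a 4-hour RTO, and the HR system is pulled up to "important". The gap list is what you would take back to the process owners before building continuity and recovery plans around the declared values.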
Communication Plan
Communication is an essential part of running a successful business. It is critical to communicate effectively within the organization and with external entities. A communication plan helps clarify lines and methods of communication. It establishes classification or valuation criteria for all data items and information sources. It clarifies where information can be freely exchanged, and it defines the limitations, restrictions, and boundaries that protect information that cannot be freely exchanged, such as personally identifiable information (PII), intellectual property (IP), trade secrets, or other forms of private or proprietary information. A communication plan also focuses the public relations of an organization and establishes a “face” or image for communicating with the public.
Continuity of Operations Plan
A continuity of operations plan (COOP) is an integrated policy designed to keep a minor or moderate compromise or failure from escalating into a disaster. The COOP addresses two primary issues:
- It focuses on the means to restore normal operations when business operations are under threat. While the organization is running at limited capacity, with reduced capabilities, or with restricted resources, the COOP strives to prevent a full interruption while problems are resolved and the business returns to normal, stable, full capacity. This aspect of the COOP is often referred to as the business continuity plan.
- It implements additional protections and preventive measures so that such near-disaster issues do not affect the business in the first place. With a properly maintained COOP, an organization can avoid many instances of loss or reduced productivity and can efficiently restore full operations if an incident still occurs.
Disaster Recovery Plan
A disaster is the full and complete interruption of any mission-critical business task. Once a mission-critical task is offline, the life of the organization is at stake. Without swift recovery to at least partial operations, a disaster could mean the business must close its doors permanently. Disaster recovery typically includes preparation of an alternate operations site, which could be a duplicate of the primary site, the use of multiple locations instead of a single one, the use of cloud services, or many other options. The idea is to provide a means to perform mission-critical business tasks while the primary site is repaired. A functional disaster recovery plan has many essential elements, including backup and recovery, hardware replacement, facility management, personnel management, training, drills and simulations, and plan maintenance.
The six cybersecurity competencies of asset protection, threat management, access control, incident management, configuration management, and contingency planning address all of the core concerns of an organization when designing and developing a security stance. However, there are a few other important related concerns you should include in your overall assessment and preparedness plans:
- Security Awareness
- Certification and Accreditation
Security Awareness
Having a plan is helpful, but the plan can only succeed when your employees know it and understand their responsibilities under it. Security awareness is both a business operations issue and a training issue. The goal of a business is to have all of its members working toward a common and consistent aim: efficient and productive operations that deliver quality products and services. To accomplish that goal, workers, managers, administrators, and even C-level executives all need security training specific to their job tasks and work requirements. Security awareness and training should begin with foundational rules that are common and stable across the organization, such as:
- Don’t share passwords
- If you unlock a door, you should close and relock it
- Report any suspicious event or behavior
Once awareness is established, job-specific training can build upon that foundation to enable everyone to perform their work tasks with greater efficiency and skill within the boundaries of security.
Certification and Accreditation
Whether it is a government agency, a military division, a government/military contractor, a financial institution, a medical organization, or a retail outlet, just about every organization has laws, regulations, and/or contractual obligations to fulfill. Compliance failure is often grounds for loss of approval to operate, loss of contracts and funding, legal action, and/or fines. Certification and accreditation help to ensure that your organization is not only secured in terms of general best business practices, but also focused on real cybersecurity threats and in compliance with the known requirements of your industry or affiliation. The certification process often starts with a self-assessment to determine the current level of compliance, or lack thereof.
Once you have addressed all known gaps or failures in your compliance, you can seek certification performed by a designated and approved assessor (internal or external/third party). Certification is the technical evaluation of the controls against the applicable requirements; accreditation is the formal, signed acceptance by management of the certified system and of whatever residual risk remains, which is what authorizes it to operate. As the number of laws, regulations, and contractual obligations to which your organization must align increases, a solid understanding of the requirements and of the assessment processes becomes more essential to staying in compliance and in operation.