Business Continuity Planning : Be Prepared for the Unexpected!.

By


Image : wallstreetmojo

What happens when a  major data breach occurs? or a data center network switch failed? How will you act when a ransomware attacked your ERP server? What will you do if your system administrator suffered a heart attack? They are everyday potential disasters. Have you ever planned to face such disasters?

Practically, all risks associated with a business function cannot be totally eliminated. Despite every efforts, the residual risks can always remain, and incidents might still occur.

Unavoidable situations or unexpected threats and vulnerabilities may bypass  your security controls to effect confidentiality, integrity or availability of your information assets.  


Business Continuity Plan (BCP) objective is to restore business operations while recovering from a significant disruption after an incident. Business continuity policy defines what the top management wants to achieve with business continuity. ISO 22301 requires Business continuity policy to be compatible with the strategic direction of the organization.

BCP is contingency planning aims to prepare for major incidents and disasters by making plans, assigning responsibilities and allocating resources resources to minimize the adverse consequences and recover fast to the normal state.


BCP aimed to keep important business processes running. It directs making supporting information systems operational and available to business  functions. The measures may involve recovery from backups, redundancy with automated fail over, ensure off-site operations, having alternative suppliers,  fallback equipment and networks etc. BCP require IT infrastructure and processes in operation despite disasters to recover and resumption of critical business functions.This may include planning for office relocation, manual processing, online working, third party arrangements etc.  The process of Disaster Recovery may  involve manual restoring of data, use of standby equipment, alternative  communications facilities etc. 


Incident Respinse, Disaster Recovery, and Crisis Management

are key processes in BCP. Incident Response (IR) evaluates events and responds to  information security incidents.  It's a continues process dealing with  minor incidents to update systems and controls to improve resilience. 


Disaster Recovery is a plan to recover affected functions. Disaster Recovery Plan (DRP) is activated anytime as a result of an incident. 

ISO 27001 Annex A.17.1 provides controls  for information security continuity. It’s an important part of your  ISMS) for ISO 27001 certification. 


Crisis Management (CM) is mainly related to health and safety issues. CM include preliminary assessment of the situation and liaison with emergency services. 

Establishing of Information Security Continuity, require documenting and maintaining relevant processes, procedures, physical, administrative and physical controls to mitigate  a disruptive situation. The documentation should include BC activities and owners, their responsibilities, timescales, mitigating measures, communications strategy, resources including a management structure with authority to manage the BC to make business return to normality.


Each individual organization must determine how often to test its BCP, but it should be tested at predefined intervals as well as when significant changes happen within the business environment. Regular internal audits must verify the information security continuity controls in order to test and ensure that they are effective during incidents.  During ISO 27001 accreditation process an auditor will seek evidence of plans and results of periodic testing of BC controls.


Components of a BCP

  • Members from all business units involved 
  • The technology must align with the business needs
  • Contact numbers of all BCP team members
  • Contact numbers of all backup members
  • Immediate response procedures and checklists
  • Notification systems and call trees
  • Guidelines for management
  • Designation of authority to enact the plan
  • Contacts of supply chain
  • Redbook - a printed manual stored outside 

Business Continuity Checklist

  • Alert Top Management for Approval 
  • Activate the business continuity plan.
  • Communication is priority 
  • Communicate with critical contacts
  • Communicate with supply chain
  • Execute BC procedures
  • Ensure accounting of all systems and processes
Niranjan Meegammana

Comments

Post a Comment

Popular posts from this blog

The 7 Layers of Cyber Security : Attacks on OSI model

By
Image
Source : wallarm The OSI network  communications model is made of  7 layers. Each layer  handles a specific process to enable reliable communication between two or more devices. When the Internet was designed, its focus was on ensuring of reliable communications. The challenges of communication security emerged later.  These 7 layers act like a chain of links. If one lnk breaks, the whole chain of communication breaks. Hence security threat can happen at any of the 7 layers.  These layers are named as Application, Presentation, Session, Transport, Network, Data link and Physical layer. The application layer is your email application, physical layer is your communication cable, and everything else is in between help you communicate. In abstract the application layer provides user interface, while presentation layer handle formating, encoding and encryption. The session layer manages connections. The transport layer handles segmentation, sequencing, and establishing virtual circuits. The
Read more

Best Practices for secure Software Development

By
Image
image : OpenSense Labs Are you aware of the  Solarwinds attack in 2020? The hackers exploited software vulnerabilities of Orion IT monitoring and management software used by thousands of enterprises and government agencies. This hack triggered a larger scale supply chain incident which affected thousands of organizations, including the U.S. government. The attackers infliltrated the Solarwinds network, and infected the software used for Network monitoring before it shipped to customers.This insident and many more warn us on the importance of building secure software.  Secure software development is a methodology used for creating robust software by incorporating security practices into every stage of the software development life cycle (SDLC). It begins at planning stage before a single line of code is written, and continue through the life cycle. A bug fixing at implementation stage cost six times than fixing it during design stage. Every new feature added, may carry series of vulnera
Read more

ISO 27001 ISMS in a Nutshell

By
Image
Image : ISO The ISO 27001 certification is the most comprehensive  information security standard recognized globally. It ensures standardizing of your organisation's information security strategies to ensure confidentiality, integrity and availability of your systems and data to conduct your business effectively.  Gaining the certification is a journey with several milestones. It is a carefully planned systematic activity that transforms an organisation to a secure entity,  where everyone becomes a stakeholder in information security. Follow this processes to get to your goal successfully. Step 1. Obtain Management Support . This is the most critical requirement to achieve ISO 27001 status. Your ISMS project will definitely fail if it does not receive to management support. The management should provide, people, money and strategic direction for your ISMS to be a success story. In the sections below you’ll find some tips on how to convince your management, and how much the implemen
Read more