Identify, Analyze, and Prioritize Business
Continuity Requirements
Business continuity (BC) and disaster recovery (DR) planning provide organizations with a structure to prepare for major disruptions. Under the more general heading of business continuity management (BCM), these separate, but related, activities ensure that the organization identifies its critical business functions, assesses the risk to those functions, and applies the appropriate level of control to the risks to ensure the efficient restoration of services.
While organizations operate under different compliance requirements, one thing is clear: the number and severity of disaster events are both increasing. The increasing risk can be attributed to many factors, including climate change, increasing urbanization, or the ability of threat actors to achieve broad effects with minimal resources. Regardless of the cause, a prudent organization would take steps in advance to minimize the likelihood and consequence of disaster and return the organization as quickly as possible to normal operations.
Develop and Document Scope and Plan Recognizing the organization’s obligations and risks is an essential part of governance. Whether this is accomplished through a formal governance, risk management, and compliance (GRC) process or through a more informal means, identification allows the management to take appropriate steps to respond to the risks. Ultimately, this will lead the governing body to establish policies and set an organizational expectation for resilience.
Compliance Requirements
There are many independently developed bodies of practice to assist organizations in developing BCM programs. Inevitably, one organization will define terms or use language in a manner that is not consistent with other organizations. The purpose of the CISSP CBK is to provide a base of good practice, recognizing that there is going to be some divergence in implementation based on the business models, compliance expectations, and the standards and practices of different organizations. To become overly wedded to one dogmatic interpretation of BCM practice is to exclude the potentially valuable perspectives of other organizations.
Business continuity is not simply a technology problem. Rather, BC involves the people, processes, and systems that are necessary to deliver the organization’s services or meet compliance requirements. Business continuity is inherently proactive, as the research, analysis, and development of the organizational response are done before the disruption occurs.
The intent of BCM is to build organizational resilience. Resilience is the ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning. A resilient organization will be able to address a broad range of disruptions efficiently and minimize the likelihood and effects of a disaster.
Not every disruption in service is a disaster. For the purposes of the CISSP CBK, a disaster occurs when the organization is not able to restore normal services/functions before reaching the maximum tolerable downtime (MTD) set by the business. The MTD expresses in business language the total length of time a process can be unavailable without causing significant harm to the business. The MTDs are identified by the business owners through the business impact analysis process. Control is applied to ensure the people, processes, and systems are available and functioning to deliver the organization’s services to its customers. If an event occurs but the organization is still able to deliver on its commitments, it is not a disaster.
Note Maximum tolerable downtime (MTD), maximum acceptable outage (MAO), maximum allowable disruption (MAD), minimum business continuity objective (MBCO), maximum acceptable outage time (MAOT), and other similar terms have created great confusion in the industry. Certain terms are preferred within certain frameworks. Semantic differences aside, the overarching concept is the important thing to remember: the business must decide how long it can be without the system/process/information and still meet its mission, contractual, and compliance expectations.
Compliance Frameworks
Most information security compliance frameworks, including the NIST Risk Management Framework and the ISO 27000 framework, expect the organization to perform some level of business continuity planning. In many regulated sectors, such as healthcare or financial services, specific levels of planning and verification are required by the regulatory organizations.
Further compliance expectations may come from contractual obligations that the organization assumes. Both the PCI-DSS framework and circumstances where the organization has negotiated service level agreements (SLAs) with its customers would fall under this category.
Healthcare
The HIPAA Security Rule requires all covered entities to have performed an appropriate level of contingency planning. The Contingency Plan standard includes five implementation specifications:
- Data Backup Plan (Required)
- Disaster Recovery Plan (Required)
- Emergency Mode Operation Plan (Required)
- Testing and Revision Procedures (Addressable)
- Applications and Data Criticality Analysis (Addressable)
In the United Kingdom, the Civil Contingencies Act of 2004 places contingency planning expectations on all Category 1 responders, which includes healthcare organizations and the National Health Service. The legislation expects that entities will follow good practice and relies heavily on the British Standard for Business Continuity Management, BS25999*.
Note British Standard for Business Continuity Management (BS25999) was withdrawn by the British Standards Institute (BSI) with the 2012 publication of ISO 22301, “Societal Security – Business continuity management systems – Requirements.” The ISO standard heavily reflects the influence of the BSI work. As of 2018, Cabinet Office guidance continues to reference the BS25999 standard.
For information systems operated by the U.S. government, NIST Special Publication 800-34, “Contingency Planning Guide for Federal Information Systems,” provides a base of practice for the development of resilience in information systems operations. NIST, through its collaborative process of standards development, took into account a broad range of industry and nongovernmental BCM practices. As a result of this process, the framework has been widely adopted by non-U.S. government organizations.
Related Product : Certified Information System Security Professional | CISSP
Financial Services
The Financial Industry Regulatory Authority (FINRA) Rule 4370 requires that all financial institutions operating in the United States must create and maintain a BC plan, reasonably designed to enable the member to meet its existing obligations to customers. Each plan must be tailored to meet the specific needs of the company but must include provisions for the following elements:
- Data backup and recovery (hard copy and electronic)
- All mission-critical systems
- Financial and operational assessments
- Alternate communications between customers and the firm and between the firm and employees
- Alternate physical location of employees
- Critical business constituent, bank, and counterparty impact
- Regulatory reporting
- Communications with regulators
How the firm will assure customers’ prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business The Basel II Accords were developed to provide an international framework for addressing financial and operational risk in the banking industry. The Basel Committee on Banking Supervision in 2003 published “Sound Practices for Management and Supervision,” which requires that banks put in place disaster recovery and business continuity plans to ensure continuous operation and to limit losses. The Basel Accord views these activities as being among the tasks that management would perform to limit residual risk.
International Standards
A number of international standards exist to support business continuity practices. ISO 22301, “Societal Security — Business continuity management systems — Requirements,” specifies requirements to “plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents….” The ISO standard is a generic process intended to apply to any type of organization, but it has also been adopted as a standard by the EU standards body CEN, and as an EU standard it places an obligation on member states to implement at a national level.
ISO 22301 places an emphasis on early planning, leadership, and understanding the context in which the organization operates. The standard also recognizes that organizational competence hinges on people—trained, knowledgeable, and experienced—to both develop the BC processes and support the organization during incidents. As with all ISO standards, the business continuity management activities integrate a continuous process improvement model that ensures that the organization refines its BCM processes to meet changing conditions. While ISO 22301 identifies the high-level processes, ISO 22313:2012, “Societal Security — Business continuity management systems — Guidance,” provides best-practice perspective for organizations implementing BCM processes.
ANSI/ASIS SPC.1-2009, “Organizational Resilience Maturity Model American National Standard,” is the codification of one of several voluntary industry bodies that have developed independent standards for BCM practice. This particular ANSI/ASIS standard provides adoptees with generic auditable criteria on which to structure a BCM practice, addressing prevention, preparedness, mitigation, and response. Other industry organizations that have well-structured business continuity practices include the Business Continuity Institute (BCI) and the Disaster Recovery Institute International (DRII). These organizations also provide training and certification to their members in BC/DR practice.
Business Continuity Policy
A reasonable person would recognize that bad things happen and that taking steps to minimize the likelihood and consequence of those bad circumstances is a prudent course of action. The responsibility for the development of the BCM policy rests with the board of directors or governing body. Failing to have a BCM policy may well violate the fiduciary standard of due care. A business continuity policy sets the tone for the organization’s management to place an appropriate emphasis on developing and maintaining a resilient organization. At a minimum, the policy will identify the organization’s compliance obligations; assign responsibility for planning, executing, and evaluating the organization’s state of readiness; and establish a routine review process to ensure that the policy remains relevant to the business context.
Planning Processes for Business Continuity
Planning for resilience must take into account the people, processes, and systems necessary for the organization to achieve its mission. It is not simply a technology exercise. The business leadership must be actively engaged to identify organizational priorities, properly resource the BCM work, and ensure the organization is prepared to address disruption. A holistic approach to addressing organizational resilience minimizes the risk that disruptions will occur and, in responding to disruption, ensures that the right people are doing the right things at the right time.
Initiate Planning
Most people come to work every day and do the work their boss wants them to do. If it’s not important to the organizational leadership—whatever the task—no organizational resources will be applied to address the issue. The breadth of skills and range of processes that are necessary to recover even simple services or capabilities demands high-level management support to effectively plan for and implement BCM practices.
For some organizations, particularly private-sector organizations, the primary goals of the senior management is to grow the organization and to protect the brand. BCM is generally not seen as an activity that grows the organization. It is an expense the organization incurs as part of doing business.
Instead, BCM is focused on protecting the brand. Organizations that value their customers want those customers to know that the organization will reliably and predictably deliver their goods and services, while protecting information that has been entrusted to the care of the organization by the customers. Failing to do so will have devastating consequences to the organization’s reputation and ability to convince potential customers that they should do business with the organization.
In the public sector, the motivation is somewhat different. Damage to the brand, while still an issue, is also of lesser importance, since public-sector organizations usually have a monopoly on the delivery of service within a jurisdiction. Similarly, the need to grow the business is much less important, as the boundaries of service are generally established through a political process. The primary driver for BCM services becomes ensuring the predictable delivery of services to the constituents.
Understanding the organizational motivations allows the BCM professionals to communicate the value of BCM to the business leadership in their terms. The organization generally recognizes that, as senior leadership often has so many issues pressing on their time, when they do spend time on an issue, that issue is of importance to the organization. A BCM strategy that does not address the interests of governance (compliance and strategy) and management (growing the business and protecting the brand) is unlikely to have the resources or organizational emphasis to succeed.
Scope, Objectives, Assumptions, and Constraints
Once the organization has committed to increasing its resilience, it is essential to determine the scope of the work. Limiting the scope in BCM planning is essential, as the number of potential disruptive events and circumstances is vast. Planning control for each potential event that could affect an organization is well beyond the capabilities of any organization. Reasonable limits on scope might include defining which disruptive events should be included in the analysis, the resources to be devoted to the planning effort, and the amount of time to be devoted to planning. The end result of this is to create a charter establishing the parameters for the planning activities.
Clear objectives will have to be defined for the planners. An objective is an end state to be achieved in the planning process without specifying the means by which it will be accomplished. For example, an objective might be “Reestablish minimum services to support communications for first responders within 1 hour of disruption ” or“ Develop annual training events in which the organization’s response capability can be demonstrated.” This type of statement gives the planners a degree of latitude in the planning process, while focusing the planning on larger compliance expectations or management goals.
Often, additional constraints will be placed on the planning activities. Resources (limited budget, key personnel), time, or areas that will require specific attention are often defined in the initiation process. These statements of fact are often more specific than the objectives and also represent an expression of acceptable risk by the management.
Assumptions made during the planning process will also have to be explicitly defined. An assumption is a statement believed to be true to allow planning to continue. “The plan assumes that the primary data center will not be usable” is an example of an assumption. The planning process reduces uncertainty by documenting the assumptions and then working to prove their validity.
The scope, objectives, constraints, and assumptions will be documented in the charter and formally acknowledged by the senior leadership. This process makes clear to the entire organization the importance of the BCM activities. Finally, the charter is the tool by which the end result of the planning will be measured.
Resources for Planning
Comprehensive BCM efforts span the entire organization. Getting the right people in the process, however, to provide sufficient information and effectively address organizational issues within the planning cycle is often a challenge. Since getting timely, appropriate input into the planning process is so important, often the planning team will include representatives from each of the affected areas of business.
Finding the right people is made more difficult because of the personal and group dynamics at work in the planning process. Having wildly different levels of supervisors and workers on the same planning team often inhibits free and open communication— the senior people don’t participate because they are guarding turf or don’t want make a foolish statement in front of their juniors, and the juniors are often reluctant to disagree with the statements made by the seniors for fear of offending them. Creating a team dynamic that encourages open collaboration and interpersonal trust is one of the most challenging aspects of the planning process.
There are areas of expertise that should be integrated into the planning process. Areas represented must include the lines of business, human resources, legal, compliance, information technologists, and, of course, information security professionals. Finding the right balance is always difficult, however. As teams get larger, the speed with which they generate results tends to increase.
Deliverables and Timeline
The outputs of the planning process should be defined in the charter. These outputs will include a risk assessment identifying the likelihood and consequence of threats; a business impact analysis (BIA), identifying the critical business functions, recovery priorities, and the recovery strategy; and the business continuity plan itself. These materials, along with additional materials that may be specified to meet specific compliance requirements, will allow the organization to approve the plan. Subsequent implementation of the plan, conducting training and awareness activities, incident response, plan activation, and recovery will be discussed in Chapter 7.
The charter should also be clear on when the results of the planning process are to be completed. The complex, interconnected nature of many systems can become an analytic nightmare, with endless dependencies to be considered. The planning team should know they must deliver their plan on a schedule so that the concrete actions to mitigate risk can be implemented.
This is often disconcerting for the perfectionists in the group—they want the final answer. However, resilience is not an end—it is a characteristic that an organization exhibits. The process of improving an organization’s resilience is never-ending: systems change, people come and go, and compliance expectations change. Thus, no plan is ever complete, and no plan is perfect. It just has to be good enough.
Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/
