Ready To Be A Hero?

by msecadm4921

Business Continuity Management – beyond the last line of defence; by Brian Davey.

As security professionals we are well versed in the concept of using an ‘onion skin’ approach for protecting our organisation’s assets, so that there is more than a single line of defence to be breached.

But what do we do when the last line of defence is breached and the asset is then damaged beyond repair, misused, stolen, illicitly altered or copied, destroyed or otherwise successfully attacked?

Clearly two things need to happen. Firstly we need to mount a response which aims to limit the resultant damage arising from the incident, prevent further such incidents from occurring and manage stakeholder expectations. This should be the standard response after any security breach. But we also cannot forget that we have an organisation to run, and we must maintain continuity of those critical activities which allow the organisation to meet its objectives. This is where business continuity management (BCM) comes in.

Security management and business continuity management must work hand in glove. It is of limited value to mount an excellent response to a security breach only to find that the organisation misses a major deadline or loses a significant opportunity because we forgot, in the heat of the moment with the adrenaline flowing, that we still had an organisation to run. So what can you do personally about business continuity management at a practical level, bearing in mind that budgets are very tight?

If you already have a business continuity manager, or equivalent role, within your organisation then I highly recommend that you get your heads together at the earliest opportunity and agree how best to ensure continuity of business following a security breach. If you don’t have anyone giving focus to business continuity management then I implore you to take control of it yourself, otherwise your security breach response procedures could all be in vain. Who knows, your board of directors may thank you one day for taking the initiative now. Are you ready to be a hero? OK, read on …

First, implement an incident response structure. Set up a team responsible for handling abnormal situations which occur, whether they are security breaches or not. My advice is that any event which derails, or threatens to derail, ‘business as usual’ should be treated as an incident. Call the team the crisis management team or incident management team (the name is less important than the role). This should be a team of senior people able to take key decisions on behalf of the organisation following an incident. The team has responsibility for initial assessment, directing emergency response actions, communicating with stakeholders and keeping the organisation running or getting it back to running mode.

The team should be supplemented by specialists who can provide input to the decision-making process, eg company lawyer, facilities manager, IT manager, HR manager etc. Don’t forget the security manager! Introduce an escalation procedure so that security staff, technology workers, premises and facilities personnel etc, who are most likely to come across an incident first, can alert the team members to an adverse situation (actual or potential). You need to exercise the crisis management team so that if there is a serious incident they will be better prepared to handle it, with or without a plan. Get them into a meeting room for two to three hours. Provide the team with a scenario to respond to, such as: “At 4am a fire broke out at our office premises at (address) as the result of an arson attack. It is understood that the complete contents of the office have been destroyed and it is likely that the premises will be unusable for at least two months. Please consider the situation and how you will maintain continuity of business for xyz company.”

Document the agreed actions – these can form the basis of your business continuity plan. Challenge any assumptions made by those present and don’t let them gloss over issues which they don’t have an answer for. If you don’t feel comfortable running such an exercise, call in help: the cost may be less than you think, and you will benefit from the consultant’s experience in making the session more productive.

This exercise will raise the awareness levels of those present and will almost certainly result in management supporting the need for a business continuity (BC) plan to be developed. Hopefully they may even give you a budget!

Next you need to understand the business. Here is a practical, quick way of doing what is called a Business Impact Analysis (BIA), which provides the cornerstone for BC planning.

a) Before you start the analysis, determine the feasible recovery speeds for loss of premises, technology, information and supplies, where these are available and understood. This helps you to identify where there is a gap between recovery need and current capability.

b) It is best to agree with senior management how to scope the work. Maybe one location at a time? Either way, refer to the organisational reporting lines to help determine how to analyse the organisation under scope. Interview a representative from each function being included in the analysis.

c) During the interview:

a. Jot down the number of people employed in the function, where they are located and their main responsibilities.

b. From the various responsibilities of the function, agree which are the most critical activities to perform, given their relative importance to the function meeting its objectives.

c. Agree what the most significant potential impacts would be if the critical activities could not operate due to a serious incident occurring, such as loss of income, loss of business, reputational damage, legal breach etc. Try to assign ££s to the impacts and note at what point (eg four hours, 24 hours, three days, one week etc) the impacts would become intolerable; this point is referred to as the maximum tolerable period of disruption (MTPoD). Then set a recovery time objective (RTO) sooner than that time. For example, if the impacts would be intolerable if the function couldn’t operate for three days, then the RTO for the function needs to be set at a point less than three days to help prevent the intolerable impacts from materialising.

d. Explore the workarounds available, or which could be developed, to keep the function going; for example, move production to another site, divert telephone calls to another office, have staff work from home, issue manual cheques etc.

e. Determine the minimum number of people required to operate the function during the first month, bearing in mind that the focus is on priority work only.

f. Determine the non-people resources required to perform the priority work using the minimum number of people, and at what time these are needed. List the IT systems and services required, land-lines or mobiles, supplies, and access to paper-based information such as contact details, pro-formas, procedures etc.

After the interviews:

a) Review the actual number of alternative work places available for staff to use and the actual recovery times for rebuilding IT systems and services. This will provide you with a list of gaps which cannot currently be satisfied should an incident arise.

b) Conduct a risk assessment. Call on your in-house risk expert, if you have one, for help. Otherwise consider calling in a specialist. Examine the risks to business continuity such as loss of premises and contents, loss of key people, loss of IT or telephony or data communications. Note any obvious actions which could be taken to better control the risks.

c) Review the list of gaps with facilities and IT representatives to determine the actions required to meet the recovery needs of the business, including the costs which would be incurred. Consider clever use of in-house resources to satisfy requirements (eg splitting IT across two computer rooms, a satellite office to act as a business recovery site etc.) before considering more expensive third party solutions (eg server ship-in IT recovery, a business recovery site contract). This is called strategy development.

d) Present findings to senior management, including the most appropriate recovery strategy options and sufficient justification (ie the current implications of an incident) to aid decision making. They can then validate the recovery requirements and consider the strategy options and any actions required to address risks. If they choose not to take action, or choose an option that still leaves some risk exposure, then you will at least have discharged your duty by making them aware of the current capability against that required by the business.

e) Implement the agreed strategy option. Make sure that any technical IT solutions are properly documented. Also develop any workarounds required by the business to enable them to keep going whilst resources lost due to the incident are being repaired or replaced.

f) Write the BC plan/s using the notes from the exercise and based on the agreed strategy option. Include roles and responsibilities post-incident and task checklists – what to do and when – to provide real guidance to the responders. Also include reference information such as building layouts, travel directions, critical activities and their RTOs, resource recovery requirements over a timeline, and agreed recovery strategies for loss of people, premises, technology, information and supplies. I always advise that emergency contact details are held separately and given out on a need-to-know basis, as this prevents the need for the BC plan to be updated and reissued whenever someone’s contact details change and also avoids the BC plan having to be treated as confidential. My recommendation is that you develop one BC plan for each unique location. Write a separate incident management plan to cover the immediate post-incident response actions and emergency activities for safeguarding human life, engaging with emergency services, insurers etc., or combine these into the BC plan if you are a small organisation operating from one location.

g) Exercise, maintain, review and revise the plan/s on at least an annual basis. Remember to change the plan/s to reflect any organisational changes, new technology etc. Make good use of the table top exercise approach mentioned earlier and ensure that the IT disaster recovery procedures are tested regularly, so that you could depend on these in a crisis.

h) Finally, don’t forget that people do things, not plans. Engage with your employees across the organisation and ensure that they know what the organisation’s expectations of them are should an adverse situation arise, in particular if they come across something which could cause the organisation harm, or already has.

For further information

The Business Continuity Institute (BCI) is an excellent resource – see their web site at www.thebci.org or contact the author via [email protected].

About the author: Brian Davey MSc MBCI CISSP is Principal Consultant with Davey Continuity Limited. Among his qualifications, he has a masters degree in security management from the University of Leicester; a PgD in Information Security from Royal Holloway, University of London; and is a Certified Information Systems Security Professional (CISSP, www.isc2.org). He is a member of the Business Continuity Institute. Visit –
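The BIA gap check described in the article (feasible recovery speeds from step a, the MTPoD/RTO rule from the interviews, and the post-interview gap list) as an added worked example; this is not the author's or the BCI's code, and the functions, resources and hour figures are constructed for illustration.

```python
"""Business Impact Analysis gap check (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    needed_by_hours: int          # when the function needs it after the incident
    current_recovery_hours: int   # feasible recovery speed today (step a)


@dataclass
class Function:
    name: str
    mtpod_hours: int   # maximum tolerable period of disruption
    rto_hours: int     # recovery time objective; must be sooner than MTPoD
    resources: list = field(default_factory=list)


def check_function(fn: Function) -> list:
    """Return the gap findings for one function; an empty list means no gap."""
    findings = []
    # Rule from the interview step: the RTO must be set before the MTPoD.
    if fn.rto_hours >= fn.mtpod_hours:
        findings.append(f"{fn.name}: RTO {fn.rto_hours}h is not sooner than "
                        f"MTPoD {fn.mtpod_hours}h")
    # Post-interview step a): compare each resource's real recovery time
    # against when the priority work needs it.
    for r in fn.resources:
        if r.current_recovery_hours > r.needed_by_hours:
            findings.append(f"{fn.name}: {r.name} recovers in "
                            f"{r.current_recovery_hours}h but is needed "
                            f"within {r.needed_by_hours}h")
    return findings


def gap_report(functions: list) -> dict:
    """Map each function name to its list of findings for the senior management review."""
    return {fn.name: check_function(fn) for fn in functions}


# Constructed sample: hypothetical functions and figures, not real data.
SAMPLE = [
    Function("Payroll", mtpod_hours=72, rto_hours=48, resources=[
        Resource("payroll system", needed_by_hours=48, current_recovery_hours=96),
        Resource("desks at satellite office", needed_by_hours=24, current_recovery_hours=8),
    ]),
    Function("Switchboard", mtpod_hours=4, rto_hours=2, resources=[
        Resource("telephony divert", needed_by_hours=2, current_recovery_hours=1),
    ]),
    Function("Invoicing", mtpod_hours=24, rto_hours=24, resources=[]),
]

if __name__ == "__main__":
    for name, findings in gap_report(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```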

© 2024 Professional Security Magazine. All rights reserved.