Pour the Coffee

Let’s put on a pot of coffee and roll up our sleeves for this one.  We are about to get into the meat of the Business Continuity Plan and we will want to slow things down and focus on our business functions.  The good news is when we are finished with today’s effort, we will complete Chapter 1 and be 40% finished with the Plan.

And if you have followed our guidance during the Pandemic, your company operations should be flexible in a variety of conditions due to adopting work from home solutions.  This can include laptops, VPNs, IP phones, cloud applications and document storage, or other technologies that help extend your business functions outside of your brick-and-mortar environment.  For TCS, this becomes a game changer and creates an almost seamless transition across all business functions to shift from the office to a home/remote office setup.

1.6 Risk Assessments

We will now document and score what threats may impact our People, Process, and Technology.  As you can see from the screenshot above, we will assess/score the Probability of the threat, the Business Impact of that threat, and our ability to Control the threat.  Each of these will be scored on a scale of 1 to 5, with 1 being “Low”, “No Impact”, and “Good” respectively and 5 representing “High”, “High Impact”, and “Poor” respectively.

The tool provides a sample threat list like the one pictured below:

Also, an example of the Risk Assessment table is provided:

Take time to read through the list of threats and look at the examples on how you may score the threats, along with a summary of how the threat could be mitigated.  Each organization will vary in the type of threats, the scoring, and how the threats are mitigated.  This is where you want to spend some energy deliberating on this and work with your team to come up with a comprehensive list.  This exercise could expose some areas where you may need to do more to beef up your continuity strategy.

TCS ended up with 13 different areas but most of them could be at least partially mitigated by defaulting to a work from home strategy.  This may not be possible for all your team, especially if their job function is dependent on equipment or systems on premise.  A helpful tip is to review the Houston County Pre-Disaster Mitigation Plan located here:

https://www.houstoncountyga.org/skins/userfiles/files/Houston%20Co%20PDMP%202020%20(Public).pdf.

This plan addresses many external threats common to our region and can inform your mitigation strategies or affect your scoring because some of these threats are being mitigated at a higher level already.  There is no absolute right or wrong here and the important thing is that these threats are considered and addressed in some logical fashion that is appropriate for your business.  A useful strategy I learned from attending the GBA Southern Operations and Technology School and by working with other Risk Management professionals is to rank order the threats by multiplying each of the 3 score areas (Probability x Impact x Control).  This will give you a composite score for each threat category ranging from 0 to 125.  Understanding these threats as a ranked list can help prioritize spending to further reduce risk if there are gaps in your capabilities.  Of course TCS is available to consult with you regarding your business technology strategy to better align with your mitigation plans.
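To show the ranking approach above in working form, here is an added example (not code from the TCS plan or the BCP tool it describes) that validates each score against the 1 to 5 scale, computes the Probability x Impact x Control composite, ranks the threats, and re-ranks them after a mitigation such as a work-from-home fallback improves the Control score.  The threat names and scores are constructed samples, not the 13 areas TCS identified.

```python
"""Rank a risk register by Probability x Impact x Control (section 1.6 style).

Added example; not the TCS plan's own tooling. Threats and scores below are
constructed sample values.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # valid scores are 1..5 inclusive


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int  # 1 = Low ... 5 = High
    impact: int       # 1 = No Impact ... 5 = High Impact
    control: int      # 1 = Good control ... 5 = Poor control

    def composite(self) -> int:
        """Composite score; raises if any component is off the 1-5 scale."""
        for field, value in (("probability", self.probability),
                             ("impact", self.impact),
                             ("control", self.control)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value} is outside 1-5")
        return self.probability * self.impact * self.control


def rank(threats):
    """(name, composite) pairs, highest composite first; ties broken by name."""
    scored = [(t.name, t.composite()) for t in threats]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def residual_rank(threats, mitigations):
    """Re-rank after mitigations. `mitigations` maps threat name -> new Control
    score (e.g. a work-from-home fallback turning a 4 into a 2)."""
    adjusted = [replace(t, control=mitigations.get(t.name, t.control))
                for t in threats]
    return rank(adjusted)


# Constructed sample register (four of the many areas a small firm might list).
SAMPLE = [
    Threat("Tornado", probability=3, impact=5, control=4),
    Threat("Extended power outage", probability=4, impact=4, control=3),
    Threat("Ransomware", probability=4, impact=5, control=2),
    Threat("Key staff unavailable", probability=2, impact=3, control=3),
]

# Constructed assumption: a work-from-home fallback improves Control for the
# two facility-bound threats but does nothing for ransomware.
WFH_MITIGATION = {"Tornado": 2, "Extended power outage": 2}

if __name__ == "__main__":
    print("Before mitigation:")
    for name, score in rank(SAMPLE):
        print(f"{score:4d}  {name}")
    print("After work-from-home fallback:")
    for name, score in residual_rank(SAMPLE, WFH_MITIGATION):
        print(f"{score:4d}  {name}")
```

Once the facility-bound threats are mitigated, ransomware moves to the top of the list, which is the kind of shift in spending priority the ranked view is meant to surface.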

1.7 Business Impact Analysis Summary

In this step we want to describe how you determined what to include and leave out of your risk analysis.  What business functions, processes, and interdependencies did you consider?  This does not have to be perfect, and it will likely change over time as you revise your plan, but we want to get a basic statement down on paper and go from there.  Part of our BIA statement included factors studied by Houston County in their plan and we made certain assumptions as a result.  For example, the frequency of tornadoes and floods is addressed in their document.

In the BIA Summary example pictured above, you will see how the Plan will document your different business units and its functions along with the associated manager, processes, and related risks.  Additionally, you will want to determine the maximum time you will allow for a critical function to be down, and the daily revenue loss caused by the loss of business function.  The Recovery Time Objective (RTO) will inform how you prioritize your resources before and during a disaster to recover these functions.  Defining the RTO and RPO (Recovery Point Objective) also helps IT know what business continuity and disaster recovery (and backup history) you need to recover business functions, including the information systems and data.  The lower (in number of days or hours) your RTO and the narrower your RPO, the more expensive the technology solutions will be to achieve the desired goals.  This will be a calculated tradeoff between the capital and operational cost of the technical capability versus the likelihood and (financial or business reputation) impact of an event.  This is a conversation to be had with your IT folks well before a disaster.  It will not be helpful to have an undefined RTO only to discover recovering your data from the cloud will take days and you want that business system up in hours.
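The RTO/RPO conversation with IT above boils down to a comparison that can be automated: for each business function, compare the RTO and RPO the business set in the BIA against what IT can actually deliver (the configured backup interval and the restore time observed in the last exercise).  The example below is added here and is not code from the TCS plan or the BCP tool; the functions, revenue figures and timings are constructed samples.

```python
"""Flag business functions whose backup/restore capability misses the BIA's RTO/RPO.

Added example; not the TCS plan's own tooling. Sample functions below are
constructed values.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class FunctionBIA:
    name: str
    rto: timedelta               # max tolerable downtime (business decision)
    rpo: timedelta               # max tolerable data loss (business decision)
    daily_revenue_loss: float    # from the BIA summary
    backup_interval: timedelta   # how often backups actually run (IT measured)
    measured_restore: timedelta  # restore time from the last recovery exercise


def hours(td: timedelta) -> str:
    return f"{td.total_seconds() / 3600:g}h"


def gaps(fn: FunctionBIA) -> list[str]:
    """Describe each way capability falls short; an empty list means covered."""
    found = []
    if fn.measured_restore > fn.rto:
        found.append(f"restore takes {hours(fn.measured_restore)} but RTO is {hours(fn.rto)}")
    if fn.backup_interval > fn.rpo:
        found.append(f"backups every {hours(fn.backup_interval)} but RPO is {hours(fn.rpo)}")
    return found


def exposure(fn: FunctionBIA) -> float:
    """Revenue at risk if the function stays down for the measured restore time."""
    days = fn.measured_restore.total_seconds() / 86400
    return round(fn.daily_revenue_loss * days, 2)


def report(functions):
    """Functions with gaps, largest revenue exposure first (where to spend first)."""
    rows = [(fn.name, exposure(fn), gaps(fn)) for fn in functions if gaps(fn)]
    return sorted(rows, key=lambda row: -row[1])


# Constructed sample BIA rows.
SAMPLE = [
    FunctionBIA("Client ticketing", rto=timedelta(hours=4), rpo=timedelta(hours=1),
                daily_revenue_loss=2000.0, backup_interval=timedelta(hours=24),
                measured_restore=timedelta(hours=48)),
    FunctionBIA("Email (cloud)", rto=timedelta(hours=24), rpo=timedelta(hours=24),
                daily_revenue_loss=500.0, backup_interval=timedelta(hours=24),
                measured_restore=timedelta(hours=6)),
    FunctionBIA("Accounting", rto=timedelta(hours=24), rpo=timedelta(hours=24),
                daily_revenue_loss=1500.0, backup_interval=timedelta(hours=24),
                measured_restore=timedelta(hours=36)),
]

if __name__ == "__main__":
    for name, at_risk, reasons in report(SAMPLE):
        print(f"{name}: ${at_risk:,.2f} at risk")
        for reason in reasons:
            print(f"  - {reason}")
```

Running this after every recovery exercise turns the "we discovered restore takes days" surprise into a line item reviewed before the disaster.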

1.8 Business Continuity Strategy

In this section we want to describe, at a high level, the overall approach to maintaining continuity of your business functions.  This will include basic details of a secondary site for temporary operations along with a map and contract information for that site.

1.9 Emergency Operations Center (EOC) Locations/Contacts

This section is straightforward.  You will list each of your Emergency Operations Center locations, a named point of contact, and a phone number for each site.  This could be one site, or you may define multiple.  It is a good idea to have a prearranged agreement with another organization if they have space to accommodate your business continuity team in an emergency.  This could be a reciprocal agreement.

1.10 Alternate Site Locations and Contacts

You will want to complete a similar list for alternate sites for business operations.  This could be the same as your Emergency Operations Center or a different location.  If you have an offsite storage facility, you will want to document that in the appropriate section as well.

1.11 Organizational Chart

A disaster is not the time to try to figure out who works where and reports to whom.  Take the time now, if you do not have one, to document the business functions, management, and staff across your business.  If you have this already, simply copy and paste the image into the space provided.

1.12 Team Descriptions and Organization Chart

If your business continuity team will differ in personnel or structure to your org chart, it will be helpful to create a similar chart to define your Business Continuity Organization structure.  An example is provided below; however, this is overkill for TCS being a smaller company, so we opted just to keep our regular org chart knowing the CEO and COO will quarterback the continuity and recovery efforts while Service is busy supporting our clients.  Your mileage may vary.

1.13 Emergency Response Plan Summary

You will summarize the key elements of your Emergency Response Plan in this section.  This plan is separate and distinct from the Business Continuity Plan, although there is overlap.  The BCP will focus primarily on recovery and mitigation and the ERP will focus on preparedness and response.

Okay, time to hit the pause button until next week.  From here we will document various teams and essential lists that are critical to business operations.  This will take us into Chapter 2 of the tool/plan – Critical Business Information.  For those who like checking boxes, here is where we are until we take this up again.  Good progress!

The next logical step in the NIST CyberSecurity Framework is Respond.  In other words, how are you planning to respond when a threat to your organization is detected or realized?  The Respond function essentially sets forth the processes and procedures enacted for incident response, who will own the issue and oversee its execution, who will be engaged to perform the forensics to determine how the threat gained a foothold in the environment, and what steps should be taken correlative to the risk inherent to the threat.

There are four aspects to the Respond function of CSF:

1. Response Planning

The goal in response planning is to enhance your business or organizational resiliency.  Here are some scenarios we hope would never occur but are likely enough to plan for.  We’ll start with a very likely incident.  What happens if your company loses power?  How long can the company network sustain a power outage before it becomes a critical incident?  What would happen if your major Cloud provider (Office365, QuickBooks Online, Kronos, etc.) went offline for a month or longer?  How would your organization respond?  Do you have a Business Continuity plan to cover instances like that?

How would your company be affected by a fire, flood, or tornado?  Would your clients and branches be able to maintain communications and business basics?  Do you have a Disaster Recovery plan that can cover that?

Of course, some of these issues are tertiary to cybersecurity – they impact cybersecurity but may or may not be directly related.  What happens if an employee is tricked into opening an attachment that introduces ransomware to the entire network?  Or, what happens if one of your security controls indicates a persistent attack from a particular source?  What happens if a disgruntled employee attacks the network from within the company?  Who is notified, who is responsible for mitigation and remediation, who needs to be alerted and when?  What is your Security Incident Response plan?  These are all things you need to consider.

Smaller organizations have the benefit of being able to pivot quickly and adjust to unforeseen situations.  Larger organizations require more thorough planning to survive and adapt to such events.  However, we all know that planning ahead of time makes these situations less stressful and easier to overcome.  If that weren’t true, EMA and the Military wouldn’t invest so much time in training and preparing their personnel for disaster response.  Be sure your response planning includes Business Continuity, Disaster Recovery, and Security Incident Response plans.

2. Communications

This article has already hinted at communications, but it is the key to overcoming any crisis.  Technology can help us here, since we all have a smartphone in our pockets; but how will you leverage those technologies in response to an emergency?  What do your personnel need to know and expect when normal avenues of communication are not an option?  How will you respond in such a way to maintain business as usual while not destroying evidence necessary for the authorities to forensically investigate the incident?  Who is going to notify the authorities and what authorities should be notified?  How will your clients get in contact with you?  How often will you test these plans to ensure you aren’t overlooking a critical roadblock?  When do you need to contact your cyber-insurance provider?

There are a lot of questions to consider, which is why leadership must make it a priority to plan out these scenarios.  Attempting to make these decisions on the fly will generate incredible chaos and likely will miss better options that would save the company time and money.  There are a lot of moving parts to cybersecurity incidents, and the more you plan before you need them, the better your organization will weather the storm of an attack.  Defining who communicates with whom and by when will mitigate a lot of unnecessary stress and chaos.

3. Analysis

It’s difficult to talk about one aspect of Response without alluding to others.  We’ve mentioned forensics already, but forensics needs to be planned for in the communications stage of an incident response plan.  Additionally, forensics needs to be actually performed, not just planned.

If you have a cyber-insurance policy, today’s policies often cover forensics up to a certain amount.  Depending on your insurance provider, they may want you to notify them (communications again) before doing anything; because they want to ensure the proper authorities are involved before you make changes that will negatively impact their ability to forensically identify how the attack occurred, who was responsible for it, and what can be done to mitigate that threat in the future.

If you have an IT department, you need to have some means for them to perform their analysis from a read-only snapshot archive.  This enables analysis to be performed without tampering or contaminating digital evidence.  This is where your Protect function comes into play.  Those enhanced logging and archiving measures developed and implemented will help both internal and external sources get to the bottom of the issue.

4. Mitigation

Finally, once you’ve identified various threats, it is important to have a plan for isolating those threats from doing any further damage to your organization.  For instance, TCS has the ability to immediately isolate a computer from the network as soon as ransomware is detected on it.  This effectively enables us to limit the threat exposure to our clients, but ransomware is only one of many threats to our clients.

Different kinds of threats pose different mitigation complications depending on the type of threat.  Planning ahead to determine how different threats can be isolated and contained as quickly as possible will help you recover faster with less negative impact to your organization.

Conclusion:

As you can see, the further we get into the functions of CSF, the easier they get.  All that front-loading work at the beginning to identify the various types of threats, perform risk analyses, implement protection measures, develop policies and procedures for how personnel will perform critical tasks, makes it much easier to respond to emergent issues.

That being said, there are a lot of moving parts to the incident response plan. If you find that you are overwhelmed by the magnitude of incident response planning and need some consulting or even compliance assistance, please reach out to TCS today!  We’d be honored to help you work through these issues and have the best plan possible for your organization to weather just about any storm short of a zombie apocalypse.

Note: This article was based on the resources available at https://www.nist.gov/cyberframework/respond

After reading this article, you will know the five elements of the NIST CyberSecurity Framework (CSF) and why they are important for your business.  NIST released its latest CSF in 2018, and it serves as a guide to how to approach cybersecurity from a holistic perspective.

In a world where so much misinformation thrives (on any topic), IT security is no exception.  Business owners tend to think they are “secure” if they use multifactor authentication.  Or they think if they have a sophisticated firewall, they are safe.  The reality is that every business is different.  Since they are different, every business needs its own unique plan and approach to security.  The NIST CSF provides businesses some structure in the security process.

NIST has broken out the framework into five elements:  Identify, Protect, Detect, Respond, and Recover.  These five elements are activities that need to be performed in order to appropriately approach cybersecurity for any organization.  While these activities use familiar terms, there is more than meets the eye for each one.  Here is a breakdown of each element:

1. Identify

This seems simple enough at first glance, but start peeling back the onion, and you find many layers to this one element.  Simply put, the Identify piece of the puzzle includes both inventorying and risk analysis.  In the inventorying piece, you are identifying your mission critical assets – both material (devices, including virtual) and intellectual (IP).  Once you have identified those assets, you perform a risk analysis to determine where you are exposed.

2. Protect

Along a similar vein, the Protect element seems straightforward as well, but there are some aspects to protection that complicate it.  For instance, you aren’t simply protecting your data and assets from attacks, you are also working to protect the organization by mitigating successful attacks.  You also need to include your personnel in the protect element. What training needs to be implemented in order to mitigate the threat of user hacks?  What specific security awareness training exercises will benefit your personnel the most?  Those are some of the questions you will be asking in the Protect exercise. The main idea is protecting your critical assets and mitigating the ill effects of successful attacks.

3. Detect

Detect is ongoing and active.  How will you know if you are being attacked?  Various studies show that many times hackers successfully attack businesses without them even knowing it.  The business doesn’t realize they’ve been compromised until the hackers use their access to negatively impact that business.  This means that for every mission-critical asset (both intellectual and physical) there needs to be a detection mechanism to alert when hackers are trying to compromise each system.  Most organizations do not have this piece in place at all.

Another aspect of the complexity with regard to detection is the constantly moving target of patching (both operating systems and third-party software). Staying on top of the latest security patching while verifying that these patches don’t introduce bugs or other unintended consequences requires diligence and commitment. IT personnel must create security baselines and monitor against drifting away from those baselines. Doing so is easy to overlook, especially in environments where IT personnel are constantly resolving end user issues.

4. Respond

The Respond element is tied to the Detect element.  Once your detection system alerts you to a compromise, how will you respond?  Who is alerted?  Every business needs to identify the person who will own this response.  This doesn’t mean the activities of response can’t be delegated to other employees, or even a third-party MSP.  This simply means that someone needs to be responsible for ensuring the response is appropriate and thorough.

What makes the Respond element difficult is the variance of responses depending on what the detection system is alerting on.  Nevertheless, it is imperative that responses include the ability to audit the threat, mitigate it immediately, and implement controls to ensure it is contained, all while keeping other mission-critical systems online and free from attack.

5. Recover

Recover is the simplest of the five elements.  This is where you execute the failsafes you implemented in the Protect element.  Again, someone in your organization must own this element and ensure that the recovery planning process is followed.  You also need to ensure in your recovery planning process that you include a hotwash meeting post-incident to document lessons learned and refine your recovery process. IT personnel should schedule routine recovery exercises to test their effectiveness. When was the last time you performed a scheduled business recovery exercise?

Conclusion

NIST has identified these elements as the best approach to cybersecurity.  While every business is different and each of these elements will impact businesses in different ways, these elements serve to bolster the maturity and security posture of all businesses and organizations.  If you skip any one of these elements, your business will suffer.  Think of these elements as you would elements on the periodic table.  We all know the elemental makeup of water is H2O.  Change or remove either element, and you no longer have water.  You might even end up with something like hydrogen peroxide, for instance.  In like manner, change or remove any one of the five elements in NIST, and you have something altogether different from “secure.”

If this framework seems overwhelming, TCS can help!  We’ve built our processes around the cybersecurity framework to ensure we aren’t missing anything with regard to our clients’ security.  We would honor the opportunity to help your organization, as well.  If you want to learn more about these elements, stay tuned for more content coming with deeper dives into each one.