Continuity Planning

Business Continuity Planning

James F. Broder, Eugene Tucker, in Risk Analysis and the Security Survey (Fourth Edition), 2012

Why Plan?

Responsibility for continuity planning often resides with the risk manager, the chief financial officer (CFO), or the data center manager. Security managers are, however, increasingly taking the role of plan developers. Their experience with the protection of assets, their involvement in the identification and mitigation of risk, and their emergency response duties make them logical choices for this role. The ability to work effectively with all levels of management is a required trait for security managers, a trait that all successful continuity planners must possess.

Some types of businesses, such as healthcare, financial institutions, and industries regulated by toxics laws, are required to maintain continuity plans. Businesses are increasingly regulated by other laws, regulations, and standards, many differing widely in their approach and requirements. Some are intended to be industry specific and others broad-based. Some use differing terminology or try to package the same methodologies in different-looking boxes.

In any case, even in the absence of regulatory requirements, it makes good business sense to maintain a continuity plan. The cost of downtime, the cost of reconstructing lost data, and the loss of cash flow can severely damage many organizations, even beyond their ability to recover. If they are unable to operate, retail and transportation operations can lose an average of more than $100,000 per hour, high-technology manufacturing $200,000 per hour, and financial brokerages more than $6 million per hour. A Business Impact Analysis can help to pinpoint your organization's exact loss potential.

Without continuity planning, the organization may lose its competitive advantage, valuable employees, and future research. Organizations cannot insure against lost customers or a diminished public (customer) image. History consistently shows that between 35 and 50 percent of businesses never recover after major disasters. 2

Other rationales for continuity planning include the following:

Fulfill requirement by financial auditors or by potential customers

Prevent the loss of market share

Capitalize on the lack of planning by the competition

Uphold fiscal responsibility

Avoid stockholder liability

Fulfill regulatory requirement

Retain key employees

Prevent the loss of research

Help ensure the safety of employees

Preserve customer confidence

Assist in the overall economic recovery of the community

Assist in a quick and orderly recovery after a disaster

Minimize the economic loss (devaluation) to the firm

URL:

https://www.sciencedirect.com/science/article/pii/B9780123822338000169

Contingency Planning

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Distinguishing Contingency Planning from Continuity of Operations Planning

Both contingency planning and continuity planning provide key contributions to government efforts to ensure uninterrupted operation of essential functions, and both terms incorporate multiple related (and sometimes overlapping) processes, procedures, and planning activities. The key differences between contingency planning and continuity planning are the scope and level of responsibility associated with each function. Contingency planning applies to individual information systems and is the responsibility of the system owner, while continuity planning applies to the agency and is the responsibility of the continuity coordinator or other designated agency official. Special Publication 800-34 makes a further distinction based on the primary focus of each activity: continuity planning "concerns the ability to continue critical functions and processes during and after an emergency event" and contingency planning "provides the steps needed to recover the operation of all or part of designated information systems at an existing or new location in an emergency [28]." Continuity planning comprises an interrelated set of plans and associated procedures that describe the actions taken by the organization in response to an emergency situation with the potential to disrupt government operations. These typically include the continuity of operations plan, crisis communications plan, occupant emergency plan, and—to the extent the organization manages key components and resources of the national infrastructure—critical infrastructure protection plan.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597496414000151

Security component fundamentals for assessment

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook (Second Edition), 2020

Contingency planning

Information systems are vital elements in most mission/business processes. Because information system resources are so essential to an organization's success, it is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption. Contingency planning is unique to each system, providing preventive measures, recovery strategies, and technical considerations appropriate to the system's information confidentiality, integrity, and availability requirements and the system impact level.

Evaluating a recovery and preparedness process for a system, an organization, or an application can involve many areas of technology, operations, and the personnel identified throughout an organization. There are many focal points of concern that require the analysis and attention of the assessor. As the major area for the controls related to the security objective of availability, contingency planning has become a focal point for assessors to determine the commitment of the organization's senior management to the security of their operational systems and applications.

Under FCD-1 and FCD-2, all federal information systems require a contingency plan for recovery and restoration efforts. Additional guidance is provided by NIST in SP 800-34 and in templates available on the CSRC.NIST.GOV website.

Information system contingency planning represents a broad scope of activities designed to sustain and recover critical system services following an emergency event. Information system contingency planning fits into a much broader security and emergency management effort that includes organizational and business process continuity, disaster recovery planning, and incident management. Ultimately, an organization would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization's information systems, mission/business processes, personnel, and the facility. Because there is an inherent relationship between an information system and the mission/business process it supports, there must be coordination between each plan during development and updates to ensure that recovery strategies and supporting resources neither negate each other nor duplicate efforts.

"Continuity and contingency planning are critical components of emergency management and organizational resilience but are often confused in their use. Continuity planning normally applies to the mission/business itself; it concerns the ability to continue critical functions and processes during and after an emergency event. Contingency planning normally applies to information systems, and provides the steps needed to recover the operation of all or part of designated information systems at an existing or new location in an emergency. Cyber Incident Response Planning is a type of plan that normally focuses on detection, response, and recovery to a computer security incident or event." 8

URL:

https://www.sciencedirect.com/science/article/pii/B9780128184271000112

Recovery of Security

Timothy J. Shimeall, Jonathan M. Spring, in Introduction to Information Security, 2014

This chapter introduces recovery strategy. Recovery of security is complex and requires planning and support from several business functions. Computer security incident management is related to, but not the same as, several other fields such as contingency planning, continuity of operations, and emergency management. These other fields are introduced to compare and contrast their functions with computer security incident response to get a clearer picture of what each task involves. Emergency management, in particular, is presented in some depth because there are lessons for computer security incident response to learn from the more mature field of emergency management.

How to build a policy about incident response is covered before discussing incident response itself. The response policy is an organizational stance and responsibilities in response, as opposed to the technological steps of responding to an incident. The team that technologically responds to an incident is the computer security incident response team (CSIRT). The chapter presents several important features of a CSIRT and some recommendations on how to build one, and then discusses how such a team would respond to incidents and strategies. The chapter ends with recommendations on how to extract lessons learned from the incident using an after-action review.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597499699000158

Domain 7: Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Building The BCP/DRP Team

Building the BCP/DRP team is essential for the organization. The BCP/DRP team comprises those personnel that will have responsibilities if/when an emergency occurs. Before identification of the BCP/DRP personnel can take place, the Continuity Planning Project Team (CPPT) must be assembled. The CPPT is comprised of stakeholders within an organization and focuses on identifying who would need to play a role if a specific emergency event were to occur. This includes people from the human resources section, public relations (PR), IT staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions. Also, depending on the type of emergency, different people may have to play a different role. For example, in an IT emergency event that only affected the internal workings of the organization, PR may not have a vital role. However, any emergency that affects customers or the general public would require PR's direct involvement.

A difficult issue in planning for the CPPT is how to handle the manager/employee relationship. In many software and IT-related businesses, employees are "matrixed." A matrixed organization leverages the expertise of employees by having them work numerous projects under many different management chains of command. For example, employee John Smith is working on four different projects for four different managers. Who will take responsibility for John in the event of an emergency? These types of questions will be answered by the CPPT. It is the planning team that finds answers to organizational questions such as the above example. It should be understood and planned that, in an emergency situation, people become difficult to manage.

URL:

https://www.sciencedirect.com/science/article/pii/B9780128024379000084

Domain 8

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

Building the BCP/DRP team

Building the BCP/DRP team is essential for the organization. The BCP/DRP team is comprised of those personnel who will have responsibilities if or when an emergency occurs. Before identification of the BCP/DRP personnel can take place, the continuity planning project team (CPPT) must be assembled. The CPPT is comprised of stakeholders within an organization and focuses on identifying who would need to play a role if a specific emergency event were to occur. This includes people from the human resources section, public relations (PR), IT staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions. Also, depending on the emergency of the event, different people may have to play a different role; for example, in an IT emergency event that only affected the internal workings of the organization, PR may not have a vital role. Any emergency that affects customers or the general public, however, would require PR's direct involvement.

A difficult issue facing the CPPT is how to handle the manager/employee relationship. In many software and IT-related businesses, employees are "matrixed." A matrixed organization leverages the expertise of employees by having them work numerous projects under many different management chains of command. Suppose employee John Smith is working on four different projects for four different managers. Who will take responsibility for John in the event of an emergency? These types of questions will be answered by the CPPT. It is the planning organization that finds answers to organizational questions such as the above example. It should be understood and planned that, in an emergency situation, people become difficult to manage.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597499613000091

Information Technology Security Management

Rahul Bhaskar, Bhushan Kapoor, in Computer and Information Security Handbook, 2009

Processes for a Business Continuity Strategy

As is the case with any strategy, the business continuity strategy depends on a commitment from senior management. This can include some of the analysis that is obtained by business impact assessment/risk analysis focused on business value drivers. These business value drivers are determined by the main stakeholders from the organizations. Examples of these value drivers are customer service and intellectual property protection. 10

The Disaster Recovery Institute International (DRII) associates eight tasks with the contingency planning process. 11 These are as follows:

Business impact analysis, to analyze the impact of outage on critical business function operations.

Risk assessment, to assess the risks to the current infrastructure and the incorporation of safeguards to reduce the likelihood and impact of disasters.

Recovery strategy identification, to develop a variety of disaster scenarios and identify recovery strategies.

Recovery strategy selection, to select the appropriate recovery strategies based on the perceived threats and the time needed to recover.

Contingency plan development, to document the processes, equipment, and facilities required to restore the IT assets.

User training, to develop training programs to enable all affected users to perform their tasks.

Plan verification, for accuracy and adequacy.

Plan maintenance, for continuous upkeep of the plan as needs change.

URL:

https://www.sciencedirect.com/science/article/pii/B9780123743541000169

Information Technology Security Management

Rahul Bhaskar, Bhushan Kapoor, in Managing Information Security (Second Edition), 2014

Processes for a Business Continuity Strategy

As is the case with any strategy, the business continuity strategy depends on a commitment from senior management. This can include some of the analysis that is obtained by business impact assessment/risk analysis focused on business value drivers (see checklist: "An Agenda For Action For The Contingency Planning Process"). These business value drivers are determined by the main stakeholders from the organizations. Examples of these value drivers are customer service and intellectual property protection. 10

An Agenda for Action for the Contingency Planning Process

The Disaster Recovery Institute International (DRII) associates eight tasks with the contingency planning process. 11 These are as follows (check all tasks completed):

_____1. Business impact analysis, to analyze the impact of outage on critical business function operations.

_____2. Risk assessment, to assess the risks to the current infrastructure and the incorporation of safeguards to reduce the likelihood and impact of disasters.

_____3. Recovery strategy identification, to develop a variety of disaster scenarios and identify recovery strategies.

_____4. Recovery strategy selection, to select the appropriate recovery strategies based on the perceived threats and the time needed to recover.

_____5. Contingency plan development, to document the processes, equipment, and facilities required to restore the IT assets.

_____6. User training, to develop training programs to enable all affected users to perform their tasks.

_____7. Plan verification, for accuracy and adequacy.

_____8. Plan maintenance, for continuous upkeep of the plan as needs change.

URL:

https://www.sciencedirect.com/science/article/pii/B9780124166882000039

Introduction to the Cloud

Derrick Rountree, Ileana Castrillo, in The Basics of Cloud Computing, 2014

System Drivers

There are many system drivers that are steering organizations to the cloud. An organization may want certain system characteristics that they can't provide with their current architecture. Organizations might not have the expertise or funding to achieve certain environment characteristics internally, so they look to a cloud provider to provide them. These characteristics include agility, reliability, scalability, and performance.

Agility

Cloud environments can offer great agility. You can easily reappropriate resources when needed. This allows you to add resources to systems that need them and take them away from systems that don't. You can also easily add systems to expand your capacity.

Internal cloud environments allow you to make better use of your internal infrastructure resources. A cloud infrastructure that uses virtualization can help you increase your density and the percentage of utilization from your infrastructure. As a result, you will be less likely to have systems sitting idle.

Reliability

Building reliability into your environment can be very costly. It usually involves having multiple systems or even multiple datacenter locations. You have to do disaster recovery (DR) and continuity planning and simulations. Many cloud providers already have multiple locations set up, so if you use their services, you can instantly add reliability to your environment. You may have to request to have your service use multiple locations, but at least it's an option.

Scalability and Elasticity

A cloud environment can automatically scale to meet customer needs. New resources can be dynamically added to meet increased usage. This helps in two ways. The increased capacity helps ensure that user needs are met. The fact that resources can be dynamically allocated on demand means that they don't always have to be available, which means you don't need to have systems waiting and sitting idle. These systems still use resources. If you don't need to have the system waiting, you can save on utilization of resources such as power and cooling.

This scalability allows you to better meet your customers' needs. You can quickly add the capacity your customers need for temporary or permanent expansion. You can use an external cloud environment for temporary capacity to provide resources while you expand your permanent capacity.

Figure 1.3. Burst Capacity

Performance

Performance in cloud systems is constantly being measured and monitored. If performance falls below a certain level, the systems can automatically adjust to provide more capacity, if that is what's needed. The presence of a service-level agreement (SLA) is also a benefit. An SLA guarantees a certain level of performance. If that level is not met, the service provider must generally meet some level of restitution. This restitution is often in the form of a chargeback or a fee reduction. So, although performance itself is not assured, there can be an assurance that the cost of a lack of performance can be mitigated.

Ease of Maintenance

Ease of maintenance can be a very attractive benefit of cloud computing. If someone else is managing the infrastructure and the systems used to provide the service, they will generally be responsible for maintenance. This means several things. You don't have to worry about tracking and staying up to date with the latest hardware and software patches. You don't have to worry about spending time trying to manage multiple servers and multitudes of disparate client systems. You don't have to worry about the downtime caused by maintenance windows. There will be few instances where administrators will have to come into the office after hours to make system changes. Also, having to maintain maintenance and support agreements with multiple vendors can be very costly. In a cloud environment, you only have to maintain an agreement with the service provider.

URL:

https://www.sciencedirect.com/science/article/pii/B9780124059320000013

Crisis Management Planning for Kidnap, Ransom, and Extortion

James F. Broder, Eugene Tucker, in Risk Analysis and the Security Survey (Fourth Edition), 2012

Plan Documentation

To mount a successful response to kidnappings, extortion, and other threats, a plan to deal with such crises must be formulated in advance. The major responsibility for advance planning belongs to the organization. Organizational planning is more effective than individual effort, and it is more likely to be implemented and thus successful. Therefore, organizations must develop crisis management skills that are adaptable to any demand made on them.

Although a crisis management plan can stand on its own, a business continuity plan that does not include crisis management will generally fall short of the objectives of the organization and emerging standards. Crisis management can exist as a subsection of the business continuity management team plan, as part of the public relations team plan, or as a combination of both, depending on the construction of the document and the size of the organization. Some planners believe the development of separate documents for continuity planning and crisis management is the most effective approach. Others point out that separate plans are cumbersome and require extensive duplication of information and upkeep. The complexity of the risks will guide the planner toward the best document format.

Because extortionists can often inflict heavy losses on organizations, it is imperative that the CMT prepare a readiness plan that will minimize these losses. This plan must fix corporate objectives and limitations, and it must be designed to be effective when the CMT is operating under the emotional strain of responsibility for human life, often with limited data and time for making decisions.

The plan must resolve the fixed elements of a crisis, so as to require the CMT to make only those decisions during a crisis that are affected by immediate variables. Also, it must have sufficient flexibility to enable the CMT to develop alternative strategies after gathering information and analyzing threats under rapidly changing crisis conditions.

In the event of a kidnapping, provisions for gathering personal data, such as employee and family biographical sketches, as well as medical and other requirements of the employee and his or her family, must be incorporated into the plan along with methods to make these data readily available during the crisis period.

The resource section of the plan should include phone numbers and addresses of the team members, major customers, media contacts, brokers, local officials, and regulatory agencies. The plan should include instructions on how to best contact these resources and officials. Ensure that equipment and supplies such as projection machines, sound amplification equipment, battery-driven bullhorns, sign-in sheets, and name tags are available in preparation for any news conferences.

The crisis management plan, like the continuity plan, is a confidential document. It contains important strategic information and phone numbers of key executives. Its distribution must be limited. Both are living documents that must be maintained and simulated. Testing of the plan should include role playing and on-camera interviews. Rehearse responses well in advance of the need.

URL:

https://www.sciencedirect.com/science/article/pii/B9780123822338000182