Wednesday, July 2, 2014

Business Continuity: No Plan is an Island

“No man is an island, entire of itself; every man is a piece of the continent, a part of the main. If a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friend’s or of thine own were: Any man’s death diminishes me, because I am involved in mankind, and therefore never send to know for whom the bell tolls; it tolls for thee.”
John Donne, Meditation XVII, from Devotions upon Emergent Occasions (1623)
(Originally posted on Tripwire's 'The State of Security' at
The importance an organization places on their ability to respond to security breaches is critical to that organization’s survival. BCM (Business Continuity Management) is a plan, a team and a process companies use to protect themselves from financial loss.
BCM usually incorporates a Disaster Recovery Plan and a Business Continuity plan. The Disaster Recovery Plan takes effect as soon as an event occurs and is put into place to protect life and get the critical services back up and running.
Business Continuity is the second phase of BCM that takes effect after the initial event has happened and is designed to limit any lasting effects from the event and to bring the company back to pre-disaster status.


The BCM team deals with ‘what if’, even if it has never happened. They deal with known dangers, like earthquakes in California, hurricanes in Florida and zombies in Washington DC. (Disclaimer: The US government’s National Institutes of Health disavows any imminent danger from zombies. See ‘A report on the zombie outbreak of 2009’.)
The BCM team needs to deal with hackers, data thieves, denial of service attacks and data breaches. Target most likely had a Disaster Recovery Plan to deal with Zombies, but didn’t have an Incident Response Plan that took into account the loading of malware on their POS systems or the loss of 110 Million customer records.
They did not have a Business Continuity Plan in place to recover from the publicity, lawsuits and loss of customer confidence. I think I would consider the loss of 40 Million credit card details and 70 Million customer records a disaster. Apparently the Board of Directors, the CEO and the CIO did not. This has already cost the CIO and CEO their jobs and is likely to cause the termination of 7 of the 10 board members.


Is saving our jobs reason enough to include information security incident response in the BCM plan, or do we need a better reason?
The traditional BCM team will normally start by assembling the team and appointing a team leader: someone who has a thorough understanding of the organization’s business and who has the authority to allocate the necessary resources. The next step is to inventory the assets, do a Business Impact Analysis to determine the cost per hour or minute of downtime, and assign an ‘over the cliff’ deadline.
In other words, how long can our manufacturing plant be down before we lose so many clients that we can’t recover? For security incidents it might also be how many records can be lost before I start to update my resume.


Up to now, ‘IT’ has been held responsible for ‘Information Security’. Incident response has traditionally been thought of as the sole responsibility of the IT or Information Security department but needs to be incorporated into the operational plans and discussions during BCM meetings.
A hacker can take out your network as efficiently as a power outage or a fiber optic break. (Downtime costs your company the same per hour regardless of the reason you can’t send or receive email.) Damage is measured not only in time, but in numbers of records. Information Security is responsible for CIA (Confidentiality, Integrity and Availability). Traditional Business Continuity Planning and Disaster Recovery usually only deal with Availability.
The BCM team should also consult the information security group to make sure that any backup, recovery or temporary recovery facilities conform to the company’s security policies and procedures. A company could recover from a hurricane by moving facilities off site, but suffer a debilitating breach due to a hastily set up firewall that offers little or no protection to the temporary servers.


We still need the BCM team. We need someone who understands the business and can allocate sufficient resources to keep it running in the event of a hurricane or a hacker, a power outage or a denial of service attack, or an insider who pulls the fire alarm so he can go home or sends client records offsite for later.
Traditional information security priorities and methods that rely on blocking 100% of attackers won’t work. Companies that survive a security breach have a robust incident response plan in place. It’s not just a matter of preventing breaches, but of detecting them and responding to them in a timely manner, and it would be better if your internal team discovered the breach rather than reading about it first on Brian Krebs’ security blog.


Target had a breach on November 12th and their FireEye system detected it on the 28th and notified Target’s information security team. December 2nd, a second notification of ‘unknown malware installed’ was sent to the infosec team. By December 12th, the hackers had downloaded 110 Million records including 40 million credit card details, and were using them.
Two days later, Target hires a company to look into the breach. If Target had planned for the breach, they would have had an incident response plan approved by executive management. Now the executive management has to plan a move to a new job, and the assigned parking space might not be as close to the elevator as it was before.
There are other reasons that the BCM team should include information security incident response and share in the duties and responsibilities. Only the infosec team member can identify IT security assets, threats and risks, but only the executive management can approve resources for remediation.


As you assemble the BCM team, reach out to the CISO or a senior member of the information security and risk management team. Preferably this is someone who has risk management experience, as they are more likely to understand how to help with quantifying risks and not just vulnerabilities.
This person should be given the resources and time to help inventory the systems and services and will need to be included in the compilation of Business Impact Analysis. Parallel to the BIA, there should be an internal or external IT security Risk Assessment done.
This can be done in conjunction with the initial system inventory so that you can make sure you cover all critical assets. As the BIA is finished, the manager in charge of the assessment can combine the results of the vulnerability and threat assessment with the BIA to create a quantifiable threat assessment that can be used to prioritize budgetary controls for security incidents. The IT Risk assessor needs this information to help data valuation and classification.


The information you gathered during the inventory, BIA and Risk Assessment can help justify spending money on critical issues. In IT Risk Management, generally, a critical issue is one that would cause loss of life, permanent disability or a loss of over one Million Dollars. Don’t just spend your control dollars on preventing the loss, but spend money on cutting down the cost of the loss if it happens.
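To make the combination of BIA figures and the IT risk assessment concrete, here is an added Python example; it is not code from the article or its author. It takes constructed BIA data for a few systems (cost per hour of downtime, the ‘over the cliff’ deadline, records held) and a constructed list of threat scenarios (annual rate, expected outage, share of records exposed), ranks the scenarios by expected annual loss, and flags any scenario whose single-event loss crosses the one-million-dollar critical bar or whose outage outlasts the deadline. It also compares a preventive control with a detection-and-response control on the same scenario, which is the point about cutting the cost of a loss rather than only preventing it. The single-loss-expectancy-times-annual-rate model, the per-record cost, the control effect factors and every asset, threat and dollar figure are assumptions of this example, not figures from the article.

```python
"""Combining a Business Impact Analysis (BIA) with an IT risk assessment to
rank loss scenarios and flag 'critical' issues.

Every asset, scenario and dollar figure here is constructed for illustration.
The single-loss-expectancy x annual-rate (SLE x ARO) model is a common
quantitative-risk convention adopted as an assumption of this example; the
article itself prescribes no particular formula.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

CRITICAL_SINGLE_LOSS_USD = 1_000_000  # the article's "over one Million Dollars" bar


@dataclass(frozen=True)
class Asset:
    """BIA output for one business system."""
    name: str
    downtime_cost_per_hour: float    # USD per hour the system is down
    max_tolerable_downtime_h: float  # the 'over the cliff' deadline
    records_held: int
    cost_per_record: float           # notification, monitoring and legal cost per record


@dataclass(frozen=True)
class Scenario:
    """Risk-assessment output: one threat against one asset."""
    asset: str
    threat: str
    annual_rate: float        # expected occurrences per year (ARO)
    outage_hours: float       # expected outage per occurrence
    records_lost_frac: float  # share of records exposed per occurrence (0..1)


def single_loss_expectancy(asset: Asset, s: Scenario) -> float:
    """USD loss from one occurrence: downtime cost plus record-loss cost."""
    downtime = asset.downtime_cost_per_hour * s.outage_hours
    records = asset.records_held * s.records_lost_frac * asset.cost_per_record
    return downtime + records


def residual_ale(asset: Asset, s: Scenario, rate_factor: float = 1.0,
                 outage_factor: float = 1.0, records_factor: float = 1.0) -> float:
    """Annual loss expectancy after a control (factors are assumed effects).
    A preventive control scales the rate; a detection/response control scales
    the outage length and the records exposed before containment."""
    adjusted = replace(s, annual_rate=s.annual_rate * rate_factor,
                       outage_hours=s.outage_hours * outage_factor,
                       records_lost_frac=s.records_lost_frac * records_factor)
    return single_loss_expectancy(asset, adjusted) * adjusted.annual_rate


def assess(assets: dict[str, Asset], scenarios: list[Scenario]) -> list[dict]:
    """Rank scenarios: outages past the deadline first, then by expected annual loss."""
    rows = []
    for s in scenarios:
        a = assets[s.asset]
        sle = single_loss_expectancy(a, s)
        rows.append({
            "asset": a.name, "threat": s.threat,
            "sle": sle, "ale": sle * s.annual_rate,
            "critical": sle > CRITICAL_SINGLE_LOSS_USD,
            "over_the_cliff": s.outage_hours > a.max_tolerable_downtime_h,
        })
    rows.sort(key=lambda r: (not r["over_the_cliff"], -r["ale"]))
    return rows


# Constructed inventory: three systems with BIA figures (not real data).
ASSETS = {a.name: a for a in [
    Asset("POS network", 50_000, 24, 200_000, 150),
    Asset("Plant control", 20_000, 72, 0, 0),
    Asset("Mail gateway", 2_000, 168, 0, 0),
]}

# Constructed risk-assessment scenarios against those systems.
SCENARIOS = [
    Scenario("POS network", "malware on POS terminals", 0.2, 8, 0.5),
    Scenario("POS network", "site loss (hurricane)", 0.1, 48, 0.0),
    Scenario("Plant control", "ransomware on plant systems", 0.3, 36, 0.0),
    Scenario("Mail gateway", "denial of service", 2.0, 4, 0.0),
]


def example() -> list[dict]:
    """Run the assessment over the constructed data."""
    return assess(ASSETS, SCENARIOS)


if __name__ == "__main__":
    for r in example():
        flags = ("CRITICAL " if r["critical"] else "") + ("OVER-CLIFF" if r["over_the_cliff"] else "")
        print(f'{r["asset"]:14} {r["threat"]:30} SLE ${r["sle"]:>13,.0f} ALE ${r["ale"]:>12,.0f} {flags}')
    # Prevention versus faster detection and response for the POS malware scenario.
    pos, malware = ASSETS["POS network"], SCENARIOS[0]
    print("prevention (rate -20%):", residual_ale(pos, malware, rate_factor=0.8))
    print("response (outage and records halved):",
          residual_ale(pos, malware, outage_factor=0.5, records_factor=0.5))
```

In the constructed data the hurricane scenario sorts to the top even though its expected annual loss is far below the POS malware scenario, because its outage outlasts the deadline the BIA set; that is the ‘over the cliff’ case that dollar ranking alone would bury. The control comparison shows why the paragraph above warns against spending only on prevention: halving the time to contain the POS malware cuts more expected loss than a 20% reduction in how often it happens.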


Not if, but when. That is the advice of senior directors at major corporations, including RSA. If you don’t think it will happen to you, it most likely already has. You just don’t know it because your company didn’t detect it, or the help desk didn't send you a notice.
Part of good BCM planning is contacting the media and law enforcement. Don’t forget this in your incident response plan, and you won't if you are working in conjunction with a seasoned BCM team.


In loss prevention, Business Continuity Planning and Disaster Recovery we already rely on insurance companies. They provide business continuity insurance, coverage for extra expenses in case of a covered loss, and even pay for loss of profits in many cases.
BCP insurance can also cover information security breach losses including cost to investigate, fix and pay for PR as well as paying for credit monitoring.


“Any man’s death diminishes me, because I am involved in mankind, and therefore never send to know for whom the bell tolls; it tolls for thee,” (Source).
Any damage to your company could be the death bell toll, if not dealt with before it hits the critical point. Learn from your Business Continuity Management Team. Let them learn from you.
There are so many analogies between physical attacks and cyber attacks that we infosec professionals borrow the language. Red Team, Black Team, Attack, Risk Management, Loss Prevention, Downtime and, in some cases, Bankruptcy, ‘early retirement’ and unplanned relocation.
Does your company include information security incident response planning in the organization’s BCM plan? Does your Business Impact Analysis cover denial of service attacks, release of confidential information? Do you even have an Incident Response Plan and an Incident Response Team?

About the Author: Michael Scheidell (@scheidell) is a Certified CISO, Senior Member IEEE (Computer Society), Corporate Information Risk Management and Privacy Expert, Managing Director of Security Privateers, and works as a consulting CISO for several multinational corporations in government, finance, manufacturing and health care. A recognized expert in the information security and privacy community with a strong history of innovation and entrepreneurship, with a US patent on intrusion detection systems, Mr. Scheidell is a frequent conference speaker and subject matter expert in Information Security, Governance, Risk, Compliance, and corporate privacy and has worked to secure US critical infrastructure such as Rail, Transportation and Utility companies. Mr. Scheidell can be reached at
