Companies of all sizes are in the crosshairs of a malevolent, adversarial community whose primary objective is to take what you have, even if it leaves you and your dream in ruins.
All fighters, upon entering the ring or octagon, are told to “protect yourself at all times,” and I believe the same holds true for businesses today. However, protecting your business is not achieved by turning a governance standard into a one-size-fits-all compliance checklist.
To avoid inadvertently operating under a false sense of security, every company needs to actively maintain a full suite of contingency-related plans. For this post, we will focus on aligning the Business Continuity (BCP) and Information Security (InfoSec) programs. Cyber and information-related incidents have direct hard and soft impacts on every level of a business's operations. This reason, among others, is why it is imperative to align business continuity and information security efforts throughout your organization.
Timely, coordinated responses to an active threat, failure event or downtime, regardless of cause, can only be achieved by having an active partnership between the BCP and InfoSec teams in place before an event occurs. In support of this partnership, co-creation of an incident response/recovery strategy, a crisis communications plan and response escalation levels, together with agreement on a common risk-based language, are key to having any hope of success when forced to respond to a cyber-related attack.
The following are some key design elements to include when developing a joint incident response strategy.
• Command Control Team: At a minimum, should include members of both the BCP and InfoSec teams, facilities, PR/media and legal counsel (please note: senior executive support is critical).
• Crisis Communications Plan: Facilitates information exchange and reduces response lag time (examples: secure conference bridge(s), text, Skype, Exchange or web mail, cell and fax).
• Common Set of Documents: Includes joint response/recovery plans, contact lists, escalation levels and who else needs to be involved, including how to reach them and when.
• Declaring a disruptive event “neutralized”: Define who makes this call, including when and how the decision is implemented, documented and communicated.
• Joint After Action Report: Outline the process for creating and reviewing an After Action Report. Include implementation guidelines and documentation for any “lessons learned” changes to existing plan(s).
• Stress Test Response Plans: Conduct joint annual cyber incident response exercises. Depending on program maturity, these could be orientation, tabletop (basic and advanced), functional or full-scale exercises.
While not all-inclusive, this list is intended to serve as a starting point for a conversation in your organization about how a collaborative strategy can make your company stronger and more cyber-resilient. This strategy will help ensure the success of both the BCP and InfoSec teams while providing for the cyber and information security of the company each is committed to protecting.