Business Continuity in Information Security
What is a BCMS (Business Continuity Management System)?
· A Business Continuity Management System (BCMS) specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system that protects against disruptive incidents, reduces the likelihood of their occurrence, and prepares the organization to respond to and recover from them when they do arise.
· The standard for a Business Continuity Management System is ISO 22301. It was first published in May 2012 (ISO 22301:2012) by the ISO technical committee on societal security and has since been revised as ISO 22301:2019.
Information security does not cover every aspect of business continuity. ISO/IEC 27001:2013 (Annex A.17) addresses only selected aspects: Information Security Continuity and Redundancies.
According to ISO 27001, Information Security Continuity broadly covers the following:
1. Planning Information Security Continuity-
Planning InfoSec continuity is an important part of building the ISMS manual.
While planning, consider the situations that could have a catastrophic impact on the business: earthquake, flood, tsunami, volcanic eruption, terrorist attack, political strike, power failure, system breakdown, critical data breach (by an internal or an external entity), cyber-attack or hacking. For such incidents the organization must have a 'Plan B' ready so that the confidentiality, integrity and availability of its information are not put at stake; information security has to remain uncompromised in every situation.
Planning Information Security Continuity comprises the following 3 steps:
Step-1: The organization needs to identify all applicable situations (e.g. those mentioned above) according to its geographic location, availability requirements, manpower etc. For example, if your office is in a historic or prime location of the city, a terrorist attack is a realistic possibility. From an information security point of view the organization should then have strong physical security, a designated secure assembly area, a safe evacuation route out of the office, and a procedure for locking the systems that hold confidential information before the premises are left.
Take another example: floods. Assume your office is in an area highly vulnerable to flooding. Your plan then depends on which floor the office is situated on.
If it is on the ground or first floor, the probability of water entering the premises is high; on a higher floor the systems inside the office are unlikely to be affected directly. In both cases the organization also needs a plan for employees being unable to travel from home to the office because public transport has temporarily collapsed.
Step-2: The Information Security team needs to write down all the applicable threats to the organization that may harm the company's information security.
Now the question arises: how are all these scenarios brought together?
The answer is simple: the Information Security team should hold a brainstorming session covering all the situations. They should also check historical data on past events that disrupted the organization's business continuity. There are several other methods for understanding critical situations and working on them, such as the business impact analysis and risk assessment that ISO 22301 requires.
Step-3: After understanding all the scenarios, the organization needs to evaluate the probable solution for each such event. Management involvement is required here: only after approval of items like the budget can the InfoSec team commit to a solution for each problem.
E.g. in several industries inflammable materials are kept outside the office (paper in the printing industry, for instance); the office itself is then an area where the chances of a fire are high. To handle a fire you need to be ready with fire extinguishers, a fire exit plan, an assembly point etc.
Proper awareness and training sessions and mock drills should also be conducted at regular intervals for employees.
2. Implementing Information Security Continuity
The implementation phase comes after the various scenarios that may have a catastrophic impact on the company's information security have been understood and evaluated. During this phase the organization starts acting on what it has planned.
E.g. installing fire extinguishers, backing up to the cloud, setting up an alternate business site (away from the current location), installing anti-virus software etc.
The Information Security team should maintain logs of all recurring activities; they serve as proof of regular implementation during audits. The data can be captured by regularly filling in checklists that list all the recurring tasks as a reminder for the end user, at a frequency such as daily, weekly, monthly or quarterly.
3. Verify, Review and Evaluate Information Security Continuity
The organization needs to verify the established Information Security Continuity controls at regular intervals. If any change is required, the control is reviewed and changed according to the need.
The effectiveness of the control also matters a lot. For example, if the backup policy approved by senior management is a backup every 3 months, but data loss and other problems show that it is not effective (a single incident can wipe out up to three months of data), it has to be reviewed and, based on that evaluation, the backup policy should be modified.
For more info visit https://www.cunixinfotech.com/
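The checklist logs from the implementation phase and the effectiveness review described in this section can be checked mechanically. The following is an added example, not code from the original article: it assumes a hypothetical evidence log of one line per completed recurring task ("YYYY-MM-DD control result"), a hypothetical policy table of required controls and their frequencies, and reports which controls have no evidence, ran late, or failed on their last run. It also computes, for the backup control, the worst-case data-loss window implied by the gaps between successful runs, which is the number an auditor compares against the interval the backup policy promises.

```python
"""Audit checklist evidence for recurring InfoSec continuity controls.

Added example (not from the original article). The log format, control
names and policy table below are hypothetical, constructed for illustration.
"""
from datetime import date

# Maximum allowed days between two executions of a control at each frequency.
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "quarterly": 92}

# Hypothetical policy: control name -> required frequency.
REQUIRED_CONTROLS = {
    "fire_extinguisher_check": "monthly",
    "offsite_backup": "daily",
    "backup_restore_test": "quarterly",
    "evacuation_drill": "quarterly",
}

# Constructed evidence log (dates and results are made up for the example).
EVIDENCE_LOG = """\
2024-01-05 fire_extinguisher_check ok
2024-02-04 fire_extinguisher_check ok
2024-03-04 fire_extinguisher_check ok
2024-03-25 offsite_backup ok
2024-03-26 offsite_backup ok
2024-03-27 offsite_backup failed
2024-03-28 offsite_backup ok
2024-01-15 backup_restore_test failed
"""


def parse_log(text):
    """Return a list of (date, control, result) tuples; blank/comment lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, control, result = line.split()
        records.append((date.fromisoformat(day), control, result))
    return records


def audit(records, required, today):
    """Map each non-compliant control to a one-line finding.

    A control is reported when it has no evidence at all, when its last run
    did not succeed, when its last run is older than the frequency allows,
    or when two consecutive runs were further apart than the frequency.
    """
    findings = {}
    for control, freq in required.items():
        window = FREQUENCY_DAYS[freq]
        runs = sorted((d, r) for d, c, r in records if c == control)
        if not runs:
            findings[control] = "no evidence"
            continue
        dates = [d for d, _ in runs]
        worst_gap = max([(b - a).days for a, b in zip(dates, dates[1:])] + [0])
        last_date, last_result = runs[-1]
        overdue = (today - last_date).days - window
        if last_result != "ok":
            findings[control] = f"last run failed on {last_date}"
        elif overdue > 0:
            findings[control] = f"overdue by {overdue} day(s)"
        elif worst_gap > window:
            findings[control] = f"missed period (gap of {worst_gap} days)"
    return findings


def worst_case_loss_days(records, control):
    """Largest gap in days between consecutive successful runs of a control.

    For a backup control this is the most data (in days) a single incident
    could destroy, which is what a backup policy's interval really promises.
    """
    ok_dates = sorted(d for d, c, r in records if c == control and r == "ok")
    return max([(b - a).days for a, b in zip(ok_dates, ok_dates[1:])] + [0])


if __name__ == "__main__":
    recs = parse_log(EVIDENCE_LOG)
    for control, finding in audit(recs, REQUIRED_CONTROLS, date(2024, 4, 1)).items():
        print(f"{control}: {finding}")
    print("worst-case backup data loss (days):",
          worst_case_loss_days(recs, "offsite_backup"))
```

Run as of 2024-04-01 the audit leaves the fire extinguisher check clean, flags the offsite backup as overdue by 3 days, flags the restore test because its last recorded run failed, and flags the evacuation drill for having no evidence at all. A failed restore test is exactly the kind of signal that should send a backup policy back to management for review.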