Why you need a cybersecurity incident response plan with DR

Business continuity and disaster recovery are often linked, but a cybersecurity incident response may be a stand-alone activity, which shouldn't be the case.

Outcomes of a cybersecurity event can be just as damaging to an organization as a more traditional business continuity/disaster recovery event. But despite the possibility of each reporting to the same department, the disciplines typically do not interact.

In the typical arrangement, an overall incident response plan is the trigger from which both a cybersecurity incident response plan and business continuity/disaster recovery (BC/DR) activities launch, but the two do not interact after that. BC and DR activities themselves are typically linked and collaborative.

By contrast, a comprehensive BC/DR and cybersecurity strategy proposes a different and potentially more effective approach to the relationship of the three disciplines. Once an event occurs, regardless of which of the disciplines responds -- or which has primary responsibility for the incident -- all three work together.

Typical BC/DR and cybersecurity incident response

The second figure suggests a way to leverage the skills and resources of the three disciplines to achieve maximum value in the aftermath of an incident, especially a cyber incident. But a simple diagram is not enough. You'll want to find ways to validate the collaboration of the disciplines.

Comprehensive BC/DR and cybersecurity approach

Justifying the collaboration

A cyberattack affects the entire business, not just the servers, networks, data, firewalls or other assets. And a disruption to each of these assets affects the organization and its critical functions.

Based on the nature of the cyber event and its extended effect on company assets, what plan or plans would you launch? Cybersecurity? Disaster recovery? Business continuity?

During the incident response, you'll assess the event: what it is, what it affects, how severe it is and how it can be mitigated. At some point in the incident response plan timeline, a decision must be made as to whether other plans should be activated.

A key question is: At what point does one plan end and another begin? Let's assume the cybersecurity incident response plan is in action, and it's determined that several servers have been compromised. Do you switch over and launch the DR plan? What happens to the cybersecurity plan? If such a transition occurs, how is that transition determined? Who makes that determination? Are those instructions written into each plan?

If each of the disciplines is represented in your organization, it's likely they have been fully justified to senior management. Move the bar higher by discovering ways to leverage the benefits of each discipline. From an audit perspective, it may be necessary to develop new controls that address linkages and ground rules for how and when each plan is used.

Tips for bridging the gap

Consider the following tips to effectively combine a cybersecurity incident response plan with your BC/DR plans:

  • Establish cooperation across the plans and their teams. Agree that the disciplines should be more closely aligned and determine new ground rules for how the plans interact, how they are triggered and how they manage the incident.
  • Set procedures for how the teams interact from when the incident occurs to when it ends. Each plan should include guidance and contact details for launching another plan, procedures for communicating among the teams, and a joint post-event review of how the plans worked and how their teams performed.
  • Examine existing plans in the context of a broader range of potential incident scenarios. Cybersecurity events are often different from those associated with BC/DR. Examine the incident scenarios addressed in the cybersecurity incident response plan and BC/DR plans, and look for areas of commonality and overlap. Recognize that a cybersecurity event could evolve into a BC/DR event. Conversely, a BC/DR event could potentially open the door to a cyber event. For example, a catastrophic failure of network firewalls could enable unauthorized data to pass into the organization's internal networks.
  • Identify transition points where an incident response plan can launch another plan or more than one plan. When an event occurs, the incident response team moves quickly to determine the nature of the incident. Based on the team's determination and discussions with internal subject matter experts, a specific plan may be launched. Prior to such an event, develop rules and procedures for situations when the incident escalates to more than the initial plan can handle. These transition points are built into each plan to establish criteria for launching additional plans.
  • Establish joint planning and management activities. Ensure that the various teams meet periodically to discuss planning activities, new technologies, information sharing and strategies for responding to events. This is also a good opportunity to discuss individual plans, document how they can work collaboratively and identify ways of improving them.
  • Schedule joint exercises. When developing exercises associated with a cybersecurity incident response plan and BC/DR plans, consider performing joint exercises. These validate transition planning and information sharing between the teams, and increase the likelihood of a successful recovery and resumption of business operations.