Overview


A disaster, whether natural or man-made, can strike a business without warning and may cause damage serious enough to interrupt operations for a significant period. The result is lost profit and reputation, with negative effects on all stakeholders and on the surrounding community (Brotherston, 2017, p. 53). Planning for a disaster is advisable for every organization (Harkins, 2016, p. 32). A Business Continuity Plan prepares the organization to face all manner of possible disasters, and cybersecurity and the IT infrastructure should be part of the organization-wide plan for the following reasons.

  1. Information technology and cybersecurity are both support business processes that are deeply integrated into the wider organizational environment and therefore need to be included in the overall plan (Harkins, 2016, p. 33).
  2. Contingency planning is a compliance requirement under the data security regulations that govern the handling of personally identifiable information (PII), where it forms part of cybersecurity risk management.
  3. COBIT control objective PO1.2, Business-IT Alignment, requires that IT align with business strategy and that there be “bi-directional and reciprocal involvement in strategic planning.” Strategic planning of that kind succeeds only with a holistic approach.
  4. NIST 800-53 contingency planning requires input on business process requirements from management and from stakeholders in the non-IT departments (NIST, 2015, pp. F-78–79).
  5. It is ethically correct to keep PII confidential and to preserve its integrity and availability (Harkins, 2016, p. 63).

Many information security frameworks are available. For this analysis paper, COBIT 4.1 is the chosen high-level governance framework, because it offers a holistic approach to aligning business requirements with IT programs (Thomas & Tessin, 2017). NIST SP 800-34 Rev. 1 is the chosen contingency planning guide, which is complementary to COBIT’s governance methods (Thomas, 2017). Because terminology varies between sources, this analysis uses the following NIST definitions of plan types.

  • The Business Impact Analysis (BIA) systematically examines business process interruption and its impact on the relevant key business operations (NIST, 2010, p. 7).
  • The Business Continuity Plan (BCP) is the strategic-level plan developed to enable the business to keep functioning at a minimum required operational level. The BCP focuses on sustaining an organization’s mission/business processes during and after a disruption (NIST, 2010, p. 8).
  • In common usage, the Disaster Recovery (DR) plan is a section of the BCP that details procedures such as incident response, triage, or escalation criteria. It is most often associated with the IT systems but can refer to any vital business system (Kunthe, 2012). It may include plans for moving operations to an alternate site or for contracting with outside vendors for services or products (NIST, 2010, p. 8).
  • NIST defines the Disaster Recovery Plan (DRP) more narrowly, as an “information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency” (NIST, 2010, p. 9).

The CISO and the CISO Office staff are responsible for the organization’s cybersecurity program, including emergency operations and the IT portion of BCP and DR planning and implementation. The CERT® Division of the Software Engineering Institute specifically lists the following areas as the responsibility of the CISO and staff (Allen et al., 2015).

  • Incident management and response
  • Detect, triage, analyze, respond to, and recover from suspicious events and security incidents
  • Plan for business continuity
  • IT disaster recovery
  • Test/exercise/drill response plans
  • Test and exercise BC, DR, and incident management (Allen et al., 2015, p. 21)


Planning Phase

The CISO and staff are responsible for business continuity and IT disaster recovery planning. COBIT control objective PO1.2, Business-IT Alignment, specifies that there must be “bi-directional and reciprocal involvement in strategic planning” (ITGI, 2007, p. 30), which requires the CISO staff to work with the relevant stakeholders to develop the strategic and tactical plans. NIST SP 800-34 Rev. 1 lists the following seven steps for creating a comprehensive information system contingency plan (NIST, 2010, p. 13).

  1. Develop the contingency planning policy using input from the CEO’s and CIO’s business-wide governance policies (NIST, 2011, pp. D-1–2).
  2. Conduct the business impact analysis (BIA) to determine the information system dependencies and the business processes each system supports.
  3. Identify preventive controls, drawing on the NIST 800-53 contingency planning (CP) control family (NIST, 2015, p. F-78).
  4. Create contingency strategies.
  5. Develop an information system contingency plan using NIST 800-53 CP-2 (NIST, 2015, pp. F-78–81).
  6. Ensure plan testing, training, and exercises using NIST 800-53 CP-3 and CP-4 (NIST, 2015, pp. F-81–82).
  7. Ensure plan maintenance, using a system development life cycle (SDLC) model to update the plan as needed, per NIST 800-53 CP-2 (NIST, 2015, pp. F-78–81).
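Step 2, the BIA, is the step that turns the dependency picture into a recovery order. As an added illustration (not code from this paper or from NIST), the following script models a small organization with hypothetical process and system names and constructed timing values: each business process carries a maximum tolerable downtime (MTD), systems depend on other systems, and each system has a recovery time objective (RTO) from its recovery strategy. The script propagates the tightest MTD down the dependency graph, produces the recovery priority list, and flags any system whose RTO is longer than the MTD it inherits.

```python
"""Toy business impact analysis (BIA) in the sense of NIST SP 800-34 Rev. 1, step 2.

Added illustration; this is not code from the paper or from NIST. All process,
system and timing values below are constructed sample data.

Model:
  - each mission/business process has a maximum tolerable downtime (MTD);
  - each process depends on one or more information systems, and systems may
    depend on other systems (a storefront needs its database and identity
    service);
  - each system has a recovery time objective (RTO) set by its recovery strategy.

The BIA walks the dependency graph so that every system inherits the tightest
MTD of any process that relies on it, ranks systems by that value to produce
the recovery priority list, and flags systems whose RTO is longer than the
inherited MTD (a gap the contingency strategy must close).
"""
from dataclasses import dataclass, field


@dataclass
class BusinessProcess:
    name: str
    mtd_hours: int            # maximum tolerable downtime
    depends_on: list          # names of information systems used directly


@dataclass
class InfoSystem:
    name: str
    rto_hours: int            # recovery time objective of the recovery strategy
    depends_on: list = field(default_factory=list)  # other systems it needs


# Constructed sample organization (hypothetical names and values).
PROCESSES = [
    BusinessProcess("order intake", mtd_hours=4, depends_on=["web-storefront"]),
    BusinessProcess("customer support", mtd_hours=24, depends_on=["ticketing"]),
    BusinessProcess("payroll", mtd_hours=72, depends_on=["hr-app"]),
]
SYSTEMS = {s.name: s for s in [
    InfoSystem("web-storefront", rto_hours=2, depends_on=["customer-db", "identity"]),
    InfoSystem("ticketing", rto_hours=8, depends_on=["customer-db"]),
    InfoSystem("hr-app", rto_hours=24, depends_on=["identity"]),
    InfoSystem("customer-db", rto_hours=8),
    InfoSystem("identity", rto_hours=6),
]}


def inherited_mtd(processes, systems):
    """Map each system to the tightest MTD among the processes that depend on
    it, directly or through other systems. Dependency cycles are tolerated:
    each system is visited at most once per process."""
    tightest = {}

    def visit(name, mtd, seen):
        if name in seen:
            return
        seen.add(name)
        if mtd < tightest.get(name, float("inf")):
            tightest[name] = mtd
        for dep in systems[name].depends_on:
            visit(dep, mtd, seen)

    for proc in processes:
        seen = set()
        for sys_name in proc.depends_on:
            visit(sys_name, proc.mtd_hours, seen)
    return tightest


def recovery_priorities(processes, systems):
    """Recovery order: shortest inherited MTD first, then by name so the
    result is deterministic."""
    mtd = inherited_mtd(processes, systems)
    return sorted(mtd.items(), key=lambda item: (item[1], item[0]))


def rto_gaps(processes, systems):
    """Systems whose RTO exceeds the MTD they inherit: {name: (rto, mtd)}."""
    mtd = inherited_mtd(processes, systems)
    return {name: (systems[name].rto_hours, limit)
            for name, limit in mtd.items()
            if systems[name].rto_hours > limit}


if __name__ == "__main__":
    for name, mtd in recovery_priorities(PROCESSES, SYSTEMS):
        print(f"{name:15s} inherited MTD {mtd:3d} h   RTO {SYSTEMS[name].rto_hours:3d} h")
    for name, (rto, mtd) in rto_gaps(PROCESSES, SYSTEMS).items():
        print(f"GAP: {name} RTO {rto} h exceeds inherited MTD {mtd} h")
```

Read on its own, an 8-hour RTO for the customer database looks adequate; the dependency walk shows it inherits the storefront’s 4-hour MTD, so the database and the identity service must be recovered first and their recovery strategies reworked. A full NIST 800-34 BIA also records recovery point objectives and work recovery time, which this example leaves out.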


Implementation Phase

The CISO and CISO Office staff are also responsible for the implementation phase of the business continuity and IT disaster recovery plan. In this phase, any additional required infrastructure is acquired and the service level agreements (SLAs) for emergency services or off-site facilities are finalized. Testing and training on the implemented plan confirm that it works in real environments. The plan then needs maintenance as the business grows and vendors change (NIST, 2010, pp. F1–2), and as new technologies improve efficiency or change the products the plan must cover.

  1. Ensure plan testing, training, and exercises using NIST 800-53 CP-3 and CP-4 (NIST, 2015, pp. F-81–82).
  2. Ensure plan maintenance, using a system development life cycle (SDLC) model to update the plan as needed, per NIST 800-53 CP-2 (NIST, 2015, pp. F-78–81).


Execution Phase

The Execution Phase, or Activation Phase, puts the BCP into action in response to an emergency. The CISO manages the Emergency Operations and Incident Command Centers, which are responsible for the activation decision based on the criteria set out in the plan (Allen et al., 2015). The initial steps are:

  • Notify recovery personnel and the CISO of the emergency.
  • Conduct an outage assessment to determine the required chain of actions.
  • Activate the plan (NIST, 2010, p. 36).
  • Collect incident response metrics (Brotby, 2009, p. 156).

Summary

Pairing the COBIT 4.1 governance framework, or the newer COBIT 5, with the NIST 800-53 security controls allows tighter control of the complex cybersecurity and business continuity processes (ITGI, 2007). The holistic approach aligns business divisions and processes closely with IT policy and infrastructure (Brotby, 2009, pp. 11–14), which gives greater assurance that decisions are correct and that limited business resources are allocated correctly. Better protection of critical assets increases the trust of customers and stakeholders, and the resulting gain in reputation supports profitability (Brotby, 2009, p. 39).


References

Allen, J. H., Crabb, G., Curtis, P. D., Fitzpatrick, B., Mehravari, N., & Tobar, D. (2015). Structuring the Chief Information Security Officer Organization. Pittsburgh, PA: CERT® Division, Software Engineering Institute, Carnegie Mellon University.

Brotby, W. K. (2009). Information security governance: A practical development and implementation approach. Hoboken, NJ: John Wiley & Sons.

Brotherston, L. (2017). Defensive security handbook: Best practices for securing infrastructure (1st ed.). Sebastopol, CA: O’Reilly Media.

Harkins, M. W. (2016). Managing risk and information security: Protect to enable. New York: Springer Science+Business Media.

ITGI. (2007). COBIT Mapping: Mapping of NIST SP800-53 Rev 1 with COBIT 4.1. Rolling Meadows, IL: ISACA.

ITGI. (2007). COBIT 4.1: Framework, control objectives, management guidelines, maturity models. Rolling Meadows, IL: IT Governance Institute.

Kunthe, C. (2012). Difference between BCP and DR. Retrieved March 31, 2018, from http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/Pages/ViewDiscussion.aspx?PostID=72

NIST. (2010). Contingency planning guide for federal information systems (NIST Special Publication 800-34 Rev. 1). Gaithersburg, MD: National Institute of Standards and Technology.

NIST. (2011). Managing information security risk: Organization, mission, and information system view (NIST Special Publication 800-39). Gaithersburg, MD: National Institute of Standards and Technology.

NIST. (2015). Security and privacy controls for federal information systems and organizations (NIST Special Publication 800-53 Rev. 4). Gaithersburg, MD: National Institute of Standards and Technology.

Thomas, M. (2017). COBIT 5 and the NIST Cybersecurity Framework – A simplified framework solution. ISACA Now Blog. Retrieved from http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=808

Thomas, M., & Tessin, P. (2017). Implementing the NIST Cybersecurity Framework using COBIT 5. Rolling Meadows, IL: ISACA.