Cyber-Security Framework Aids in Business Continuity Planning

Share this post

Jul 30, 2015

Company operations are increasingly intertwined with critical technology. A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business disrupting incident. In order to minimize the risk of technology-related continuity incidents, company-wide computer security best practices are essential.

So, what is BCP in cyber security? Computer and cyber security mitigation measures, along with BCP reviews, can safeguard necessary integrated technologies, prevent hacking, and ensure business continuity planning in cyber security. A breach in computer security can create a temporary or permanent loss of operations, software, and/or vital records.

In 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners. The Energy Sector reported the most reported incidents, followed by critical manufacturing. It is essential that companies share cyber security breach information, review lessons learned, and protect technologies in order to minimize the threat to critical infrastructure.

Reported Business Continuity Cyber-Security Incidents by Industry Sector

The Energy Sector Cybersecurity Framework Implementation Guidance manual states, “ICS-CERT continues to encourage asset owners to report malicious activity impacting their environment even if assistance is not needed or requested.” As incidents are reported, ICS-CERT can provide situational awareness to critical infrastructure industries about similar or related incidents, as well as share data regarding potential hacking and evasive techniques and tactics.

Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements are crucial to re-establish technology-related critical business processes and business continuity planning. In early 2015, the Energy Department released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institutes of Standards and Technology (NIST). In an effort to maintain business continuity, a cyber-security program framework should be implemented.

Business Continuity Plan for Cyber-Security Program + Examples

The cyber-security program framework consists of a continuous seven-step approach that enables organizations to address the steadily evolving risk environment. In order to secure business continuity efforts, companies should evaluate the framework against their current cyber-security efforts.

STEP 1: Prioritize and Scope

  • Address how to frame, assess, respond to, and monitor risk
  • Evaluate industry specific critical infrastructure protection objectives and priorities

STEP 2: Orient

  • Focus on critical systems and assets
  • As resources permit, expand focus to include less critical systems and assets
  • Determine evaluation approach used to identify current cyber security and risk management environment (ex: self-evaluations, third-party evaluations)

STEP 3: Create a Current Profile

  • Evaluate and determine status of current systems and security protocols
  • Identify existing cyber security risk management practices and measure them against best practices and proven frameworks. “It is important to understand that the purpose of identifying a Current Profile is not simply to create a map between organizational practices and Category and Subcategory outcomes, but also to understand the degree to which those practices achieve the outcomes outlined by the Framework.” (Energy Sector Cybersecurity Framework Implementation Guidance, page 10)

STEP 4: Conduct a Risk Assessment

  • Perform cybersecurity risk assessments to identify and evaluate cyber security risks, and determine which are outside of current tolerances

STEP 5: Target Outcomes

  • Identify the desired outcomes and associated cyber security and risk management standards, tools, methods, and guidelines that will mitigate cyber security risks, commensurate with the risk to organizational and critical infrastructure security
  • When creating a Target Profile, the organization should consider:
    • Current risk management practices
    • Current risk environment
    • Legal and regulatory requirements
    • Business and mission objectives
    • Organizational constraints

STEP 6: Determine, Analyze + Prioritize Gaps

  • Identify gaps between current profile and targeted outcomes
  • Mitigation priority levels should be assigned to all identified gaps. Prioritization of gaps should include consideration of current:
    • Risk management practices
    • Risk environment
    • Legal and regulatory requirements
    • Business and mission objectives
    • Any applicable organizational constraints
  • Develop a cybersecurity business continuity plan of prioritized mitigation actions to advance to “Targeted Outcome” based on available resources, business needs, and current risk environment

STEP 7: Implement Action Plan

  • Execute the implementation plan
  • Track progress and completion
  • Evaluate to ensure gaps are closed and risks are monitored