PM Confidential: Security, Business Continuity, and Disaster Recovery

Our last Security TPM article is a big one - discussing security, business continuity, and disaster recovery. Pour yourself a cup of coffee and give yourself a minute. There are a lot of big ideas to absorb but I'm going to keep the main points near the top because I value your time. No security org can operate without a strong sense of how to continue business operations or how to recover from a disaster. Indeed, one of your top priorities will always be: 'how to go on when things go wrong.'

But you're smart, you already know this. Business Continuity / Disaster Recovery (BC/DR) is often already in place in a large organization. However, you may be pulled into the discussion because A) opportunities for improvement have been identified or B) the plan wasn't sufficient for real-world expectations and attacks. Let's focus on the 'how' of disaster recovery and business continuity in an infosec context, assuming that you're being dropped into an organization that already has many/most of these resources in place. Where to begin?

Perform Gap Analysis on Existing BC/DR plans

Reviewing an enterprise Business Continuity (BC) and Disaster Recovery (DR) plan for gap analysis involves assessing the existing plan against established standards, best practices, and organizational requirements. As a Security Technical Program Manager (TPM), here is a step-by-step guide for conducting a thorough gap analysis. I'm going to give you some bullet-points and then if you need more information, please feel free to reach out and we can drill in for greater depth:

1. Understand the Organizational Context:

  • Familiarize yourself with the organization's overall structure, goals, and objectives.
  • Understand key business functions, critical assets, and dependencies.

2. Review Relevant Standards and Frameworks:

  • Identify the applicable standards and frameworks for BC/DR, such as ISO/IEC 22301, NIST SP 800-34, NIST Cybersecurity Framework, and any industry-specific standards.

3. Perform a Document Review:

  • Obtain a copy of the existing BC/DR plan and associated documentation.
  • Ensure you have access to policies, procedures, and any related incident response plans.

4. Assess Alignment with Standards:

  • Evaluate the existing plan against the requirements of relevant standards and frameworks.
  • Identify areas where the plan aligns well and areas where there might be gaps.

5. Conduct a Business Impact Analysis (BIA) Review:

  • Assess the completeness and accuracy of the Business Impact Analysis (BIA).
  • Verify that critical functions, dependencies, and recovery time objectives (RTOs) are accurately identified.

6. Evaluate Risk Management Practices:

  • Review the risk assessment methodology used in the plan.
  • Assess how well risks are identified, analyzed, and managed, considering both security and business continuity aspects.

7. Check Incident Response Integration:

  • Evaluate the integration of incident response procedures within the BC/DR plan.
  • Ensure that security incidents are appropriately addressed in the context of business continuity.

8. Examine Communication Protocols:

  • Review communication plans and protocols during an incident.
  • Assess how well internal and external communication is addressed.

9. Evaluate Testing and Exercise Plans:

  • Assess the comprehensiveness of testing and exercise plans.
  • Ensure that various scenarios, including security incidents, are considered in testing.

10. Check Documentation and Version Control:

  • Ensure that all documentation, including the BC/DR plan, is up-to-date.
  • Verify that version control mechanisms are in place.

11. Assess Training Programs:

  • Review training programs for personnel involved in BC/DR activities.
  • Assess the adequacy of training in both security and business continuity aspects.

12. Evaluate Continuous Improvement Processes:

  • Check for mechanisms that facilitate continuous improvement.
  • Assess how lessons learned from testing and incidents are incorporated into the plan.

13. Consider Legal and Regulatory Compliance:

  • Assess the BC/DR plan's alignment with legal and regulatory requirements applicable to the organization.

14. Engage Stakeholders:

  • Collaborate with key stakeholders, including IT, operations, legal, and senior management.
  • Obtain feedback on the practicality and effectiveness of the plan.

15. Document Findings:

  • Create a comprehensive report documenting the identified gaps and areas of strength.
  • Prioritize the gaps based on severity and potential impact.

16. Develop an Action Plan:

  • Propose remediation steps for each identified gap.
  • Clearly outline the action items, responsible parties, and timelines for addressing the gaps.

17. Communicate Recommendations:

  • Present your findings and recommendations to relevant stakeholders.
  • Seek approval and support for implementing the suggested improvements.

18. Follow-Up and Iterative Improvement:

  • Monitor the implementation of recommended changes.
  • Establish a process for ongoing review and improvement of the BC/DR plan.

One of the reasons I recommend beginning with a gap analysis is to identify areas for improvement in the enterprise BC/DR plan. PLUS, you'll come out of that gap analysis with a better understanding of what the BC/DR plan actually is. This holistic exercise will ensure that any recommendations you make align with best practices, standards, and the organization's specific requirements.
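Steps 5 and 9 above (the BIA review and the testing review) are where a gap analysis stops being a document read-through and becomes something you can measure, so here is an added example of the checks I would actually run against a BIA. It is not code from the original article; the data is constructed, the system names are hypothetical, and the severity labels and check names are my own. It flags four things a paper review routinely misses: a critical function with no RTO, a dependency that isn't in the BIA at all, a function whose RTO is shorter than the RTO of a system it depends on (mathematically impossible to meet), and an RTO that the last DR exercise actually blew through.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class BiaEntry:
    function: str                      # business function or system named in the BIA
    rto_hours: Optional[float]         # recovery time objective; None means the BIA never set one
    depends_on: list = field(default_factory=list)   # other BIA entries this one needs to recover

@dataclass
class ExerciseResult:
    function: str
    observed_recovery_hours: float     # measured during a DR exercise, not estimated

@dataclass
class Gap:
    severity: str                      # "high" or "medium"
    kind: str
    function: str
    detail: str

# Constructed sample data with hypothetical system names (not from any real BIA).
SAMPLE_BIA = [
    BiaEntry("customer-payments", 4.0, ["core-database", "identity-provider"]),
    BiaEntry("core-database", 8.0),
    BiaEntry("identity-provider", 2.0, ["hsm-cluster"]),
    BiaEntry("internal-wiki", None),
    BiaEntry("reporting-warehouse", 48.0, ["core-database"]),
]
SAMPLE_EXERCISES = [
    ExerciseResult("customer-payments", 6.5),
    ExerciseResult("core-database", 7.0),
    ExerciseResult("identity-provider", 1.0),
]

def find_bia_gaps(bia, exercises):
    """Cross-check BIA entries against each other and against DR exercise results."""
    by_name = {e.function: e for e in bia}
    worst_observed = {}
    for r in exercises:
        # If a function was exercised more than once, judge it by its slowest recovery.
        worst_observed[r.function] = max(worst_observed.get(r.function, 0.0),
                                         r.observed_recovery_hours)
    gaps = []
    for e in bia:
        if e.rto_hours is None:
            gaps.append(Gap("high", "MISSING_RTO", e.function,
                            "BIA entry has no recovery time objective"))
        for dep in e.depends_on:
            d = by_name.get(dep)
            if d is None:
                gaps.append(Gap("high", "UNKNOWN_DEPENDENCY", e.function,
                                f"depends on {dep}, which is not in the BIA"))
            elif (e.rto_hours is not None and d.rto_hours is not None
                  and d.rto_hours > e.rto_hours):
                # A function cannot be back inside its RTO if something it needs takes longer.
                gaps.append(Gap("high", "DEPENDENCY_RTO", e.function,
                                f"RTO {e.rto_hours}h but dependency {dep} has RTO {d.rto_hours}h"))
        if e.function not in worst_observed:
            gaps.append(Gap("medium", "NOT_EXERCISED", e.function,
                            "no DR exercise result on record"))
        elif e.rto_hours is not None and worst_observed[e.function] > e.rto_hours:
            gaps.append(Gap("high", "RTO_MISSED", e.function,
                            f"exercise took {worst_observed[e.function]}h against RTO {e.rto_hours}h"))
    order = {"high": 0, "medium": 1}
    gaps.sort(key=lambda g: (order[g.severity], g.function, g.kind))
    return gaps

def gap_kinds(gaps):
    """Compact (kind, function) view, handy for diffing two analyses."""
    return sorted({(g.kind, g.function) for g in gaps})

if __name__ == "__main__":
    for g in find_bia_gaps(SAMPLE_BIA, SAMPLE_EXERCISES):
        print(f"[{g.severity:6}] {g.kind:18} {g.function}: {g.detail}")
```

On the sample data this reports customer-payments twice (its database dependency has a longer RTO than it does, and the last exercise missed the RTO anyway), identity-provider once (a dependency nobody put in the BIA), and the two functions that were never exercised. Feed it the real BIA export and exercise log and the output is the first draft of step 15's prioritized findings.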

"Help - they don't have ANY BC/DR plan!"

So, what if the company doesn't have any plans? Well, that's a big deal. You need to start by getting the important people together. Make a plan for the plan! Talk about how to handle problems, what to do if something bad happens. Get everyone to agree and then start making the plan step by step. Remember, this isn't just a plan. It's like a big project. You need to break it into small pieces and make sure everyone knows what they're doing. It might take some time, but with your help, the company can be ready for anything that comes its way!

First things first, creating a BC/DR plan should involve key stakeholders like the CEO and the rest of the senior leadership team (SLT). In fact, the CISSP body of knowledge recommends having the CEO sign off on the plan so that everyone else understands how important this is for the business. Your 'plan to create the plan' should address the following four areas:

  • Risk Management: Describe how your organization assesses and manages risks, particularly those related to security, in alignment with the frameworks you've selected.
  • Incident Response and Recovery Procedures: Outline the steps your organization takes to detect, respond to, and recover from security incidents.
  • Collaboration and Communication: Emphasize collaboration with internal and external stakeholders, as well as communication strategies during security-related incidents.
  • Training and Testing: Highlight ongoing training for staff and regular testing of the disaster recovery plan to ensure its effectiveness and alignment with the selected security frameworks.

Building a BC/DR Plan From Scratch (TL;DR version)

Depending on the size/scope of the organization, a comprehensive BC/DR plan can take weeks/months/years to develop and implement. No panicking! If they're asking you - the new resource - to build the plan then let's approach the situation with compassion, comprehension, and a systematic approach. You're a TPM, so you'll understand it when I say: "Treat it like a project."

That's right - BC/DR plans are projects unto themselves. They should have charters, stakeholder buy-in, milestones, deliverables, resources and a program workbook to highlight any challenges you need your stakeholders to be aware of. Use Waterfall to break it down into a WBS, or use Agile to create program epics, break those program epics to epics, epics to user stories, and so forth. Break the work down into simple easy-to-accomplish chunks.

As you create the "BC/DR Plan" project, you'll need to be aware of ALL THE AREAS your plan will be addressing. For a single Security Technical Program Manager (TPM) assigned to building a Business Continuity (BC) and Disaster Recovery (DR) plan from scratch, here are the major areas you'll be focusing on in the first 180 days of your assignment:

1. Understand Organizational Context:

  • Familiarize yourself with the organization's structure, business functions, and key assets.
  • Identify stakeholders and their roles in the BC/DR planning process.

2. Define Objectives and Scope:

  • Clearly define the objectives of the BC/DR plan.
  • Define the scope, including systems, processes, and personnel that are critical for business operations.

3. Select Appropriate Standards and Frameworks:

  • Choose the applicable standards and frameworks based on the organization's needs: ISO/IEC 22301:2019, NIST Cybersecurity Framework, NIST SP 800-53, ISO/IEC 27001:2013, ISO/IEC 27002:2013, and NIST SP 800-37 Revision 2. Note that the 2013 editions of ISO/IEC 27001 and 27002 have since been superseded by 2022 editions; confirm which edition your auditors and customers expect before you commit to one.

4. Perform a Gap Analysis:

  • Use the gap analysis process to assess the current state against the chosen standards and frameworks.
  • Identify areas where the organization currently complies and areas that need improvement.

5. Establish a BC/DR Team:

  • Assemble a cross-functional BC/DR team with representatives from IT, operations, legal, and other relevant departments.
  • Define roles and responsibilities within the team.

6. Conduct a Business Impact Analysis (BIA):

  • Perform a BIA to identify critical business functions and their dependencies.
  • Assess the potential impact of disruptions on these functions.

7. Risk Assessment:

  • Conduct a risk assessment using the risk assessment process ISO/IEC 27001:2013 requires (clause 6.1.2), with the NIST SP 800-53 control catalog as a checklist of what can fail.
  • Evaluate the potential impact and likelihood of risks on business operations.

8. Security Controls Implementation:

  • Implement security controls from ISO/IEC 27001:2013 and NIST SP 800-53 to address identified risks.
  • Integrate security controls into the BC/DR plan.

9. Mapping to ISO/IEC 22301:2019:

  • Use the mapping document (NIST SP 800-53 Revision 5 to ISO/IEC 27001) to align your security controls with ISO/IEC 27001 Annex A. There is no official NIST mapping to ISO/IEC 22301:2019, so the bridge from there is Annex A.17 of ISO/IEC 27001:2013 (information security aspects of business continuity management), which you cross-reference to the 22301 requirements yourself.

10. Develop Policies and Procedures:

  • Develop detailed BC/DR policies and procedures aligned with ISO/IEC 22301:2019 and other chosen standards.
  • Ensure that policies cover incident response, recovery, and communication protocols.

11. Incident Response Planning:

  • Integrate incident response plans, aligning with NIST Cybersecurity Framework principles.
  • Clearly define roles and responsibilities during security incidents.

12. Communication Plan:

  • Develop a communication plan for internal and external stakeholders during and after an incident.
  • Consider recommendations from ISO/IEC 22301:2019 and NIST Cybersecurity Framework Version 1.1 (NIST published CSF 2.0 in February 2024; check which version your organization is mapped to).

13. Training and Awareness Programs:

  • Implement training programs to raise awareness among employees regarding their roles and responsibilities.
  • Align training with ISO/IEC 22301:2019 and other relevant standards.

14. Testing and Exercises:

  • Develop a comprehensive testing and exercise program, considering recommendations from NIST SP 800-53 (the CP-4 Contingency Plan Testing control in particular) and ISO/IEC 22301:2019.
  • Include scenarios that involve security incidents.

15. Documentation and Version Control:

  • Document all aspects of the BC/DR plan in accordance with ISO/IEC 22301:2019 and other standards.
  • Implement version control mechanisms for documentation.

16. Continuous Improvement Process:

  • Establish a process for continuous improvement based on lessons learned from testing and incidents.
  • Regularly review and update the BC/DR plan.

17. Compliance Check:

  • Regularly check for compliance with chosen standards and frameworks.
  • Update the plan to meet changing compliance requirements.

18. Communicate and Gain Buy-In:

  • Communicate the plan across the organization.
  • Gain buy-in from key stakeholders and ensure that everyone understands their roles and responsibilities.

19. Follow-Up and Iterative Improvement:

  • Monitor the implementation of recommended changes.
  • Establish a process for ongoing review and improvement of the BC/DR plan.

These 19 areas seem like a lot, but when you break them down into a project plan, those chunks become very doable. In fact, feel free to use this material when you create your program charter for buy-in with your boss and executive stakeholders. Don't be shy about asking for resources, buy-in, and support - business continuity and disaster recovery are big jobs, and your exec stakeholders will know that.

In wrapping things up, let's chat about why making a strong plan for when things go haywire is super important for any security team. This article has walked you through the nitty-gritty of checking and improving your existing plans or even starting a brand-new one. If you're a Security Technical Program Manager (TPM), this guide is here to help you step by step. Whether you're polishing up what's already there or starting fresh, the key is to match up with global standards like ISO/IEC 22301:2019, NIST Cybersecurity Framework, and NIST SP 800-53. Understanding how your company works, dealing with risks, and responding to incidents are big parts of this. Starting with a check-up helps find what's working well and what needs a little boost, setting you up for improvements that follow the best ways of doing things. And if you're on the exciting journey of creating a plan from scratch, a chill and organized approach, plus teamwork with others in the company, is the way to go. Remember, this isn't just about making a plan; it's like putting together a cool project. So, take it step by step, get the nod from the big bosses, and make it happen. With care and a full-on approach, you, as a Security TPM, can make sure your team is all set to handle whatever curveballs come their way, standing strong through the ups and downs. You've got this!

Helpful Resources

Don't freak out when you read this list - these aren't documents you should expect to memorize. Just as lawyers 'don't always know the answer but they know where to look,' Security TPMs know where to look for relevant information on infosec topics:

1 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 22301:2019, https://www.iso.org/standard/75106.html

2 National Institute of Standards and Technology (NIST), Cybersecurity Framework, USA, https://www.nist.gov/cyberframework

3 National Institute of Standards and Technology, Cybersecurity Framework Version 1.1, USA, April 2018, https://www.nist.gov/cyberframework/framework

4 National Institute of Standards and Technology, Special Publication (SP) 800-53 Revision 5, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

5 International Organization for Standardization/International Electrotechnical Commission, https://www.iso.org/standard/54534.html

6 International Organization for Standardization/International Electrotechnical Commission, https://www.iso.org/standard/54533.html

7 National Institute of Standards and Technology, NIST SP 800-53 Revision 5 to ISO/IEC 27001 control mapping, https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-to-iso-27001-mapping.docx

8 ISO/IEC 27002:2013

9 National Institute of Standards and Technology, SP 800-37 Revision 2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
