Coordinating security response and crisis management planning

By Martin Welsh and Keith Taylor.

Too often, information security incident response plans, disaster recovery plans and business continuity plans are not aligned with the overall corporate crisis management process. Now, more than ever, an organization must be able to respond quickly to a security breach, both with a tactical technical response and with a coherent strategic corporate message. In this article we discuss the benefits of, and offer an approach to, integrating the security response process into the overall corporate crisis management plan.

Similar effort goes into building, managing, exercising and maintaining both security incident response plans and overall corporate crisis management plans. For most organizations the escalation, notification and decision-making process is similar regardless of the type of incident. The struggles organizations encounter while developing these plans also tend to be similar: building awareness, understanding roles and responsibilities, and allocating time and resources (financial and human) can all be impediments to sound response plans.

Better plans can be developed by overcoming these shortcomings through integration.

Creating a security emergency response team (SERT)

There are two types of SERTs within an organization: a strategic team and a tactical team. The strategic team focuses on the overall direction for the company. The tactical team notifies the strategic team of every incident, and the strategic team determines whether executive management needs to be notified. If the incident is affecting a large percentage of the company, for example a DDoS attack, the strategic team will be notified and the head of that team will notify executive management.

The strategic SERT team is made up of the following:

  • Chief information officer (CIO): the CIO of the company will report up to an organization’s executive management on the status of the incident. The escalation process should detail when executive management will be notified (start of incident, during, or after), and what will be reported as well. The CIO’s overall responsibility is to provide the executive management team with an overall picture of what is happening within the organization. This executive reporting process must be appropriate for the audience, and the individual presenting it must know how to communicate so that executives understand the situation and are enabled to make the correct decisions regarding the incident. The executive management team makes the final decision on how to respond to the incident based on the input from the CIO.
  • The chief information security officer (CISO) or IT security director: overall IT security for the organization is the primary responsibility of this role. The CISO typically develops the strategic SERT plan for the company. In devising the plan he/she must ensure that every type of incident and the associated reaction is addressed. For the plan to be successful, it must have executive support. The plan must become a living document in which changes and maintenance are encouraged on a regular basis. The plan also needs to be tested on a regular basis (once a quarter, twice a year, etc.) via a tabletop walk-through exercise with strong representation from both the strategic and tactical teams, so that everyone understands their roles and responsibilities. Adding these steps will help the plan become part of an organization’s overall security program, and ensure that it remains valid and up to date.

The CISO has a role on both the strategic and tactical SERT teams. By being a member of both teams, she/he can report up to the CIO on the progress made combating the incident.

The one group most SERT plans overlook is the business units (BU). That issue leads us back to the topic of this paper, linking the SERT with an organization’s existing crisis management plan. Integrating these two initiatives helps ensure that, not only is executive reporting and management in place, but that the business areas are better prepared to respond to any form of incident or business interruption, be they cyber, man-made or natural.

Within each business unit a director or higher is typically appointed to the strategic team. As the security team evaluates which incidents are happening and how, the business units notify the SERT team of how those incidents are affecting business applications or business processes. Information security may think a particular incident is a Priority-1, but adding the response from the business unit may reveal that the incident is actually only a Priority-3 or lower. The business units become an integral part of the SERT team and of the evaluation process. Since most incidents affect a business application, the business unit representatives are the ones best equipped to inform the CIO when the impacted application is functioning correctly again. The business unit representatives also add their assessment when creating an incident matrix, which is used when strategic incidents occur.

An example incident matrix can be seen below:

[Figure: Incident matrix]

Notes on the matrix:

  • If there is a fast-spreading new worm or virus, do an immediate callout.
  • Malicious code includes bots, Trojans, worms and viruses.
  • There is a thin line between a probe/scan and attempted or unauthorized access.

During an incident the strategic team typically sets up a conference call as part of a preliminary response. During this conference call each team member will identify themselves. The call will take place within the timeframe allotted. During the initial call the type and potential severity of the incident is identified, including impacted systems and applications. This call helps determine if the incident is spreading within the company. During subsequent calls with the team initial response effectiveness is gauged. If these initial actions aren’t effective the strategic team will change the direction of the tactical team.

Within the strategic team it is important that only one clear message is sent to the executive team and to employees. More than one message would confuse personnel within the company. Also, only executives or identified personnel are allowed to speak to the media if asked about the incident.

It is difficult to create a matrix that covers all types of incidents, but it helps greatly if the SERT team holds brainstorming sessions with everyone involved. This gives direct buy-in from the business units instead of working within an IT vacuum, as tends to happen. Once the matrix is created it is presented to a director-level person for approval.

The functions of the strategic team are to:

  • Make a preliminary assessment of the damage;
  • Notify senior management on the current status, impact to business and plan of action;
  • Declare a disaster if necessary;
  • Initiate the plan during an emergency situation;
  • Organize and control a command center as a central point of control of recovery efforts;
  • Organize and provide administrative support to recovery efforts;
  • Administer and direct the problem management function.

Once the incident is closed a root cause analysis (RCA) is performed. Key points of this analysis include:

  • The CISO is responsible for ensuring timely completion of the RCA report.
  • RCA is mandatory for all critical situations.
  • Capture the inputs from all stakeholders within <N> business days after the root cause is identified.
  • The draft RCA report is reviewed with all stakeholders within the next <N> business days after problem resolution.
  • The RCA document is available at <common location>.
  • The RCA report clearly captures lessons learned and action items.
  • The final RCA report, after review with all stakeholders, is to be formally accepted by the customer within <N> weeks.

Why is crisis management planning so important?

Crisis management plans allow organizations to respond quickly and efficiently to an event. While emergency response deals with evacuation and staff safety, crisis management takes the next step beyond the initial emergency and deals with the escalation and decision making process that executives and operations must utilize to protect the organization at time of incident.

Crisis management provides the means to integrate and coordinate an organization’s overall response. This process links emergency response management to business continuity and disaster recovery and provides companies with:

  • An incident response organizational structure, such as:
    • Internal to crisis management: providing consistent communication flow;
    • In context of greater response planning: alerting appropriate company management;
    • Interfacing with external entities: such as customers, analysts, and media.
  • Linkage to alerting (emergency response);
  • Assessment and decision making: pulling in appropriate management, executives, operations and vendors needed to support the incident;
  • Structure for initiation and ongoing monitoring / management of a situation;
  • Processes and tools to support status reporting, escalation, and de-escalation.

Recent history is full of stories of organizations that have responded well (think Odwalla Juices) and not so well (Exxon) to business emergencies.

Odwalla acted quickly, took responsibility, addressed the problem and rebounded as an organization. It spent millions on the recall and process improvements, and paid the largest fine ever assessed by the FDA at the time. Yet this is an incident that today is not widely talked about or remembered.

Conversely, Exxon handled the Valdez incident poorly: media communication was weak, clean-up was slow, and so was its acceptance of culpability. This ended up costing Exxon billions of dollars in fines and even more in reputation loss.

Pulling it all together

There are similarities in the security response and crisis management plans and linking them will help pull the pieces together to better prepare an organization to respond to an incident: any incident! Integrating information security into the crisis management process, and further into business continuity and disaster recovery, better prepares an organization to respond effectively.

Why linking the processes is important

Many organizations let minor incidents turn into major events because their initial response is weak. Delays and confusion at the front end of an issue can allow it to mushroom into a much worse incident. Don’t let that happen to your organization: link your incident response plans together into comprehensive action plans that pull in executive, operational, technical and third-party support able to respond quickly to any event.

Remember:

  • Integrated planning builds an integrated and accurate communication process.
  • Combining the efforts ensures more successful business area buy-in.
  • Business unit involvement makes the assessment process more accurate.
  • Maintaining the plans better prepares your organization to respond to any outage, event or incident.

About the authors:

Martin Welsh, CBCP, MBCI, leads the Disaster Recovery and Business Continuity practice at Cognizant, a global provider of IT, consulting, and BPO services.

Keith Taylor, MS, leads the IT Security Professional Services practice at Cognizant. He has over 15 years overall in IT security controls in global security operations and security appliances.

Cognizant retains the copyright for this article.

Date: 25th October 2013 • World • Type: Article • Topic: ISM
