Security – ISMS – BCP and DRP

BCP and DRP

Requirements

In business, BCP and DRP are essential to help deal with unexpected situations. This is because they can cause interruption or degradation of operational company functions. The best case scenario is that they cause nothing more than a minor inconvenience to an organisation. However, extreme situations can lead to the suspension of the entire business operational capability; during a major natural disaster, for example.

A healthy organisation will have Business Continuity Plans in place that are designed to: a) enact contingencies to keep the business at least partly operational, while b) full recover of the business is delivered. To aid Business Continuity, a range of Disaster Recovery Plans are needed to ensure every aspect of the business is restored. These plans will include anything from the recovery of relatively trivial operational functions to major, long-term efforts, such as relocation to new premises in the event of a catastrophic natural disaster.

It would be easy to assume that security is not relevant during a disaster situation. After all, keeping the business afloat and subsequent full recovery of the business are of paramount importance. However, it is during disaster situations that technology systems may be most vulnerable to attack.

During a major disaster, the primary focus will be on recovery of the business from that disaster. In this situation, there is a risk that the security framework is demoted to an ‘afterthought’, only to be dealt with when the business is back on its feet. If this approach is taken, there is a very real threat of cyber-incidents at a time when the business cannot afford to be further compromised.

So, to ensure that the security framework remains effective during a disaster situation – and that the security framework itself survives – information security considerations must remain ‘front of mind’ at all times. This means security measures must be integrated into the Business Continuity Planning processes of the organisation.

Details of how security will be maintained during BCP and DRP efforts should be recorded in the ISMS, and should involve:

• Planning Information Security in Business Continuity events
• Implementing Information Security in Business Continuity events
• Verifying and Evaluating Information Security in Business Continuity events

Policy Explanation

The three key policy areas as they relate to Business Continuity and Disaster Recovery are designed to:

1. ensure security remains effective during an adverse/disaster situation;
2. recover normal security measures during an adverse/disaster situation, or implement suitable modifications to those measures to maintain the desired security stance;
3. ensure that security of information can be verified, ie provide confirmation of the effectiveness of the existing and modified security measures during an adverse/disaster situation.

The goal is to ensure that information security receives the necessary attention during a disaster situation. Information security management should assume that security requirements remain the same in unfavourable situations as during normal operational. To facilitate this, organisations must identify and acknowledge their essential security measures when developing the Disaster Recovery and Business Continuity Plans.

Maintaining security measures during a disaster can sometimes be a contentious approach, especially when the situation is likely to challenge the core principles of the ISMS. For instance, it may be considered unreasonable to rigidly adhere to a security measure when a contingency activity is more important for the survival of the company.

To navigate these complex considerations, it would be prudent to involve independent Information Security professionals when developing the organisation’s BCP and DRP. This will allow realistic evaluation of which security measures must be maintained and when it is appropriate to relax the rules to facilitate business recovery.

During an adverse situation, security considerations should be included within the situation impact analysis in response to the event, ie efforts required to maintain security need to be embedded in the recovery exercise. However, when ‘in the thick of the action’ during DR efforts, a call may need to be made on whether a security measure really is immovable, eg where access controls to some core technology absolutely must be maintained to observe legislative obligations when there is a perceived negative impact on the livelihood of the organisation. Here too, the availability of independent IS Security resources during execution of BCP and DRP tasks can help guide the organisation to a sensible approach.

Finally, in a disaster situation, it is important that the security checks usually carried out when business is operating normally are still in effect. When standard verification of security measures is impossible, alternative controls may need to be applied to confirm effectiveness of the defences. These modified evaluations may need to be developed at short notice then enforced and maintained during the ongoing adverse situation.