Businesses strive hard to succeed in the industry they operate in and create a business plan to have a workflow with a proper projection for a better future.
Business Plan - How Important Is It?

Organizations big and small, private, public and government must do everything in their power to avert and defend against disasters – man-made or acts of God. However, statistical probabilities dictate that some events cannot be prevented and organizations need to be prepared to contain the damages and proceed with “business as usual.” This document provides an analysis of the business continuity plan and the actions organizations should follow in order to prepare their infrastructure and personnel to deal with an incident.

Similar to preparations against physical warfare, cyber defense preparations should include four stages: 1) intrusion detection; 2) possible damage assessment; 3) selection of defense strategy; 4) execution of the strategy. However, when disaster strikes, it is too late to exercise incident response plans, and according to Walcott, one of the participants in the Cyber Storm II cyber exercise, it is important to know “what escalation plans are available” (Australian Government, 2009) ahead of time. Therefore, it is necessary to develop the business continuation plan and to make sure that everyone in the organization is trained on how to execute it in case of an emergency.

Seymour and Moor (2000) present three stages of the crisis:

Stage 1 – Storm Breaks – there is often a feeling of loss of control; however, the decisions adopted during these few moments will dictate the future direction of incident resolution.

Stage 2 – Storm Raging – the team management usually comes under intense scrutiny as the disaster recovery team is required to identify problems, resolve them within a given timeframe, and communicate progress in order to avert gossip; and,
Stage 3 – Storm Passing – the focus shifts to understanding and explaining what happened and to postulating strategies for disaster prevention.

Figure 1 presents the “Time to Data” chart proposed by Chang (2010). The author presents three stages for the recovery of business operational data, starting with the initiation of Data Recovery (DR) procedures within seconds or minutes of the incident. Within hours after the disaster, the most crucial data is recovered in order to continue business operation. Then, after a few days, data recovery procedures are completed and 75 to 100% of the data is restored.

The potential impact of possible natural disasters, acts of terrorism, and security breaches should be analyzed, and contingency plans developed and implemented, in order to ensure business survivability (ISO/IEC 17799, 2002). Figure 2 presents the visual diagram of the Business Continuity Plan preparation process steps described by the ISO/IEC 17799 Standard. According to this standard, the goal of Business Continuity Management is “to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.” (ISO/IEC, 2002, A.11.1) Organizations may decide on their level of adherence to the standard, from loosely following it, to closely adhering to it, to becoming certified for it. Under the Business Continuity Plan within the standard, there are three main phases – Planning, Testing, and Maintenance. Each phase contains steps pertaining to that phase.

Figure 2. B.C.P. Testing and Maintenance Phases based on ISO/IEC 17799 Standard

CxT Group Michigan, 2415 E. Hammond Lake Drive Ste. 219, Bloomfield Hills, MI 48302 Contact No: (248) 282-5599 Toll Free: (877) 439-2539
Phase I – Planning

The success of a Business Continuity Plan is based on a thorough and accurate security risk assessment. “Risk cannot be mitigated if not defined.” (Carlson, n.d., p. 13). ISO/IEC 17799 requires an organization to:
➢ identify and prioritize its business processes;
➢ identify and assess possible security risks that could threaten business operations;
➢ estimate the likelihood of the risk exposure; and,
➢ analyze the impact that the risk can cause on the business, including operational interruptions, slow down, or shut down.

Organizations may employ various techniques to identify and assess possible risks, including qualitative and quantitative risk analysis methods. By far the most popular approach to assessing possible risk is the qualitative approach. According to C & A Security Risk Analysis Group (2003), most qualitative risk analysis methods use the interrelated elements Threat, Vulnerability and Control depicted in Figure 3. Threats are defined as events that cause an attack on the organization and may include both man-made and natural disasters. Vulnerabilities are corporate assets and processes that can be exploited by the attacker and that may result in damages to an organization. Finally, Controls are measures that can be installed in order to minimize vulnerabilities, and they can be categorized into four elements:
1. Deterrent Controls that reduce the likelihood of attacks;
2. Detective Controls that discover attacks;
3. Preventive Controls that protect vulnerabilities;
4. Corrective Controls that decrease the impact of the attack.

Figure 3. Risk Model adapted from C&A Security Risk Analysis Group (2003)

Once potential disruptors for all business processes are identified and their impact is measured with risk analysis, a strategy can be devised, and the business continuation plan can be written.
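The risk model above (threats, vulnerabilities, and the four control categories applied to the ISO/IEC 17799 planning steps) as a small qualitative risk register, added here as an example and not taken from the paper or from the standard; the three-level scale, the scoring rule and the sample register entries are assumptions.

```python
from dataclasses import dataclass, field

# Constructed three-level qualitative scale (assumption; the page names no scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    process: str            # business process being prioritized (ISO step 1)
    threat: str             # event that could attack the process (step 2)
    vulnerability: str      # asset or process weakness the threat exploits (step 2)
    likelihood: str         # estimated exposure, low/medium/high (step 3)
    impact: str             # operational consequence, low/medium/high (step 4)
    controls: list = field(default_factory=list)  # (category, description) pairs

def residual_score(r):
    """Inherent score = likelihood x impact. Deterrent and preventive controls each
    lower likelihood one level, corrective controls lower impact one level (floor 1).
    Detective controls find the attack rather than reduce it, so they do not change
    the score and are reported separately by detection_gaps()."""
    like, imp = LEVELS[r.likelihood], LEVELS[r.impact]
    for category, _ in r.controls:
        if category in ("deterrent", "preventive"):
            like = max(1, like - 1)
        elif category == "corrective":
            imp = max(1, imp - 1)
    return like * imp

def prioritize(register):
    """Highest residual score first; ties broken by process name."""
    return sorted(register, key=lambda r: (-residual_score(r), r.process))

def detection_gaps(register):
    """Processes with no detective control: an incident there may go unnoticed."""
    return [r.process for r in register
            if not any(c == "detective" for c, _ in r.controls)]

# Constructed sample register (not from the page).
REGISTER = [
    Risk("Order processing", "flood at primary site", "single site, no off-site copy",
         "medium", "high", [("corrective", "alternate site recovery")]),
    Risk("Payroll", "flu pandemic", "one trained operator", "medium", "high",
         [("preventive", "cross-training"), ("corrective", "temporary-agency staff"),
          ("detective", "absence monitoring")]),
    Risk("Web storefront", "intrusion", "unpatched server", "high", "medium",
         [("deterrent", "warning banner"), ("detective", "IDS alerts")]),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(residual_score(r), r.process, r.threat)
    print("no detective control:", detection_gaps(REGISTER))
```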
The ISO/IEC 17799 standard (2002) recommends that the plan include agreed-upon procedures and processes, with proper documentation, appropriate staff training, regular testing, and a maintenance schedule for the plan. In addition, the preparation phase may also include considering the purchase of additional insurance policies, as part of business continuation planning, for various risk factors such as fire, flood, or theft.
The ISO/IEC 17799 standard (2002) recommends maintaining a single framework for the business continuity plan, which should consider the following topics:
➢ Conditions under which the business continuity plan is activated;
➢ Actions that should be taken following a given incident;
➢ Fall-back procedures and escalation routes;
➢ Resumption procedures to return the organization to “business as usual”;
➢ Enterprise-wide educational and testing activities for the personnel; and,
➢ A maintenance schedule.

Phase II – Testing

In order to be effective, the Business Continuity Plan needs to be current and easy to follow, and personnel need to know how to trigger the process and execute the procedures outlined within the plan. During an attack, well-trained personnel may be able to recognize the threat, remain calm, and safely execute emergency procedures. In order to achieve that, the Business Continuity Plan needs to be regularly tested by the recovery personnel. ISO/IEC 17799 (2002) suggests six test techniques that can be applied to test the plan and train recovery team members. These techniques include:
1. Tabletop Testing is a discussion of business recovery procedures given a sample interruption.
2. Simulation of an event, walking recovery team members through the Business Continuity Plan procedure steps.
3. Technical Recovery Testing measures the recovery time for the information systems. Park and Giordano (2008) discuss support mechanisms for software survivability, namely component test and recovery, and present three models of survivability – static, dynamic, and hybrid. Depending on the selected component survivability model, technical recovery testing may involve detection and identification of failure reasons and sharing of information between monitors.
4. Alternate Site Recovery is a process of testing business recovery procedures at an alternate location.
5. Vendor Testing is a process of ensuring that vendor services supplying externally acquired components can remain operational in case of an emergency.
6. Complete Rehearsal involves testing every component of the Business Continuity Plan, including the facility, personnel, processes, and computer systems.

Woltjer, Trnka, Lundberg, and Johansson (2009) recommend role playing as an emergency preparedness exercise which allows its participants to gain experience with adapting to changing demands and increases their ability to recover from harmful events. The U.S. Government successfully hosted two “Cyber Storm” large-scale computer readiness exercises, involving multiple states, foreign governments, federal agencies and private companies for a week, during which real cyber warfare threats were launched against exercise
participants in order to learn effective countermeasures (Georgia Tech, 2008). The Department of Homeland Security (DHS) is preparing to conduct the third Cyber Storm exercise in September 2010 in order to test “policy issues” for information sharing, and to define roles and responsibilities during the attack (Aitoro, 2009). The Federal Financial Institutions Examination Council (2008) considers a flu pandemic as one of the factors that could disable the business and recommends cross training and succession planning throughout the organization. The council further recommends assigning back-up personnel for key operational positions and ensuring that adequate staffing at the alternate location is achieved either through shifting of employees or hiring personnel from temporary agencies.

Phase III – Maintenance

Within the Business Continuity Plan, there should be a maintenance schedule that explains how and when the plan will be maintained. Each Business Continuity Plan should have assigned personnel responsible for on-going maintenance and re-assessment of the plan. The responsible staff should be able to recognize business changes not yet reflected in the plan and make the necessary adjustments. ISO/IEC 17799 (2002) recommends updating the plan whenever new equipment is purchased, a computer system is upgraded, or changes in personnel, contact information, business strategy, legislation, or vendors occur. The Federal Financial Institutions Examination Council (2008) recommends that the Business Continuity Plan be updated at least once a year, after significant changes in business procedures, or after training and testing reveal significant gaps in the emergency procedures.

The Federal Financial Institutions Examination Council (2008) also provides a list of Business Continuity Plan best practices that include:
➢ Integration of business continuity planning into job responsibilities;
➢ Incorporation of business continuity aspects into every business decision; and,
➢ Performing regular audits.

Conclusion

Business Continuity Planning is an activity every organization needs to perform in order to ensure the viability of its business operations and procedures. Organizations interested in the implementation of Business Continuity Planning for their business may find many helpful resources, from the government-operated www.ready.gov to internationally accepted standards such as ISO/IEC 17799. ISO/IEC 17799 is a very broad standard for information security management, which covers all forms of data and information security and can be tailored to an organization's specific needs. Once adopted, organizations must ensure that everyone in the business is aware of the business continuity procedures, the steps for initiating the plan, and the chains of command in case of a disaster. In order to accomplish this, businesses must perform regular personnel training and adjust the business continuity plan whenever business processes change.
References

Aitoro, J. R. (2009, August 26). DHS’ Cyber Storm III to test Obama’s national cyber response plan. Retrieved March 26, 2010, from Nextgov: http://www.nextgov.com/nextgov/ng_20090826_9168.php
Australian Government Attorney-General’s Department. (2009). Cyber Storm III – Fact Sheet. ag.gov.au.
C & A Security Risk Analysis Group. (2003). Introduction to Risk Analysis. Cheshire, UK.
Carlson, T. (n.d.). Information Security Management: Understanding ISO 17799. Lucent Technologies Worldwide Services.
Chang, P. (2010, March 27). Disaster Recovery. Course Notes. Lawrence Technological University, Southfield, MI, USA.
Federal Financial Institutions Examination Council. (2008). Business Continuity Planning. In FFIEC, IT Examination Booklet (pp. 1-132).
Georgia Tech Information Security Center. (2008). Emerging Cyber Threats Report for 2009. GTISC summit (pp. 1-9). Atlanta: GTISC.
ISO/IEC 17799:2005/Co1:2007. (2005). Information Technology – Security techniques – Code of practice for information security management. Zurich, Switzerland: ISO/IEC.
Park, J. S., & Giordano, J. (2008). Software Component Survivability in Information Warfare.
Nawaz, A., & Zualkernan, I. A. (2009). The Role of Agile Practices in Disaster Management and Recovery: A Case Study. ACM, 164-173.
Seymour, M., & Moor, M. (2000). Effective Crisis Management: Worldwide Principles and Practices. London: Cassel.
Woltjer, R., Trnka, J., Lundberg, J., & Johansson, B. (2009). Role-Playing Exercises to Strengthen the Resilience of Command and Control Systems. Trust and Control in Complex Socio-Technical Systems, 71-78.