Business continuity planning, incident management and disaster recovery
At BSI’s Consulting Services, we are an ISO 27001 and ISO 9001 certified organisation that carries out multiple business continuity tabletop exercises, simulations and, where practical, physical exercises.
In our most recent business continuity exercise, the scenario involved losing access to our office building with all facilities and data in place but access denied. This scenario, which could arise from a gas leak, severe weather, downed electrical cabling or physical damage to an adjacent building, meant that remote working would have to be possible for all staff, not only for those who already work from home on a regular basis. Through this process and previous contingency planning we learned that some slight adjustments to our network infrastructure would be beneficial and that a small number of staff would benefit from a hardware uplift (especially on the mobile side). All in all, we learned that our business would not be significantly impacted and that we would be able to continue delivering services to our clients. Little did we know that these lessons learned would be so significant only a few months later when we, like all other organisations globally, had to respond to the current environment.
BCP and thoughts on data
Our business continuity planning (BCP) proved to be extremely useful for us. We had of course learned from all other previous exercises and experiences but this one proved to be particularly on point with what would come a few months later. Planning, on any level, is an extremely useful tool.
In the era of data, planning helps to check several boxes across different disciplines including information security, data protection and privacy, data management, business continuity and disaster recovery. It helps us keep our data houses in order. For example, carrying out a data mapping exercise, so that the organisation understands what data it holds and where, will help answer questions such as:
- How is it secured?
- What type of data is processed, and for what purpose?
- Which systems is it hosted in, where are those systems located, and are they fit for purpose – can we easily search, filter and export the data from them?
If organisations have this process planned and documented, they will be well ahead in their data management and compliance journey with their data security and privacy requirements.
The cloud enablement process
The exercise of planning and mapping has become more streamlined using cloud platforms. As organisations take advantage of cloud functionality and transition into either cloud-only or cloud-first models, it allows them to manage their data recovery process in an easier way. In fact, for business continuity, the cloud has been vital, offering a lot of power, storage, and new functionality to enable the use of the cloud as a robust, centralised, and more easily managed location for data.
A recent BSI survey across 745 public sector organisations in the UK posed the question: “What do you consider to be the key requirement and business drivers for cloud adoption?” and the number one response with 68 per cent was business continuity and disaster recovery.
Considerations such as recovery time objective (RTO), the maximum acceptable time to bring a system back into service after a disruption, and recovery point objective (RPO), the maximum acceptable data loss expressed as the point in time to which data can be restored, are more easily attainable with cloud-based systems than with traditional data centre systems.
One word of caution to note is whilst cloud services offer great functionality and performance with features such as auto-scaling and elasticity, organisations still need to understand and decide what functionality they are choosing to use in their daily operations.
If an organisation purchases a cloud package that does not fulfil the data preservation and protection requirements that the organisation needs, more work needs to be done to supplement it with other technology. It needs to be determined whether the basic package is just not enough for their needs and whether an upgrade may be in order.
We have identified several gaps in this area for clients where it was assumed that data uploaded to a public cloud or, in some cases, a software as a service (SaaS) provider was automatically backed up. While those providers in the main had a high level of resilience, resilience is not the same as data protection: replication keeps a service available, but it also replicates a deletion, corruption or ransomware encryption. They did not have the point-in-time restore features our clients needed, and appropriate third-party technology solutions had to be procured to bridge the gap.
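The RTO/RPO definitions above and the "it is backed up because it is in the cloud" assumption both come down to the same check: for each data store in the data map, does the actual backup schedule and tested restore time meet the business target, and does a restorable copy exist at all? The following is an added example, not BSI's tooling or any provider's API; the inventory fields and the sample stores are constructed for illustration.

```python
"""Check a data inventory against RTO/RPO targets and backup coverage.

Added example (not BSI's tooling). The DataStore fields and SAMPLE_INVENTORY
are assumptions constructed for illustration, not any provider's schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DataStore:
    name: str
    service_model: str                  # "saas", "paas", "iaas" or "on-prem"
    target_rpo_h: float                 # business tolerance for data loss, hours
    target_rto_h: float                 # business tolerance for downtime, hours
    backup_interval_h: Optional[float]  # None: no restorable point-in-time copy
    tested_restore_h: Optional[float]   # None: a restore has never been exercised
    provider_replicated: bool           # provider replicates for availability only
    backup_offsite: bool                # backup copy lives outside the primary tenant/account


def achievable_rpo_h(store: DataStore) -> Optional[float]:
    """Worst-case data loss: a failure just before the next backup loses a whole interval."""
    return store.backup_interval_h


def achievable_rto_h(store: DataStore) -> Optional[float]:
    """Only a restore that has actually been exercised counts towards the RTO."""
    return store.tested_restore_h


def assess(store: DataStore) -> List[str]:
    """Return the BCP findings for one store; an empty list means the targets are met."""
    findings: List[str] = []

    rpo = achievable_rpo_h(store)
    if rpo is None:
        msg = "no point-in-time backup: deleted or encrypted data cannot be restored"
        if store.provider_replicated:
            # Replication propagates the deletion to every replica.
            msg += " (provider replication is resilience, not backup)"
        findings.append(msg)
    elif rpo > store.target_rpo_h:
        findings.append(
            f"RPO gap: worst-case loss {rpo:g}h exceeds target {store.target_rpo_h:g}h"
        )

    rto = achievable_rto_h(store)
    if rto is None:
        findings.append("RTO unproven: restore has never been tested")
    elif rto > store.target_rto_h:
        findings.append(
            f"RTO gap: tested restore {rto:g}h exceeds target {store.target_rto_h:g}h"
        )

    if rpo is not None and not store.backup_offsite:
        findings.append(
            "backup shares the primary tenant/site: a compromised admin, "
            "billing lapse or site loss takes both copies"
        )
    return findings


def assess_inventory(stores: List[DataStore]) -> Dict[str, List[str]]:
    return {s.name: assess(s) for s in stores}


# Constructed sample data map: four stores with differing targets and controls.
SAMPLE_INVENTORY = [
    DataStore("crm-saas", "saas", 24, 8, None, None, True, False),
    DataStore("case-files-blob", "iaas", 4, 24, 24, 6, True, True),
    DataStore("finance-db", "iaas", 1, 4, 0.25, 2, False, True),
    DataStore("hr-share", "on-prem", 24, 48, 24, 12, False, False),
]


if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "GAP"
        print(f"{name:16s} {status}")
        for f in findings:
            print(f"    - {f}")
```

The values that matter are the ones a supplier questionnaire rarely captures: the backup interval (which bounds the worst-case RPO), the time of a restore that has actually been rehearsed (the only defensible RTO), and whether the copy sits outside the primary tenant. A store that is "highly available" but has `backup_interval_h=None` is exactly the gap described above.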
From our digital forensics and incident response engagements we often see intrusions, data deletion and other issues that could have been mitigated or avoided altogether if a secure configuration had been enabled in the cloud platform. Indeed, this is recognised in industry guidance such as the Security Misconfiguration category of the OWASP Top 10. The understanding of the technology still needs to be there, as it is not all plug and play.
Another relevant element is shared responsibility within the cloud model as documented by NIST: the cloud consumer takes on a growing share of the responsibility as they move from SaaS through platform as a service (PaaS) to infrastructure as a service (IaaS). This shared responsibility needs to be captured by organisations as part of their supply chain and third-party provider due diligence, and irrespective of the cloud model chosen, the cloud user remains responsible for the data. Each organisation will have its own priorities and challenges, and these will need to be mapped to the technology it uses, not only when choosing the platform to purchase but also in how it is configured and operated once deployed.
Data in the cloud
Cloud use has facilitated the collection and analysis of data. These days, in most investigations and matters, the data does not leave the cloud anymore — it is born in the cloud, searched in the cloud, collected in the cloud, and processed in the cloud for analysis and reporting.
The use of these tools, where data can be easily accessed and stored in a centralised location, means that all work by our consultants as part of our BSI Virtual Consulting Services can easily be done remotely with virtually no change to our existing processes.
The extensive use of APIs, combined with technology partnerships between the big public cloud providers, eases the transfer of data sets directly between providers. Data can now move provider to provider, rather than following the original model of uploading to the cloud and downloading from it again for each hop. This saves time and money and reduces the complexity of data transfers.
One important element of good planning is having tried and tested standard operating procedures and processes in place that are easily repeatable and understood by organisations. The last thing companies need to be doing in a business continuity or incident management scenario is trying to figure out what to do which can cost time and impact their ability to respond.
A key standard to consider is ISO 22301:2019 Security and resilience. Business continuity management systems. Requirements, which covers planning, implementing, operating and improving a business continuity management system to protect against, prepare for and reduce the impact of disruptive incidents. At present, BSI has made this and several other related standards, covering incident management, risk management, crisis management and operational resilience, available free of charge, and to date over 44,000 downloads have been recorded.
Preparing for the worst and hoping for the best is a good mantra when it comes to business continuity planning. Bringing new organisational participants into that process can be beneficial by bringing new ideas or variations on traditional ones that might be missed. Whether you are choosing what technology fits your organisation; what data your organisation processes; which cloud provider the data resides with; or how you will be able to search and access it when the need arises; having a properly thought out plan incorporating all of these elements will enable your organisation to be resilient when the unexpected happens.
For more details on BSI’s Virtual Consulting Services visit bsigroup.com/cyber-ie
Stephen Bowes is global practice director of Information and Security
Technologies at BSI