Business Continuity in a Cyber World
eBook - ePub (204 pages, English)

About this book

Until recently, if it was considered at all in the context of business continuity, cyber security may have been thought of in terms of disaster recovery and little else. Recent events have shown that cyber-attacks are now an everyday occurrence, and it is becoming clear that their impact can have devastating effects on organizations whether large or small, public or private sector. Cyber security is one aspect of information security, since the impacts or consequences of a cyber-attack will inevitably damage one or more of the three pillars of information security: the confidentiality, integrity or availability of an organization's information assets. The main difference between information security and cyber security is that while information security deals with all types of information assets, cyber security deals purely with those which are accessible by means of interconnected electronic networks, including the Internet. Many responsible organizations now have robust information security, business continuity and disaster recovery programs in place, and it is not the intention of this book to re-write those, but to inform organizations about the kind of precautions they should take to stave off successful cyber-attacks and how they should deal with them when they arise in order to protect their day-to-day business.

Yes, you can access Business Continuity in a Cyber World by David Sutton in PDF and/or ePUB format, as well as other popular books in Business & Information Management. We have over one million books available in our catalogue for you to explore.

CHAPTER 1
The Practice of Business Continuity Management
This chapter will introduce the concept of business continuity management with a particular reference to cybersecurity. It will describe the need for, and the benefits of, business continuity within all kinds of organizations and will cover some basic business continuity terminology.
What Exactly Is Business Continuity Management?
Many people think that business continuity is all about protecting the future of the organization against some form of disruption. This is perfectly true, but it’s also about protecting the organization’s past history and its current position, and it’s worthwhile spending a few moments developing these points.
Firstly, most if not all organizations depend upon their reputation in order to survive and grow. Once an organization’s reputation becomes tarnished, it is very difficult—some might say even impossible—to repair the damage and regain the organization’s reputation and standing to what it was before things went wrong. For example, how easy would it be to trust an organization that has released sensitive personal details of your life, regardless of whether the release was accidental or deliberate?
Secondly, most disruptive incidents—especially cyber incidents—will have an immediate effect. A denial of service attack, as we shall see later, can stop an organization’s online trading in seconds and with it that organization’s ability to continue to deliver its online products or services ceases.
Thirdly, even if an organization can recover from whatever has caused the disruption, the first two factors—loss of reputation and damage to its current trading position—might well mean that future trading or delivery of services is impossible.
Business continuity takes the view that all three areas must be addressed, and does so in a clear and concise manner:
  • To begin with, the business continuity practitioner must understand how the organization functions; what its key objectives are; how it attains these; and what will be the impact or consequence if it cannot do so. This is covered in greater detail in Chapter 4.
  • The next step is to understand the vulnerabilities and threats to which the organization is exposed; the likelihood that the threats will be carried out; and therefore, the level of risk the organization faces. We address this aspect of business continuity in Chapter 5.
  • Following this, the organization must decide on the most appropriate methods of treating the risks, which may be one or more of
    • avoiding the risk;
    • sharing it with another organization;
    • reducing the risk;
    • accepting some level of residual risk.
Risk treatment is covered in Chapter 6; Chapter 7 describes how the organization implements the risk treatment method chosen; and Chapter 8 describes how to verify that the treatment has been successful.
Why Should Organizations Practice Business Continuity?
To most people, the answer to this question should appear obvious, but it is a matter of continuing amazement that some organizations simply don’t see the point.
Perhaps the most dangerous attitude is the view that “it hasn’t happened to us in the past, so it probably won’t happen in the future.” The outcome of this view can only ever go one of two ways, and organizations that assume it will swing in their favor are likely to be in for a surprise, especially in the highly unpredictable world of cyber disruptions.
Another common view is that business continuity is expensive, that it reduces an organization’s revenues and therefore its profits. Once an organization understands that the cost of prevention is normally far less than the cost of the disruption itself, together with the cost of correcting the disruption, this view is more easily overcome.
A much more positive argument is that business continuity can improve an organization’s profitability, since its customers and trading partners are much more likely to wish to do business with the organization if it can show that it takes business continuity seriously. Indeed, in some sectors, demonstrating an organization’s business continuity capability or accreditation to a national or international standard may be a legal or contractual requirement.
How This Relates to Cybersecurity
Although business continuity and cybersecurity are two somewhat different disciplines, we shall see throughout the remainder of this book that they are actually inextricably connected. The reason for this is twofold:
Firstly, we need to understand how cyber-related disruptions can impact an organization’s normal day-to-day operations, and secondly, we must appreciate how other disruptive (non-cyber-related) incidents can impact an organization’s cyber activities.
There is also a belief when discussing business continuity and cybersecurity that the solution must be disaster recovery, but as we shall see in Chapter 7, disaster recovery is just one method of dealing with risk as part of an overall risk management plan.
The Importance of Senior Management Buy-In
It is often the case that people lower down an organization see the need for some form of business continuity, but have difficulty convincing those higher up that it is a worthwhile idea. This issue is dealt with in Chapter 2, where we discuss business cases and how these can be used to inform senior management, obtain their buy-in to the concept of a business continuity program, and ensure not only that funds are available to cover the costs but also that all levels within the organization become aware of and part of the program.
A Few Words on Standards
Standards, specifications, guidelines, and recommendations are all written with the express purpose of ensuring that things are designed, produced, and delivered to a uniform level of quality, and so that something produced to meet a given standard in one country will be compatible with something produced elsewhere. At a fundamental level, that’s it, so let’s take a closer look at the definitions of these terms.
Standards
Standards and specifications are directive and tell you what should be done; guidelines and recommendations are informative and tell you how you should go about it. The Merriam-Webster dictionary defines Standard as “something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality”; and “something established by authority, custom, or general consent as a model or example.”
Some standards bodies produce their output for local consumption only, whereas the larger ones tend to produce output intended for more widespread use. An example of the former category is the Singapore Standards Council, whose output is generally used solely within that country. An example of the second category is the British Standards Institute, which has been at the forefront of standards development since 1901, and much of its output is utilized worldwide, often being turned into truly international standards by the ISO.
In some countries, it is possible for an organization to be formally accredited against a standard, providing that organization with proof that its business practice meets or exceeds the level required by the standard.
Specifications
A specification is defined as “an act of identifying something precisely or of stating a precise requirement”; and “a detailed description of the design and materials used to make something.”
Guidelines
A guideline is defined as “a general rule, principle, or piece of advice.”
Recommendations
A recommendation is defined as “a suggestion or proposal as to the best course of action, especially one put forward by an authoritative body.”
Good Practice Guidelines
There are also so-called Good Practice documents, which rather than being issued by a standards body, originate from an organization that has a legitimate claim to be the main source of knowledge on matters pertaining to it.
Regardless of their name or definition, standards, specifications, guidelines, and recommendations are costly to produce and tend to be developed and distributed by large international organizations that usually make a charge, or by government departments, which may subsidize them to a greater or lesser degree.
At the time of writing, there are two principal documents with which we should become familiar. The first is the Business Continuity Institute’s (BCI’s) Good Practice Guidelines 2018, which although not an international standard, is widely accepted as an excellent source of knowledge and information on the subject. The second is from ISO 22301:2012—Societal security—Business continuity management systems—Requirements.
For the beginner in business continuity, the BCI Good Practice Guidelines (GPG) 2018 is very much the best place to start. Apart from providing considerable detail about how to go about the business continuity process, it has the great advantage of being relatively inexpensive to buy. ISO 22301 (to give it its abbreviated title), on the other hand, is considerably more costly and much less detailed, dealing only with the essentials and assuming that the reader is already familiar with the practice of business continuity. It is, therefore, aimed at the more experienced practitioner.
Unfortunately, until you purchase a Standards document, it’s difficult to assess how useful it is likely to be to you, and often the descriptions provided on the Standards’ websites do not give the potential buyer much of a flavor of what is inside. In Appendix B of this book, we shall examine both the BCI’s GPG 2018 and ISO 22301 in a little more detail, and we’ll also take a brief look at a number of other business continuity and information security standards.
Plan-Do-Check-Act
Like many subjects involving the risk management process, the business continuity standards follow the frequently used Plan-Do-Check-Act principle, also known as the Deming cycle.
Plan
In the first stage, we establish the objectives and processes necessary to deliver results in accordance with the expected output (the targets or goals). By establishing output expectations up front, the completeness and accuracy of the work also become part of the proposed improvement.
Do
In the second stage, we implement the plan or carry out the activity, collecting data for analysis in the following Check and Act steps.
Check
In the third stage, we study the actual results (measured and collected in Do) and compare them against the expected results (targets or goals from the Plan) to identify any differences. We look for any deviations from the plan and also for its appropriateness and completeness.
Act
In the fourth and final stage, sometimes called the Adjust stage, we undertake corrective actions on significant differences between actual and planned results, by analyzing the differences to determine their root causes and determining where to apply changes that will include improvement of the process.
Business Continuity Terminology
As with any specialist subject, business continuity makes use of some terminology with which readers may not be immediately familiar.
Maximum Tolerable Period of Disruption (MTPD)
The maximum tolerable period of disruption, referred to as MTPD or MTPoD, is the time it would take for the impact arising from a disruptive incident to be deemed unacceptable.
This is a fairly fundamental measurement—it could be very short in the case of organizations that provide a real-time service such as Internet banking, where the customer needs 24-hour access to his or her money and banking facilities. Other services can be unavailable for much longer periods of time without great impact, but there will come a point in time beyond which the organization is unable to survive.
The MTPD will be a major factor in determining the continuity requirements that we shall discuss in Chapter 7.
Recovery Time Objective (RTO)
While the MTPD defines the abso...

Table of contents

  1. Cover
  2. Half Title Page
  3. Title Page
  4. Copyright Page
  5. Contents
  6. Acknowledgments
  7. Introduction
  8. Chapter 1 The Practice of Business Continuity Management
  9. Chapter 2 A Brief Overview of the Risk Management Process
  10. Chapter 3 The Main Cybersecurity Issues
  11. Chapter 4 Information Assets and Impacts
  12. Chapter 5 Vulnerabilities and Threats
  13. Chapter 6 Selecting Strategic, Tactical, and Operational Solutions
  14. Chapter 7 Business Continuity Activities and Solutions
  15. Chapter 8 Testing, Exercising, and Maintaining Plans
  16. Chapter 9 Embedding Cybersecurity and Business Continuity
  17. Appendix A Information on Cybersecurity Controls
  18. Appendix B Standards and Good Practice Guidelines
  19. Glossary
  20. Bibliography
  21. About the Author
  22. Index