Just like in years past, the fourth quarter has been full of information security projects here at Bedel Security. Although some of the deadlines have put a strain on my time to post to this blog, I found some time this week to jot down a few thoughts that I think could be helpful to our readers if you are faced with working through any of these projects yourself.
That being said, I'll jump right into it.
Business Impact Analysis (BIA)
Examiners have been giving this one more scrutiny lately. Even setting the regulatory requirement aside, it is an important exercise for your organization because it is the measuring stick you'll use to plan recovery of your most important assets, and it is the communication tool that tells your IT and other BCP staff what the priorities are in a disaster or continuity scenario. Make sure it includes:
- The assets covered by your risk assessment (the BIA and the risk assessment should work from the same asset inventory)
- RTOs (recovery time objectives), RPOs (recovery point objectives), and MTDs (maximum tolerable downtime) for each asset
- The interdependencies between assets: an asset that is low-impact on its own inherits the impact, and the MTD, of everything that depends on it, so a shared file server or directory service can be far more critical than it looks
- A prioritized order of recovery for a DR event, driven by those MTDs and dependencies
Business Continuity Plan (BCP)
With a good BIA in hand, it's important to tie your prioritized order of recovery into your BCP.
- Have the list, in order of impact, in your BCP
- Make sure you have systems recovery procedures for all your assets in the BIA
- Check your recovery procedures against your RTOs and MTDs: are they feasible? A procedure can't finish before the systems it depends on are back, so add up the whole chain, not just the single step
- Better yet, test your recovery procedures and time them, to see whether you are actually hitting your RTOs and MTDs
- Perform tabletop testing to ensure everyone is on the same page for priorities
- Adjust the plan for areas that don't meet expectations of the BIA
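The two lists above (the BIA's interdependencies and MTDs, and the BCP's feasibility check of recovery procedures against them) can be worked through mechanically. The script below is an added example, not Bedel Security's tooling or a real institution's BIA: the assets, dependencies and timings are constructed, and it assumes two things the post does not state outright, namely that an asset inherits the tightest MTD of anything that depends on it, and that independent recoveries can run in parallel, so the schedule it computes is the earliest possible finish. If an asset still misses its target under that best case, no amount of staffing will save the procedure; it has to change.

```python
"""Added example (not Bedel Security's tooling): propagate MTDs through
asset interdependencies, derive a recovery order, and check the documented
recovery times against the RTOs and MTDs from the BIA.

Assumptions made here, not stated on the page: an asset inherits the
tightest MTD of anything that depends on it; recovery of independent
assets can run in parallel, so the schedule is the earliest possible finish.
"""
from collections import defaultdict
from graphlib import TopologicalSorter

# Constructed sample BIA for a small financial institution (all times in hours).
# depends_on: assets this one cannot operate without.
# recovery_hours: how long the documented recovery procedure takes once its
# dependencies are back (constructed estimates, not real data).
ASSETS = {
    "core_banking":     {"mtd": 8,   "rto": 4,  "rpo": 1,  "depends_on": ["database", "active_directory"], "recovery_hours": 3},
    "online_banking":   {"mtd": 24,  "rto": 12, "rpo": 4,  "depends_on": ["core_banking", "web_tier"],     "recovery_hours": 6},
    "database":         {"mtd": 72,  "rto": 24, "rpo": 24, "depends_on": ["storage"],                      "recovery_hours": 6},
    "active_directory": {"mtd": 72,  "rto": 24, "rpo": 24, "depends_on": ["storage"],                      "recovery_hours": 4},
    "web_tier":         {"mtd": 72,  "rto": 24, "rpo": 24, "depends_on": [],                               "recovery_hours": 2},
    "storage":          {"mtd": 168, "rto": 48, "rpo": 24, "depends_on": [],                               "recovery_hours": 5},
}


def effective_mtds(assets):
    """Tightest MTD each asset must meet: its own, or that of any asset depending on it."""
    # Fail fast on a dependency loop rather than recursing forever below.
    TopologicalSorter({n: a["depends_on"] for n, a in assets.items()}).prepare()
    dependents = defaultdict(list)
    for name, a in assets.items():
        for dep in a["depends_on"]:
            dependents[dep].append(name)
    memo = {}

    def eff(name):
        if name not in memo:
            memo[name] = min([assets[name]["mtd"]] + [eff(d) for d in dependents[name]])
        return memo[name]

    return {name: eff(name) for name in assets}


def recovery_order(assets, eff):
    """Dependencies first; among assets that are ready, tightest effective MTD first."""
    ts = TopologicalSorter({name: a["depends_on"] for name, a in assets.items()})
    ts.prepare()  # raises graphlib.CycleError if the BIA contains a dependency loop
    order, ready = [], []
    while ts.is_active():
        ready.extend(ts.get_ready())
        ready.sort(key=lambda n: (eff[n], n))
        nxt = ready.pop(0)
        order.append(nxt)
        ts.done(nxt)
    return order


def recovery_schedule(assets, order):
    """Earliest finish time per asset: work starts once every dependency is back."""
    finish = {}
    for name in order:
        start = max((finish[d] for d in assets[name]["depends_on"]), default=0)
        finish[name] = start + assets[name]["recovery_hours"]
    return finish


def check_targets(assets, eff, finish):
    """One finding per asset whose earliest recovery misses its RTO or its effective MTD."""
    findings = []
    for name, a in assets.items():
        if finish[name] > a["rto"]:
            findings.append(f"{name}: earliest recovery {finish[name]}h misses RTO {a['rto']}h")
        if finish[name] > eff[name]:
            findings.append(f"{name}: earliest recovery {finish[name]}h exceeds effective MTD {eff[name]}h")
    return findings


if __name__ == "__main__":
    eff = effective_mtds(ASSETS)
    order = recovery_order(ASSETS, eff)
    finish = recovery_schedule(ASSETS, order)
    print("recovery order:", " -> ".join(order))
    for name in order:
        print(f"  {name:18} stated MTD {ASSETS[name]['mtd']:>4}h  effective MTD {eff[name]:>3}h  earliest up {finish[name]:>3}h")
    for f in check_targets(ASSETS, eff, finish):
        print("FINDING:", f)
```

Two things fall out of the constructed data that a spreadsheet of per-asset MTDs hides: storage is carried in the BIA with a one-week MTD, but because core banking depends on it through the database and directory, its effective MTD is eight hours; and the four-hour RTO on core banking can never be met, since the database alone takes eleven hours to come back. Those are exactly the "adjust the plan" items the list above is asking you to find before an exam or, worse, an outage finds them for you.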
Vendor Management
We are seeing vendor management programs that are either so complicated that no one can explain what the objective is, or simply not getting done. Our suggestion is this:
- Establish a risk-based program (we recommend four tiers; only perform the reviews that are commensurate with the vendor's tier) that includes the following:
  - SOC 2 report reviews
  - Insurance
  - Contract reviews
  - BCP testing
  - Financials
  - Regulatory examination reports
- Walk before you run: get the basics down to a repeatable process before you start doing the more advanced stuff
- Review the program each year and make minor improvements
Incident Response
Kind of like Vendor Management, we're seeing some really complex Incident Response Plans.
The litmus test: ask your incident response coordinator or team members to explain it to you in under 5 minutes. If they can't tell you the basic flow of responsibilities and communication, you have a problem.
Incidents can move and evolve so quickly now that time is of the essence in many situations. If your team is having to take the time to read and review the plan in the heat of battle, you are going to lose.
The keys are:
- Simplify. Keep it under 20 pages. Less is better.
- Establish decision-making frameworks or decision trees that help your team decide, rather than using the plan to spell out what to do in every conceivable situation.
- Create 1-page "quick reference sheets" that you can hand out to various members of the team. Include decision trees, severity levels, and key phone numbers.
- Train and test. Make sure everyone knows their part and can explain it back to you.
Risk Assessments
Nothing new here. An asset-based framework is key, but the framework only works if the people filling it in understand how threats, likelihood, impact, and controls fit together.
- Identify the threats your asset is actually exposed to, and leave out the fluff
- Understand which controls actually mitigate each threat; don't just list everything under the sun for every threat
- Does the control reduce the likelihood or the impact of the threat? There is a difference (e.g. email filtering lowers the likelihood of a ransomware infection, while tested offline backups lower its impact), and your residual risk should reflect it
- Don't overstate anything. This is tough, but we are seeing it quite a bit. Don't overstate inherent risk, and don't overstate the effectiveness of controls (e.g. it is highly unlikely that you have controls in place that take a high risk down to a low)
- This all comes with experience, but it is definitely a skill that can be learned
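To make the likelihood-versus-impact distinction concrete, here is an added example, not Bedel Security's method or any standard framework: a small asset-based scoring model in which every control is tagged with the one factor it reduces, so an impact control can never lower likelihood (or vice versa), and a High-to-Low drop between inherent and residual is flagged for a second look. The 3x3 matrix, the one-level shift per control, and the sample threats and controls for a core banking system are all constructed for the illustration.

```python
"""Added example (not Bedel Security's method): an asset-based risk scoring
model in which each control is tagged with the one factor it reduces,
likelihood or impact, so residual risk reflects that difference.

The 3x3 matrix, the one-level shift per control, and the sample threats
and controls are constructed assumptions for the illustration.
"""
from dataclasses import dataclass, field

LEVELS = ["Low", "Moderate", "High"]   # index 0..2, used for both likelihood and impact


@dataclass
class Control:
    name: str
    reduces: str        # "likelihood" or "impact"; a control rarely does both
    steps: int = 1      # levels it shifts that one factor down (constructed default)


@dataclass
class Threat:
    name: str
    likelihood: int     # inherent likelihood, index into LEVELS
    impact: int         # inherent impact, index into LEVELS
    controls: list[Control] = field(default_factory=list)


def rate(likelihood, impact):
    """Map a likelihood/impact pair to a rating via a simple 3x3 matrix."""
    score = (likelihood + 1) * (impact + 1)     # 1..9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def residual_factors(threat):
    """Apply each control to the single factor it addresses, never both."""
    likelihood, impact = threat.likelihood, threat.impact
    for c in threat.controls:
        if c.reduces == "likelihood":
            likelihood = max(0, likelihood - c.steps)
        elif c.reduces == "impact":
            impact = max(0, impact - c.steps)
        else:
            raise ValueError(f"{c.name}: 'reduces' must be 'likelihood' or 'impact'")
    return likelihood, impact


def assess(threat):
    """Inherent and residual rating, plus a review flag for a High-to-Low drop,
    which the post notes is rarely justified by real controls."""
    inherent = rate(threat.likelihood, threat.impact)
    residual = rate(*residual_factors(threat))
    return {
        "threat": threat.name,
        "inherent": inherent,
        "residual": residual,
        "review": inherent == "High" and residual == "Low",
    }


# Constructed sample threats for a core banking system; ratings are illustrative.
SAMPLE_THREATS = [
    Threat("ransomware via phishing", likelihood=1, impact=2, controls=[
        Control("email filtering and user training", reduces="likelihood"),
        Control("tested offline backups", reduces="impact"),
    ]),
    Threat("insider misuse of access", likelihood=1, impact=1, controls=[
        Control("quarterly access reviews", reduces="likelihood"),
    ]),
    Threat("DDoS against online banking", likelihood=2, impact=1, controls=[
        Control("upstream DDoS scrubbing", reduces="impact"),
    ]),
]


if __name__ == "__main__":
    for row in map(assess, SAMPLE_THREATS):
        flag = "  <- review: a High-to-Low reduction is rarely justified" if row["review"] else ""
        print(f"{row['threat']:30} inherent {row['inherent']:8} residual {row['residual']:8}{flag}")
```

The first sample threat is the interesting one: two perfectly reasonable controls, one on each factor, combine to move ransomware from High to Low, and the model flags it. That does not mean the controls are wrong; it means the analyst should go back and ask whether backups really cut the impact of a core banking outage by a full level, which is the "don't overstate" conversation the list above is asking you to have.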
Closing
There's more, but I've run out of time. If you have any questions on any of these, let us know at support@bedelsecurity.com. Or if you want help with any of these projects, or similar information or cyber security projects, we'd be glad to help.