Cybersecurity for Small Business: Where to Begin?

Aug 28, 2024 | Risk Management, Security Compliance, Security Governance, Small Business


Most of the company leaders I meet with today seem to understand the importance of security. They know there are threats waiting to do “something” malicious. Most don’t understand why.

Most think that no one will be interested in anything they have. The rest seem to feel like “it is all being handled” and it is under control.

On occasion, I will meet someone who is very interested in learning how to better protect their business, but they don’t know where to start. It seems overwhelming to them. Let’s break things down a bit.

What are You Trying to Protect?

It is essential to understand that there isn’t a one-size-fits-all checklist to protect your organization. Every situation is just a little different. It comes down to your assets. What are you trying to protect?

I always recommend that leaders first inventory what they have. For example, a printing company will have a very different asset list than a software development company. They have different equipment and different products, and therefore different threats and risks to think about.

Write down what your assets are before thinking about the things that may put them at risk. It is also very important to assign data classifications during this step, so that you understand the sensitivity of each data set and how it must be handled.

Why are You Trying to Protect It?

It is also important to remember that businesses have customers, and many of those customers have expectations about how you will protect what they share with you. Those expectations should be addressed explicitly.

You may have contracts and agreements with clients that address these expectations. You may also have certain assets that are protected by laws and regulations.

Once you have your list of assets and your list of obligations and commitments documented, then you can begin to look for resources and best practices that will help you address each. Keep in mind as you go through these steps that it doesn’t have to be perfect.

You will have plenty of opportunities to review this and make adjustments as your company matures in cyber security.

Important Exercises That Must be Performed Regularly

Business Impact Analysis (BIA)

Once you have your list of assets and completely understand your commitments, you are well on your way to completing your first Business Impact Analysis.

The objectives of a BIA include:

  • Determining the criticality of business functions and their dependencies
  • Determining the impact of a disruption to each critical business function
  • Determining the tolerable limits of failure or loss for each function, i.e., the Recovery Time Objective (RTO, the longest outage the function can tolerate) and the Recovery Point Objective (RPO, the most data loss, measured in time, the function can tolerate)
  • Determining the minimum resources that must be allocated to recover and resume critical business functions
  • Determining the sequence in which critical business functions are recovered in the event of a disaster

The deliverables expected from a BIA include:

  • Detailed report on findings, which contains:
    • The prioritized list of assets and critical business functions
    • Criticality Classifications
    • Tolerable Limits for each
    • Restoration Priorities
    • Minimum resources needed to recover the prioritized critical business functions

Risk Assessment

Identify the known threats to your business, rate each resulting risk (typically by likelihood and impact), and decide how to treat each one (mitigate, transfer, avoid, or accept) so that the residual risk is at an acceptable level. Risks should be recorded in a Risk Register (normally a spreadsheet) as they are identified, along with their owner, rating, and chosen treatment.

Depending on the size, complexity, and maturity of your organization, the risk assessment may be performed monthly, quarterly, or annually. You want to perform a thorough risk assessment annually, at the very least.

You will also want to perform a risk assessment whenever there are significant changes to your organization, such as a new product, a new system, an acquisition, or a new client agreement.

Business Continuity Plan (BCP)

Once the BIA is complete and a risk assessment has been conducted, you have the building blocks needed to write a Business Continuity Plan.

A business continuity plan contains the steps and information required to resume operations following a disruption. This plan will include:

  • A Disaster Recovery Plan
  • Roles and Responsibilities
  • Business Restoration Strategies
  • Communication Protocols
  • Testing and Training Requirements
  • Root Cause Analysis Requirements

Business continuity plans should be tested annually, at the very least. You should also test your BCP if there are any significant changes to your organization or in your agreements with clients.

Testing the Business Continuity Plan is crucial. It is the only way to confirm that operations can actually be restored within the RTO and RPO limits set in the Business Impact Analysis, which in turn is what satisfies the commitments in your agreements and contracts with clients.

Once you have these fundamentals in place, you can take a step back and work on maturing your security plans and procedures. The steps listed here will naturally lead you into discussions about data retention and restoration, vulnerability management, patching, and similar topics.