Integrating Information Security and Business Continuity

integrating_infosec_and_bcmThe organizations we work with are increasingly coordinating, and in some cases integrating, the management of their Business Continuity Management (BCM) program with the management of Information Security (InfoSec). This perspective looks at how they are approaching coordination/integration. Let’s explore the various forms of integration possibilities between BCM and InfoSec..

INTEGRATION POSSIBILITIES: BCM & INFOSEC

Coordinating on Incident Response and Exercising
The most basic and common coordination between BCM and InfoSec occurs when coordinating the response to a cyber incident. For an in depth look at this type of coordination, see Integrating BCM and Cyber Security.

Conducting an Asset Inventory with a Business Impact Analysis (BIA)
In BCM, we are very familiar with engaging the business to understand their continuity requirements. The process is called the Business Impact Analysis. InfoSec has a similar need to understand what assets (often applications) are being used for what. This is often a simple integration because much of what InfoSec teams need is already captured in the BIA. In fact, we often only add about 3 questions to BIAs to achieve InfoSec’s requirements. Specifically, when capturing application dependencies, we ask:

  1. What is the impact if information from this system were to be disclosed to the wrong people?
  2. What is the impact if information from this system were to be falsified or corrupted?
  3. Does this system contain protected health information or personally identifiable information, such as addresses, phone numbers, driver’s license information, etc.?

Often these questions use a drop down format that allows users to choose options based on the data classification process established by InfoSec. By adding these questions, InfoSec groups can easily complete their asset inventories and classify systems based on risk.

Unifying Management Processes
The two most common InfoSec and BCM standards (ISO 27001 and ISO 22301, respectively) use a common framework of a management system to structure their activities. This common structure can be used to integrate the management processes, including management reviews, audits, and (in some cases) SOPs.

This process also enables the combined tracking of issues or gaps and involves deepening management reporting – moving beyond just looking at risk gaps to a more holistic view of how well are we protected across the board, based on a deep understanding of the business and its priorities.

Unifying the Organization’s ‘Risk Language’
Many functions in an organization worry about risk – and most of them use different words to describe it. By choosing a common language, organizations can begin to prioritize risks across disciplines and focus on the most important ones first. One of the first steps in doing this is using common scales for impact and likelihood rating, thus standardizing heat maps. Follow-up steps may also include standardized tracking of remediation plans (also known as risk treatment plans).

Reconciling the ‘Controls’ Philosophy of InfoSec with the Process Methodology of BCM
InfoSec groups think in terms of controls. The NIST 800 standard and ISO 27001 provide control ‘families’ and suggested controls. In contrast, BCM barely thinks about controls and tends to be more focused on establishing requirements from the business and fulfilling those. This can be a difficult divide to bridge, but some organizations have started moving down that path – primarily by re-conceptualizing BCM as a set of controls that fit into InfoSec’s framework. This isn’t a perfect match, but it’s a great start. Look for more on this approach in a future perspective!

WHY ARE ORGANIZATIONS PURSUING COORDINATION/INTEGRATION?

Let’s look at the benefits and cautions to both the InfoSec and BCM teams, as well as the organization overall:

BENEFITS

INFORMATION SECURITY
  • Better fulfillment of the CIA triad (Confidentiality, Integrity, Availability)
  • Opportunity to better understand the business, what is important to it, and connect that to risks
  • Opportunity to leverage the BIA and (sometimes) more extensive management reporting from BCM
  • Opportunity to expand personal knowledge of team members into a broader risk space
BUSINESS CONTINUITY
  • Provides increased visibility into the organization and additional allies to aid in spreading the BCM ‘message’
  • Expanding the BIA to support security provides an easy, additional win for a critical (and often undervalued) step in BCM – the business impact analysis
  • Opportunity to leverage a simpler management reporting style – control status (unfortunately, this often lacks the ‘business lens’ that many executives expect)
  • Opportunity to expand the personal knowledge of team members into a broader risk space
ORGANIZATION
  • Enables movement toward a holistic view of risk, which provides the opportunity to better prioritize gap closures
  • Provides a more efficient process overall (combined BIA for example), which increases corporate value

CAUTIONS

INFORMATION SECURITY
  • Can distract from the ‘core’ mission, which is often focused on confidentiality
BUSINESS CONTINUITY
  • BCM can easily become an afterthought if the focus of the combined team is ‘mostly’ InfoSec. For example, if the BCM team is 3 people and the InfoSec team is 50, there may be a tendency to consider BCM an afterthought.
ORGANIZATION
  • Having these functions report to one person is a good start, but not enough – that person must be able balance and coordinate them (and care about both!)

As you can see – there are many great benefits to explore from every side! In our work with clients, this seems to be a natural fit – even when BCM and Information Security report to widely different groups. Thus we expect that more and more organizations will pursue this path. Ultimately, both InfoSec and BCM professionals have an opportunity here to help drive the industry in an exciting new direction.

Are you doing some interesting integration between InfoSec and BCM? Please share them below.
_______________________

Rob Giffin
Avalution Consulting: Business Continuity Consulting


Leave a Reply