The organizations we work with are increasingly coordinating, and in some cases integrating, the management of their Business Continuity Management (BCM) program with the management of Information Security (InfoSec). This perspective looks at how they are approaching coordination/integration. Let’s explore the various forms of integration possibilities between BCM and InfoSec..
INTEGRATION POSSIBILITIES: BCM & INFOSEC
Coordinating on Incident Response and Exercising
The most basic and common coordination between BCM and InfoSec occurs when coordinating the response to a cyber incident. For an in depth look at this type of coordination, see Integrating BCM and Cyber Security.
Conducting an Asset Inventory with a Business Impact Analysis (BIA)
In BCM, we are very familiar with engaging the business to understand their continuity requirements. The process is called the Business Impact Analysis. InfoSec has a similar need to understand what assets (often applications) are being used for what. This is often a simple integration because much of what InfoSec teams need is already captured in the BIA. In fact, we often only add about 3 questions to BIAs to achieve InfoSec’s requirements. Specifically, when capturing application dependencies, we ask:
- What is the impact if information from this system were to be disclosed to the wrong people?
- What is the impact if information from this system were to be falsified or corrupted?
- Does this system contain protected health information or personally identifiable information, such as addresses, phone numbers, driver’s license information, etc.?
Often these questions use a drop down format that allows users to choose options based on the data classification process established by InfoSec. By adding these questions, InfoSec groups can easily complete their asset inventories and classify systems based on risk.
Unifying Management Processes
The two most common InfoSec and BCM standards (ISO 27001 and ISO 22301, respectively) use a common framework of a management system to structure their activities. This common structure can be used to integrate the management processes, including management reviews, audits, and (in some cases) SOPs.
This process also enables the combined tracking of issues or gaps and involves deepening management reporting – moving beyond just looking at risk gaps to a more holistic view of how well are we protected across the board, based on a deep understanding of the business and its priorities.
Unifying the Organization’s ‘Risk Language’
Many functions in an organization worry about risk – and most of them use different words to describe it. By choosing a common language, organizations can begin to prioritize risks across disciplines and focus on the most important ones first. One of the first steps in doing this is using common scales for impact and likelihood rating, thus standardizing heat maps. Follow-up steps may also include standardized tracking of remediation plans (also known as risk treatment plans).
Reconciling the ‘Controls’ Philosophy of InfoSec with the Process Methodology of BCM
InfoSec groups think in terms of controls. The NIST 800 standard and ISO 27001 provide control ‘families’ and suggested controls. In contrast, BCM barely thinks about controls and tends to be more focused on establishing requirements from the business and fulfilling those. This can be a difficult divide to bridge, but some organizations have started moving down that path – primarily by re-conceptualizing BCM as a set of controls that fit into InfoSec’s framework. This isn’t a perfect match, but it’s a great start. Look for more on this approach in a future perspective!
WHY ARE ORGANIZATIONS PURSUING COORDINATION/INTEGRATION?
Let’s look at the benefits and cautions to both the InfoSec and BCM teams, as well as the organization overall:
As you can see – there are many great benefits to explore from every side! In our work with clients, this seems to be a natural fit – even when BCM and Information Security report to widely different groups. Thus we expect that more and more organizations will pursue this path. Ultimately, both InfoSec and BCM professionals have an opportunity here to help drive the industry in an exciting new direction.
Are you doing some interesting integration between InfoSec and BCM? Please share them below.