Business Continuity requires Security Architecture
4 September 2016
An architected and efficient way to enable your Business Continuity and Information Security in the context of cyber threats.
By Jeff Primus
The frequency of cyber-attacks continues to increase at an unparalleled pace. By attacking the most vulnerable value chains of organizations, they result in breaches of information confidentiality and integrity, discontinuity of business activities, and huge financial and reputational damage. Once considered predominantly a technological issue, the risks related to information systems are now evaluated within the scope of Enterprise Risk Management.
On the other hand, Business Continuity Management (BCM) has traditionally been treated as a domain separate from Information System Security Management (ISSM). With the rapid explosion of cyber threats, alignment between BCM and ISSM is now becoming a must, in order to provide management with a holistic view and to enable them to build organizations in which the two teams interact closely with each other.
It goes without saying that the organizational side of security and BCM is the key to a successful implementation, yet the information system (IS) side also needs to be addressed in an efficient way. Various standards and frameworks exist to help organizations implement BCM, but they lack, on the one hand, practical guidelines enabling a pragmatic and efficient implementation and, on the other hand, a strong link with the governance, architecture and security of the IS.
In this article we will very briefly introduce an innovative approach and describe the first steps for linking the ISO 22301 Standard to the SABSA® Methodology for Enterprise Security Architecture and Strategy, enabling an efficient implementation of BC based on an architected and secured IS.
ISO 22301 Standard
Business Continuity is defined as the capability of an organization to continue the delivery of products or services at acceptable predefined levels following a disruptive incident. Based on this definition, BCM can be seen as a holistic management process. It identifies potential threats to an organization and their impacts on business operations. More importantly, it provides a framework for building organizational resilience, preparing an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Within this context, ISO 22301 enables a BCM System (BCMS) that establishes, implements, operates, monitors, reviews, maintains and improves BC. The owner of BCM should be at the CEO level of the organization. BCM structures the following activities:
Planning – During the initial phase of the BCMS, management buy-in is obtained and the organization’s needs, strategic objectives, context and scope are determined, emphasizing the intention of the organization to address risks and opportunities and to comply with regulations. Next, key competences are empowered and resources are provisioned. Additionally, document lifecycle and communication management, which are key to the success of BCM, are put in place.
Operations – The major activities of this phase are: Business Impact Analysis (BIA), Risk Assessment (RA), Strategies, Procedures, Exercises and Tests. For instance, during the BIA step, business requirements such as Recovery Time Objectives (RTO) are captured.
Performance Evaluation – In order to prepare the basis for the improvement phase, the BCMS is now monitored to verify its effectiveness, efficiency and compliance with the BC objectives. Internal audits and management reviews are also performed periodically in order to analyze and evaluate the performance of the BCMS and to identify possible nonconformities.
Improvement – This is the final phase of the cycle, in which nonconformities are controlled and corrected through appropriate actions.