Integrating Cyber Security and Business Continuity

Overview

Cyber security incidents have business continuity implications and impacts that extend far beyond the Information Technology (IT) domain. It is important that the University integrate its IT response to cyber security events with the University’s overall business continuity planning model. Rather than maintaining and executing IT cyber security incident management plans and business continuity plans in silos, the plans should complement one another and build upon IT’s overall incident response plan.

While managing cyber security is predominantly an IT responsibility, University organizations are far too dependent on technology to weather a cyber security event without continuity planning of their own. To enable the most effective University response, the touch points between the IT plan and organizational level business continuity plans must be defined and connected, so that leadership has the information necessary to assess and control the overarching business impacts, and IT has leadership’s support when rolling out the selected response strategies.

Business continuity plans must adhere to University security and privacy policies and to state and federal regulations even while the institution is operating under extraordinary conditions; a disruption does not suspend these obligations. Plans should therefore be built in accordance with those policies and regulations from the outset, rather than relying on exceptions granted during an incident.

1.0 The Organizational Plan

The University is vulnerable to a variety of natural and man-made emergencies, disasters, and hazards. Recognizing that not all events can be prevented and that some risks may be deemed acceptable, proper planning is essential to maintain or restore services when an unexpected or unavoidable event disrupts normal operations. Business continuity planning at the organizational level includes identifying vulnerabilities, priorities, and dependencies, and developing measures and plans that facilitate continuity and recovery before, during, and after such a disruption.

Organizational level business continuity plans identify leadership within a specific area to serve as the crisis management team and to coordinate preparedness and response planning. Leadership has the appropriate perspective to assess business-specific impacts and recommend actions that enable continuity of business operations or prepare the area for disruption, and to weigh in on the selection and timing of the IT response strategies that affect their area.

2.0 The Integrated Framework

A business continuity plan is not just a technology plan. It takes a much broader view of the functions and information resources of the University. IT resources are a necessary part, but not a sufficient one. People are the most important element. Commitment, leadership, preparation, and practice are the key factors of a business continuity plan. A well-prepared plan should address all key services and their administration, delivery, and support. The following steps outline the process of developing a business continuity plan.

  1. Obtain commitment and authority from institutional leadership.
  2. Establish a planning team for your organization. Who should be involved and in what role?
  3. Perform a risk assessment. Identify the threats and hazards to which your organization is exposed and determine their likelihood and impact on the functioning of your organization, both under normal operating conditions and under the extraordinary conditions during which a business continuity plan will be activated. (Refer to your organization’s Information Asset Classification Register.)
  4. Perform a business impact analysis. Identify critical resources and services and the maximum tolerable downtime for each critical service; this sets the recovery priority for the strategies chosen in later steps. (Refer to your organization’s Information Asset Classification Register.)
  5. Identify critical resources
    1. People – Identify all support staff, and establish a chain of succession for key personnel.
    2. Places – Identify key buildings, and plan alternate locations for workers and equipment.
    3. Systems – Using the business impact analysis, prioritize systems in terms of criticality, noting the IT services and data each depends on.
    4. Other – Identify other critical assets required for normal business operations.
  6. Determine continuity and recovery strategies for your organization.
  7. Train students, faculty, and staff on what to do in case of a disaster.
  8. Test your plan and recovery procedures. Generate scenarios and simulate them with tabletop exercises.
  9. Create a communication plan. Being able to communicate during a crisis is essential. Determine alternative means of communication, because "normal" communication means may not be available; during a cyber security event in particular, email, telephony, and collaboration systems may themselves be unavailable or untrusted.
  10. Document all information pertaining to your plan using the form found here. File a copy of the completed form and any other related documentation with Human Resources.
  11. Review the business continuity plan annually.
The information security team will perform an annual gap analysis between your organization’s plan and IT’s capabilities and planned response strategies.