The BCM oversees information security in crisis situations and is key for all organizations in today's society
| Figure 1. Modification of the effects of an incident with BCM. Relationship between BCM and risk management |
Personnel, infrastructure, and IT must be protected, reputation must be preserved, and the capacity to continue operations and commerce (B2B, B2C, etc.) must be ensured. Business Continuity Management (BCM) is a comprehensive management process that enables preparedness in a technological world of change, uncertainty, and high turbulence. It relies on availability technologies such as backups, hot, warm, and cold sites, UPS, RAID, redundancy, etc. The focus should be on being prepared to face incidents and disasters, rather than waiting for a crisis or an audit finding to force action.
The results of the GSISS'08 study (Global State of Information Security Survey 2008), conducted in Spain by PricewaterhouseCoopers, reveal that investment in information security continues to be driven primarily by the Business Continuity and Disaster Recovery functions: 40% in 2008 and 55% in 2007. Likewise, among the management positions associated with security, CEOs (Chief Executive Officers), CFOs (Chief Financial Officers), and CIOs (Chief Information Officers, the executive who represents IT at the management table) name Business Continuity and Disaster Recovery as the main factor influencing investment in information security, whereas CISOs (Chief Information Security Officers) name regulatory compliance. Business continuity is therefore a priority among the main concerns of CEOs and CIOs, and it has become a key necessity for survival in today's turbulent, technology-driven economy. Consequently, business continuity must be implemented as a discipline, not merely as an audit requirement.
Common reasons why some organizations are unprepared for crisis situations include a lack of awareness of the potential damage, a failure to learn from their own experience or that of others, and denial of the reality that the number of vulnerabilities and threats grows daily.
Anything that prevents an organization from achieving its business objectives is a risk, and preventive, detection, and response measures must be taken. Reasons for ensuring business continuity include: the need for continuous service delivery, the protection of people and assets, the increasing vulnerability to threat materialization, and compliance regulations. According to an IDC report, the cost of an information security incident can range from €15,000 to €6 million. Given the increasing sophistication of attackers, this cost will grow in the coming years, as the cost of the problem far exceeds the cost of its solution. According to IDC, the security market will increase its business volume to $7.3 billion by the end of 2010, which means an average annual growth of 11%.
Terminology. Characterization of Countermeasures.
An incident is an event that, if left uncontrolled, will lead to multiple impacts. A disaster is an unpredictable, catastrophic, unplanned, and sudden event that causes significant damage or loss, or any event that renders a part of an organization unable to provide critical business functions. Examples include earthquakes, hurricanes, terrorist bombings, massive loss of personal data of financial institution customers, DDoS attacks, etc. Possible characteristics of a disaster include:
| Figure 2. BCP program life cycle and relationship between plans. |
(i) It is unpredictable. (ii) It can destroy human lives or negatively affect people's health. (iii) It can cause loss of property, infrastructure, facilities, software, data, hardware, etc. (iv) It generates a financial impact. (v) The impact can be at different levels: individual, organizational, community, national, and international.
Business Continuity Management (BCM) is about the availability of processes and resources to ensure the continued achievement of critical objectives. Methodologies such as BS-25999, BS-25777, HB 292 (which enables the BCM lifecycle and includes templates), FEMA 141 (which focuses on BCM with emergency planning and includes a very detailed section on incident management), BCI GPG, APS 232, and TR 19 can be used. BCM is the comprehensive management process that identifies potential impacts that threaten an organization and provides a framework for building organizational resilience with the capacity for an effective response that safeguards the interests of its key stakeholders, core business, and value-creating activities. BCM should be fully integrated into organizations as an embedded management process.
Business Continuity Planning (BCP) refers to the ability to maintain the constant availability of critical systems, applications, and information across the organization. It can also be defined as a set of documented procedures and information that is developed, compiled, and maintained for use in an incident to enable an organization to continue performing critical activities at a predefined, acceptable level. Business Continuity Planning (BCP) has a strong business focus.
Emergency planning and management (EP/EM) is the process resulting from a set of agreed-upon procedures to prevent, reduce, control, mitigate, and take other actions in the event of a civil emergency impacting the organization. Methods such as BS 25999/UK, NFPA-1600, FEMA-141, and ISO PAS 22399 may be used.
Information technology service continuity (ITSC) supports business continuity management (BCM) by ensuring that the required IT components can be recovered within the timeframes required and agreed upon by the business; methods such as PAS 77, BS 25777, and NIST 800-34 can be used.
Disaster Recovery Planning (DRP) integrates the procedures for restoring the operability of the target system, application, or computer installation; methods such as NIST 800-34 can be used (it focuses on IT service continuity, includes a good section on Business Impact Analysis, and describes strategies for maintaining IT availability). DRP allows for the temporary and immediate restoration of network or computing operations within defined timeframes after a disaster has occurred; it is also defined as the set of documented procedures and information necessary to resume the normal computing capabilities associated with critical business processes. DRP has a strong focus on technology.
| Figure 3. Types of BCP/DRP tests and availability mechanisms. |
Business Impact Analysis (BIA) refers to the actions necessary to identify customer impacts, financial impacts, reputational impacts, and other related business impacts and assess them based on their criticality to business continuity.
Importance of Business Continuity
There is a growing number of reasons that justify business continuity: (i) No system is foolproof. (ii) An incident can still occur even if ICT and information security risks (data loss, system failure, virus attacks, etc.) have been identified, the level of risk acceptance has been determined, the addressable risks have been mitigated, controls such as encryption mechanisms, intrusion prevention, and network monitoring have been implemented, and risks have been managed proactively.
| Figure 4. Relationship between BIA and risk assessment. |
Justification for the Need and Benefits of BCP and DRP
Some of the reasons that justify BCP/DRP are: (i) Regulatory compliance. There is a growing number of regulations and standards to comply with; depending on the sector, these typically include SOX, PCI DSS, ISO-27001, BS-25999, BS-25777:2008 (IT continuity management, which is more specific than BS-25999 and goes into details such as alternative data centers and specific IT procedures), HIPAA, GLBA, FISMA, CUBG, FERPA, MiFID, LSSI-CE, LOPD-RMS, LISI, etc. (ii) Business needs: minimizing losses. According to Jim Hoffer of Health Management Technology, only 6% of organizations that suffer a catastrophic data loss manage to survive, while 43% never reopen and 51% close within two years. (iii) The protection of people and assets. (iv) Increased vulnerability to the materialization of threats. (v) The need for continuous service delivery.
The main benefits of BCP/DRP are: (1) Proactively identifying the impacts of operational disruption. (2) Providing an effective response that minimizes the impact on the organization. (3) Maintaining the capacity to manage uninsurable risks. (4) Fostering teamwork. (5) Enhancing an organization's reputation and competitive advantage in its ability to maintain, deliver, and recover from a disaster.
Phases of a BCM Program
The phases of a BCM program are: (1) Preparation. This involves identifying the business, the organization's current situation, the potential consequences of a crisis or disaster, the objectives, the necessary initial investment (budget), who would be responsible for its initiation and monitoring (CEO, CFO, CIO, CRO, business owner, etc.), and when it should start and end. A useful approach is BS 25999, with Part 1 as the code of practice and Part 2 as the specification. The PDCA (Plan-Do-Check-Act) model is applied to BCM. (2) Understanding the organization. Appointing a person responsible for BCM implementation, developing the BCM policy, conducting a Business Impact Analysis (BIA), and determining the critical business mission lines. The objective of the BIA is to assess, over time, the impacts (decreases in performance level) that will occur in the activities that support key services and products. A BIA document includes the following headings: business process, impact, minimum expected performance level, Recovery Time Objective (RTO), time required to fully restore the service, and other dependencies. The BIA process involves: (i) Selecting the participating entities. (ii) Assessing the impacts over time that disrupt the activity. (iii) Establishing the MTPOD (Maximum Tolerable Period of Downtime), also known as MTD (Maximum Tolerable Downtime), the RTO (Recovery Time Objective), and the TTRNO (Time To Resume Normal Operations), where MTPOD = RTO + TTRNO. (iv) Identifying interdependencies, such as personnel, infrastructure support, and resources. (v) Prioritizing the recovery process and building consensus. (3) Assess risks. This involves: (i) Determining risk acceptance criteria. (ii) Determining the acceptable level of risk. (iii) Analyzing risks to prepare for the situation. (iv) Conducting a gap analysis to mitigate risks. (4) Determine BCM strategies and options. As a result of a risk assessment in combination with the BIA, the organization should identify measures that: (i) Reduce the likelihood of a disruption. (ii) Shorten the disruption period. (iii) Limit the impact of the disruption. These are risk treatment and loss mitigation measures. Keep in mind that not all risks can be prevented or reduced. Loss mitigation strategies can be used in conjunction with other strategies: business continuity, acceptance, transfer and change, suspension, or termination.
| Figure 5. Tools for BCM and BIA. |
Strategies may be needed for the recovery of the following organizational resources: people, physical infrastructure, technical infrastructure, information, business processes, and stakeholders (entities that can affect or be affected by the organization). (5) Develop and implement BCM responses. This involves developing response plans and documentation. To do this: (i) Recognize the incident or potential incident. (ii) Escalate the incident. (iii) Activate the appropriate business continuity response. (iv) Consider whether resources will be available to support the plan. (v) Communicate with stakeholders. The components of an emergency response are: (a) Internal escalation procedure. (b) Emergency notification procedure. (c) Integrated response: procedures for safety of life, protection of property/physical security, protection of technology, and protection of the organization. (d) Training procedures and responsibilities. Crisis management involves: ground-level response action, incident escalation, incident management framework, media communication policy, central control, assistance to personnel, and continuity and recovery of critical activities. (6) Embed BCM in the organizational culture. Building, promoting, and embedding a BCM culture within the organization ensures that it becomes part of the organization's core values and enables effective management. This is achieved by raising awareness and providing training. (7) Test and practice. Practice and train personnel, use evacuation procedures, and create call trees. Conduct tests on equipment, technologies, servers, UPS systems, telecommunications networks, etc. Possible types of tests include: checklists, structured walkthroughs, simulations, parallel tests, stress tests, total outages, surprise tests, exhaustive tests, modular/component tests, functional tests, etc. (8) Monitor and maintain (maintenance objective). Incidents must be managed despite potential changes in the organization or environment. A review may be triggered by: a change in the management process, self-assessment, internal/external audit, or training or testing.
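As an added illustration, not code from the article: a small Python model of the BIA relationships described in phase (2), using the article's BIA headings (process, impact, minimum performance level, RTO, time to full restoration, dependencies) and its formula MTPOD = RTO + TTRNO. It also checks that no process promises an RTO shorter than that of something it depends on, and derives a recovery priority from dependencies and impact (phase (2), step (v)). Field names, impact scores, and the sample processes are constructed assumptions.

```python
from dataclasses import dataclass, field
from graphlib import TopologicalSorter


@dataclass
class BiaEntry:
    """One BIA row; field names are our own, the headings are the article's."""
    process: str
    impact: int                 # criticality score, higher = more severe
    min_level_pct: int          # minimum expected performance level
    rto_hours: float            # Recovery Time Objective
    ttrno_hours: float          # Time To Resume Normal Operations
    depends_on: list = field(default_factory=list)

    @property
    def mtpod_hours(self) -> float:
        # MTPOD = RTO + TTRNO, as defined in the article
        return self.rto_hours + self.ttrno_hours


def dependency_findings(entries):
    """Return (process, dependency) pairs where a process has a shorter RTO
    than something it depends on: that RTO cannot actually be met."""
    by_name = {e.process: e for e in entries}
    return [(e.process, d) for e in entries for d in e.depends_on
            if by_name[d].rto_hours > e.rto_hours]


def recovery_order(entries):
    """Prioritise recovery: dependencies first, then highest impact first."""
    by_name = {e.process: e for e in entries}
    ts = TopologicalSorter({e.process: set(e.depends_on) for e in entries})
    ts.prepare()
    order = []
    while ts.is_active():
        ready = sorted(ts.get_ready(), key=lambda n: -by_name[n].impact)
        order.extend(ready)
        ts.done(*ready)
    return order


# Constructed sample BIA (hypothetical processes, not real data)
SAMPLE_BIA = [
    BiaEntry("core_db", 10, 100, 2, 10),
    BiaEntry("identity", 8, 80, 12, 12),
    BiaEntry("payments", 9, 90, 4, 20, ["core_db"]),
    BiaEntry("web_portal", 7, 50, 8, 16, ["core_db", "identity"]),
]

if __name__ == "__main__":
    print({e.process: e.mtpod_hours for e in SAMPLE_BIA})
    print("RTO conflicts:", dependency_findings(SAMPLE_BIA))
    print("Recovery order:", recovery_order(SAMPLE_BIA))
```

In the sample, web_portal claims an 8-hour RTO while depending on identity, whose RTO is 12 hours, so the BIA flags that row for revision before recovery strategies are chosen.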
Standards and Guidelines in BCM.
NIST, in its document SP800-34, describes a guide for information technology systems continuity planning, which is structured in the following points: (1) Develop a continuity planning policy statement. (2) Conduct a business impact analysis. (3) Identify preventive controls. (4) Develop recovery strategies. (5) Develop the contingency plan. (6) Test the plan and conduct training and exercises. (7) Maintain the plan.
| Figure 6. BCM structure according to NIST SP 800-34. |
The British Standards Institute (BSI), in its code of best practice BS25999 on business continuity management, establishes the following points: (1) Establish the business continuity management policy. (2) Manage the BCM (Business Continuity Management) program. (3) Understand the organization. (4) Develop and implement a BCM response. (5) Practice, maintain, and review BCM agreements. (6) Embed BCM in the organization's culture. The ISO 27001 standard on information security management includes information security in the business continuity management process, enables risk and business continuity assessment, allows for the development and implementation of continuity plans that include information security, provides a business continuity planning framework, and allows for the verification, maintenance, and reassessment of business continuity plans.
Final Considerations
Our research group has been working on the synthesis, design, analysis, implementation, assessment, and evaluation of BCM programs for over twelve years, using diverse strategies and methods in combination with risk analysis and management. We identify risks and impacts and develop countermeasures at all levels—technical, administrative, and so on.
This article is part of the activities carried out within LEFIS-APTICE (funded by Socrates 2005-2007, European Commission).
Author:
Prof. Dr. Javier Areitio Bertolín,
Professor at the Faculty of Engineering, ESIDE.
Director of the Networks and Systems Research Group, University of Deusto.
