Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome to Cash in the Cyber Sheets, episode 14, take two. I'm your host, James Bowers with Input Output, Chief Security and Compliance Architect, and I say take two because we recorded this whole thing and then found out somehow we had multiple audio feeds and it sounds like we're doing it in a cave. Absolute, just pandemonium, can't edit it out, so take two. We all make mistakes, it's a journey.
So happy you're back here with us. Last week we talked about business continuity plans, and this week we're going to continue that discussion. But rather than, like we did last week, talk about how we identify what we need to make continuity plans for and the general ingredients, this week we're actually going to step through the different components and kind of the order that we do them in, and we're actually going to be using our business continuity plan form, the one right from our written information security plan, policy program, and it just makes it a lot easier. I hate to simplify it too much, but it's basically a business continuity plan paint by numbers: fill in this box, fill in this one, put your name here and answer these questions, and once you go through all of that, you have a pretty solid continuity plan.
So I always say there's always more that you can do, but this is a really good foundation. It actually can even get you through like an ISO 27001, a SOC 2 audit, lots of different audits, it's been through those, so even though it seems very simple, it's actually got all the parts in there and it's in a very nice structure. So we're actually going to walk through that today.
I'll talk to you all about it and show you how to put together a good continuity plan. Before we do that, however, click that subscribe button, click that follow button, send us some comments, get on the phone right now, text your friends, call your family, tell everybody you know about cash in the cyber sheets. This is where you need to be at 10 a.m. on Thursdays.
We're happy you're here. We want all your friends too. Also, leave us some comments.
If there's something that you want to talk about, things that you're having trouble at your business and your practice, whatever, we'd love to be able to discuss that with you. And we've got a lot more businesses lined up to come on. We'd love to have you business owners out there on the show as well to hear your story.
How did you get through some of the tough times? What were some of the biggest risks? How did you power through those? Because entrepreneurship, business ownership, business management, it's not easy. So we'd love to hear your story. We'd love to have you on.
Click follow. Let me stop doing our shameless plugs and actually get into the business continuity planning. So again, we're going if you have a written information security program and you want a little bit of a free for your deep dive.
This is form BCM FLM 001. It's right from our form manual. We've got a lot of them in here.
But as a quick recap to last week, last week we talked about how we identify what we need to have a business continuity plan for. And without going into a lot of detail, remember, we've got to know our five business metrics, how many leads we get, our conversion rate, our average lifetime value, our average lifetime of a client and our expenses. Once we know all those things, then we can identify what are the primary systems, people, processes, functions, whatever, that support that, that support all of those.
Then, that was a long pause. Hamster fell off the wheel. Once we have all of those, then we can create our continuity plans.
Now, we are going to do a business impact analysis here. We are going to talk about the different things that could go sideways, the different things that could happen to impact us and what we're going to do. But remember, what we really want to focus on is what are we going to do if this critical system is not available? It just, it just up and vanishes because that way, if we have an answer for that, what we'll do, it really doesn't matter what happens.
We'll have a plan for it, because even though we can identify a lot of things that go sideways, there are so many more that we haven't been able to even conceptualize yet. So, please put yourself into a position to be prepared for anything, prepared for the unknown, rather than just going through the steps to create a few continuity plans for a fire, for a blizzard and other things like that. So, getting into our form, the very first part of it is the name.
We're just going to name the damn thing. What system, what process, what function is this for? Now, we'll talk about this a little bit more in our continuity or business impact analysis for the continuity plan. Word shuffling there.
But you can go about this a few different ways. One is you can name the primary system. So, let's say our primary office location.
And then in the impact area, do all the different things like you go sideways and explain what you'll do. Or you could create a different continuity plan for those different big events. So, primary office fire, primary office hurricane, primary office legal trouble.
You could also break it up into kind of umbrella sections. And a good way to do that is using like PESTEL categories: political, economic, social, technological, environmental, legal. I think I got them all.
I just did them out of order. You could do those. So, primary office environmental issues, primary office economic issues or legal issues, and then that can let you hone it in.
There's no right or wrong answer here. Just whatever works best for you. Whatever works best for your business.
What I would say, be very, very careful with this, is as with all things security and compliance, get that balance. We don't want to make things so detailed, so in depth that when we jump in to use the continuity plan or try to figure out what we're supposed to do, we've got to read a novel the size of Moby Dick just to figure it out. That's not helpful.
On the other side, we don't want to make it so vague that we don't know what to do when things happen. And even though we may have some power players, people that know everything inside and out in some of those areas, if they're not available and our plan is too vague, we don't really have a plan. It's not helpful.
So again, measure that, balance it, whatever works best for you and your company. Again, there's no right or wrong answer here, unless you're getting audited by or like an ISO or SOC 2 or FedRAMP, then your auditor will probably say there's the right way for it. But again, it really comes down to your business, your risk, and your risk being in the sentence.
So first part, kind of logistics, name, who the owner is. Remember, one head on the chopping block. You can delegate this, you can have multiple people involved, but the responsible party needs to fall to just one person.
If you have multiple people as owner or as in charge, it turns into a thing of, well, I thought they were doing it, and no, they were supposed to. One person responsible, that person can delegate however they want, they can completely remove themselves from it if they want to. That's completely fine.
But they're still responsible. So if it goes sideways, still a no. Next, we want to identify our initiation criteria.
How do we even know that we need to pull this out of the file cabinet and start using it? Simple as that. Resolution criteria, we'll actually talk about this a little bit later too, but how do we know when we can stop using this plan and go back to either plan B, technically it would be the plan C, or back to normal operations. Then in our next section, we're going to identify the parties involved with that.
Who initiates the continuity plan? That could be the owner, that could be a senior manager, it could be anybody. But we'll identify here who has that authority and who's going to basically ring that bell that, hey, we're using this continuity plan now. The next is our managing party.
A lot of times that's the same as the initiating party. Sometimes it can be different. We're just going to name them here.
And then the resolution party, who's going to identify when, okay, time for plan C, or we're back to normal operations. Again, this can all be the same person, completely okay. You just want to be able to identify that.
That way nobody's guessing when things go south, who's doing what. You got it, you got it documented. Now, the next two sections are really the meat and potatoes of the continuity plan.
It is the, it's the impact analysis and the actual continuity plan itself. So, like we talked about before on the business impact analysis, we can view that collectively for the BCP that we're creating. So, if it's for the physical office, we could name all the different things here that there could be an environmental issue or a fire, or you should probably call out some of the specifics in your area.
So, like here in Florida, hurricane, there could be legal issues. There could be a cyber attack, technological issue. However you want to split those up is okay.
Or if you're doing separate continuity plans for each of those, that's okay too. We're just going to identify everything in here of how the business, how we, the organization, would be impacted. So, if our primary office had a fire, well, what's that going to mean? We can't stay at the location.
We could lose access to the critical data, critical supplies. Whatever that is, this is a big, this is brainstorming time. Get all the relevant people, subject matter experts, get them in to talk through this.
And we also have resources and help companies and business owners walk through this with just a lot of questions. But that way it just gets the juices flowing. That's all you're really doing.
It's not magic. It's, there's no real special science there. Not to poo-poo on anybody that's like really good at this or studied it for a long time.
But it's really just a glorified thought exercise that you put on paper. And then revise and edit and improve. What we're also going to do is do a risk analysis against, typically you'd say, like the CIA triad. On the IOGRCF, the Input Output Governance Risk and Compliance Framework, we actually look at what we call the CIAPS: Confidentiality, Integrity, Availability, Privacy and Safety, and we also look at mission objectives and obligations. That's really the business focus of things. So, if we had a fire, what type of confidentiality risk would that introduce? Probably not a lot there, but definitely availability.
It could also introduce safety issues. It could also introduce impacts to our mission and objectives, which is financial and reputation. Or to our mission and obligations, our legal and regulatory requirements.
We want to identify each of those, and the way that this is split up is it's a very good just walk down, answer the questions, it's all right there. So, once we've gone through and identified all the different impacts, next step is we're going to actually start creating our continuity plan. Seems like a lot of steps to get to what we're calling the continuity plan.
But the process works. So, if this is a, if you've created this document to where there's one for each of the different types of events, then you'll just describe that here. If you are doing it to where you have like one primary system or function with all the different events, like primary office and environmental issues, legal issues, yada, yada, yada, then you can identify all those here.
But we'll really now just describe what are we going to do. If there's a fire, well, we make sure everybody's evacuated. We contact all of our employees.
We move to site B. All of those that have remote working capabilities start working remotely. If there is legal issues, we contact our legal counsel. We work remotely.
If we're allowed, so on and so forth. We just name all the different things that we're going to do. A big part here, though, that we want to consider, and this is overlooked by the majority of companies that we see, is you want to do another risk analysis against your continuity plan.
What new risk are those continuity operations going to introduce you in the organization to? So, if our primary office, there's a fire, we're moving over to a new one, well, that new location may not have security guards like our office does, and they may not have key card access, which means that any of the assets, the systems, the information that we take over there, somebody could walk right in and grab it. So, that's new confidentiality risk, possibly new privacy risk. We want to identify the different things that could impact us while we're doing those continuity efforts, and that will sometimes lend to us tweaking our continuity plan, we didn't really consider that, let's not do it this way, or putting compensating controls in place, or just accepting it.
Hey, if we have to move to the alternate location, that's just a risk we have to accept. We got to keep running. So, again, no right or wrong there, it's what's appropriate for your business, but make sure for each of your continuity actions, each of your continuity plans, consider all of those different risks, the confidentiality, integrity, availability, privacy, safety, mission and objectives, mission and obligations.
Or, as we like to say, the SIAPSMU, it's not an acronym we use, but maybe it will be, maybe we'll trademark that, put it on some shirts, on some mugs. It doesn't exactly roll off the tongue, though. So, once we've got all of that, our next step is from all of our continuity plans, we want to identify, are there any special continuity resources, or plan resources that we need, are we going to need special funding, are we going to need special authorization, or is there, if we're moving to an office, do we need a mover, or do we need to contact the landlord of where we're going, any of those things we want to put in here.
What I would also recommend is with senior management, whoever's authorized, have these conversations now, and get pre-approval for certain things. So, say if there's a cyber attack, you need to act quick, you need to move fast, otherwise that can spread, it can become a lot worse. So, it's good now to identify, okay, I'm authorized to bring down 40% of our systems, or I'm authorized to take this area offline, I'm authorized to spend $5,000, let's say, get a team in here to help execute, and while they're doing that, I can get further approvals, whatever it is.
You're going to have the conversation when things go sideways, which is a bad time to have it, so it's a good time to have that conversation now. Go ahead and list any of those authorizations now that you can, and those you'll definitely want to revisit at least annually to make sure, hey, this is still kosher, it's still fine, but you want to identify that up front, and it will save you so much headache when things, when you actually have to use your continuity plan, when a disaster is happening. What we also want to identify here is, with any of those special resources, any special contacts.
Like I said, we're moving to a new office, or going to the new office, do we need to contact the landlord, here's their information. Do we need to get help from our data center to power cycle some systems, here's their information, here's our utilities. A lot of these names will probably be on our ICERT list, our information security incident response plan, incident response team member list, which if you listen to our podcast on incident management, it's in there.
But a lot of those names are going to coincide for any of this you identify when doing the continuity plan, a lot of times those are good to add on to that ICERT list, because when an incident happens, it's when you execute your continuity plan, it's all connected. Next part we want to identify is, how long will we operate with these continuity procedures? In some cases, it's just until things come back online. Perfectly okay, no right or wrong.
However, there does come a point to where, if it's weeks, if it's months, God forbid, we may need to move to an alternate solution. So, a really good example of this is, let's say Microsoft 365, the Microsoft Ecosystems stand. That's very difficult to move from.
For a lot of companies, that's their entire environment. But if it's offline for three, four, five weeks, months, at some point, we've got to make a decision, are we going to just close our business, or are we going to move to some other solution? Listen, after four weeks, we need to connect with senior management, make an evaluation, see are we coming out of this, and if not, start getting moved over, start turning the wheels to get over to, say, Google Suite or some other solution. We want to identify how long we can operate under these continuity guidelines.
And what's also going to help drive that is, are there any SLAs? Are there any manufacturing requirements, regulatory requirements? There's only so long that you can tell a regulator, sorry, we can't meet our deadlines, we can't meet our regulatory requirements because, you know, that supplier's not doing what they're supposed to do. That doesn't apply. You need to have another plan, you need to be able to execute.
So, identify that here. The next part is, what are the disaster recovery plan specifics? Really, how are we going to move from continuity operations back to normal operations? That's all disaster recovery is. So, what needs to be in place? Are there any special resources? How are we going to identify that? There was the, we named them earlier, the resolution party.
How are we going to decide that, okay, we're done using the continuity plan, now we're back to business as usual? We can close our incident, we can do our lessons learned, post-mortem, and move on. That's all there really is to that. There's not anything else deeper than that.
And then the final part is just identifying how often are we going to test, measure, and audit our continuity plan? Well, we should review it at a minimum, at least annually, and whenever there's a significant change. Then we can also identify how are we going to test it. Are we going to do walk-throughs, or are we going to do tabletop, or parallel runs, or a full interruption test? Again, whatever works best for your business, but make sure to weigh that against the importance, and don't make assumptions.
Don't assume that all those server backups you have will work when needed. Sometimes it's good to do an actual full test, shut everything down, and then try using the backup systems. Don't do it on a busy day, but definitely plan that to make sure that things are going to work the way they need to, and the way that you expect them to.
And then finally, I've used finally, I think, like three times, finally, finally, are there any auditor requirements? You know, who's going to do the audits? Is that going to be the owner of the BCP? Is that going to be the internal auditor of the organization, whoever? And what's nice once you have all of this identified is you have your continuity plan, impact assessment, disaster recovery, and auditing requirements all wrapped into one. So, it makes it very easy to grab this and execute it, to review it, and then to audit it to make sure that it's still meeting all of your organization's requirements, and fully supporting the need of the company, of your clients, and everybody that would be impacted. So, that is our down and dirty business continuity plan development process.
Like I said, I just walked right through our form. If you're interested in that, feel free to reach out to us. We've got that available in our written information security policy program, our WISP program.
That comes with all the policies that support this. So, it explains all of the, what I call making toast, all of the long, long, long explanations for what seems like simple stuff, all of those policies, and then also the forms that you can use and just continue to print these off for each of the different systems. So, I would like to thank you for listening to episode 14 of Cash in the Cyber Sheets.
Again, click that subscribe, follow, wherever you're listening to us at, leave us some comments. If you'd like to tell your story about your business, the things that you've gone through, we'd love to hear from you, would love to have you on the show. Just reach out to us.
We will see you next week, 10 a.m. Thursday, same time, same place. Thanks for listening, and have a great day.