contingency plan

business coop and risk management

June 10, 2015 by Bruce Brown Leave a Comment

NIST SP 800-34, Contingency Planning Guide for Federal Information Systems Rev 1

NIST Special Publication 800-34 breaks down the contingency planning process in seven-steps. The process helps organizations develop and maintain a contingency planning program for their assets. These seven steps are designed to be integrated into each stage of the system development life cycle to leverage the overall risk of an information system.

Develop the contingency planning policy statement. A formal policy provides the authority
and guidance necessary to develop an effective contingency plan.
Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information
systems and components critical to supporting the organization’s mission/business processes. A
template for developing the BIA is provided to assist the user.
Identify preventive controls. Measures taken to reduce the effects of system disruptions can
increase system availability and reduce contingency life cycle costs.
Create contingency strategies. Thorough recovery strategies ensure that the system may be
recovered quickly and effectively following a disruption.
Develop an information system contingency plan. The contingency plan should contain
detailed guidance and procedures for restoring a damaged system unique to the system’s security
impact level and recovery requirements.
Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas
training prepares recovery personnel for plan activation and exercising the plan identifies
planning gaps; combined, the activities improve plan effectiveness and overall organization
preparedness.
Ensure plan maintenance. The plan should be a living document that is updated regularly to
remain current with system enhancements and organizational changes.

This approach very effectively covers all the same “corporate risk” challenge you would see in major organizations. It addresses corporate risk, by introducing a tiered approach to risk.

The Fundamentals of Corporate Risk Management (covered in Chapter 2, of NIST SP 800-39)

800-39 covers corporate risk in three layers (or tiers) of risk management:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

Tier 1: Corporate Organization Level risk management
NIST 800-39, Tier 1 addresses security from the entire organizations perspective. Corporate risk structure starts from the top down. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Corporate/Mission Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/corporate processes to support the organization. 2) Prioritize the mission/corporate process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.

Having a risk-aware process is an important part of tier 2.

To be risk-aware senior leaders/executives need to know:

types of threat sources and threat events that could have an adverse affect the ability of the organizations
potential impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised
Corporations resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks of the DIARMF/risk management framework steps:

Categorization of the information system
Allocating the organizational security control
Selection, implementation, assessment, authorization, and ongoing

Chapter 3 on NIST 800-39 focuses on the step to have a comprehensive risk management program. The tasks discussed include:

Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

Risk Framing

Risk framing are the assumptions, constraints, risk tolerance and priorities that shape an organization’s managing risk. Risk framing is created based on organizational governance structure, how much money is available, regulations imposed, environment, culture and trust relationships.

Risk Assessment

Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk.

Risk Response

Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Risk identification is key to risk response. Risk types include:
Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk Monitoring

Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk.

business risk

February 7, 2014 by Bruce Brown Leave a Comment

You should deal with business risk BEFORE disaster strikes.

Business risk deal with negative impacts to an organizations bottom line. If harm should strike exposed weaknesses, the business needs to know how they will deal with it and how do they adjust to the situation.

A Business Impact Analysis (BIA) is sometimes done to identify the threats, vulnerabilities, assess, the likelihood of threats acting on identified weakness and the impact if they do. DIARMF pulls for NIST and the NIST is robust enough to address address BIA / business risks. The main documents dealing with business risks are 800-39, 800-30, and 800-34.

NIST SP 800-39, Manage Information Security Risk deals with the process of business risks by way of explaining the risk management necessary for an organization.

NIST SP 800-30, Guide for Conducted Risk Assessment describe the tasks and steps of business impact assessments:

A Business Impact Analysis (BIA) identifies high-value assets and adverse impacts with respect to the loss of integrity or availability. DHS Federal Continuity Directive 2 provides guidance on BIAs at the organization and mission/business process levels of the risk management hierarchy, respectively.

NIST Special Publication 800-34 provides guidance on BIAs at the information system level of the risk management hierarchy.

One of the biggest business risks capture while doing business impact assessments is interruptions of service. After all, if the business is not DOING business then mission, work and revenue stop. So the business/organization and or department must have a contingency plan. NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems covers what to do in case of interruptions.

A contingency plan covers what to do in the event of service disruptions including procedures, and technical measures that can get systems back quickly for a while until the disruption passes. NIST 800-34 covers information system contingency plans (ISCPs) who documents them and how. This is also a major part of the security controls addressed in 800-53/DIARMF.