CIR Risk Analysis and Review and Business Impact Analysis
Risk Treatment Strategy
The risk treatment summarized by Verizon surveys for the following cyber security risk is as appended in the four figures shown below.
For more information, refer to the blog for Verizon’s recommended practices [under construction] for tackling various cyber security threats.
Re-Visiting these Processes
Organizations must remember that these processes are not conducted just once; they should be shown periodically or when significant organisational and technological changes occur.
These processes take up the majority of the time in preparing a plan to manage cybersecurity incidents effectively, and that is because they are the most critical processes in the overall development of the plan.
Pairing their importance with the rapid advancement in technology, organizations are left with no choice but to conduct these processes to continue to ensure that their plan remains relevant so that cyber security incidents are managed effectively, minimizing impacts to the business.
Key Take Away for CIR from the RAR and BIA Phases
The key takeaway is that as a BCM or cyber security professional, drawing the connections between the continuation of the disrupted CBFs and the impact of the cyber security incident is critical in ensuring effective management of the disruption due to the cyber security incident.
During a cyber security incident, the cyber security team is the overall in-charge of managing the incident. Information regarding the cyber security incident gathered by this team should be communicated to the BCM team during the start.
This should be executed concurrently with the appropriate CIR procedures to contain the incident and minimize the attack from the organization’s systems.
Meanwhile, suppose the BCM team can receive the information regarding the affected information assets early during the outage. In that case, the BCM team can notify the business users to commence preparation for their CBFs potentially affected by the cyber security incident.
The consolation for the business users is that during a typical cyber security incident, they will still have access to the infrastructure (office) as it is not denied access. However, the cyber security attack will most likely compromise the technology infrastructure and assets within the organization.
Therefore, with the information received and the list of CBFs previously identified, they can determine which CBFs will be affected by the cyber security incident, take precautionary measures, and be on standby to execute the appropriate procedures as documented on the BC plan to ensure minimal downtime of CBFs.
Summary of RAR and BIA for CIR
Identifying an organization’s information assets is conducted first because the organization has to know and understand they are trying to protect itself from the influence of cybercriminals.
The identification of CBFs and risk assessment are conducted simultaneously. The identified assets pave the way for the organization to determine what cyber security threats can influence them negatively and which CBFs utilize them. At the same time, the impacts of associated cyber security threats are calculated and determined, which can also be used to determine which business functions are critical.
Based on the criticality and severity of the CBFs and the impacts of cyber security threats, the organization has to prioritize the order in which the CBFs have to be recovered to meet the MBCO. The organization will dedicate more effort and resources to recovering CBFs, which are higher on the priority list during the risk treatment process.
At this point, every organization will be unique regarding its identified information assets, identified CBFs, and identified cyber security threats. Therefore, the priorities of recovery will differ, so the allocation of effort and resources changes accordingly.
Related Topics to CIR RAR and BIA
Do You Want to Continue BCM Training onsite or online?
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 6Risk Analysis and Review and Business Impact Analysis 6.9 Risk Treatment
Note: This version was the draft 2nd Edition being updated by 2023. The numeric in the square bracket [X.X] cross-refers to the actual chapter and section in the 1st Edition.