Business Resilience Definition

The term resilience is defined as:

the ability to survive, adapt, and flourish in the face of turbulent change.

Applying this to a business gives us the concept of business resilience -

the ability of a business to withstand, adapt and thrive in the face of
turbulent change that originates from both internal and external sources as
well as anticipated or unanticipated events.

A resilient business can adapt to disruptions and keep operating while looking after its people, assets, and brand equity.

It is important to understand that Information Security is not Business Resilience. Business Resilience drives the need for Information Security, because today's businesses rely heavily on technology and on the interconnected world we live in.

We will look at Business Resilience from two different perspectives.

  1. Business Continuity Management System (BCMS): a reactive system which assumes a threat has already occurred and that a Business Continuity Plan is in place to deal with it.
  2. Information Security Management System (ISMS), ISO 27001: a preventative system that does not assume a threat has occurred yet.

Business Continuity Definition

To achieve business resilience, an organisation must be able to resume
operations in the aftermath of a disaster.

This requires a business continuity plan -

provides procedures for returning critical business functions, the people
and systems that support them, and the facilities where the work is done to
a state where the organisation can fulfill its commitments and obligations.

Here is an overview of Business Continuity:

  1. Identifying Potential Risks: Identify the assets and processes the business depends on, and the risk to continuity if each of them became unavailable.
  2. Understanding Business Impacts: Determine what impact an attack or other significant event would have on your assets and on the running of the business.
  3. Recovery Time Objectives: Decide on an acceptable timeframe within which each critical asset must be restored.
  4. Incident Response Plan: A documented, written plan with distinct phases that helps IT professionals and staff recognise and deal with a cybersecurity incident.
  5. Organisation-wide Communications: Communication with staff and customers is critical to keep them advised of current events during an incident.
  6. Dummy Testing: Exercise the plan to confirm that the implemented strategies actually work.
  7. Timely Updates: Keep all systems and software updated on a regular basis.

Information Security in Business Resilience

It is important to understand that information security is one of the main concepts to consider when thinking about how to avoid and/or recover from disaster.

Consider how many businesses are reliant on technology to enable their business processes. This can include email, banking, ordering, shipping, client accounts, communications, etc.

Any cybersecurity threat that results in exposure of data also exposes the company to a significant reputational risk that threatens the company’s ongoing operations.

Information Security often involves using the CIA Triad to apply protection techniques to the information assets of a business.

Confidentiality

Applying the tenet of Confidentiality to an asset involves the following techniques:

  1. Limiting access through Access Control that uses AAA
    1. Authentication (requires validation of a user's identity)
    2. Authorisation (matches an authenticated user to an access level on an asset)
    3. Accounting (ensures an action on an asset can be attributed to an authenticated identity)
  2. Encrypting data in transit and at rest
  3. Secure storage
  4. End user education on how they should use the data
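The AAA flow in the list above, shown as working code. This is an added example, not code from the original post: the users, roles, permission matrix and audit log are all constructed in memory for illustration (a real deployment would back them with a directory service and a write-once log store), and the password-hashing parameters are assumptions chosen for the example.

```python
"""Added example (not from the original post): a minimal AAA access-control layer.

Authentication verifies a user's identity from a password, authorisation maps the
authenticated identity to an access level on an asset, and accounting records every
decision so it can be attributed to an identity.  Users, roles, the permission
matrix and the audit log are constructed in memory purely for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    role: str


# Authorisation matrix (constructed): role -> set of (asset, action) the role may perform.
PERMISSIONS = {
    "finance": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "staff": {("handbook.pdf", "read")},
}


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name: str, password: str, role: str) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), role)


@dataclass
class AccessControl:
    users: dict
    audit_log: list = field(default_factory=list)

    def authenticate(self, name: str, password: str):
        """Authentication: return the User on success, None otherwise."""
        user = self.users.get(name)
        if user is None:
            # Spend the same hashing cost so unknown usernames are not detectable by timing.
            hash_password(password, b"\x00" * 16)
            return None
        ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
        return user if ok else None

    def authorise(self, user: User, asset: str, action: str) -> bool:
        """Authorisation: is this (asset, action) within the user's access level?"""
        return (asset, action) in PERMISSIONS.get(user.role, set())

    def access(self, name: str, password: str, asset: str, action: str) -> bool:
        """Full AAA path: authenticate, authorise, then account for the outcome."""
        user = self.authenticate(name, password)
        if user is None:
            # Accounting: record the attempt against the claimed name, since no identity was proven.
            self.audit_log.append((name, asset, action, "denied: authentication failed"))
            return False
        if not self.authorise(user, asset, action):
            self.audit_log.append((user.name, asset, action, "denied: not authorised"))
            return False
        self.audit_log.append((user.name, asset, action, "allowed"))
        return True


def demo():
    """Run four constructed requests and return (decisions, audit log)."""
    ac = AccessControl(users={
        "alice": create_user("alice", "correct horse battery staple", "finance"),
        "bob": create_user("bob", "hunter2", "staff"),
    })
    results = [
        ac.access("alice", "correct horse battery staple", "payroll.xlsx", "write"),
        ac.access("bob", "hunter2", "payroll.xlsx", "read"),   # authenticated, not authorised
        ac.access("bob", "wrong", "handbook.pdf", "read"),     # wrong password
        ac.access("mallory", "x", "handbook.pdf", "read"),     # unknown user
    ]
    return results, ac.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log:
        print(entry)
```

Note that every denial, not only every success, lands in the audit log; accounting that records only allowed actions cannot show an analyst the failed attempts that usually precede a breach.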

Integrity

Integrity of information assets means ensuring the asset has not been modified, in transit or at rest, without authorisation.

This can be achieved via:

  1. Hashing assets
  2. Backup and Restore procedures
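Hashing an asset, the first technique in the list, in working code. This is an added example rather than code from the original post; the sample files, the tampered version and the secret key are constructed for illustration. It records a SHA-256 manifest for a set of assets, detects a modified file, and also shows the caveat a practitioner should know: an unkeyed hash stored where the attacker can rewrite it detects nothing, whereas a keyed hash (HMAC) under a key the attacker does not hold still does.

```python
"""Added example (not from the original post): detecting modification with a hash manifest.

A SHA-256 digest recorded when an asset is stored or sent reveals any later change.
A plain digest only protects against accidental corruption, or against an attacker
who cannot reach the manifest: if the manifest can be rewritten, the attacker simply
re-hashes the modified file.  Keyed hashing (HMAC) with a secret the attacker does not
hold closes that gap.  The assets, the tampered copy and the key are constructed here.
"""
import hashlib
import hmac

# Constructed sample assets: name -> content bytes.
ASSETS = {
    "invoice-1042.pdf": b"%PDF-1.4 invoice total=1000.00",
    "payroll.csv": b"name,amount\nalice,5000\nbob,4200\n",
}


def sha256_manifest(assets: dict) -> dict:
    """Unkeyed manifest: name -> hex SHA-256 of the content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in assets.items()}


def hmac_manifest(assets: dict, key: bytes) -> dict:
    """Keyed manifest: name -> hex HMAC-SHA256 of the content under `key`."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in assets.items()}


def verify_sha256(assets: dict, manifest: dict) -> list:
    """Names of assets whose current digest does not match the manifest."""
    return [name for name, data in assets.items()
            if not hmac.compare_digest(hashlib.sha256(data).hexdigest(),
                                       manifest.get(name, ""))]


def verify_hmac(assets: dict, manifest: dict, key: bytes) -> list:
    """Names of assets whose current keyed digest does not match the manifest."""
    return [name for name, data in assets.items()
            if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(),
                                       manifest.get(name, ""))]


def tamper_scenario(key: bytes):
    """Attacker raises bob's pay in payroll.csv; compare unkeyed vs keyed detection.

    Returns four lists of flagged asset names:
      caught_plain        - unkeyed manifest, attacker could not touch the manifest
      caught_keyed        - keyed manifest, attacker could not touch the manifest
      missed_plain        - unkeyed manifest rewritten by the attacker (nothing flagged)
      caught_forged_keyed - keyed manifest forged with a guessed key (everything flagged)
    """
    plain = sha256_manifest(ASSETS)
    keyed = hmac_manifest(ASSETS, key)

    tampered = dict(ASSETS)
    tampered["payroll.csv"] = b"name,amount\nalice,5000\nbob,9900\n"

    # Case 1: the manifests are out of the attacker's reach; both schemes catch the change.
    caught_plain = verify_sha256(tampered, plain)
    caught_keyed = verify_hmac(tampered, keyed, key)

    # Case 2: the attacker can rewrite the manifest.  Re-hashing the tampered data
    # makes the unkeyed manifest consistent again; without the real key, a forged
    # keyed manifest fails verification for every asset.
    forged_plain = sha256_manifest(tampered)
    forged_keyed = hmac_manifest(tampered, b"attacker-guess")
    missed_plain = verify_sha256(tampered, forged_plain)
    caught_forged_keyed = verify_hmac(tampered, forged_keyed, key)

    return caught_plain, caught_keyed, missed_plain, caught_forged_keyed


if __name__ == "__main__":
    for label, flagged in zip(("caught_plain", "caught_keyed", "missed_plain",
                               "caught_forged_keyed"),
                              tamper_scenario(b"constructed-secret-key")):
        print(label, flagged)
```

The same reasoning applies to backups: a backup whose digests are stored next to it on the same storage gives no assurance against an attacker who controls that storage, so keep the manifest (or its signature) somewhere the backup writer cannot modify.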

Availability

Availability means ensuring the information asset is accessible to authorised users whenever they need it.

This can be achieved via:

  1. Firewalls
  2. Intrusion Detection Systems
  3. DDoS protection

Roles and responsibilities

Information security is no longer the sole responsibility of a small, dedicated group of professionals in the company. It is now the responsibility of all employees.

Following is a brief list of roles in an organisation and their main responsibilities.

  • Chief Information Security Officer (CISO): Primarily responsible for the assessment, management, and the implementation of the program that secures the organisation’s information.
  • Information Security Manager: Accountable for day-to-day operations of the infosec program.
  • Network Security Engineer: These people take policies or security requirements and engineer or design the technical solutions that make those policies enforceable.
  • Network Security Analysts: These people mostly analyse logs, tune IDS rules, decide when there has been a breach or potential breach, and perform other similar functions.