The InfoSec Blog

BCP or BIA

Posted by Anton Aylward

Business continuity planning life cycle
Image via Wikipedia

A business might possibly choose not to have a BCP but they might be interested in doing a BIA
After all, the "impact" might be something positive resulting from some change.

Oh, the Irony!
Expeditious and cost effective.

I've audited BCPs and always found them lacking. They are difficult to build and often make assumptions that are necessary to get the plan done but are unreasonable in reality.

Swine Flu Issues – insufficient discrimination

Posted by antonaylward

The trouble with some people is that they make some deceptively reasonable comments that don't stand up under critical analysis

 With an ailing economy and a whole lot of cancelled contracts resulting from
that poor economy. Pandemic planning is a major threat to our most important
asset people and it appears as though that vulnerability may have been
activated. Its time to dust off the BCP plan and update it with a Pandemic
Mitigation strategy.

If it takes a pandemic to motivate you to create or review a BCP then
something is seriously wrong, and it has nothing to do with the pandemic.

Pandemic?
As one manager said to me a long time ago, "show me the numbers".
I read:

The number of confirmed cases rose Monday to 50 in the U.S., the result
of further testing at a New York City school. The WHO has confirmed 26
cases in Mexico, six in Canada and one in Spain. All of the Canadian
cases were mild, and the people have recovered.

The Mexican government suspects the virus was behind at least 149 deaths
in Mexico, the epicentre of the outbreak, with hundreds more cases
suspected.

I'm sure just about any ocotr - or the 'Net - can supply us with figures on the cases and deaths from 'regular' flu world-wide, as well as the named versions.

People under extreme stress may behave unpredictably and have limited capacity for rational thought

Posted by Anton Aylward

Les Bell, another ex-pat Brit who lives in Australia was discussing the importance of training and reinforcement in such matters as DR/BCP.  Les is also a pilot and so many of his analogies and examples have to do with piloting and aircraft.

Part of our discussion has a much wider scope.
Les had said:

"People under extreme stress may behave unpredictably and have limited capacity for rational thought"

This is the basis of much of pilot training, particularly in simulators, where procedures that are too dangerous to be attempted in a real aircraft can be repeated until drills are automatic.

Don't quote me on this, but I seem to recall reading in an aviation safety-related article that in an emergency, something like 50% of people lose it to the extent that they are completely unable to cope, 25% are capable of functioning with some degree of impairment, and 25% of people are able to complete required tasks correctly. Training by means of drills and rehearsals is able to correct that situation to a considerable extent.

Therefore in BCP/DRP planning, it's important to - as far as possible - simulate an emergency, rather than just story-boarding it, or doing a whiteboard walkthrough. Hence the requirement for fire drills, evacuation drills and the like; repetition conditions the mind to perform the task correctly under stressful conditions.

Most of us don't get the chance to do a full interruption test for our DRP, but the closer we can get, the better.

Training - drill and reinforcement so that you can carry out the actions automatically even when extreme stress has completely blanked and cognitive functions - is an important part of military "boot camp" training and one reason I find it so comical that CISSP course training gets called "boot camp".

Les is quite right.  For a variety of reasons most people "loose it" under extreme stress.  This is why military heroes, people who can hang in there and think clearly and make critical decisions,  are held in such esteem.   Similarly test pilots (and those test pilots who became the early astronauts).  Having lightening fast reactions (racing drivers) and being in top physical condition helps, but there is something more.

Some authorities look to the old American 'gunslingers' and speculate about how the adrenaline rush in such situations is handled by the body and the brain.   Typically all that adrenaline pumps up the muscles for "fight or flight" and in such panic or near panic situations rationality is not the key issue.  But if we shift from the evolutionary context to the 'gunslinger', standing still means that there is a lot of 'shakes'.  Being able to stay calm and not have the shakes leads to being a sucesfull 'gunslinger'.   Evolution in action?

There are other forms of stress as well.   I've seen sysadmins who have been up for more than 30 hours trying in futile to solve a problem that to me, well rested, is simple and obvious.

The lesson here is two-fold.   The first is the point that Les makes.  Train and reinforce.
The second is that when the disaster does strike be aware that the stress will load up on fatigue and that stressed and fatigued people do not make good decisions.  Rest, shifts, alternates, standard plans and scenarios that can work to relieve the stress are important.

Don’t print this out! Its too long

Posted by Anton Aylward

BSI Germany have an extensive list of threats.

Comprehensive? Well, pretty good.
The kind of thing that could keep a client's IT staff occupied for weeks. If they had hard copy to annotate and work with.

However it is bottom-up as opposed to top down, dealing with details (aka threats) rather than FMEA - failure modes and their effects.

Its interesting that classical Business Continuity Planning works more along the lines of a FMEA than Threat-Risk Analysis. BCP identifies the business processes that are most essential and hence must be brought back into operation with the most urgency - that is what are the most critical failures that will affect the operation of the business.

The TRA approach has many flaws ranging from the fact that threats are just about infinite and mostly unknown, that vulnerabilities are infinite and unknowable, that they interact in complex ways, which boils down to playing whack-a-mole, and that there is not enough information for statistical analysis.

FMEA on the other hand identifies criticality regardless of the cause.

See also

Zemanta Pixie