Continuity Planning, Part 2
by Dr. Greg White, Executive Director, CIAS-ISAO
Last month we covered an introduction to continuity planning. There are a number of possible plans that can (and in most cases, should) be developed for organizations to maintain operations in the event that operations are disrupted from a cyber incident. We focused on three plans in particular: Business Continuity Plans (BCP), Continuity of Operations (COOP) plans and Information System Contingency Plans (ISCP).
Recognizing that many organizations do not have the resources or time to jump into larger plans, we will now focus on some initial steps that smaller communities and organizations can take to begin the process.
To begin, we will focus on more specific plans to maintain computing operations. We recognize that a number of different events can happen in the state, including hurricanes, tornadoes, fires and the most recent winter storms. All of these can impact an organization in multiple ways, including disruption of cyber operations. So, what can organizations do to prepare for a cyber disruptive event?
Backup Recovery Plans
One of the first plans that should be considered and activated is a Backup Recovery Plan. There are many different instances when a backup can save an organization from considerable downtime. In recent years, a common example of this has been the number of ransomware attacks. If an organization has a viable backup recovery plan and strictly follows it, a ransomware attack will have much less of an impact since all important files have been saved for just such an event. Beyond attacks, backups can be essential in the event of more mundane, but potentially significant, events such as loss of a hard drive as a result of hardware failure. So, how do we start on establishing a backup strategy?
The following steps provide a starting point:
- If the organization has moved its infrastructure to a cloud environment, much of what a backup plan must provide is already handled by the provider. Since the cloud provider maintains the organization’s data (and possibly software), ransomware or hardware failure at the organization will not impact the information stored in the cloud. One thing you may want to do, however, is to ensure the provider has an active backup plan in the event the provider is hit with a disruptive event. Organizations may also consider maintaining some level of backup offline in the event something happens to the cloud. Consider how long you can last if access to the cloud is lost.
- For organizations maintaining their own data, another initial step should be identifying critical information. What information is needed by the organization in order to function? This should include not just data, but software (and hardware) needed to process the critical data. You may have multiple levels of data; for example, data that is needed daily for operations and other data that is very important but may only be needed periodically (such as payroll information).
- The organization then needs to determine how frequently a backup is required. How much of the data is modified on a daily basis? The more volatile the information, the more frequently you will want to make a backup.
- An important consideration in developing your backup strategy is determining what type of backup should be created. Backups take time, and this needs to be considered when determining the frequency and type of backup strategy. Recovery time and complexity also differ between the strategies. For example, a full backup takes the longest to produce and uses the most storage, but is also fairly easy to recover from. An incremental backup, however, only backs up files that have changed since the last incremental or full backup. This is faster to create and takes up less storage space, but recovery takes longer because the full backup and every incremental since it must be restored in order. A periodic full backup will also be required.
- Consider maintaining multiple sets of backup files. In the event of a security breach, you may not detect this for some time. If the attacker modified files, you would need to go back and recover from a time before the breach occurred. Consider a monthly and yearly saved backup file.
- Consider where to maintain the backup files. If you keep all files onsite, and the facility is destroyed by the event, you will also have lost all of your backups. You also don’t want to store them online where an attacker may be able to find and destroy them. So, consider maintaining your longer-term backups at a separate facility.
- If special software and hardware used to process your data is also needed, consider this in your plan as well. Where will you have access to this hardware should you lose your own hardware?
- Your plan should include details on the decisions you have made for the items above and should include details on making the backups and their recovery. If possible, identify two or more individuals responsible for these activities, which also prevents a single disgruntled employee from negating your backup strategy.
- Finally, periodically test your backups. Make sure that the first time you try to restore from a backup is not during an emergency. The personnel responsible for restoring from a backup should have experience in doing so, and the test should confirm that the backups contain the information your organization needs.
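The trade-off between full and incremental backups, and the reason the restore step must be rehearsed, can be seen in a small model. The following is an added example, not code from the article or from CIAS-ISAO; all file names and contents are constructed, and the restore check compares SHA-256 digests of restored files against a known-good set.

```python
# Added example (not from the article): toy full + incremental backup chain.
import hashlib
from typing import Dict, List

def full_backup(files: Dict[str, bytes]) -> dict:
    # Copies every file: slowest to create, most storage, simplest to restore.
    return {"kind": "full", "files": dict(files), "deleted": []}

def restore(chain: List[dict]) -> Dict[str, bytes]:
    # Replay the full backup, then every incremental in order. Each link in
    # the chain is required; a missing one silently leaves stale versions.
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("a restore chain must start with a full backup")
    state = dict(chain[0]["files"])
    for step in chain[1:]:
        state.update(step["files"])
        for name in step["deleted"]:
            state.pop(name, None)
    return state

def incremental_backup(files: Dict[str, bytes], chain: List[dict]) -> dict:
    # Copies only files added or changed since the last backup in the chain.
    previous = restore(chain)
    changed = {n: d for n, d in files.items() if previous.get(n) != d}
    deleted = [n for n in previous if n not in files]
    return {"kind": "incremental", "files": changed, "deleted": deleted}

def verify_restore(chain: List[dict], expected: Dict[str, bytes]) -> bool:
    # The "test your backups" step: restore, then compare SHA-256 digests
    # against the known-good set rather than trusting that the job ran.
    sha = lambda d: hashlib.sha256(d).hexdigest()
    restored = restore(chain)
    return {n: sha(d) for n, d in restored.items()} == {n: sha(d) for n, d in expected.items()}

def demo() -> dict:
    # Three days of constructed changes: an edit, then an add plus a delete.
    day0 = {"ledger.csv": b"acct,amount\n1,100\n",
            "payroll.db": b"PAYROLL" + b"\x00" * 4096, "notes.txt": b"draft"}
    chain = [full_backup(day0)]
    day1 = dict(day0, **{"ledger.csv": b"acct,amount\n1,100\n2,250\n"})
    chain.append(incremental_backup(day1, chain))
    day2 = {n: d for n, d in day1.items() if n != "notes.txt"}
    day2["policy.pdf"] = b"%PDF-constructed"
    chain.append(incremental_backup(day2, chain))
    return {
        "full_bytes": sum(len(d) for d in chain[0]["files"].values()),
        "incremental_bytes": sum(len(d) for s in chain[1:] for d in s["files"].values()),
        "restore_ok": verify_restore(chain, day2),
        # Losing the middle incremental: restore still runs, but data is stale.
        "gap_restore_ok": verify_restore([chain[0], chain[2]], day2),
        "restored_files": sorted(restore(chain)),
    }
```

Note that the restore with a missing incremental raises no error; only the digest comparison reveals that the ledger came back at its day-0 version, which is why the plan should mandate a verified test restore rather than a successful job log.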
The above provides a rough discussion that should help you get started. For more information on backup strategies and plans, check the following:
Information System Contingency Plan (ISCP)
A second plan that can be fairly quickly put in place, and that will rely heavily on the Backup Recovery Plan, is the Information System Contingency Plan. NIST SP 800-34 Rev. 1 defines an ISCP as follows:
“An ISCP provides established procedures for the assessment and recovery of a system following a system disruption. The ISCP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures and testing of a system.”
The Backup Recovery Plan focuses on the data and what is needed to be able to process it. The ISCP is a system-focused plan. In a similar manner, the ISCP should start with an evaluation of the impact to the organization of losing specific functions. This is frequently referred to as a Business Impact Analysis (BIA). An example diagram from NIST SP 800-34 illustrates a BIA.
Notice how, in this example, the business processes are identified first, followed by the potential impact should each be lost and the maximum amount of time the organization can function without each process. The systems needed for each process are then identified, along with the amount of time it takes to recover that process. Finally, based on the FIPS 199 publication, the potential impact on the organization, in terms of Confidentiality, Integrity and Availability should any or all of these be lost, is assessed. Notice that the impact uses the simple High, Medium and Low levels of criticality.
Conducting the BIA will help you focus on the most critical systems to the organization and will allow you to develop a strategy for the order in which systems need to be restored. Since budgets are always tight, this will also allow you to determine which systems may need alternative backup sites, including hot sites (where functions are mirrored in real time at the alternate site), warm sites (a facility equipped with necessary systems but not the data) and cold sites (an alternate location where processing can occur but which does not contain any equipment or data), and which you may be able to get by without for a period of time.
Similar to your backup plans, the ISCP should include a list of personnel and the processes they will follow should the plan be needed. It will also detail, or refer to, the backup plans/policies/strategies for the data and software the system utilizes. Exercising the ISCPs should occur periodically so that recovery personnel will be familiar with the processes they are to follow and to ensure that your plans are adequate and correct.
This article does not have sufficient space to go into all of the details needed for BIAs or ISCPs, but hopefully it has provided an introduction to them and how they are developed and used.
Though addressed to federal systems, both the NIST and FIPS publications are applicable to any organization. For more information, see:
NIST SP 800-34 Rev. 1: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf – contains information on BIAs and ISCPs, including samples of both types of documents
FIPS 199: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf – contains information on categorization of information and systems
Interested in learning more about types of continuity plans and how to implement them? Please contact the CIAS-ISAO team for help at cias@utsa.edu.