The Northridge earthquake of 25 years ago demonstrated that disasters happen; and when they do you need to have a plan. An incident response plan can assist in reducing the effects of a disaster. There are simple steps that all businesses can take to reduce these effects. The planning begins by recognizing the need for a plan and understanding what is important to your business.
Twenty-five years ago, on January 17, 1994, the 6.7 magnitude Northridge earthquake struck. The earthquake caused 57 deaths and over $20 billion in damage. In the aftermath, most insurance companies stopped selling or providing earthquake coverage, as the losses were too great. Fast forward to today, and the world it is vastly different. In 1994 there were PC computers on local area networks; however, these networks were expensive and complicated. Cell phones were prohibitively expensive and were used only for business. The individual cell phone as it is used now, as a consumable item was unimaginable. There was also this thing called ARPANET that the Government and Universities used, but that was about it; of course, this was the precursor to what is now called the internet.
Today there are now more cell phones than people, and you can refer to the cell phone as a life support device. In terms of networks they indispensable, everything is on a network or in the cloud. An earthquake today or in the future like the Northridge earthquake would be much more catastrophic. In strictly business terms, the destruction of workplace and infrastructure, the loss of access to data would be devastating. Most likely many businesses would not survive. Of course, these effects are not only related to earthquakes, but they also apply equally to floods, fires, tornadoes, etc. The question for a business owner is what can you do to prepare for these events.
The first step is to recognize that having a plan is important, which is to have an Incident Response Plan. Another factor to consider is to meet cybersecurity planning conformance requirements businesses are required to have an Incident Response Plan. For this planning, there is no lack of advice on the internet, and many sites outline incident response planning steps and have examples. Some sources are SANS, and Federal Government agencies that focus on information management systems. Additionally, it is important is to recognize that effective incident response should be focused on an all-hazards approach, and not only on networks and the information management system. As a business the inability to access property, inventory, equipment, tools, vehicles, etc. can be as disruptive and as catastrophic as not accessing the information management system.
As discussed, there are many sources of information for incident response planning and operations. However, one fact is inescapable, and it is often ignored in the checklist mentality; that is effective indecent response is not a standalone plan or an end state. Effective incident response will be the result of doing many things right before a disaster so that the effects of a disaster can be avoided or at least mitigated. This means having a have a plan, a plan that is focused on alternatives and one that avoids dependencies where possible.
Every source for incident response planning will have an approach, and many follow the same outline. An approach is to use the NIST 800-34, Contingency Planning Guide for Federal Information Systems, this is a Federal standard for developing incident response plans. Though it is focused on Information Systems, the general steps apply to all types of businesses and organizations. The following has been modified taking an all-hazards approach.
- To develop an incident response plan, you first need to determine what is important and how you can protect or mitigate its loss. If you are in construction these are the tools of the trade, it is equipment and materials. If this is a services business it can be the facilities and equipment, it is access to data, etc. The first question to answer is how can you operate without access to these resources? The second question is what are the alternatives?
- Based on your business model conduct a business impact analysis. This analysis identifies and prioritizes what is most important.
- Identify preventive controls, this is what can you do to reduce the effects or the risk of a disaster. The best strategy is to avoid risk, second is to reduce the effects or mitigate the effects.
- Have a contingency plan as part of incident response. This is very much related to preventive controls. If access is blocked, or if you lose resources the question is then how to operate without them? Having a plan that provides options, and workarounds will move you forward in the response phase. Consider that poor alternatives are better than no alternatives.
- Include an information system contingency plan, all businesses are dependent on communications, and access to data. If there is a loss of infrastructure, the questions are how do you operate, what are the backups, how do you move forward and communicate. The other issue is, how is your business data restored? This is the plan that exercises and validates these alternatives.
- Ensure plan testing, training, and exercises. Everyone is busy, however, these plans and concepts need to be tested to ensure they meet the 80% actionable test. No plan will be perfect, however, if the point of departure is unworkable, then recovery will be at best difficult, or non-existent.
- Ensure plan maintenance. This plan as with all plans needs to be maintained. It is a living document that should be updated and reviewed regularly so that it is actionable.
All businesses are in flux, there are constant changes in operations and in focus. Incident response planning does not need to cumbersome or detailed. It needs to recognize the most critical functions of the business, and it then needs to look at how these functions can operate or move forward under the stress of a disaster. Just as the earthquake seemed to strike without warning, so do all disasters. Having a plan, having a point of departure toward recovery is the best way to ensure the business is able to survive.
Author, Mike Olivier
Mike Olivier, MBA, MSCS is a certified PMP professional, with cybersecurity experience. His company 171Comply provides cybersecurity consulting services, taking a business approach to cyber planning challenges.
The views expressed in GovFlex blog postings are solely those of the author.