How to derive more benefit from the recommended practices for managing operational resilience?
The following activities will help organizations achieve greater success when adopting the above practices for operational resilience management:
1. Coordinate the implementation of these practices. Implementing these practices requires competence in several disciplines (incident management, asset protection, risk management, etc.). Organizations that create a separate solution or team to deal with each practice will find their operational resilience-management activities to be inefficient and difficult to manage due to the overlaps (e.g., where do incident management, disaster recovery, and asset protection and sustainment begin or end?). Just as the implementation of each operational resilience-management practice should be driven by business objectives, so should their collective implementation. Organizations will improve their operational resilience by taking an integrated approach to implementing these activities and ensuring that there is adequate coordination among them.
Begin by gathering representatives from the different disciplines and departments to develop end-to-end scenarios that describe how the organization should respond to particular threats (as described in Practice 2). Identify which disciplines or departments (e.g., incident analysis, disaster recovery, and crisis communication) to involve at each stage of the response, including afterward, when making improvements to processes and training for service delivery, service continuity, and information security. Then determine how the organization should coordinate its activities in such scenarios. Such rehearsals or simulations help identify superior ways to implement the operational resilience-management practices.
The following diagram may help you remember the purpose of each resilience-management practice. The two practices in the “Stop the bleeding” row deal primarily with resolving incidents. The “Improve and manage” row of the diagram depicts the practices that provide infrastructural and foundational support for establishing, facilitating, measuring, and improving asset protection and operations sustainment activities. The position of those practices in the diagram also indicates their role in protecting and sustaining the health of the organization and continually improving operational resilience-management activities. The diagram illustrates the need for all the operational resilience-management practices to work together.
2. Maintain currency with relevant standards. In the past 10 years, standards have exploded across all disciplines in national and international efforts to deal with the growing number of cybersecurity failures. The number of standards dealing with preparedness planning has quadrupled since 2005. An organization should develop an integrated approach to updating its processes to maintain compliance with standards relevant to its business. For example, when ISO/IEC Standard 27034 Information Technology—Security Techniques—Application Security was published, its guidance affected business managers, IT managers, developers, auditors, and end users. An organization should involve designers, programmers, acquisition managers, IT staff, and users to determine what changes are needed to preserve the effectiveness of operational resilience-management activities while addressing this standard.
3. Understand compliance issues. Compliance issues affect all the recommended practices. An organization must not only follow federal and state legislation and regulations but also be aware that state-by-state differences exist. For example, state requirements vary for notifications about data breaches, and this will inform the organization’s communication practices. However, an organization should view compliance as an outcome of an integrated operational resilience-management program, not a goal. Simply following a rule may not be sufficient to plan for and mitigate risk; new risks arise much faster than the rate of legislation.
Food for thought. Could what happened to Target happen to your organization? What will you do in the next few days and weeks to better prepare your organization to mitigate such attacks and the disruptions they cause to your mission, services, and operations?
Julia H. Allen
Julia Allen is a senior member of the technical staff within the CERT Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen is engaged in developing and transitioning executive outreach programs in enterprise security and governance, as well as conducting research in software security and assurance. Prior to this technical assignment, Ms. Allen served as acting Director of the SEI for an interim period of six months, as well as Deputy Director/Chief Operating Officer for three years. Before joining the SEI, she was a vice president in embedded systems software development for Science Applications International Corporation, and managed large software development programs for TRW (now Northrop Grumman).
Pamela Curtis is a Senior Researcher on the Resilient Enterprise Management Team in the CERT Program at the Software Engineering Institute. Curtis conducts analytical studies and investigations and develops models and assessments related to improving and measuring operational resilience. She has over 25 years of experience in the information technology domain as a systems analyst, programmer, process improvement team leader, technical communicator, and manager. Curtis holds a BA with a concentration in Management from Simmons College and an MS in Management Information Systems from Boston University.
Dr. Nader Mehravari is with the CERT® Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. His current areas of interest and research include operational resilience, cybersecurity and resilience management, protection and sustainment of critical infrastructure, preparedness planning, and associated risk management principles and practices.