Business Continuity & Information Security: They Need Each Other

Having played in both of these fields, I have become aware of the symbiotic relationship that many overlook. Both are important aspects of corporate risk management and should be natural allies. In the early eighties I managed both as the Data Security Officer for Manufacturers Hanover Trust in New York City. As one of the first CISOs in the country, I came to understand the importance of both disciplines and had a ringside seat as they grew to maturity. In those early days the emphasis in Infosec was password changes (remember RACF on the mainframe?) and violation reports. (Al Gore had not yet invented the Internet and PCs were an oddity. I still have one arm longer than the other from carrying an Osborne around.) Business Continuity barely existed, and the focus was primarily limited to disaster recovery of the data center. In their current states, they influence and help control all aspects of the business, and their responsibilities are now 24/7 and reach around the world. As they have matured, the playing field has changed, but their need for mutual cooperation has remained. Let me show you what I mean.

Infosec depends on good business continuity. Infosec needs a reliable platform that includes continuous availability of the tools they need to monitor and control access to the systems.

  1. Without a reliable recovery program in place, a denial of service (DoS) attack brings a company to its knees in a hurry. In effect, the DoS triggers a business continuity event. Infosec needs quickly restored access to determine the cause of the outage and repair whatever damage has been done.
  2. If the backup procedures are not correctly implemented, rebuilding the systems becomes problematic and can take much longer, as the recovery team must search through previous backup generations to find an uninfected version.
  3. If telecommunications can’t be quickly restored, the external (and internal) threats can’t be efficiently managed and the Infosec team will have trouble coordinating their efforts. That’s why, when planning recovery efforts, I always want to know how the techies communicate with each other (phone, cell, email, IM, etc.), because those tools become critical to recover as quickly as possible.
  4. A good BCP will identify any new access requirements that are necessary to accomplish recovery efforts. For example: new or increased VPN access, higher-level access authority, emergency contact information, increased approval authority, etc.

Business Continuity depends on good Infosec. Remember the old John Wayne flick The War Wagon? The plan of attack against the armored stagecoach was to force it off the safest path onto a trail where the security efforts could more easily be thwarted. Exercising a recovery plan can open the organization to increased security threats.

  1. During the recovery process user passwords are sometimes shared, defeating individual responsibility controls. “Joe’s not here, but I know his password” can sometimes lead to unauthorized access that exposes the company to fraudulent activities and the disclosure of information thought to be secure. (Threats include disclosure of Personal Identification Information (PII), credit card numbers, access to approval levels to release payments, etc.)
  2. Admin passwords can be used to bypass normal change management control procedures, leading to mistakes. “It’s an emergency, so we don’t have time to test this first, just go ahead and move it into production.” Famous last words as the system crashes, delaying recovery.
  3. System techs will sometimes leave remote access ports open to make their job easier during recovery, thereby exposing the systems to outside threats. Hackers love open windows.
  4. There can be pressures brought to bear to circumvent normal access approval procedures that require written, and sometimes dual, signatures. “The boss said it was alright, and it’s only temporary.”
  5. There’s never enough time to review access violation reports. Many strange things can go bump in the night when the watchers aren’t watching.
  6. Physical access at the damaged facility can get loose, allowing unauthorized parties to wander around to see what they can find and what they can do. The card key access system is down, so doors get propped open.

As you can see, there is a great need for BCP and Infosec to work closely together to address the threats posed by security incidents and unexpected outages. They may be separate silos but there had better be a good bridge between them. As always, your comments are welcome and feel free to contact me directly. Be safe out there.

© Copyright and All Rights Reserved Howard M. Peace
