12.1.1 Planning information security continuity
The organization should determine its requirements for continuity of information security management in adverse situations, e.g. during a crisis or disaster.
- Determine and explicitly formulate the information security requirements within the business continuity management or disaster recovery management processes. Involve information security specialists when establishing business continuity or disaster recovery processes, and define the predetermined level of information security for the main information systems.
- In the absence of formal business continuity and disaster recovery planning, assume that information security requirements remain the same in adverse situations as under normal operational conditions.
- Alternatively, perform a business impact analysis for information security aspects to determine the information security requirements applicable to adverse situations.
Read more:
- Control 11 – Data Recovery, CIS Critical Security Controls Version 8, https://www.cisecurity.org/controls/v8
12.1.2 Implementing information security continuity
The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
- Enact business continuity and disaster recovery plans for the main information systems and data. Realistic recovery efforts require a thorough evaluation of the resources needed to resume business processes as quickly as possible.
- Establish, document, implement and maintain:
a) information security controls within business continuity or disaster recovery processes;
b) processes, procedures and implementation changes to maintain existing information security controls during an adverse situation. Information security controls that have been implemented should continue to operate during an adverse situation;
c) compensating controls for information security controls that cannot be maintained during an adverse situation. If the existing security controls cannot continue to secure information, other controls should be established, implemented and maintained to keep information security at an acceptable level.
When implementing continuity procedures:
- develop an adequate management structure to prepare for, mitigate and respond to a disruptive event or incident;
- nominate the incident response personnel with the necessary responsibility, authority and competence to manage a disruptive event or incident;
- ensure that documented response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event and will maintain its information security at a predetermined level (see 12.1.1 Planning information security continuity).
Read more:
- Template for IT Service Continuity Plan, https://www.smartsheet.com/business-continuity-templates#it-service-continuity-plan-template
- Chapter 3. Information System Contingency Planning Process, NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
12.1.3 Verify, review and evaluate information security continuity
The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
- Verify information security continuity by:
a) exercising and testing the information security continuity processes and controls to ensure that they are consistent with the information security continuity objectives;
b) exercising and testing the knowledge and routines needed to operate the information security continuity processes and controls;
c) reviewing the validity and effectiveness of information security continuity measures whenever there are organizational, technical, procedural or process changes in the organization.
- For testing purposes, integrate the verification of information security continuity controls with the organization’s business continuity or disaster recovery tests.
12.1.4 Redundancies and availability of information processing facilities
Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.
- When planning information security continuity (see 12.1.1), identify the business requirements for the availability of information systems.
- Consider redundant components or architectures to provide continuous availability. High-availability options such as fully redundant load-balanced systems at alternate sites, data mirroring and offsite database replication are normally expensive to set up, operate and maintain, and should be considered only for those high-impact information systems categorized with a high-availability security objective.
- The implementation of redundancy can introduce risks to the integrity or confidentiality of information and information systems (for example, each replica or mirror is an additional copy of the data that must be protected and kept consistent with the primary), which need to be considered when designing redundant systems.
- Test redundant information systems to ensure that failover from one component to another works as intended.
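The following is an added example, not part of the original guidance or of any ISO or NIST material: a small failover test harness in Python that exercises the two points above. It uses constructed in-memory backends (`Backend`, `FailoverClient` and the account records are hypothetical names and data) to check that a client fails over to a replica when the primary becomes unreachable, that a replica whose data does not match the primary's baseline fingerprint is not promoted (the integrity risk introduced by redundancy), and that the client fails back once the primary returns.

```python
"""Failover test harness (constructed example, not from the original page).

Simulates a primary node and two replicas, then verifies:
  1. the client uses the primary under normal conditions;
  2. on primary failure it fails over only to a replica whose data is
     consistent with the last known-good fingerprint of the primary;
  3. it reports an error rather than serving from a bad replica when no
     consistent replica is reachable;
  4. it fails back to the primary once the primary is healthy again.
"""
import hashlib
import json


class Backend:
    """Toy in-memory data node standing in for a database server (hypothetical)."""

    def __init__(self, name, data):
        self.name = name
        self.data = dict(data)
        self.healthy = True

    def health(self):
        # A real check would open a connection; here we just raise when "down".
        if not self.healthy:
            raise ConnectionError(f"{self.name} unreachable")
        return True

    def fingerprint(self):
        """Order-independent SHA-256 over the node's data, used as an integrity check."""
        canonical = json.dumps(self.data, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()


class FailoverClient:
    """Selects the first usable backend in priority order (hypothetical client)."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.active = self.backends[0]

    def select(self, expected_fingerprint=None):
        """Return the name of the first backend that is reachable and, if a
        fingerprint is supplied, whose data matches it. A replica that fails
        the integrity check is skipped even when it is reachable."""
        errors = []
        for backend in self.backends:
            try:
                backend.health()
            except ConnectionError as exc:
                errors.append(str(exc))
                continue
            if expected_fingerprint is not None and backend.fingerprint() != expected_fingerprint:
                errors.append(f"{backend.name} failed integrity check")
                continue
            self.active = backend
            return backend.name
        raise RuntimeError("no usable backend: " + "; ".join(errors))


def run_failover_test():
    """Drive the scenario above and return the backend chosen at each step."""
    data = {"acct-1001": 250, "acct-1002": 75}          # constructed sample records
    primary = Backend("primary", data)
    replica = Backend("replica", data)                  # fully replicated
    stale = Backend("stale-replica", {"acct-1001": 250})  # lagging replica, missing a record
    baseline = primary.fingerprint()                    # last known-good state of the primary

    # Priority order deliberately puts the stale replica ahead of the good one.
    client = FailoverClient([primary, stale, replica])
    results = {}

    results["normal"] = client.select(baseline)
    primary.healthy = False
    results["after_failure"] = client.select(baseline)  # stale replica must be skipped
    replica.healthy = False
    try:
        client.select(baseline)
        results["all_down"] = "unexpected success"
    except RuntimeError:
        results["all_down"] = "no usable backend"
    primary.healthy = True
    replica.healthy = True
    results["failback"] = client.select(baseline)
    return results


if __name__ == "__main__":
    print(run_failover_test())
```

The integrity gate is the part worth copying into a real failover test: a replica that answers health checks is not necessarily safe to promote, so the test compares it against a known-good fingerprint of the primary before accepting the switch, and treats "no consistent replica" as a failed test rather than a degraded success.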