Operational Continuity and Resilience

One of the most discussed aspects related to data breaches and regulatory compliance is certainly that of business continuity; let’s try to learn more about it and get a good grasp of the issue.

What is business continuity

Business continuity (BC) is the ability of an organisation to remain functional even in the presence of an incident that could compromise its productivity. The ultimate goal of business continuity is to avoid at all costs the interruption of service, an event considered to be of the utmost seriousness. Business continuity is therefore an integral part of managing an organisation’s resilience, since its purpose is to put in place the strategies, technologies and procedures needed to manage the crisis and keep the service running. It is worth understanding from the outset that business continuity is activated when ‘ordinary’ procedures fail; this point is clarified later on.

Standards and regulatory compliance

National and European legislation (NIS2, DORA, etc.) is fully aligned with the principle that organisations should develop and implement business continuity policies and strategies. Among international standards and good practices, the reference is ISO 22301[1] “Security and resilience – Business continuity management systems – Requirements”, which addresses and clarifies all the organisational and procedural aspects to be implemented. It should be noted, however, that ISO 22301 rests on preliminary requirements that the organisation must already have developed. These include, but are not limited to, management procedures, operating instructions, supporting forms, asset management and the main technical-operational plans. Organisations that have not put these prerequisites in place are unlikely to adopt business continuity requirements effectively, because they will be unable to relate them to the processes that must be managed under emergency conditions.

Organisational structures

Another important aspect concerns the organisational structures required by ISO 22301: at a general level, appropriate roles and functions for crisis management must be defined. In 2013, AgID proposed an organisational configuration suited to the Public Administration, and that configuration is still adequate today. Business continuity revolves around three roles/functions: the Head of Business Continuity, the Emergency Structure and the Crisis Committee.

[Figure: An example of the structures involved]

Head of Business Continuity

The Head of Business Continuity is the trigger for deciding whether to handle the crisis through the ‘normal’ incident management procedures (e.g. the data breach procedure) or to involve the Crisis Committee. Two examples:

  1. A data breach is caused by malware and the ‘ordinary’ data breach management procedure succeeds in containing it. Clearly, there is no need to activate the Business Continuity Plan (BCP).
  2. A fire completely destroys the data centre and the data stored inside it. The ‘ordinary’ data breach management procedure will clearly not be sufficient to preserve the data, so the BCP must be activated.

Given its importance and specific task, this role requires a formal appointment, just like the CSIRT Manager or the NIS2 Contact Point.

Emergency Structure

The Head of Business Continuity relies on the Emergency Structure for crisis management. This structure is made up of highly operational roles that are activated according to the nature of the incident, working where necessary alongside external teams (fire-fighting, first aid, physical security). The Emergency Structure therefore has no fixed composition: the professionals included in it are called upon according to the type of incident that has occurred. This requires heterogeneous skills and profiles, and on this point the standard is very clear: for each team there must be designated personnel and their deputies, with the responsibility, authority and competence necessary to perform their assigned role, and documented procedures to guide their actions.

Each office covered by the Business Continuity Plan must therefore contribute by providing the resources it deems appropriate to deal with the threats listed in the plan.

Crisis Committee

The Crisis Committee is a body composed of senior figures from the sectors involved in the crisis management covered by the BCP. When the Head of Business Continuity activates emergency management, the members of the Crisis Committee send the resources they have identified. The Crisis Committee is also responsible for reviewing the reliability and currency of the plan, as foreseen in section 9.3 of the standard: at least once a year the Committee must meet to evaluate the BCP and keep it up to date in terms of effectiveness and adequacy. As the scope of the Business Continuity Plan is extended, the membership of the Crisis Committee may grow to include new sectors/offices.

The impact on companies

Although the organisational structure proposed by the standard can reasonably be adopted by organisations, the prerequisites mentioned at the beginning of the article are often overlooked. An organisation whose conduct or structure is not well disciplined, formalised and appropriate to its objectives and systems is unlikely to be able to adopt a model such as the one proposed by ISO 22301. It should also be made clear that, before defining a Business Continuity Plan, the organisation should carry out an effective risk analysis aimed at identifying the highest-risk factors on which to base the document.

Supplier chain and service levels

The role of suppliers is crucial in incident management: service levels (Service Level Agreements, SLAs) must be formalised on the basis of the Recovery Time Objective (RTO), the Recovery Point Objective (RPO) and the Maximum Tolerable Period of Disruption (MTPD)[2], which means reaching alignment with the service/solution provider. SLAs are therefore essential to ensure proper continuity under both normal and extraordinary/emergency conditions. SLAs also support change management and the consequent updating of the solutions adopted by the organisation: when a solution falls outside the scope of support offered by the organisation, update mechanisms should intervene to restore its reliability.
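To make the relationship between the three metrics concrete, the following is an added example (not part of the original article, and not an AgID or ISO 22301 artefact) of a consistency check a continuity owner could run over the SLA values agreed with suppliers. The service names, the `ServiceSla` data class and all figures are constructed for illustration. The check applies three rules: the supplier's RTO must not exceed the MTPD set by the business, the interval at which a restorable copy is actually taken must not exceed the RPO, and the restore time measured in the last exercise must not exceed the RTO, otherwise the SLA is a promise the organisation has not verified.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class ServiceSla:
    """SLA figures for one service (hypothetical structure, not from the standard)."""
    name: str
    rto: timedelta            # Recovery Time Objective agreed with the supplier
    rpo: timedelta            # Recovery Point Objective agreed with the supplier
    mtpd: timedelta           # Maximum Tolerable Period of Disruption set by the business
    backup_interval: timedelta  # how often a restorable copy is actually produced
    last_tested_restore: timedelta  # restore time measured in the most recent exercise


def check_sla(service: ServiceSla) -> list[str]:
    """Return a list of findings; an empty list means the SLA is internally consistent."""
    findings = []
    # Rule 1: the agreed recovery time must fit inside what the business can tolerate.
    if service.rto > service.mtpd:
        findings.append(f"{service.name}: RTO {service.rto} exceeds MTPD {service.mtpd}")
    # Rule 2: data loss is bounded by how often copies are taken, not by the figure on paper.
    if service.backup_interval > service.rpo:
        findings.append(
            f"{service.name}: backup interval {service.backup_interval} exceeds RPO {service.rpo}"
        )
    # Rule 3: an RTO that has never been achieved in a test is not yet a reliable commitment.
    if service.last_tested_restore > service.rto:
        findings.append(
            f"{service.name}: last tested restore {service.last_tested_restore} exceeds RTO {service.rto}"
        )
    return findings


def review_plan(services: list[ServiceSla]) -> dict[str, list[str]]:
    """Map each service with at least one finding to its findings (consistent services are omitted)."""
    return {s.name: f for s in services if (f := check_sla(s))}


# Constructed sample data for the example (not real organisations or contracts).
SAMPLE_SERVICES = [
    ServiceSla("payroll", rto=timedelta(hours=4), rpo=timedelta(hours=1),
               mtpd=timedelta(hours=8), backup_interval=timedelta(minutes=30),
               last_tested_restore=timedelta(hours=3)),
    ServiceSla("public-portal", rto=timedelta(hours=24), rpo=timedelta(hours=1),
               mtpd=timedelta(hours=12), backup_interval=timedelta(hours=6),
               last_tested_restore=timedelta(hours=30)),
]

if __name__ == "__main__":
    for name, findings in review_plan(SAMPLE_SERVICES).items():
        for line in findings:
            print(line)
```

Run on the sample data, the payroll service passes all three rules, while the public-portal service produces three findings: its RTO is longer than the MTPD, its backups are less frequent than the RPO allows, and the last restore test took longer than the RTO. Each finding is something to raise with the supplier or to feed into the annual review of the plan.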

Conclusions

Developing a business continuity capability can make the real difference between successful emergency management and a severe failure.

Notes

  [1] As of the date of this article, the latest version of the standard is ISO 22301:2019/Amd 1.
  [2] The maximum time a company can afford for a critical service to be interrupted before the damage is deemed unacceptable (e.g. loss of customers, legal sanctions, irreversible reputational damage).