
14) Does your organisation's plan include the maintenance of security controls in a disaster?

January 30, 2023
Business Resilience
Business Continuity Security
Security in a Disaster

Answer yes if your organisation's Business Continuity Plan includes information describing the maintenance of security controls in the event of a disaster.

If your Business Continuity Plan (BCP) is invoked, it is imperative that operational security controls are maintained for the entire duration of the incident. The objective is to prevent the disruption itself from becoming an opportunity for a cyber security attack on your data or business operations.

An initial incident may itself be staged or used as a distraction, preceding a more sustained attack on critical data. Ensuring that the Business Continuity Plan contains instructions on maintaining security controls during an incident minimises the risk of malicious actors capitalising on the disruption.

‘Maintenance’ of security controls does not mean that exactly the same security controls used in normal operations must be continued; the nature of the incident may mean that those controls are themselves disrupted. In a crisis situation, alternative compensating controls may be needed that provide equivalent or near-equivalent risk reduction for an identified vulnerability. For example, if a technical control is not functional, additional manual checks may be needed to provide equivalent protective assurance and risk reduction.

The best way to plan security controls is to have an information security expert review your Business Continuity Plan and to include them as a stakeholder in the annual test of the plan. During the test they can monitor and report on the effectiveness of your information security controls throughout the rehearsal.

How to implement the control

For SMEs, we recommend that you have an information security consulting firm review your Business Continuity Plan. They will be able to report on the security risks your company is exposed to while the Business Continuity Plan is in effect, and map each risk to the security control that addresses it in that scenario.

For larger companies, we recommend that you also have a member of the information security team, or an information security consultant, test and monitor your information security controls whenever a rehearsal of the Business Continuity Plan is completed. They will be able to report on any vulnerabilities found and provide recommendations to mitigate the associated risks.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
