COMP 3357 Managing Cyber Risk Richard Henson University

  • Slides: 23
Download presentation
COMP 3357 Managing Cyber Risk Richard Henson University of Worcester March 2017

COMP 3357 Managing Cyber Risk Richard Henson University of Worcester March 2017

Week 9 – “Business Continuity” risks to an organisation that can cause IT failure

Week 9 – “Business Continuity” risks to an organisation that can cause IT failure Objectives: Explain the many factors that could cause an organisation’s infrastructure to fail Identify the factors that can be controlled to limit damage as a result of various types of IT failure Balance the risk between spending more on business continuity management and having a catastrophic IT failure

In the beginning was the system… then there was IT(!) An organisation cannot work

In the beginning was the system… then there was IT(!) An organisation cannot work without having a system in place… historically a paper-based system nowadays almost everything can vbe digitised great when it works! much that can go wrong!

Paper-based systems and Business Continuity Threats theft of documents loss of documents destruction of

Paper-based systems and Business Continuity Threats theft of documents loss of documents destruction of documents by “acts of god” (insurance term!) flood fire earthquake Risk mitigation: keep documents in a very safe place!

Threats to Digital Systems Need electricity! paper-based system can work without power… Need specialised

Threats to Digital Systems Need electricity! paper-based system can work without power… Need specialised equipment can break down maintenance essential MTBF (mean time before failure an important factor)

Threats from IT Applications Even if hardware and operating systems working well. . .

Threats from IT Applications Even if hardware and operating systems working well. . . applications… may fail are regular upgraded for security and functionality reasons Employees need to be well trained to use the latest version of an application as it is installed!

Engineering Approach? • Writing & testing software is just as much engineering as making

Engineering Approach? • Writing & testing software is just as much engineering as making bridges, railways, aeroplanes, tall buildings, etc. • Engineering approach established over many years… • but expensive!!!

Economics of Business Continuity Same principles apply as with any other aspect of running

Economics of Business Continuity Same principles apply as with any other aspect of running a business can we afford it? what are the consequences if we don’t do it? IT may be much more expensive than paper-based systems overall costs of “doing it (IT) properly” may outweigh savings in employees… Principle of TCO (total cost of ownership) factored in by wise organisations

Planning for Failure… § IT systems fail § hardware/software not infallible § The environment

Planning for Failure… § IT systems fail § hardware/software not infallible § The environment also causes failure § weather unpredictable § Basic principle… accept this and prepare for the worst! § need a plan § covers individual component failure § covers system failure (whether IT or environment!)

Types of Software currently being used Wetware Software Hardware e. g. VDHL [TSI/2013/306 |

Types of Software currently being used Wetware Software Hardware e. g. VDHL [TSI/2013/306 | Draft 0. B | 2014 -02 -10]

TSI Logo e. g. ECU Software Supply Chain (reuse of code…? ) e. g.

TSI Logo e. g. ECU Software Supply Chain (reuse of code…? ) e. g. Refinery Sensor e. g. SMSC e. g. DBMS [TSI/2013/306 | Draft 0. B | 2014 -02 -10] e. g. Web. App

TSI Logo Prerequisites for Trustworthiness Trustworthy Software Trustworthy Practitioners Trustworthy Organisations Components [TSI/2013/306 |

TSI Logo Prerequisites for Trustworthiness Trustworthy Software Trustworthy Practitioners Trustworthy Organisations Components [TSI/2013/306 | Draft 0. B | 2014 -02 -10]

“Appropriate Conduct” (for system developers? ) Nothing new… Babylonian Code of Hammurabi (~1780 BCE)

“Appropriate Conduct” (for system developers? ) Nothing new… Babylonian Code of Hammurabi (~1780 BCE) earliest known example of code of conduct for craftsmen, engineers and builders Hippocrates lays out the Oath (late 5 th Century BCE) a moral framework for the conduct of doctors and other healthcare professionals 13 [TSI/2012/183] © Copyright 2003 -2012

Do People Learn from mistakes…? Old knowledge, New context… apparently they don’t! e. g.

Do People Learn from mistakes…? Old knowledge, New context… apparently they don’t! e. g. Tay Railway Bridge (1880 s)… The Court of Inquiry report concluded that, "The fall of the bridge was occasioned by the insufficiency of the cross bracing and its fastenings to sustain the force of the gale. ” http: //taybridgedisaster. co. uk

Business Continuity Modelling and Management (BCM) Identify possible failures that will affect ability of

Business Continuity Modelling and Management (BCM) Identify possible failures that will affect ability of the organisation to fulfill its purpose… write down as a list as with information risk assessment… categorise as H, M, L provides information for management to make decisions

BCM as an International Standard! Surprising to some that BCM has already become an

BCM as an International Standard! Surprising to some that BCM has already become an International Standard… ISO 22301 (BCM systems) https: //www. bsigroup. com/en-MY/iso 22301 businesscontinuity-management/ Same type of standard as ISO 27001! Information Security Management System

Stages of development of any ISO Management System Plan Implement Check Modify (if necessary…)

Stages of development of any ISO Management System Plan Implement Check Modify (if necessary…)

What is ISO 22301? • According to BSI (British Standards Institute)… • designed to

What is ISO 22301? • According to BSI (British Standards Institute)… • designed to protect businesses from potential disruption • including extreme weather, fire, flood, natural disaster, theft, IT outage, staff illness or terrorist attack • It allows the business to… • identify relevant threats & critical business functions they could impact • put plans in place to ensure minimal damage from these threats

Tips for successful BCM Implementation (BSI) • Get commitment and support from senior management

Tips for successful BCM Implementation (BSI) • Get commitment and support from senior management • Engage the whole business with good internal communication • Compare existing business continuity management system with ISO 22301 requirements • Get customer and supplier feedback on current business continuity management processes • Establish an implementation team to get the best results

Tips for Implementation (2) • Map out and share roles, responsibilities and timescales •

Tips for Implementation (2) • Map out and share roles, responsibilities and timescales • Adapt the basic principles of the ISO 22301 standard to your business • Motivate staff involvement with training and incentives • Share ISO 22301 knowledge and encourage staff to train as internal auditors • Regularly review your ISO 22301 system to make sure it remains effective and you are continually improving it

Checking whether the system is working… Discussed previously regarding ISO 27001… need to have

Checking whether the system is working… Discussed previously regarding ISO 27001… need to have SMART objectives measureability particularly important… reveals that all is well reveals errors (if picked up in time may avoid a disaster!)

Conclusion Business Continuity principles not new… more critical now… dependence on digital systems &

Conclusion Business Continuity principles not new… more critical now… dependence on digital systems & misunderstanding of reliability! Best practice regarded as to develop a management system (ISO 22301) same principles as any other organisational management system ISO 27001 Information Security ISO 14001 Environmental ISO 9001 Quality

Further Reading • All of the International Management Standards are available from ISO and

Further Reading • All of the International Management Standards are available from ISO and BSI • Very expensive! • Excellent online guide to ISO 22301: • http: //www. praxiom. com/iso-22301. htm