It can be difficult to differentiate between the Incident Response Plan, Disaster Recovery Plan, and the Business Continuity Plan because they are similar and intertwined. The goal of this article is to help identify the differences between these plans, the usefulness of them, and what NIST and FFIEC regulations have to say about them.
Cyber threats are becoming more frequent and intelligent; therefore, it is necessary for all organizations to develop a plan to combat and respond to these threats in a proactive way. This is the purpose of the Incident Response Plan (IRP).
An incident is best described as any anomaly that may have an adverse impact on the security or confidentiality of protected information, assets, or business processes. An incident can have financial, operational, legal, and reputational impact. Common incidents are unauthorized access, malware infection, distributed denial of service (DDoS) attack, internal security breaches and insider threats, security misconfigurations, cryptography and data security, and advanced persistent threats (APTs).
Incidents can be observed and reported by anyone in the organization, but the Incident Response Procedures must be enforced by the crisis management team or incident response team.
According to FFIEC, primary considerations for incident response include the following:
- How to balance concerns regarding confidentiality, integrity, and availability for devices and data. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. Management may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left online.
- When and under what circumstances to invoke the incident response activities, and how to ensure that the proper personnel are notified and available.
- When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both containment and restoration.
- Protocols to define when and under what circumstances to notify and involve regulators, customers, and law enforcement, including names and contact information for each group.
- Which personnel have authority to perform specific actions in the containment of the intrusion and restoration of the system. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisions within the organization.
- How, when, and what to communicate outside of the institution, whether to law enforcement, regulatory agencies, information-sharing organizations, customers, third-party service providers, potential victims, or others.
- How to document and maintain the evidence, the decisions made, and the actions taken.
- What criteria must be met before compromised services, equipment, and software are returned to the network.
- How to learn from the intrusion and use lessons learned to improve the institution's security.
- How and when to prepare and file a Suspicious Activities Report.
According to NIST, the incident response lifecycle cycle has four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication, and recovery, and 4) post-incident analysis. And the incident response plan should include the following elements:
- Strategies and goals
- Senior management approval
- Organizational approach to incident response
- How the incident response team will communicate with the rest of the organization and with other organizations.
- Metrics for measuring the incident response capability and its effectiveness
- Roadmap for maturing the incident response capability
- How the program fits into the overall organization.
The Disaster Recovery Plan is focused on the recovery of assets, or services after an event. Events that initiate the DRP include, natural disasters, infrastructure failures, technology failures, unavailability of staff, or cyber attacks. Disaster Recovery Plans will usually be activated (typically by a crisis management team) when a loss of infrastructure or data is likely to occur or has already happened.
In the DRP there is a large emphasis on redundancy of technology assets, especially at alternate locations. Procedures on how to recover purged or corrupted information from previous backups and archives are all likely to be documented in the DRP. The DRP (along with the IRP and BCP) should be updated on an annual basis and reviewed by senior leadership.
According to NIST 800-34, the DRP applies to major, usually physical disruptions to service that deny access to the primary facility infrastructure for an extended period. A DRP is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency.
According to the FFIEC IT Business Continuity Management Booklet, Disaster recovery is the restoring of IT infrastructure, data, and systems. Management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored. The BCP should include procedures for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software. Disaster recovery should address guidelines for returning operations back to a normalized state with minimum disruption.
The Business Continuity Plan (BCP) is sort of a masterplan developed by key executive teams. Components of Disaster Recovery and Incident Response can be referenced within a BCP. A BCP is supposed to provide guidance on the continuity of critical assets, objectives, and processes around continued operations during a business interruption. A BCP requires extensive analysis of business objectives and tolerances, such as a Business Impact Analysis.
According to FFIEC IT Business Continuity Management Booklet, a BCP describes the authorities, responsibilities, procedures, and relocation strategies. Components of the plan should include:
- Roles, responsibilities, and required skills for entity personnel and third-party service providers.
- Solutions to various types of foreseeable disruptions, including those emanating from cyber threats.
- Escalation thresholds.
- Immediate steps to protect personnel and customers and minimize damage.
- Prioritization and procedures to recover functions, services, and processes.
- Critical information protection (e.g., physical, electronic, hybrid, and use of off-site storage).
- Logistical arrangements (e.g., housing, transportation, or food) for personnel at the recovery locations.
- Network equipment, connectivity, and communication needs, including entity-owned and personal mobile devices.
- Personnel at alternate sites, including arrangements for those permanently located at the alternate facility.
- Scope and frequency of testing.
- Resumption of a normalized state for business processes.
According to NIST 800-34, The BCP focuses on sustaining an organization’s mission/business processes during and after a disruption. The BCP may also be scoped to address only the functions deemed to be priorities. A BCP may be used for long-term recovery, allowing for additional functions to come online as resources or time allow.
By Taylor Ripplinger, Information Security Analyst
Taylor joined the TraceSecurity team with five years of experience working in information security, IT help desk, and web development. He currently works on projects like IT audits, penetration tests, and onsite social engineering. Taylor currently holds his GSEC and ISO 27001 Lead Implementor certifications, and is working toward his Security+ certification. He earned an Associate of Science and a Bachelor of Arts in German with a minor in Information Technology.