Information security continuity is a term used within ISO 27001 to describe the process for ensuring that the confidentiality, integrity and availability of data are maintained in the event of an incident. It is commonly associated with business continuity plans, and organisations often confuse the two, assuming that they need a comprehensive business continuity plan in order to meet this requirement. While such a plan certainly helps, the focus is on ensuring that information security functions are maintained, not that services are maintained.
So, what does information security continuity actually mean, and how can it be achieved? In its simplest form, information security continuity means retaining the ability to carry on protecting your information when an incident occurs. As an example, consider that your organisation loses access to its primary office building due to a natural disaster.
In this example your primary concern would be ensuring the business can continue to operate: that customers can be served, payments processed and services kept operational – that is traditional business continuity. From an information security perspective, however, you must also be able to ensure that data remains secured while alternative methods of working are in place, e.g. users working from home and processing sensitive data.
The continued preservation of CIA for information assets is the primary objective of information security continuity.
To ensure this is considered in a disaster scenario, it is highly recommended (but not mandatory) to include information security aspects within traditional business continuity plans. Taking the above example, the business continuity plan may be to work remotely or from other office locations until the office building can be reoccupied.
The security considerations for this plan should be addressed and may include:
- Ensuring organisational policies and procedures can be applied and adhered to in other office/home environments. Users should be reminded of their responsibilities to adhere to corporate policies regardless of their physical location.
- That physical security controls in alternative environments are commensurate with those of the primary site. If the plan is to work temporarily from other office environments, their physical security controls must be equivalent to those of the main office to reduce the risk of compromise.
- That remote connection mechanisms are secure and that users are required to connect via these mechanisms. Remote connections should be encrypted in transit using suitable encryption algorithms and should require sufficiently strong authentication to reduce the risk of unauthorised access.
- That information security teams are contactable and can continue to monitor networks for security incidents regardless of location. If monitoring systems are only accessible from one location, this may limit the organisation's ability to maintain security in the short term.
The above points are a small sample of what should be considered when developing business continuity plans. The focus should be on ensuring the organisation can continue to operate in a secure fashion during relocation or following any incident that may occur.
The organisation should identify the highest-risk areas that may be affected by any business continuity plan and implement controls to reduce those risks. Another example is the processing of cardholder data. If this processing must be carried out remotely in the event of an incident, there may be wider considerations in terms of maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirements.
To achieve information security continuity, the organisation must consider people, processes and technology working together securely from any temporary environment that people may work from. The easiest way to achieve this is to expand existing business continuity plans to consider security requirements for each scenario or playbook.