- Kateřina Kubíková
Risk management plan (Plán zvládání rizik)
This document is part of risk management and is usually an output of the risk analysis. However, it does not cover only the risks that arise directly from the risk analysis; it also records findings from other sources, for example warnings from the National Cyber and Information Security Agency (NÚKIB) about specific software. The company then implements specific security measures in accordance with the risk management plan.
The new cybersecurity legislation implementing the NIS2 directive introduces an obligation to have certain documents within a company. In addition to security policies, there are also so-called plans, which should have specific, practical content and serve to put those policies into practice. These plans include, for example, a risk management plan, a business continuity plan, a recovery plan, a security awareness development plan and an audit plan. We will now focus on the first three. The regulation requires these documents in the higher compliance regime, but they are practical enough to be useful for companies under the lower regime as well. What are they for, and what should they include?
First and foremost, we will focus on how to identify your assets. To do this, it helps to answer a few basic questions that show what has the highest value for your company and what needs to be protected. For example: What is most critical for the operation of your company? What do you need in order to provide your services or sell your products?
For the assets you identify (divided into primary and supporting assets), you should keep security documentation, i.e., an asset register. After identifying the assets, the next step is to assess each of them in terms of confidentiality, integrity, and availability.
Once the assets have been documented and assessed, the next step is to identify the vulnerabilities and threats, i.e., the potential risks that could endanger your assets. Threats and vulnerabilities are also rated, typically by likelihood (how likely the threat is to occur and how easily the vulnerability can be exploited). The result of the risk analysis is a list of risks, each with a calculated value derived from the value of the asset, the threat rating, and the vulnerability rating.
Do you know these terms well?
- Asset
- Vulnerability
- Threat
- Risk
- Incident
- What is a risk management plan useful for?
The inventory of assets and risks lists the threats and vulnerabilities to assets in general. However, not all of the resulting risks require security measures; some can be accepted. The risks that do, together with the proposed security measures, are documented in the risk management plan.
- What should a risk management plan include?
According to the regulation, in the higher regime the risk management plan should in particular take into account significant changes, cybersecurity incidents, the results of cybersecurity audits, and the results of penetration testing and vulnerability scanning. Just like the risk analysis, the risk management plan can be kept in a dedicated tool, but a simple Excel spreadsheet also works well.
Risk management plans typically contain several key areas:
- Source of findings – such as the risk analysis or a warning from the National Cyber and Information Security Agency (NÚKIB).
- Identification of the asset – the asset on which an increased risk was identified, including the risk value and the specific vulnerabilities and threats that led to it.
- Specific measures to reduce the risk – including the priority of the solution, the responsible person (a risk owner should be assigned to each risk), deadlines for implementing the security measures, etc.
- Execution control – when the plan and each specific risk were last reviewed, and whether the risk was reduced, removed, transferred, etc.
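The following added example (not code from the original article or from NÚKIB) shows how the risk analysis described above feeds the four areas of the risk management plan. It computes each risk as asset value × threat rating × vulnerability rating, accepts risks below a threshold, assigns priority, owner and deadline to the rest, and adds an execution-control field for later review. The 1-4 rating scales, the thresholds, the deadline per priority, the yearly review cycle and all assets and findings are assumptions constructed for the illustration, including the finding attributed to a NÚKIB warning.

```python
"""Added example: turning a risk analysis into risk management plan rows.

The 1-4 rating scales, the asset x threat x vulnerability product, the
acceptance threshold and the deadlines per priority are assumptions made
for this illustration, not values prescribed by the regulation.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # 1 (low) .. 4 (critical)
    integrity: int
    availability: int
    owner: str             # risk owner for risks on this asset

    @property
    def value(self) -> int:
        # Worst-case rating: the asset is as valuable as its most critical aspect
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Finding:
    source: str                # risk analysis, pentest, NÚKIB warning, ...
    asset: Asset
    threat: str
    vulnerability: str
    threat_rating: int         # likelihood of the threat, 1..4
    vulnerability_rating: int  # how easily the vulnerability is exploited, 1..4
    measure: str               # proposed security measure


ACCEPT_BELOW = 9                    # risk values below this are accepted, no measure
HIGH_FROM = 33                      # at or above this the risk is "high", priority 1
DAYS_FOR_PRIORITY = {1: 30, 2: 90}  # implementation deadline per priority (assumed)
REVIEW_CYCLE_DAYS = 365             # every row is re-checked at least yearly (assumed)
TODAY = date(2024, 6, 1)            # fixed "today" so the output is reproducible


def risk_value(f: Finding) -> int:
    """Risk = asset value x threat rating x vulnerability rating (range 1..64)."""
    return f.asset.value * f.threat_rating * f.vulnerability_rating


def risk_level(value: int) -> str:
    if value < ACCEPT_BELOW:
        return "low"
    return "high" if value >= HIGH_FROM else "medium"


def build_plan(findings: list, today: date) -> list:
    """Return risk management plan rows, most severe risk first."""
    rows = []
    for f in findings:
        value = risk_value(f)
        level = risk_level(value)
        accepted = value < ACCEPT_BELOW
        priority = None if accepted else (1 if level == "high" else 2)
        rows.append({
            # 1. source of the finding
            "source": f.source,
            # 2. identification of the asset and the risk behind it
            "asset": f.asset.name, "threat": f.threat,
            "vulnerability": f.vulnerability, "risk_value": value, "level": level,
            # 3. specific measure with priority, owner and deadline
            "treatment": "accept" if accepted else "reduce",
            "measure": None if accepted else f.measure,
            "priority": priority, "owner": f.asset.owner,
            "deadline": None if accepted else today + timedelta(days=DAYS_FOR_PRIORITY[priority]),
            # 4. execution control: updated when the row is reviewed
            "status": "accepted" if accepted else "open",
            "next_review": today + timedelta(days=REVIEW_CYCLE_DAYS),
        })
    rows.sort(key=lambda r: r["risk_value"], reverse=True)
    return rows


# Constructed sample data (hypothetical assets and findings)
ORDER_DB = Asset("Order database", 3, 4, 4, "Head of IT")
WEBSITE = Asset("Marketing website", 1, 2, 2, "Marketing lead")

FINDINGS = [
    Finding("risk analysis", ORDER_DB, "ransomware via exposed VPN",
            "VPN appliance missing security patches", 3, 4,
            "patch the appliance, enforce MFA, keep offline backups"),
    Finding("NÚKIB warning", ORDER_DB, "supply-chain compromise of a remote-management agent",
            "agent runs with domain-admin rights", 3, 3,
            "replace the agent; run it under a least-privilege account"),
    Finding("risk analysis", ORDER_DB, "insider data theft",
            "no database activity logging", 2, 3,
            "enable audit logging and forward it to the SIEM"),
    Finding("penetration test", WEBSITE, "website defacement",
            "outdated CMS plugin", 2, 2, "update the plugin"),
]

if __name__ == "__main__":
    for row in build_plan(FINDINGS, TODAY):
        print(f'{row["risk_value"]:>2} {row["level"]:<6} {row["asset"]:<18} '
              f'{row["treatment"]:<6} P{row["priority"] or "-"} '
              f'owner={row["owner"]} due={row["deadline"]}')
```

Note that the website finding from the penetration test lands in the plan as an accepted risk with no measure and no deadline, but it still gets a next-review date; an accepted risk is a decision that has to be revisited, not a finding that disappears.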
Business continuity plan and Disaster recovery plan
Do you know what to do in the event of an emergency? And do all those involved in resolving it know as well? As part of business continuity management, business continuity plans (BCP) and disaster recovery plans (DRP) are developed. How do they differ, and how can they help you in an emergency?
- What should be done first?
Conducting a Business Impact Analysis (BIA) is very useful for continuity management. Unlike the risk analysis, which covers many assets, the BIA usually focuses only on the most critical ones. The main goal of the analysis is to determine how quickly a key asset must be restored if something goes wrong, and to identify the priorities and interdependencies among these assets.
The analysis assesses, in particular, the impact of the asset becoming unavailable, of data being lost (for example, everything created since the last backup), and of a loss of confidentiality on the identified impact areas. These areas can include financial losses, disruption of normal operations, legal and contractual obligations, and many others. From the BIA, two values emerge for each asset:
- RTO (recovery time objective) defines the maximum time within which the asset must be restored; it is derived from the need for availability.
- RPO (recovery point objective) defines the maximum age of the most recent usable backup; it is derived from the maximum acceptable data loss.
Business continuity plan (BCP)
This document should give an overview of the activities that allow the company to resume operations as quickly as possible after a negative event (such as a cybersecurity incident). Business continuity plans are broader than recovery plans.
Continuity plans mainly include a description of the emergency (of which there can be several kinds), procedures for handling that specific situation (including the individual actions), the estimated time to carry them out, a communication matrix, and a matrix of substitutes for the personnel involved.
We can best understand this with an example: A manufacturing company has a production line for dog toys. As part of its continuity management, it has prepared plans for what to do if it suddenly loses this line. What communication procedures should be chosen? What will be its contingency solution? These are the questions it must address within its continuity management.
Continuity management prepares for any cause, not just cybersecurity risks. For example, the production line may stop due to a flood, a tornado, or a ransomware attack. The key is to clearly define the internal procedures and responsibilities for handling these situations.
Disaster recovery plan (DRP)
It is often said that disaster recovery plans are more about the disaster than the recovery. The recovery plan can be thought of as a detailed manual for IT. It is activated within the framework of the business continuity plan, focuses exclusively on IT, and specifies the concrete steps that need to be taken for remediation. Completing the individual items of the recovery plan does not end the business continuity plan.
For example, if the impact analysis states that e-mail service must be recovered within 4 hours (the RTO), IT must restore the ability to send and receive e-mail within that time. However, that does not mean the business continuity plan is complete: that may happen only two days later, once all data from the mailbox archives has been restored and the company is again fully operational, almost as it was before the emergency.
Testing and updating
Ensuring that the business continuity plan and the recovery plans (including the processes for handling cybersecurity incidents) are tested is, among other things, one of the requirements placed on top management of companies under the higher compliance regime. Testing these plans is crucial because the rules they establish must actually work and will have to serve their purpose in a real emergency.
As with all security policies and other documentation, it is essential to review and update the plans regularly. This also applies to the risk management plan. When an emergency occurs, you will certainly appreciate being able to reach the contact listed in the BCP or DRP, and that the expected recovery times are met rather than being significantly longer than necessary.