CISSP: Choose/identify a regulation, standard or certification that has ‘potential’ business continuity ramifications. Write a structured, detailed, well-researched and well supported synopsis on how this requirement came about and where this applies (and doesn’t apply).
Eric Hiu Fung Tse - AD 610 - Week 5 - Assignment
Table of Contents
CISSP (Certified Information Systems Security Professional)
What was the catalyst or need identified that gave rise to this requirement? What agency or body monitors or oversees this?
Is it direct or indirect (or both)? If indirect, what makes it necessary or applicable?
What is the risk associated with non-compliance?
What is the potential impact or limitations associated with this requirement?
Potential impact
What are the cost factors associated with compliance or non-compliance? Where do you see this going in the long-term (other industries, countries, etc.)?
CISSP (Certified Information Systems Security Professional)
I would like to talk about the CISSP certification. It is one of the certifications related to my profession.
What was the catalyst or need identified that gave rise to this requirement? What agency or body monitors or oversees this?
Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by the International Information Systems Security Certification Consortium, (ISC)². (ISC)² describes itself as a non-profit organization ((ISC)², 2009) but is not a charitable organization under the applicable Internal Revenue Service Code.
In the mid-1980s a need arose for a standardized certification program that provided structure and demonstrated competence. In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several organizations interested in this goal. The International Information Systems Security Certification Consortium, or "(ISC)²", was formed in mid-1989 as a non-profit organization to pursue it. (Harris, 2010)
Turning to cultural differences in BCM, a number of specialist areas have incorporated business continuity into their own disciplines. The first to do so was information security, which led to confusion between business continuity and IT backup and recovery. This confusion was formalized to some extent by its inclusion in the BS 7755 Information Security Standard, which eventually became the ISO 27001 standard. Because this standard was widely adopted in places such as India, Japan, and Korea, the first references to BCM that many people encountered came as part of information security. This misconception then became incorporated into many education and certification programmes, such as CISSP. (Hiles, 2007)
Is it direct or indirect (or both)? If indirect, what makes it necessary or applicable?
The outline below describes the business continuity and disaster recovery planning knowledge domain. It gives a better idea of how this requirement came about and where it applies. (Miller & Gregory, 2010)
1.1 Natural disasters
1.2 Man-made disasters
1.3 How disasters affect
2.1 COOPeration is the key
3.1 Senior management support
3.2 Senior management involvement
3.3 Project team membership
3.4 Who brings the donuts
5.1 Perform a vulnerability assessment
5.2 Carry out a criticality assessment
5.3 Determine the Maximum Tolerable Downtime
5.4 Establish recovery targets
5.5 Determine resource requirements
6.1 Emergency response
6.2 Damage assessment
6.3 Personnel safety
6.4 Personnel notification
6.5 Backups and off-site storage
6.6 Software escrow agreements
6.7 External communications
6.9 Logistics and supplies
6.10 Fire and water protection
6.12 Data processing continuity planning
7.1 Making your BCP project a success
7.2 Simplifying large or complex critical functions
7.3 Documenting the strategy
8.1 Securing senior management approval
8.2 Promoting organization awareness
8.3 Maintaining the plan
9.1 Preparing for emergency response
9.2 Notifying personnel
9.3 Facilitating external communications
9.4 Maintaining physical and logical security
9.5 Personnel safety
10.2 Structured walkthrough
10.5 Interruption (or cutover)
What is the risk associated with non-compliance?
BCP and DRP work hand in hand to provide an organization with the means to continue and recover business operations when a disaster strikes. BCP and DRP exist for one reason: bad things happen. Organizations that want to survive a disastrous event need to make formal and extensive plans: contingency plans to keep the business running and recovery plans to return operations to normal.
So the risk associated with non-compliance is that, if the company does not follow the rules and procedures, it may not be able to keep its operations running or return them to normal when a disaster happens. It will not have all the documented procedures and processes, or those procedures and processes will not have been tested, practised, and assessed carefully.
I am wondering if there is any legal risk involved. There are other regulations, such as SOX, that operations have to follow. I am not sure if CISSP is directly related to legal regulations, but many enterprise security policies and mandates are quite similar to it.
What is the potential impact or limitations associated with this requirement?
The CISSP business continuity framework provides a concise view of what an IT security professional has to do with business continuity. Comparing the breadth and depth of the content against "The Definitive Handbook of Business Continuity Management", the CISSP BCP scope is like the tip of the iceberg. Of course, business continuity is only one of many topics in information security, so CISSP cannot be as comprehensive as the BCI (Business Continuity Institute).
As for the positive impact, CISSP BCP does cover concepts such as project initiation and management, continuing visible support, and risk evaluation and control.
As for the limitations, CISSP BCP assumes that all the BCP work is done by a team of CISSP professionals. The BCI methodology is much more comprehensive: it assumes separate internal multi-disciplinary organizations and people, a two-mode paradigm, an extensive corporate recovery team, and interactions with HR.
According to the Business Continuity Methodology (BCM), the internal organization responsible for the development, oversight, and so on of all business continuity planning should follow the organization chart referenced above.
1) Two modes: development and operation (maintenance)
There are effectively two areas of business continuity: the development or implementation teams, and the operation support teams. Since they belong to enterprise risk management and have to be visible enough to get enterprise support, they report to the CRO (Chief Risk Officer), who reports directly to the CEO or the board of directors.
2) Extensive corporate recovery team
Corporate recovery teams: During recovery from a disaster or event, the business units within an organization will need to concentrate on restoring their own environment and becoming productive again. The technology support staff within an organization will be focused on providing a restored technical environment so that the business units can access their systems and data and become productive again. Therefore it will be necessary to create overall corporate recovery support teams that are activated during recovery procedures. These teams are comprised of the company's decision-makers who have the authority to declare a disaster status on behalf of the organization, as well as the authority to release funds from the organization, deal with insurance companies and the press, and process any employee personal claim or pay issues. (Hiles, 2007)
The human resources/personnel/training department of an organization must play key roles in installing appropriate training programmes for employees of an organization.
3) Interactions with External Organizations
For most organizations this is one of the weakest areas in the planning process (but it is getting better). In general, coordination between the private and public sectors has been a real challenge. This has improved significantly since 9/11, but there is still room for major improvement.
Procedures need to be in place for informing and communicating with public authorities during a crisis. Typically this involves the fire and police departments, but it may involve other organizations, such as the Federal Emergency Management Agency (FEMA). Plans should identify key contacts within these organizations and procedures for informing and communicating with these groups. Exchanging business cards or home phone numbers shouldn't be an activity during a time of crisis.
It isn't enough, though, simply to know who the local authorities are and inform them of the situation. Depending on your situation, environment, etc., there may be specific agencies (e.g., EPA) or laws that govern your situation. The process and requirements for communicating with these agencies should be clear, and management needs to conform to these requirements. There are untold cases where the proper authorities were either not informed or not informed on time during a crisis. The results for the organization can be devastating.
External agencies can and often do assist with actual exercising/testing. This is highly recommended, since it validates your actual processes and provides for a better public/private partnership. Agencies are typically very willing to become involved in organizational exercises and can often bring a level of credibility and realism to any exercise. As with any exercise, results should be logged, with actions and dates for resolution agreed.
What are the cost factors associated with compliance or non-compliance? Where do you see this going in the long-term (other industries, countries, etc.)?
When you implement the Business Continuity department using projects, there are costs incurred for compliance. You may think that being non-compliant can save you a lot of money. But if you spend this money, it greatly increases your business's ability to keep operating, or to recover operations, when a disaster happens. Imagine how much money you would lose if your operations were down or not running. How much money per hour?
Although the CISSP BCP is not as comprehensive as the BCI methodology (BCM) for now, I can see the two converging in the long term. (ISC)² will incorporate the BCP body of knowledge from BCI, since they are the experts. Eventually, the gap would be narrowed.
Please identify all sources (minimum 3) for your work.
(Note: Feel free to select from the list provided or research one on your own, but make sure your choice is not a topic we have already addressed in the course (i.e., don't do HIPAA, Sarbanes, etc.); we recommend you check with your facilitator before starting.)
(ISC)². (2009). "About (ISC)²". Retrieved November 23, 2009.
Harris, S. (2010). All-In-One CISSP Exam Guide (5th ed.). New York: McGraw-Hill. pp. 7-8. ISBN 0071602178.
Hiles. (2007). The Definitive Handbook of Business Continuity Management (2nd ed.).
Miller & Gregory. (2010). CISSP for Dummies (3rd ed.).
Eric Tse, Richmond Hill, Toronto
Tse and Tse Consulting - Security, Identity Access Management, Solution Architect, Consulting