Maxim Annenkov, Security Vision
Businesses are periodically challenged by a variety of incidents, accidents and even natural disasters that range in severity from minor to catastrophic. Business continuity planning is usually designed to help a company continue to operate both in the event of accidents, fires, floods and other such events, and in the event of cyberattacks, which in recent times have often been so devastating that their damage is comparable to that of natural disasters.
Threats and disruptions mean lost revenues and increased costs, and ultimately a drop in profitability. That said, businesses cannot rely on insurance alone, as it does not cover all the costs and damages of losing customers to competitors. Therefore, a Business Continuity Plan (BCP) is an important part of any business.
Security Vision BCP is a solution for automating the Business Continuity and Business Recovery (BCP) process after an emergency. The product is at the intersection of technologies: it addresses both IS processes, dealing with the consequences of threats related to the failure of information systems, equipment, loss of key suppliers, personnel or premises, and IT processes, analysing the enterprise information model, service resources, asset health metrics and recovery procedures.
The product is designed to meet the requirements of international and domestic standards in the field of business continuity management assurance, such as:
- ISO 22301 International Standard ‘Business Continuity Management System. Requirements’;
- GOST R ISO 22301 - 2021 National Standard of the Russian Federation ‘Reliability in Engineering. Business continuity management systems. Requirements’;
- Regulation of the Central Bank of the Russian Federation N 787-P dated 12.01.2022 ‘On mandatory for credit institutions requirements for operational reliability in banking activities to ensure continuity of banking services’;
- Decree of the Central Bank of the Russian Federation N 4148-U dated 06.10.2016 ‘On requirements for the development and approval of the repository's business continuity plan and the repository's financial stability plan’;
- Resolution of the Government of the Russian Federation N 730 dated 26.08.2013 ‘On Approval of the Regulation on Development of Action Plans for Localisation and Elimination of Accident Consequences at Hazardous Production Facilities’.
Security Vision BCP supports the process at all stages of its life cycle:
At the ‘Business Impact Analysis and Risk Assessment’ stage, the product collects information about business processes and the resources on which they depend. Questionnaires are sent to resource owners and the responses are analysed to determine the operational, legal, financial and other consequences of a failure and, as a result, to establish key metrics:
- Maximum Tolerable Period of Business Interruption (MTPD);
- Target Recovery Time Objective (RTO);
- Recovery Point Objective (RPO).
At the ‘Business Continuity Planning’ stage, the product allows you to systematise business process-specific continuity plans for specific types of emergencies. A plan can include:
- Specific steps to eliminate failures;
- Conditions for activating and deactivating the plan;
- Roles and responsibilities, key contacts;
- Description of methods and means of communication.
The ‘Defining and implementing business continuity procedures’ stage is implemented through a system of requests, which makes it possible to assign tasks for bringing the infrastructure into compliance with the approved continuity plans and to control their execution.
It is also possible to conduct regular testing of continuity plans with assessment of the achievement of key performance indicators.
Next, let's take a closer look at the aspects of the product under consideration.
Resource and service model
The product is built on the resource-service model, which reproduces the information model of the enterprise, from the fundamental entities that operate the business (e.g., business processes that ensure the functional activities of the company) down to the technical assets that serve as the resources needed to implement business assets.
The key business objects of the resource-service model are:
- Business Process
- Product
- Supplier
- Premises
- Equipment (technological).
The link between business and technical objects is the Information System object, which can be further decomposed into Application and Protection Systems. In general, the objects are linked in a hierarchical way in accordance with the developed data model. In addition, the principle of dependence of one entity on another is taken into account (for example, a business process may be completely dependent on the functioning of a particular information system). Thanks to the visual representation in the form of a graph, it is possible to trace the relationships between entities to the level of detail required.
Business Impact Analysis
As part of the business impact analysis, the BCM (Business continuity management) analyst can create a process assessment area and specify the Divisions, Products or Business Processes for which the assessment is planned. The relationship graph then shows the objects for which questionnaires will be created. The graph is interactive: you can expand the relationships of objects to display their dependencies and add objects to the assessment area.
Once the questionnaires are generated, the analyst can revoke a questionnaire, change its deadline and the person responsible for completing it, and create new questionnaires while the assessment is already under way. This is especially relevant if the process has identified objects that were not considered when the assessment area was formed.
The questions on the questionnaires are generated from guides, which can be fine-tuned to the organisation's own values for parameters such as:
- Periods of business interruption;
- Types of consequences;
- Categories of consequences;
- Action strategies in case of resource unavailability.
You can also create any number of additional questions, each with any number of answers, in the guide system.
Interim results of questionnaire completion are always available to the BCM analyst on the summary and full assessment process card in an easy to analyse form. Information about identified discrepancies in key metrics or changes to object properties is displayed in the form of tooltips on the relevant questionnaires.
Based on the results of the impact assessment, automatic updating of the resource and service model object data is available.
At all stages of the impact analysis, the BCM analyst can also create requests to eliminate the identified discrepancies or to bring the organisation's infrastructure into compliance with the stated requirements.
Business Continuity Plan
The main task of the Security Vision BCP module is to create a business continuity plan for each business unit and keep it up to date.
A Business Continuity Plan is an entity that accumulates up-to-date information on the business processes of a given business unit in terms of criticality and key metrics. Thus, the continuity plan is a logical continuation of the completed BIA (Business impact analysis) process.
The relationships between business processes and related entities can be conveniently tracked in a graph. Further decomposition of the relationships provides a more detailed picture if necessary.
The continuity plan contains a set of emergency scenarios and a list of actions for each of them (the Recovery Plan object is responsible for this in the system). Actions are divided into three phases, which can be either sequential or parallel:
- Immediate measures in case of an emergency (evacuation of personnel, calling the fire brigade);
- Measures to maintain the functioning of the unit (transfer to remote work, relocation to an alternative site);
- Measures to restore normal functioning of the unit (restoration of IT infrastructure).
For each action, the person responsible for it and the maximum permissible execution time are specified. Pre-determined criteria for returning to normal business functioning are also specified. Thus, when the continuity plan is activated, the action plan that corresponds to the abnormal situation is carried out.
The continuity plan has a communications matrix that includes the contacts and roles of those responsible for executing the plan, as well as the organisation's external and internal emergency contacts.
Keeping the continuity plan up to date is the responsibility of the Testing Plan object, which includes a procedure for testing the readiness and completeness of the continuity and recovery plans for each emergency scenario. Based on the results of the testing performed, a report on the success of the testing is prepared and attached. If untested stages are identified, a task is created to make adjustments to the relevant continuity plan.
Testing is performed on a regular basis, and the system automatically notifies the responsible persons when a particular test is due according to its schedule.
Reports and dashboards
The Security Vision SMR module includes preconfigured reports: reports that let you upload data on individual system objects (resource and service model objects, assessment processes, questionnaires, etc.) and summary reports that contain consolidated information.
Also included are several preconfigured dashboards that display key information on the status of assessment processes, questionnaires, and summary analytics of the collected data.
All dashboards are automatically updated and interactive: the user can ‘dive’ into the required data slice and see the source for calculating a particular indicator.
The flexible Security Vision platform builder allows users to create their own reports and dashboards on a no-code basis, without resorting to development and layout tools.
Part of the Security Vision ecosystem
The SMR Resource and Service Model is also a full-fledged component of the Asset Management Module, part of the Security Vision ecosystem. In addition to its core functionality, the Asset Management Module is tightly coupled with the other products in the ecosystem, synergising the functionality of the product line into a single data domain through cross-fertilisation, re-use of information and a single management interface. The Asset Module is an important source of baseline information used by ecosystem products, such as a list of software/OS vulnerabilities, installed updates, and artefacts and evidence used in incident management or risk management processes.










