For the last 20 months or so, we’ve worked with nearly 200 government municipalities on cyber loss control projects, now largely completed. Based on the findings from this effort, we’ve identified those areas where many municipalities are most vulnerable and are excited to share practical tips and actionable insights to increase information security in municipalities. This post—the sixth in our Cyber Security Foundation for Municipal Government series—gives an overview of incident response, disaster recovery and business continuity planning.
It’s easy to put off contingency planning. But the old saying is unfortunately true: failing to plan is planning to fail. When a cyber or physical event (e.g., hurricane or flood) hits your municipality—and that’s only a matter of time—how bad will the damage be? How long will it take you to recover? How will citizens and employees be impacted?
All these questions boil down to one core question that answers everything else: How well did you plan for the event in advance?
Incident response is the set of steps you take from the instant you realize you’ve been hacked. Does mayhem reign or do you have a plan?
Every incident response plan needs at least these four basic parts:
- Detection: To quickly assess the situation and take action to limit the impact. One municipal IT manager we interviewed said his plan was for staff to rip the computer wires right off the network if they thought they were hit by a virus. We hope your plan is more comprehensive.
- Analysis: What is the impact of the breach? What systems and functions are affected?
- Recovery: Contain and eradicate the threat.
- Post Incident: Document lessons learned and leverage them to enhance prevention and response, because sooner or later it will happen again.
In addition to the above, you also want to check whether your cyber liability insurance specifies any incident response requirements that you need to account for.
Disaster recovery (DR) is the ability to restore the data and applications that run your municipality. What’s a “disaster”? It’s anything that stops or reduces your ability to operate below acceptable levels.
A primary DR consideration is how quickly you can recover systems and data when disaster strikes. From an IT viewpoint, what creates a disaster is downtime, not the event itself.
To minimize downtime, you need to do some careful planning to ensure that you can recover the data and IT systems in accordance with organizational requirements. The primary contingencies to plan for include: loss of computing hardware/software and data, loss of telephony, loss of key staff, disruption of vendor relationships/deliveries, and loss of access to your physical office space. Ultimately, you’ll need to develop detailed recovery procedures for each of these impacts.
This is about the point where Disaster Recovery begins to cross over to Business Continuity.
While DR relates to recovering the IT function, Business Continuity (BC) is about recovering the various business functions (e.g., payroll, tax collection) to keep your organization up and running at acceptable levels with minimal/acceptable downtime or service outages. BC is more granular than DR (which it effectively encompasses) and focuses more on operational needs and requirements than on IT systems.
BC addresses the question: how long can critical business processes be unavailable before the impacts are unacceptable? This leads you to identify Recovery Time Objectives (RTOs) for your functions and systems, and Recovery Point Objectives (RPOs) for your data.
From there, you can develop strategies that enable you to meet those recovery objectives. These evolve into policies and procedures that allow you to successfully implement the strategies that meet the objectives.
The next step is to train employees in those policies and procedures so they can access and use them successfully under the pressure and confusion of a real disaster scenario.
Of course, your plan needs to change as your municipality changes. It’s a good idea to revisit and update DR plans about every three months.
All that might sound daunting! But rest assured, we have seen this process through from beginning to end numerous times and it is more achievable than it appears. Keep in mind, this can be done over an extended period of time. There is no need to rush through this process. Even if it takes you a while to complete, you will have gained significant ground in becoming a more secure and available municipality for your community.
Testing Your Contingency Plans
So you’ve done some contingency planning—that’s great! But how well will your plan really work?
Nobody gets everything 100% correct and complete the first time around. To find out where the glitches are, you need to test your plan before disaster forces you to put it into practice.
Operational testing of a contingency plan is the optimal approach. But this can entail significant time and potential risk from crashing systems.
Many organizations opt for a tabletop exercise instead. But it can be challenging to develop a solid exercise scenario that really gets people thinking and collaborating about the plan.
To talk with an expert about your goals for contingency planning, as well as your risks and concerns, contact Pivot Point Security.
In our next post, we’ll explain the critical issues around vendor risk management for municipalities. Until then… stay tuned and stay safe!
Ongoing Series: Cyber Security Foundation for Municipal Governments
We are presenting an overview of this foundational cyber security guidance for municipalities in a series of blog posts. The full list of topics we will be covering includes:
- Covering the bases
- Password management and access control
- Backup and encryption
- Malware and social engineering attacks
- Cyber security awareness education
- Contingency planning: Incident response, disaster recovery and business continuity (CURRENT POST)
- Vendor risk management (coming soon)
- Patching and other “technical controls” (coming soon)