BSI 200-4 © pexels.com / Seven Storm JUHASZIMRUS

BSI experts discuss new BSI emergency management standard (BSI 200-4)

BSI experts explain the new standard for emergency management (BSI 200-4) within the context of business continuity management (BCM).

We talked with BSI project managers about the new version of the BSI standard on emergency management/BCM.

IT security relies on effective prevention to avoid losses from security incidents, but also on concepts for dealing with such incidents when they do occur. For example, if a ransomware attack could not be prevented, a company’s existence could be at risk due to maliciously encrypted business data and unusable computers. Compromised systems need to be analysed forensically, and it may be necessary to buy and install new hardware for replacement systems before a temporary emergency operation can be started. This all takes time, during which fundamental business processes are not working.

In many companies it is therefore usual for the security department to also be responsible for IT emergency management. And for a long time now, the individuals responsible have been able to draw on support from the German Federal Office for Information Security (BSI): “As the government’s cyber security body, one of our priorities is to make IT systems in industry and government fail-safe and enable users to react quickly in crises and emergencies,” states the agency’s website.

Integrated approach

Preventing and handling emergency situations come under the scope of ‘emergency management’. Internationally, however, this is frequently referred to as business continuity management (BCM). In recent times, there has been an increasing focus on BCM due to statutory regulations like the Sarbanes-Oxley Act (USA) or Civil Contingencies Act (UK). The BSI does not distinguish between the two terms: “We use emergency management and BCM synonymously,” explains Daniel Gilles, deputy project manager for the emergency management standard.

The BSI had produced Standard 100-4 as far back as 2008 to provide guidelines for emergency management to supplement its IT baseline protection system. But even before this, the agency had been working on this issue: “We addressed the issue of IT emergency management early on, but at that time we were focussing primarily on IT emergencies,” says Gilles. However, we then realised that this was not enough, he adds. “You need to take a holistic view of an institution,” stresses Cäcilia Jung, the project manager responsible. As computer scientist Gilles explains: “IT emergency management only looks at IT, but there are other important resources involved, like personnel, buildings and service providers.” An integrated approach puts the focus on the relevant business processes. “What is crucial is to protect the most essential business so that the organisation can survive. Under these circumstances you cannot just look at the IT but need to consider all business operations.” In this context, the time factor is paramount, because “although with many processes even a two-week absence is not that bad, others may absolutely need to be available again after just two hours,” says Jung, who has a background in mathematics.


Business continuity management is about more than just IT emergencies

In the context of BCM, emergency management covers far more than just IT emergencies. The two project managers clarify the difference using this example: “In the case of the ransomware attack on the Lukas Hospital in Neuss there was no emergency plan for ransomware attacks but there was a plan in place to handle a complete breakdown of the IT system. This plan was duly activated, and staff carried on working with analogue tools like pen and paper etc.,” explains Gilles. This example shows that if something cannot be intercepted at IT level it can perhaps be headed off at another level. Jung adds: “In terms of IT that would have been a crisis, but in the context of BCM it would have been an emergency; an IT emergency must not necessarily also be an emergency in the BCM context.”

The BSI Standard 100-4 had already provided for a comprehensive systematic approach, says Gilles. A lot has happened since then. “To take account of developments since the publication of BSI Standard 100-4, the standard is currently being revised,” says Jung. This is also designed to simplify the introduction to the topic, because: “In some places the previous standard was somewhat theoretical and did not at the time offer enough specific guidance,” Gilles points out. This resulted in the new Standard 200-4, “which is much easier to implement for novices,” says Jung.

The preliminary version of Standard 200-4 is available on the BSI website (German version). This version is what is known as a ‘community draft’ and does not yet represent the final version of the standard. It was possible to comment on the draft until the end of June. “We are currently incorporating the comments and are likely to schedule a second commenting phase. Based on the current situation we assume that the standard will be published next year,” says Jung. Comments, whether on orthographic conventions or content, can be addressed to grundschutz@bsi.bund.de.

You will also find details about the new elements in the revised standard in this article: “BSI experts explain the new Standard 200-4”.

Author: Uwe Sievers
