Pub. 8 2019 Issue 2

Leading advocate for the banking industry in Kansas

BCP VS IRP

By Daniel Lindley, CISA, CISSP, HCISPP, Network+

For many financial institutions, Business Continuity Plan (BCP) tests are easy to identify and trivial to document: senior management is familiar with the concept, and the tests occur fairly frequently, either because they are scheduled in advance or because Internet, phone, and power outages happen to every business at some point. When it comes to Incident Response Plan (IRP) tests, however, the situation is not so clear. Part of the reason may be that the FFIEC includes Incident Response Testing within the Business Continuity Planning Booklet; part of it may be that, like things that happen in Vegas, incidents aren't spoken of after they occur. Additionally, the answer may depend on who you ask and on whether the incident caused any reputational damage, just to make things even more muddy.

What's the difference?

The first step in making IRP tests a little easier to understand is to define what an incident is and how it differs from any other BCP situation. The FFIEC defines a security incident as "the attempted or successful unauthorized access, use, modification, or destruction of information systems or customer data."¹ By this definition, an incident directly affects the confidentiality, integrity, or availability of systems or data. Examples of incidents include the following:

• Computer penetration attempts
• Unauthorized account use
• Ransomware
• Stolen laptop
• Fraudulent wire requests

In contrast, most BCP tests address only the availability of systems or data, to ensure a business function or process can either continue or be restarted. When discussing and documenting a server restoration or recovery from a power outage, the topic of data confidentiality or integrity doesn't come up. All that matters is successfully restoring availability so the institution can be fully operational.

How are they similar?
Although the impact to data is different, the steps to take after either type of event are similar, though they may vary by institution and should be described in detail in a documented, Board-approved Incident Response Plan. If an institution does not currently have an IRP in place or wants additional guidance, a great place to look is the Incident Identification and Assessment² and Incident Response³ sections of the FFIEC Information Security Booklet. In general, the following need to occur once a suspected or actual incident is identified:

• Notification of Response Team: The institution should have a team responsible for business continuity as well as a team responsible for incident response. Positions on these teams are typically assigned to management, who can then assign roles as necessary to other employees.
• Root cause identification and containment: You can't stop what you don't know about. It is imperative not only to identify the cause of the incident or business interruption, but also to ensure no further damage occurs as a result.
