JEFF HOWELL
  • Home
  • About
  • Cyber Security Fundamentals
    • Threats and Vulnerabilities
    • Reference Monitor
    • Links to Additional Resources
  • Cryptography
    • Block Ciphers
    • Hash Functions
    • Message Authentication Codes (MACs)
    • Kerberos Key Management (Single sign-on)
    • Public Key Infrastructure (PKI)
    • Links to Additional Resources
  • Secure Architecture
    • Architecture Strategy
    • Contextual Security Architecture
    • Conceptual Security Architecture
    • Logical Security Architecture
    • Physical Security Architecture
    • Component Security Architecture
    • Operations
    • Supporting Materials
  • Reference Link Library
    • Industry Websites
    • Government Resources
    • Cyber Security News
    • Certification and Training
    • Books
    • Cyber Security Tools
  • Risk Management
    • Supporting Materials
  • Operational Policy
    • Laws and Regulations
    • Data Classification
    • Policy Implementation and Enforcement
    • Supporting Materials
  • Management and Cyber Security
    • Contingency Planning
    • ROI of Cyber Security
    • Staffing Models
    • Links to Additional Resources
  • Secure Software Design and Development
    • Heartbleed Details
    • Mobile Device Vulnerabilities
    • Links to Additional Resources
  • Network Visualization and Vulnerability Detection
    • Visualizing the Network
    • Protecting the Perimeter
    • Vulnerability Detection
    • Sniffing Wireless Networks
    • Links to Additional Resources
  • Cyber Threat Intelligence
    • Links to Additional Resources
  • Incident Response and Computer Network Forensics
    • Links to Additional Resources

Contingency Planning

Executive Summary
Organizational planning is the process of setting short- and long-term objectives for the organization. Once the plan has been approved by the senior leadership team, it is cascaded to lower levels of the organization to execute. However, as Mike Tyson put it, "everyone has a plan 'til they get punched in the mouth." To account for the unexpected, responsible leaders invest in contingency plans to restore business operations in the event of a disruption. Senior management awareness of the value of resilience is increasing: 59% of respondents now say cyber resilience affects revenues, versus 47% in 2016 (Ponemon, 2018). As this trend continues, organizational plans will evolve to incorporate more contingency planning, aligning the two more tightly in support of the organization's strategic goals. This section evaluates the tension between the two plan types: the pros and cons of each, their key components, approaches to resilience, and finally the factors that weigh between continued operations and full restoration.

Organizational plans contain the following: Vision, Mission, Objectives, Strategies and Actions, often expressed with the acronym VMOSA (Halla, 2016). The advantages of an organizational plan are that it gives the organization a sense of direction, focuses attention on objectives and results, establishes a basis for teamwork, provides guidelines for decision making, and helps the organization anticipate problems and cope with change. However, the pitfalls of organizational plans include the strategic planning horizon (time horizons beyond the view of most boards of directors and investors), cost-based thinking, and self-referential strategy frameworks. The latter means executives build a strategy around what they can control (Martin, 2014). This is important to note: leadership teams do not have control over unexpected events such as cyber breaches or natural disasters, but they do have control over developing the capability to plan for and respond to incidents. Therefore, organizations must be able to withstand all hazards and sustain their mission through environmental change (Swanson, M., et al., 2010).

The critical components of contingency planning include: a business continuity plan (BCP), which provides procedures for sustaining critical mission and business processes during and after a disruption; an incident response plan (IRP), which enables security personnel to identify, mitigate and recover from malicious computer incidents; and a disaster recovery plan (DRP), which is an information-system-focused plan designed to restore operability of the target system, application or computer facility (Swanson, M., et al., 2010). The advantage of having a contingency plan is that a backup capability can be activated in the event of a disruption, with the goal of minimizing the disruption, ensuring safety and resuming operations. The main disadvantage is cost. The contingency plan is effectively a tax on the organization: in a perfect world with no disruptions it would never be invoked, and the spending would not directly advance the objectives of the organizational plan. This is the tension between the organizational plan and the contingency plan. The organizational plan allocates resources to accomplish its objectives; the contingency plan diverts some of them. The common link between the two plans is risk: every organization carries inherent risk, and that risk justifies the investment in contingency planning.

References
Halla, N. (2016, October 23). Vision Mission Objectives Strategies & Action Plan (VMOSA) for making a road map - Part 1. Retrieved June 10, 2018, from https://www.technet21.org/en/forums/discussions/vision-mission-objectives-strategies-action-plan-vmosa-formaking-a-road-map-part-1

Martin, R. L. (2014, January). The Big Lie of Strategic Planning. Harvard Business Review. Retrieved June 10, 2018, from https://hbr.org/2014/01/the-big-lie-of-strategic-planning

Ponemon Institute. (2018, March). The Third Annual Study on the Cyber Resilient Organization (Rep.). Retrieved June 9, 2018, from https://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2018_Cyber_Resilient_Organization_Study.pdf

Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010). Contingency planning guide for federal information systems (NIST Special Publication 800-34, Rev. 1). Gaithersburg, MD: U.S. Department of Commerce, National Institute of Standards and Technology.
Jeff Howell  -  San Carlos, CA  -  Privacy Statement - email Jeff