The Security Stack for Business Continuity and Disaster Recovery
Daniel Mikulsky & Thomas Carroll
This paper expands upon the four-layer model for cybersecurity, known as the Security Stack, by incorporating crisis management, situational awareness, business continuity and disaster recovery planning into this comprehensive incident response model. Development of this expanded model was driven by the premise that individual organizations, and the societies in which they operate, are less secure when the information-communications technology (ICT) systems that manage, monitor, secure and protect their infrastructure are unavailable due to calamitous events. Organizational and national resiliency is achieved through planning for catastrophic scenarios and maintaining levels of situational awareness of impending threats.
Plans for crisis management, business continuity and disaster recovery are espoused in international standards such as British Standard 25999 (BS25999) and mandated for U.S. federal agencies by the U.S. Federal Information Security Management Act (FISMA). Business continuity and disaster recovery plans increase resiliency, but are frequently separated from overall security and risk management governance. These plans need to be incorporated into a larger security framework that provides situational awareness and links organizational crisis management into the national and international structures for security and resiliency. CSC proposes its Security Stack as the framework to accomplish these objectives.
Our model traverses the four layers of the Security Stack starting with the lowest, Level 1, where most organizations address ICT disaster recovery (DR), generally through system redundancy and technology DR plans. These approaches mature in Level 2 through business continuity (BC) and continuity of operations plans (COOP) to fulfill obligations to stakeholders. The traditional approach to BC/DR stops here.
Our model adds Level 3 for situational awareness, provided through a security operations center (SOC) that maintains the same vigilance for disruptive threats as is maintained for cybersecurity threats. Level 4 is national crisis management, which, through the SOC in Level 3, links the private-sector needs for DR and BC with the public-sector incident management framework to build a resilient nation and society.
Read the complete white paper: The Security Stack for Business Continuity and Disaster Recovery (PDF, 2.7 MB)