S 6.118 Checking and maintaining the emergency measures
Initiation responsibility: Emergency Officer
Implementation responsibility: Emergency Officer
Business continuity management is not only about reaching the desired level of security, but also about guaranteeing and constantly improving the level of security reached over the long term. For this reason, all emergency measures should be checked regularly. It is important to note that there is a difference between examining whether or not certain safeguards are suitable and effective in reaching the goals set (completeness and/or update check) and checking the extent to which the emergency measures have been implemented in each area (audit).
Regular and event-based examinations
The examinations required for this purpose, also called audits, should be performed at specified times but can also be triggered by specific events between these times. The existing emergency measures should be examined at least once per year. In particular, the knowledge gained from emergencies or crises that have occurred will lead to modifications of the existing safeguards and should therefore trigger an examination. The existing safeguards should also be adapted to changes in the environment, for example if:
- new business processes, applications, or IT components were installed,
- major changes were made to the infrastructure (e.g. when relocating),
- large-scale organisational changes are pending (e.g. outsourcing),
- the threat scenario has changed significantly,
- serious vulnerabilities or instances of damage have been discovered.
Coordinated approach
The government agency or company should specify how the tasks related to these examinations will be coordinated. The examinations performed in the IT area and in security management in particular need to be coordinated. To this end, it is necessary to specify which safeguards will be examined when and by whom so that no work is repeated and no areas in an organisation are left unchecked.
Objects of the examinations
It must be examined whether the emergency measures have actually been implemented and whether they are being maintained as prescribed by the business continuity concept. It must also be examined whether the technical safeguards were implemented and configured correctly. If it is discovered that some emergency measures have not been implemented or are ineffective in practice, the causes for the deviations should be determined.
The business continuity concept must be updated, improved, and adapted to new general conditions on a regular basis. It must be examined regularly whether the selected safeguards are still suitable for reaching the desired goals (completeness and/or update check). The efficiency of the emergency measures in use should also be examined here, including whether the goals could be reached with other, less resource-intensive safeguards.
Performing the examinations
The scope and depth of the examinations must be defined corresponding to the purpose of the particular examinations. The business continuity concept and the current documentation of the business continuity management process serve as the foundation of all examinations.
Each examination must be performed by people with suitable qualifications. To avoid blind spots and conflicts of interest, these people must not have been involved in creating the concepts. The examiners and/or auditors must be as independent and neutral as possible.
Every single examination must be carefully planned and executed. All relevant discoveries and results must be documented in a report. This report should contain an assessment as well as suggestions for correction.
The results of every examination should be documented. It must also be specified what will be done with the results, because an examination only takes effect once the necessary corrective measures have been taken on the basis of its results. Possible corrective measures include the following, depending on the cause:
- adapting organisational safeguards,
- implementing staff-related safeguards such as training and sensitisation measures or initiating disciplinary measures,
- initiating infrastructural safeguards such as structural modifications,
- implementing technical safeguards such as making changes to systems,
- seeking decisions from the supervisor responsible (up to management level).
The report should be handed over to the head of the area examined as well as to the business continuity management team, which is required to design the further steps on this basis. Serious problems should be reported directly to management so that it can make wide-ranging decisions promptly.
If special tools are used for the examination, it must be ensured that only authorised persons have access to them, and this also applies to the documentation of the results. Access to the tools used as well as to the results of the examination therefore requires special protection.
Corrective measures
All errors and vulnerabilities detected must be eliminated promptly. The optimisations identified to increase the efficiency and effectiveness of the emergency measures must be implemented.
The decision of how to proceed further must be based on the results of the examinations. In particular, all necessary corrective measures must be documented in an implementation plan. The time frames and the people responsible for implementing the corrective measures must be defined, and they must be provided with the necessary resources.
A process must be created that controls and monitors the implementation. The current status and any problems encountered during implementation must be documented. If the corrections needed to eliminate the vulnerabilities are not executed according to plan, this should be escalated.
Review questions:
- Are the emergency measures checked regularly and after specific events?
- Are the examinations planned carefully?
- Are the results of the examinations evaluated and implemented in corrective measures when necessary?
- Are the corrective measures planned and controlled regarding their implementation?