
Resilience, security and business continuity

Holger Berens, chairman of the Board of the German Association for Critical Infrastructure Protection, discusses holistic approaches to business security

THE RECENT acts of sabotage on the Baltic Sea pipelines have shown that, in today’s disruptive times, the focus cannot only be on security against cyberattacks. In order to ensure adequate security, attacks from the air (e.g. drones), on land (e.g. overcoming perimeter protection) and from the water (e.g. remotely operated submarines) must be included in the risk and business impact analysis. Of course, cyber threats cannot be ignored, either. The question has to be how a holistic security system can be implemented. In today’s volatile business environment, a company must be resilient on many fronts. For managers, responsibility is not a choice; it is an obligation. They must invest specifically in the development of security processes to minimise risks in order to form a stronger, more efficient company.


BUSINESS CONTINUITY MANAGEMENT

The best way to make a company resilient is to build in business continuity management (BCM) from the start. BCM describes all measures that serve to prepare organisations for possible critical business interruptions. That includes identifying threats at an early stage, managing them professionally and following up systematically. BCM is a cross-organisational and dynamic process that must continuously adapt to changes both within and outside of the organisation. The core objectives of BCM are to harden organisations through emergency preparedness (business resilience), to bridge failures through timely emergency response (business continuity) and to restore processes through emergency management (business recovery). There is also a need to maintain stakeholders’ appreciation of the organisation through reliable emergency communication (business reputation). In order to effectively minimise risks, BCM concepts assume the worst and prepare for extreme cases. A high-quality BCM considers all potential threats and risks and leaves nothing out of account. However, there are no binding criteria. At best, there are indications and practice guidelines within the framework of the well-known ISO certifications for quality management (ISO 9001) and information security (ISO 27001). These standards focus on the protection, functioning and availability of the people, processes and data of an organisation.

PLAN, DO, CHECK, ACT

The PDCA cycle (plan, do, check, act) is fundamental for BCM concepts. It facilitates communication and understanding within the organisation. The four phases are briefly explained below:

Plan – What are the potential threats? How can your company prevent them and what needs to happen if the situation arises? The action plans developed in this phase should be tested regularly and mastered by all those involved.

Do – In this phase, what has been planned for an emergency is carried out. The actors follow the actions developed in the plan phase, ensuring operational continuity.

Check – Once an acute crisis situation has been overcome, the question of the causes is on the agenda. The incident should be evaluated by those responsible for BCM in the company and appropriate forensic analyses carried out.

Act – Finally, it is a matter of returning to normal operations and drawing any consequences from an incident. Should new measures be planned and improvements introduced for the next PDCA cycle already in that initial phase? Or is the probability of the threat situation repeating itself so low that no adjustments are necessary in business continuity management?

PLANNING FOR BCM

In the planning phase, there should always be a business impact analysis (BIA). This is the proactive or preventive part of BCM. An advantage is that it can be built on existing risk analyses – regardless of whether they are derived from ISO 9001, ISO 27001 or SOX. A risk assessment analyses potential threats and the likelihood of them occurring. A BIA measures the severity of these threats and their impact on the company’s operations and finances. The BIA is an extension of the risk assessment, identifying potential risks and measuring their impact. It is essential to identify the key business processes on which the organisation economically depends. This is the only way to build a consistent system within a reasonable time.

All business processes are considered time-critical if their failure within a predefined period of time can lead to intolerable damage to the institution. If resources such as personnel, IT systems or service providers are needed to maintain the time-critical business processes, then these resources must also be considered critical. However, there may be business processes in an institution that are not time-critical. These are not taken into account as they are assumed to have sufficient time to react appropriately.

The goal is to determine the possible effects of a business interruption on the institution. The results of the BIA are the essential basis for all further activities and measures in BCM, as they show what is particularly worth protecting and what can be neglected if necessary. Businesses can gain an understanding of:

• Overview of the time-critical business processes and their maximum tolerable downtime
• Overview of the time-critical process dependencies
• Overview of the time-critical resources and their required recovery time (RTO) as well as the timeliness of data recovery (RPO)
• Overview of possible single points of failure

LIMITATIONS OF THE BIA

The BIA cannot and should not answer the question of whether resources can be saved or used more efficiently. The BIA also cannot and should not answer the question of whether a business process is important for the institution. The institution needs controlling in order to make business decisions and strategically align itself for the future. However, these processes do not have to be time-critical. And finally, the BIA cannot give a complete overview of all processes and resources of the institution. Firstly, only those business processes are considered that lie within the scope of the BCMS/the area of investigation defined in the preliminary analysis. Secondly, only the process and resource dependencies of the business processes assessed as time-critical are examined in more detail. The BIA therefore does not replace process or resource management.

A holistic BCM is not witchcraft and is indispensable for the survival of the organisation in today’s world. In the upcoming webinar, the structure and implementation of an individualised BCM are discussed based on best practice.

For more information:

Holger Berens will be part of Tank Storage Magazine’s webinar: How to prevent and react to cyber-attacks against critical infrastructure. The webinar will take place on 15 November 2022. www.tankstoragemag.com www.bmi.bund.de

01 Holger Berens, chairman of the Board, German Association for Critical Infrastructure Protection

New Pipe Support Barrier Reduces Corrosion and Installation Costs

Lift-Off Pipe Supports, a Lake Charles, Louisiana Company, has recently successfully designed, manufactured and installed their new “LOR” range of pipe supports with excellent results (according to the installers and pipeline company owners).

Lake Charles, LA, July 14, 2017 – (PR.com) – Lift-Off Pipe Supports has recently designed, manufactured and supplied their 6” and 8” LOR (Lift Off Rest) range of pipe supports to a well-known pipeline operating company with excellent results. The client is very impressed with the supports as they do not fall off or get displaced during line expansion or contraction and are very fast to install (about 15 minutes). An additional advantage is that the support cannot slide off the beam by using our patented design method. No drilling or any mechanical fixing method is required, besides lifting the pipe off the beam. No hot work is needed. The LOR is unique in the sense that it has a very high conductivity resistance, to ensure that the pipelines and associated equipment are adequately grounded. A major cause of cathodic protection failures. Lift-Off Pipe Supports supplied 6” and 8” LORs to suit 12”, 16”, 20” and 24” piping. The advantage of the LOR is that the support barrier, or width, only needs to be approximately half of the pipe diameter and addresses the contact point between the support beam and the pipe. Lift-Off Pipe Supports supplies the LOR to suit structural sections from 1” to 16” wide flange widths to suit piping up to 48”.

+1 337-515-8590 www.liftoffpipe.com
