EVOLVE: organisations’ capacity to adapt and improve their services after a cyberattack

Posted date 25/11/2021
Author
INCIBE (INCIBE)
CII: evolve measurement

All organisations must be prepared so that, after the impact of a cyberattack, it may change, improve and adapt its processes and services. For this reason, it is necessary to protect the main business processes using a set of tasks that allow the organisation to evolve after a serious incident to redesign its strategies and minimise the possible impact of future cyberattacks. Besides improving the security of our service, it will make it possible to mitigate the financial impact and loss of critical information and will positively affect our image and reputation as a company.

The Cyberresilience Improvement Indicators model (CII) is a diagnostic and measurement instrument that is specially designed to help organisations self-assess their ability to anticipate, resist, recover and evolve in the event of incidents. These are the four aims of cyberresilience, the key to recovering from cyberincidents. The ability to evolve makes it possible to determine whether an organisation is ready to adapt and improve its processes and services after the impact of a cyberattack. The two functional domains are analysed by measuring the objectives of this aim: the management of the configuration and changes (CC) and communication (CM).

Evolve definition

Management of settings and changes

The configuration and changes functional domain, framed within the aim to evolve, measures the capacity to maintain the integrity of all of our organisation’s assets (technology, information and facilities) needed to provide the essential services. Below are some actions that allow us to reach this domain:

  • Managing the configuration of information and technology assets. This process implements the procedures for managing the settings of the IT or technological components and equipment associated with the system that make it possible to provide the essential service, such that they are acceptably restored after a cyberincident with serious consequences. In this regard, it is recommended that mechanisms be implemented to detect changes in such assets, whether at the level of policies and procedures, be they technical (software change management), or physical, such as inspections or audits.
  • Testing changes in technology assets before moving to production. The changes to systems should be tested using formal change control procedures. Technical review of the applications before said changes is highly important to ensure that the service is not degraded or interrupted. Each time a change is identified, the set of tests must be designed and executed to ensure that there is no negative impact on the organisation’s operations or security.

Communication

The general aim of this functional domain is to establish processes that guarantee communication between managers involved in operating the essential services, both internal and external to the organisation. To do so, the following is recommended:

  • Establish communication mechanisms external to the organisation in the area of cyberresilience. For example, those used to communicate with clients, external suppliers (service in the cloud), appointing managers and channels of communication with INCIBE or Law Enforcement Agencies or other emergency services. These mechanisms should be assessed to determine whether they are effective and whether they should be used regularly. In this sense, it is advisable to use the channels provided and to create good practices for reporting cyberincidents.
  • Guarantee the availability of internal or external communication channels that the essential service requires. The aim is to guarantee that, in the event of interruption, the mechanisms necessary to establish the appropriate communications with the essential actors to recover the provision of the essential service, exist and are working. It is a matter of verifying, for example, that it is possible to report the incident to the relevant party to have it resolved. Hence, it is recommendable to establish procedures for verifying the communications.
  • Share the continuity strategy with the whole organisation. This will make it possible to know whether the delegations of authority and assignments of responsibility have been done in a satisfactory manner (with the required dissemination and transfer), in order that all the staff involved know it, and recognise who holds the authority at any given time. In this regard, there are several recommendations for companies:
    • Establish, verify and improve a procedure for assigning and communicating responsibilities and authorities within the Business Continuity Plan (BCP) to all the staff involved.
    • Guarantee that responsibilities and authorities within the Business Continuity Plan (BCP) are communicated to all the staff involved, who know their functions and responsibilities.
    • Guarantee that the continuity strategy is communicated and understood within the organisation, as well as the importance of sticking to said strategy.
    • Verify that changes or variations in legal requirements are communicated to the employees and other stakeholders.

To delve into this topic, remember that you can turn to the ISO/IEC 27001:2017 standard, the National Security Scheme and National and European Legislation, as well as its implementation (NIS Directive (EU) 2016/1148 and its transposition to Royal Decree-Law 12/2018).

In short, despite the fact that any organisation may be vulnerable to suffering some kind of cyberattack, the most important thing is that they have the tools and procedures necessary to detect them, to anticipate and be able to adapt to proactively improve the protective measures. The aims of anticipating, resisting, recovering and evolving are strategic to ensure resilient service delivery. In particular, the aim of evolving is essential to adapt the organisation to minimise the impact of future incidents.