Business continuity testing and incident reporting: advice from ENISA
I often think that ENISA (the European Network and Information Security Agency) is the nearest that the UK has to the American NIST (National Institute of Standards and Technology). It should be the British Standards Institution – which develops excellent standards but then charges you through the nose to get hold of them. NIST doesn’t. And neither does ENISA – which has just released a couple of FAQs for two earlier reports.
Read the FAQs if you like, but the important bit is the two reports themselves, both published in December 2009. The first is Reporting Security Incidents – Good Practices; and the second is National Exercises Good Practice Guide. (The FAQ for the former is here, and for the latter is here.)
Of least value to business (at least in the UK) is the guide on reporting incidents. This should be important, since sharing information is an important element in defeating cybercrime and cyber attacks; but the fact is that UK government agencies are very poor at sharing their incident information with business (they share only with other government agencies and departments). Sharing that is not two-way is not sharing at all, and is not really worth the effort.
The second report, on good practices in national exercises, is however of considerable value to business. Although the report is strictly speaking discussing national exercises, the principles apply just as much to commercial organizations: testing your security response is an essential part of disaster recovery and business continuity planning. Consider the exercise lifecycle graphic below. If you think the steps outlined sound relevant to you (and I suspect that they will), it will be worth reading the full report.