Contingencies, Security and Recovery — a COVID-19 Cautionary Tale
- April 27, 2020
Under normal circumstances, government CIOs and CTOs are challenged with an onslaught of disruptions — ranging from power outages and bandwidth issues to more severe events, such as unexpected weather systems, a significant data breach, ransomware and, of course, now the current predicament of a global pandemic. It is easy for an IT environment to become overly complicated quickly in emergency situations, which is why it’s essential to have a plan in place to take the guesswork out during crunch time — when decisions must be focused on protecting the health and well-being of citizens.
Robust contingency and recovery plans are mission critical and IT leaders must maintain a focus on security controls configuration and remediation to ensure all aspects of the information system(s) are configured according to the proper baselines. In the cases of most federal and state or local agencies, following NIST guidelines is among the most essential activities IT leaders should undertake. Shelter-In-Place orders have precipitated unprecedented numbers of government employees working remotely. Protections are crucial to combat opportunistic cyberthreats that strike during times of crisis.
Accordingly, for contingency planning to be successful, IT leadership should adhere to the steps defined in the NIST Special Publication 800-34 “Contingency Planning Guide for Information Technology Systems,” which includes:
- Understand the IT Contingency Planning Process and its place within the overall Continuity of Operations Plan and Business Continuity Plan process.
- Develop or reexamine their contingency policy and planning process and apply the elements of the planning cycle, including preliminary planning, business impact analysis, alternate site selection, and recovery strategies.
- Develop or reexamine their IT contingency planning policies and plans with an emphasis on maintenance, training, and exercising the contingency plan.
A comprehensive approach to contingency planning should also include conducting business impact analysis exercises, identifying preventative controls and recovery strategies — including backup methods, alternate sites, and device/ equipment replacement, among other things. IT leaders should develop an inclusive list of all servers, hardware, software, websites, mobile applications, custom and COTS applications, and cloud-based applications — just to name a few.
IT leaders need to understand that eventualities may happen at the most inopportune times. Advance planning for every scenario may not be possible or eliminate all risks, bad actors, or unforeseen events, but a robust IT contingency plan certainly helps. One recent example involved a critical healthcare customer in the U.S. that was at high risk from a business continuity standpoint because of their non-enablement of work-from-home access. This situation was an extremely difficult task to conceive and implement the idea of enabling 100% work from home. However, with the right governance and contingency planning in place, the team pivoted quickly to move to telework to accommodate the COVID-19 situation. It proved that nothing is impossible when we can collaborate and put our best foot forward to achieve challenging goals.
Recently, news of nearly 25,000 addresses and passwords (allegedly from NIH, CDC, WHO, Gates Foundation and others) were dumped online. This is but one of many examples of months-long initiatives where the bad guys are weaponizing COVID-19 pandemic — a very dangerous scenario globally.
Cyber hygiene is not a discrete event. Agencies need a rolling real-time view of their security controls configuration ecosystem. Ideally, mechanisms should be in place to continually validate the entire information system. If applicable, the IT ecosystem should have a way to automatically remediate any misconfigurations or systems that are not patched (also in real-time), and not in compliance with established baselines. Timely, accurate and understandable information is a critical component in defense and readiness. Comprehensive reports and dashboards provide on-demand insight of risks and compliance. Keeping System Security Plans (SSP) up to date to support rolling Authority to Operate (ATO) activity needs to continue to be a priority to expedite onboarding of mission-critical systems.
Implementing and evaluating contingency, risks and cyber hygiene plans — even if they are being developed and improved upon in real-time — will help agencies focus on safeguarding the health and safety of citizens and the critical mission of government in these trying times versus worrying about data breaches and ransomware.
The COVID-19 crisis is serving as a wake-up call to many CTOs and CIOs throughout government and industry. It is a cautionary tale of readiness and risk, to imagine the unimaginable and plan for the worst-case scenario regardless of the type of virus — whether Corona or computer.