Introduction
Physical security is not always considered as closely as it should be when planning an organization’s cybersecurity profile. Because of this, we have put together three posts here to give you a good starting point to work from, introduce physical security, and offer some insight into why physical security is so crucial in cybersecurity.
In this second of three posts, we will discuss the physical components of contingency and continuity planning, both of which should be a substantial part of your organization’s overall cybersecurity structure.
Note: This is the second of three posts concerning physical security in the cybersecurity field. The first post acts as an introduction, while this second post will cover contingency/continuity planning. The last post will cover topics of heating, ventilation, and air conditioning (HVAC).
What are contingency planning and continuity planning?
Any discussion of cybersecurity must include some form of contingency and continuity planning. If and when an incident or natural disaster occurs, your organization and its clients depend on a robust plan for recovering as quickly as possible. Without these plans, your organization will likely fail after the first significant event.
Contingency planning is the setting of an alternative method (or methods) by which you will conduct business when something happens to your primary method. The Computer Security Resource Center (CSRC) defines a contingency plan as: “Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do.” (CSRC)
A continuity plan, also known as a business continuity plan (BCP), defines how your business functions over short and long-term negative event periods. If your business is affected by a natural disaster and cleanup takes longer than anticipated, contingency and continuity plans work together to ensure that your business is not out of commission any longer than necessary.
What do plans have to do with physical cybersecurity?
When we plan to correct a deficiency or fix a problem, we must look at the source of the problem and as many ways to resolve it as possible. This is true even in the physical realm of cybersecurity. Organizations require planning to ensure that policies and procedures are defined ahead of time and followed when a problem crops up. What components of a contingency plan, or a continuity plan, are physically related to cybersecurity?
Within the contingency plan, your organization will detail what is required to happen when a breach, natural disaster, or even a human-made disaster occurs. So, let’s dig into that a bit with some examples:
- Primary data residence goes down: When this occurs, your primary location in which your data is stored or used becomes unavailable for a while. This could happen if flooding destroys your servers in the basement or a vehicular accident breaks connectivity with your Internet provider.
- Backup location for stored data becomes unavailable: This might not seem like much of a problem initially, but if you also lose your primary site (as noted above), then this could quickly prove problematic.
- Distributed Denial of Service: Your Internet service provider experiences a massive Distributed Denial of Service (DDoS) attack, which makes your access unavailable or too slow to use.
As you can see, there are several ways the physical world can impact your ability to access and use the data your business requires to accomplish its work. Contingency planning allows you to plan for those outages. Beyond the contingency plan, your continuity plan tells you what to do when something happens. It usually follows from your previous responses and from the policies and procedures created from after-action reviews of the techniques used to remedy the resulting problems. If we take the examples above as our previous problem occurrences, the following would likely end up in your continuity plan:
- Because your primary location went down for an extended period, the organization decides to plan and implement a separate data facility that will have backups of all systems and data used in your daily business. This location is called a ‘hot’ site if it is running and available at all times. If it has all the data up to a certain point, say until midnight of each evening, and is available within a short period of time, then it is a ‘warm’ site. The last type is a ‘cold’ site, which has all the equipment and systems necessary to allow you to come up within a specified length of time, but it is not up to date and may not even be turned on all the time. At a cold site, your data is not backed up except perhaps on a monthly rotation.
- Because your backup location has become unavailable, you decide to implement a secondary site at a greater distance from your primary. By locating it farther away, you reduce the chances that an event affecting one location will affect the other, thus providing usable redundancy protections.
- Your organization decides that it would be beneficial to install access to another provider, allowing automatic switch over to this alternate if your primary provider is unavailable.
Your continuity plan will take the results of the initial problems and the resolutions and codify them so that recovery is quick and as painless as possible. Locations, secondary sets of servers and systems, and separate Internet connections are all physical security measures that are parts of the contingency and continuity plans.
Northstarr Recommendations
Creating and implementing plans for your organization can sometimes be a task beyond your employees’ capabilities or their limited time. Still, these items need to be addressed to ensure continued operations and the longevity of your business. With the assistance of Northstarr’s knowledgeable and experienced team, you can create these items efficiently and quickly. When it is time to consider the options, call (888) 767 2210, or request a free assessment online to engage our expertise.
For more physical cybersecurity information and recommendations, please see the first post in the series: