COMP.SEC.100, 3. Risk Management and Governance
3.7 Business Continuity
Risk governance takes into account that security incidents occur. They must be responded to and recovered from so that business can continue. Incident management is covered in its own module, but risk governance already includes planning for response and recovery. Once incidents or outright cyberattacks have occurred, risk governance seeks to understand their impact on the system and the effectiveness of the remediation plan. This creates a feedback loop through which the exploitation of vulnerabilities can be better prevented in the future.
In connection with risk governance, or separately from it, a management policy for dealing with information security incidents may address the following issues. These describe the capabilities required of the organization, not detailed instructions for action.
- Planning and preparation: creating a team for handling incidents and allocating resources for the team's use.
- Detection and reporting: monitoring for, detecting, and reporting security incidents.
- Assessment and decision: determining the severity of the incident and deciding on the actions required to handle it.
- Response: this may include forensic analysis, system repair, isolation, or recovery.
- Learning: improving the system's protective measures to reduce the likelihood of future incidents.
To ensure business continuity, risk management and incident handling should also extend to supply chains. Through supply chains, risk management also acquires a societal dimension. For example, a cyberattack on payment systems is not just a problem for banks; it affects the operations of companies and the everyday lives of people. Behind this lie digitalization and networking. A newer phenomenon is the development of artificial intelligence, which adds a further dimension to risk management. There are direct AI threats, where artificial intelligence enables malware creation and automates cyberattacks more efficiently. In indirect threats, AI-generated responses influence people's behavior and, through that, entire systems. This is not only a societal phenomenon but also an organizational-level risk: in a company, employees can, for example, adopt insecure patterns of action from AI. Because of both direct and indirect threats, AI must also be considered a risk factor.