Preparedness

The proactive measures taken by an organization to anticipate and plan for potential disruptions or emergencies, including the development of policies, procedures, training, and resources to enhance its ability to respond effectively and recover swiftly. Preparedness activities often encompass risk assessment, scenario planning, training exercises, and the establishment of communication protocols to ensure readiness for various types of threats or events.

The lack of a plan for the continuity of information systems and business continuity management increases the risk of failure of the Civil Registry Agency processes in the event of a natural disaster or primary systems failure.

lack of a plan information_security Civil Status Information System in the Civil Registry Agency KNAO Kosovo 2023

The FOCBS' existing operations team is preparing intensively for the technology change, but will only just be able to cover the planned service life due to its members reaching a certain age. The maintenance contract for the Polycom radio network will expire in 2030 at the latest. The FOCBS is therefore under significant pressure to secure the expertise over the entire service life of Polycom, and to quickly clarify the situation regarding the support contract, which is due to expire, in terms of procurement law.

secure the expertise public_e-services Audit of the DTI key project Polycom Value Preservation 2030 with a focus on the border security subnetwork SFAO Switzerland 2024

^{Information security DK2023}
Quality of the plans

The authorities have developed contingency plans for the majority of the IT systems, but the quality of the plans varies significantly. A few plans are satisfactory, whereas others, particularly the disaster recovery plans, are affected by significant shortcomings. For example, descriptions of the technical recovery of IT systems after a major IT breakdown were missing in more than half of the plans. A few of the IT systems are without contingency plans.
Cyber security resilience of the Danish public sector II Rigsrevisionen - Denmark 2023

^{Information security DK2023}
Compensatory measures

The Danish Agency for Governmental IT Services has not implemented sufficient compensatory measures to manage servers that are no longer supported by the developer The Danish Agency for Governmental IT Services have a series of measures in place to reduce the risk of cyberattacks spreading. However, there is still a risk of cyberattacks spreading between servers and between authorities.
Security of servers managed by the Danish Agency for Governmental IT Services Rigsrevisionen - Denmark 2023

Critical infrastructure

IBM: “Critical infrastructure refers to the systems, facilities and assets that are vital for the functioning of society and the economy.” Some sectors are especially important in that respect - regarding complexity, interconnections and fact that any threat to these sectors could have potentially debilitating national security, economic, and public health or safety consequences. For instance: Chemical Sector, Commercial Facilities Sector, Communications Sector, Critical Manufacturing Sector, Dams Sector, Defense Industrial Base Sector, Emergency Services Sector, Energy Sector.

We found, however, that no scenario had been constructed specifically for a crisis caused by a cyber attack. Moreover, no information was available at head office on the cascade effects caused by a cyber attack on the critical water structures. We also found that certain important documents relating to the response to a cyber attack (i.e. crisis maps and network reports) were not kept up to date. This means that there is a risk that the response to a cyber crisis may be neither sufficiently rapid nor sufficiently effective.

cascade effects information_security Strengthening the digital defences: the cyber security and critical water structures NCA Netherlands 2019

^{Information security US2024}
Address the challenge

the implementation plan gave responsibility to agencies in areas such as harmonizing baseline cyber requirements for critical infrastructure and further designating federal agency responsibilities for coordinating the activities of critical infrastructure sectors. If effectively implemented, the strategy and implementation plan could potentially address the challenge of cybersecurity risks to critical infrastructure.
CYBERSECURITY: Implementation of Executive Order Requirements Is Essential to Address Key Actions GAO - USA 2024

Supply chain

The series of goods or service providers that are involved in passing products from manufacturers to the supplied organization.

^{Information security US2024}
Security practices

DEFINING what should be considered “critical software”; IDENTIFYING key practices that enhance the security of supply chain software; supplying contract LANGUAGE to require agency supply chain partners to perform these key practices. [And in longer term:] develop GUIDELINES that contain criteria for evaluating the software security practices of developers and suppliers; require developers and suppliers to identify TOOLS for demonstrating conformance with secure practices to agencies and others that purchase the software.
CYBERSECURITY: Implementation of Executive Order Requirements Is Essential to Address Key Actions GAO - USA 2024

Resilience

The ability of an organization to adapt and respond effectively to unexpected changes or disruptions, maintaining essential functions and swiftly recovering from setbacks.

Position comprehension

Comprehensive situational awareness forms the baseline for business impact analysis, risk assessments, and the development of realistic and effective continuity strategies. It usually includes regulatory and stakeholder obligations , as well as:

• Critical functions and processes : Knowing which operations are vital to keep the business running.

• Dependencies : Recognizing key systems, suppliers, personnel, and infrastructure the business relies on.

• Risk exposure : Being aware of internal and external risks specific to the organization’s operations, industry, and location.

• Resource availability : Understanding what financial, technological, and human resources are currently in place to respond to disruptions.

^{Information security UK2025}
Levels of maturity

Multiple fundamental system controls were at low levels of maturity across departments, including asset management, protective monitoring and response planning (…) Departments cannot manage risk effectively and make risk-based decisions about how they protect their most important assets, if they do not understand their digital estate and security risks.
Government cyber resilience NAO - UK 2025

Business Impact Analysis (BIA)

The process of evaluating and quantifying the potential effects of disruptions to critical business functions and processes, helping prioritize recovery efforts and resource allocation.