Business Continuity Event Planning: Detection and response planning

Opinion | Nov 20, 2008 | 5 mins
Business Continuity, Physical Security

Building an incident response team (IRT) is a good first step along the path toward effective business continuity event (BCE) management.  But the team needs a plan to follow when an event occurs.  A documented plan, institutionalized through regular IRT training, enables quick response to service or product delivery failures, mitigating business impact to levels acceptable to management and customers.

In this post, we look at the fundamental characteristics of an incident management plan (IMP).  We also examine the first of the two cornerstones of effective BCE response: detection.

IMP Overview

According to BS 25999-1:2006 (Business Continuity Management, Part 1: Code of Practice), the purpose of an IMP is management of the initial phase of an event.  The plan should be:

  • Flexible, feasible and relevant
  • Easy to read and understand
  • The basis for managing all possible issues, including stakeholder and external challenges, facing the organization during a BCE

Minimally, the IMP should contain first-responder guidelines, including:

  • Task and action lists.  These lists are developed during scenario planning sessions and provide checklists for quickly implementing containment and mitigation controls.
  • Emergency contacts.  A complete list of internal and external contacts enables quick notification of key management and support personnel.  Notification should automatically initiate appropriate elements of the business continuity plan, which is the topic of a future article.  Lack of effective communication is one of the best ways to fall short of BCE management objectives. 
  • Media response.  Small events are easily contained within the walls of the organization.  News of large events, however, often finds its way to the public.  How your organization deals with public perception affects the extent of damage to the business.  Dealing with the media during a crisis should be controlled by the public relations representative on the IRT and produce specific public perception outcomes, as defined by executive management. 

Business continuity event management consists of five phases: prepare, detect, contain-mitigate, analyze, and remediate-measure.  The IMP focuses on detection, containment, and initial efforts to mitigate adverse business effects.

Detection

During business impact analysis in the preparation phase, various controls are identified to improve the organization’s ability to detect impending events or those already occurring.  Early detection is an important part of effective mitigation.  However, detection without appropriate response provides little value.

Monitoring systems or personnel should initiate an appropriate Task/Action List when an event is detected.  Events which potentially disrupt service or product delivery range from malware spreading across the network, to a failed server, to a natural or political catastrophe.  Detection controls—administrative, physical, and technical—help predict failures or identify them early enough to prevent grave consequences to the business or personnel.

Detection controls fall into four categories: intrusion detection/prevention, network infrastructure availability, facility availability, and asset availability (financial, physical, or human).

Intrusion detection/prevention

There are two types of intrusions:  physical and technical.  A physical intrusion consists of a human or human-controlled intruder gaining physical access to restricted facilities or network infrastructure.  Detection controls include motion detectors, security cameras, etc.

Technical intrusions are usually characterized in one of two ways.  In the first, a human gains remote access to network resources.  In the second, malware finds its way onto one or more critical or sensitive systems.  In either case, sensitive data might leak or critical systems fail.  Technical detection controls include intrusion detection/prevention devices and log management. 

Effective log management usually consists of aggregation of logs from various network devices.  The result is processed by a correlation engine which can use bits and pieces of information collected from disparate systems to create a picture of network activity.
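As an added illustration of the aggregation-and-correlation idea described above (example code, not from the original post), the Python below normalizes two constructed log formats into one schema and flags a host where repeated firewall denies and then an allow from the same external address precede a malware detection; the log formats, hostnames and addresses are all invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines from two disparate systems (a firewall and an
# antivirus agent); both formats are invented for this example.
FIREWALL_LOG = [
    "2008-11-20T02:10:05 fw01 DENY src=203.0.113.7 dst=10.0.0.25 dport=22",
    "2008-11-20T02:10:09 fw01 DENY src=203.0.113.7 dst=10.0.0.25 dport=3389",
    "2008-11-20T02:11:40 fw01 ALLOW src=203.0.113.7 dst=10.0.0.25 dport=443",
    "2008-11-20T02:30:00 fw01 ALLOW src=198.51.100.9 dst=10.0.0.30 dport=443",
]
ANTIVIRUS_LOG = [
    "20081120 021455 host=10.0.0.25 event=MALWARE_DETECTED name=Trojan.Generic",
    "20081120 031000 host=10.0.0.30 event=SCAN_COMPLETE result=clean",
]
FW_RE = re.compile(r"^(\S+) \S+ (DENY|ALLOW) src=(\S+) dst=(\S+)")
AV_RE = re.compile(r"^(\d{8}) (\d{6}) host=(\S+) event=(\S+)")

def normalize(fw_lines, av_lines):
    """Aggregation: map both formats onto (timestamp, host, event_kind, src_ip)."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(4), "fw_" + m.group(2).lower(), m.group(3)))
    for line in av_lines:
        m = AV_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
            events.append((ts, m.group(3), "av_" + m.group(4).lower(), ""))
    return sorted(events)

def correlate(events, window=timedelta(minutes=10), min_denies=2):
    """Correlation: a malware detection preceded, within the window, by repeated
    denies and then an allow from one external IP is a picture no single log shows."""
    by_host = {}
    for ts, host, kind, src in events:
        by_host.setdefault(host, []).append((ts, kind, src))
    alerts = []
    for host, evs in by_host.items():
        for ts, kind, _ in evs:
            if kind != "av_malware_detected":
                continue
            recent = [e for e in evs if ts - window <= e[0] <= ts]
            denies = [e[2] for e in recent if e[1] == "fw_deny"]
            allowed = {e[2] for e in recent if e[1] == "fw_allow"}
            for src in sorted(set(denies) & allowed):
                if denies.count(src) >= min_denies:
                    alerts.append((host, src, ts))  # (victim host, source IP, when)
    return alerts
```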

Network infrastructure availability

Hard drives, drive arrays, switches, servers, and any other technical device you can imagine will eventually fail if used long enough.  The best response results are reached when you can detect potential or existing failures, and prevent unscheduled downtime or quickly restore functionality.

Network or system anomaly detection begins with baselining normal operation.  This is followed by monitoring network and system behavior, sending alerts when significant deviations from one or more baselines occur.  In addition, log management efforts, as described above, can supplement monitoring solutions.
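An added example, not part of the original post, of baselining followed by deviation monitoring: the Python below builds a per-metric, per-hour baseline from a constructed seven-day history and scores new readings against it, alerting on large deviations in either direction (a traffic spike or the traffic collapse of a failed server); the metric names and values are invented.

```python
import statistics

# Constructed seven-day history keyed by (metric, hour_of_day): one sample
# per day, values invented for this example.
HISTORY = {
    ("requests_per_min", 2): [12, 14, 11, 13, 15, 12, 14],
    ("requests_per_min", 10): [140, 152, 138, 147, 160, 145, 150],
    ("disk_errors", 2): [0, 0, 0, 0, 0, 0, 0],
    ("disk_errors", 10): [0, 0, 1, 0, 0, 0, 0],
}

def build_baseline(history, min_samples=5):
    """Baselining: summarise 'normal' per metric and hour as (mean, stdev)."""
    baseline = {}
    for key, samples in history.items():
        if len(samples) < min_samples:
            continue  # too few observations to call anything normal
        baseline[key] = (statistics.fmean(samples), statistics.pstdev(samples))
    return baseline

def evaluate(baseline, metric, hour, value, threshold=3.0, min_stdev=1.0):
    """Monitoring: return (z_score, alert) for one observation.

    The stdev floor keeps a perfectly flat history (zero disk errors every
    day) from turning the first nonzero reading into an infinite z-score,
    while still alerting once the deviation is large in absolute terms."""
    key = (metric, hour)
    if key not in baseline:
        return None, False  # no baseline yet: this reading cannot be judged
    mean, stdev = baseline[key]
    z = (value - mean) / max(stdev, min_stdev)
    return z, abs(z) >= threshold

def check_samples(baseline, samples, threshold=3.0):
    """Score a batch of (metric, hour, value) readings; return the deviations.
    Spikes and collapses both trip the check because abs(z) is compared."""
    alerts = []
    for metric, hour, value in samples:
        z, alert = evaluate(baseline, metric, hour, value, threshold)
        if alert:
            alerts.append((metric, hour, value, round(z, 2)))
    return alerts
```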

Facility availability

Detection controls for facility availability help prevent serious damage to portions of structures or entire buildings.  Some events, such as hurricanes or tornadoes, cannot be prevented.  However, knowing they’re coming and initiating existing, tested response plans can reduce their effects on the business.

In addition to the nightly weather report, facility detection controls include:

  • Fire detection systems
  • Water detection systems
  • Sensors and alarms
  • Political analysis (just as important as a good weather report when operating in politically unstable areas)

Asset availability

Business assets include physical, financial, and human components.  In this post, we focus on physical and financial event detection.  Human resource issues are included in a future business continuity plan article.

Physical assets are susceptible to damage, theft, or unauthorized access to information they contain.  Controls which help detect these activities include security guards, security cameras, and inventory and asset tracking systems.

Theft of financial assets, including intellectual property, is a real problem for many organizations.  Their loss or compromise can have serious consequences for continued business operation.  In addition to technical monitoring controls, the following are helpful ways to detect questionable activity:

  • Rotation of duties and mandatory vacations.  Getting another set of eyes on daily business processes and outcomes can often reveal anomalous employee behavior.  Employee knowledge that others will eventually see their work also helps prevent bad behavior.
  • Security reviews and audits.
  • Background investigations.
  • Financial audits.
  • Management oversight reports.

The controls used depend on the results of the business impact analysis, budget, management’s threshold for risk, etc.  However, once detection controls are in place, response processes must support them.  Building containment and mitigation processes is the topic of next week’s post.

Contributor

Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for CSOonline.com, TechRepublic, Toolbox.com and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.