Theme 2: Having the Right Procedures: Make a Plan
Once you have taken stock of your situation by drawing up an inventory and doing the necessary analysis, you need to move on to the next step: making a plan.
Already in the Middle Ages, a lord did not wait for his enemies to attack him or for an incident to occur before thinking about the right procedures to put in place.
To defend himself, he planned the training of his troops (archers, infantrymen, etc.) in advance, he thought about procedures for storing food to withstand a siege, he drew up evacuation procedures (for example, in the event of a fire) and he agreed with his allies on the procedure to be used to call for reinforcements on the day an enemy attacked.
Similarly, in the digital age, you must also adopt procedures to anticipate and limit the impact of cyber security incidents.
This plan needs to encompass three distinct stages:
- Before the incident: what you do to prevent a cyber security incident from happening. At this stage, a good policy, including awareness-raising among your staff (see theme 3 “Awareness-raising: your plan in practice”), as well as the control of risks relating to your suppliers and subcontractors (management of , access to your computer systems, etc.), will be very useful. This policy is the key document in your cybersecurity prevention system!
- During the incident: what you do when the cyber security incident happens in spite of your precautions, to avoid a total shutdown of your business and regain control of the situation. Here, we refer to an and a .
- After the incident: what you do after the cyber security incident, in order to learn from your experience. This is the “Post-Incident Review”.
Don't wait for the incident to happen before thinking about having the right procedures in place!
Keep in mind
- Fortified castle in the Middle Ages:
  - Procedures for:
    - training troops (archers, infantrymen, etc.);
    - storing food (siege);
    - evacuation (fire, etc.);
    - calling for allied reinforcements;
    - etc.
- Cybersecurity for your business:
  - Planning procedures in 3 stages:
    - before the incident: policy (awareness-raising, supplier/subcontractor management, etc.);
    - during the incident: (regaining control) and (maintaining activity);
    - after the incident: post-incident review (learning from the experience).