ACSC and CISA launch step-by-step business continuity instructions for SMBs

Business Continuity in a Box, a set of instructions to help organizations to maintain or re-establish basic operations during or after a cyber incident, has been published by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the US Cybersecurity and Infrastructure Security Agency (CISA). Its aim is to assist businesses to establish basic communications functionality and design and deploy an interim cloud solution for hosting cloud applications.

The instructions are for businesses that do not have a business continuity plan in place and should not be used by those existing Microsoft 365 or Google Workspace customers — in these instances businesses should contact their relevant hosting provider.

Business Continuity in a Box has step-by-step instructions to identify and set up an interim solution that best suits a business. This can be used by an organization or the managed services provider (MSP) following an assessment to determine if this is the right tool.

Who can benefit from Business Continuity in a Box

The instructions are better suited for small to medium-sized organisations (10-300 people) who require an interim ICT solution to deliver minimal services. Larger enterprises and government departments can also use the guidance but are likely to need to apply additional configuration steps. Larger organisations should consult with an MSP and carry out appropriate independent risk and business impact assessments.

Someone with basic level of computing knowledge would be able implement the communications package but the applications package requires someone with intermediate level of knowledge of cloud services.

What is included in the Business Continuity in a Box guidance

The instructions should be followed immediately after an incident is identified and were developed using Microsoft 365 as the core technology stack due to its prevalent usage across business and government organisations.

To establish basic communications the document has guidance on how to set up a catch-all mailbox so that critical communications sent to the organisation are not lost during the period when usual email systems are unavailable.

The Continuity of Communications package has information to verify prerequisites, written guidance on provisioning a Microsoft 365 Business Standard tenant and a tool for automated configuration of the Microsoft 365 Business Standard tenant, how to configure organisation settings, how to run an automated configuration of environment and how to validate the environment.

To maintain the continuity of critical applications such as office productivity suites, accounting, human resource management and payroll systems, the instructions include guidance to determine critical functions and requirements to ensure continued business operations, determine an appropriate platform for each required interim application, and deploying a secure cloud-hosted infrastructure-as-a-service (IaaS) solution for each major cloud hosting provider, enabling organisations to take advantage of existing software licenses. The primary focus of the instructions is for IaaS but it also covers platform and software as a service.

Businesses using the continuity application guidance to deploy an interim cloud solution must assess any risks associated with organisational data being stored on an interim cloud solution, including any additional security controls that may be required.

Business Continuity, Cyberattacks

Go to Source