Business Continuity Management (BCM) - Betriebskontinuität bei Cyberangriffen
Business Continuity Management (BCM) ensures that critical business processes continue to run or are quickly restored in the event of a cyberattack, ransomware, or IT failure. Key concepts: BIA (Business Impact Analysis), RTO (Recovery Time Objective), RPO (Recovery Point Objective), BCP (Business Continuity Plan), DRP (Disaster Recovery Plan), offline backup strategy (3-2-1-1-0 rule), tabletop exercises. ISO 22301 and BSI IT-Grundschutz Standard 200-4.
Business Continuity Management (BCM) is the discipline that ensures a company can survive even if it is hacked. It’s not a question of if a cyberattack will happen, but when—and how quickly the company can resume operations afterward.
Core Concepts: RTO and RPO
RTO (Recovery Time Objective):
- Maximum acceptable downtime
- "How long can a system be down at most?"
- Example: Email server RTO = 4 hours
- The system MUST be restored within this time!
RPO (Recovery Point Objective):
- Maximum acceptable data loss
- "How many hours/days of data can be lost?"
- Example: Customer database RPO = 1 hour
- The backup interval must be shorter than the RPO (otherwise the RPO cannot be met)!
Cost-benefit balance
Lower RTO/RPO = more expensive infrastructure:
| Goal | Solution | Cost |
|---|---|---|
| RPO: 0s | Synchronous replication | Expensive |
| RPO: 15m | Asynchronous replication | Moderate |
| RPO: 24h | Daily backups | Low |
| RTO: 0s | Hot standby / Active-Active | Very expensive |
| RTO: 1h | Warm standby | Moderate |
| RTO: 24h | Cold recovery | Low, slow |
Real-World Examples of Ransomware Scenarios
| Scenario | RTO | RPO |
|---|---|---|
| Without BCM | 3–6 months | Everything lost |
| With BCM | 24–72h | < 24h (last clean backup) |
| Best in Class | 4–8h | < 1h (immutable backups, fast DR) |
Business Impact Analysis (BIA)
BIA Methodology
- Identify all business processes:
  - IT systems, applications, data
  - Dependencies: which system needs what?
- Criticality assessment:
  - Financial loss per hour of downtime?
  - Reputational damage?
  - Regulatory consequences?
  - Loss of customers?
- Define RTO/RPO per process:
| Process | RTO | RPO | Criticality |
|---|---|---|---|
| Online Store | 1h | 15m | Critical |
| ERP/SAP | 4h | 1h | Critical |
| | 4h | 4h | High |
| Development Environment | 48h | 24h | Medium |
| Archive System | 7d | 7d | Low |
- Dependency Chain:
- Online Store requires: Database, Payment Provider, CDN
- If database fails → Store goes down!
- Database protection must meet the store’s RTO/RPO!
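The dependency-chain rule above ("database protection must meet the store's RTO/RPO") can be checked mechanically. The following added example (not part of the original page) pushes each process's RTO/RPO down a constructed dependency graph, so every supporting system inherits the strictest targets of everything that relies on it, and then reports where the constructed backup interval or restore time falls short. The process values are taken from the BIA table above; the dependency lists, the "Storage Array" system and all PROTECTION figures are constructed assumptions.

```python
from datetime import timedelta
MIN, H = timedelta(minutes=1), timedelta(hours=1)
# Constructed BIA input. RTO/RPO values follow the BIA table above; the dependency
# lists are a simplified, constructed version of the chains the page describes.
PROCESSES = {
    "Online Store": {"rto": 1 * H, "rpo": 15 * MIN, "needs": ["Database", "Payment Provider", "CDN"]},
    "ERP/SAP": {"rto": 4 * H, "rpo": 1 * H, "needs": ["Database", "Active Directory"]},
}
# Constructed: supporting systems and their own (nested) dependencies, assumed acyclic.
SYSTEMS = {"Database": ["Storage Array"], "Storage Array": [], "Active Directory": [],
           "Payment Provider": [], "CDN": []}
# Constructed: the backup interval and tested restore time currently in place per system.
PROTECTION = {
    "Database": {"backup_interval": 1 * H, "restore_time": 2 * H},
    "Storage Array": {"backup_interval": 24 * H, "restore_time": 8 * H},
    "Active Directory": {"backup_interval": 24 * H, "restore_time": 2 * H},
}

def required_targets():
    """Push each process's RTO/RPO down its dependency chain: a supporting system
    inherits the strictest (smallest) RTO and RPO of everything relying on it."""
    graph = {**{p: v["needs"] for p, v in PROCESSES.items()}, **SYSTEMS}
    targets = {p: (v["rto"], v["rpo"]) for p, v in PROCESSES.items()}

    def push(node, rto, rpo):
        for dep in graph[node]:
            old = targets.get(dep, (rto, rpo))
            targets[dep] = (min(old[0], rto), min(old[1], rpo))
            push(dep, *targets[dep])  # carry the tightened values further down
    for proc, (rto, rpo) in list(targets.items()):
        push(proc, rto, rpo)
    return targets

def gaps():
    """Supporting systems whose configured protection cannot meet the inherited targets."""
    out, targets = {}, required_targets()
    for system in SYSTEMS:
        if system not in targets:
            continue  # nothing depends on it, so no target is inherited
        rto, rpo = targets[system]
        prot = PROTECTION.get(system)
        problems = [] if prot else ["no backup/recovery protection documented"]
        if prot and prot["backup_interval"] > rpo:
            problems.append(f"backup interval {prot['backup_interval']} exceeds required RPO {rpo}")
        if prot and prot["restore_time"] > rto:
            problems.append(f"restore time {prot['restore_time']} exceeds required RTO {rto}")
        if problems:
            out[system] = problems
    return out
```

With these inputs the hourly database backup is flagged, because the online store's 15-minute RPO propagates to the database and on to the storage array beneath it.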
BIA Documentation (Template)
- Process: Order Processing
- System: SAP ERP
- Owner: Head of Operations
- RTO: 4 hours
- RPO: 1 hour
- Max. Cost/h: 50,000 EUR in lost revenue
- Dependencies: SAP database, Active Directory, SAP application server
- Contingency process: Manual order entry in Excel (workaround)
- Contact: SAP consultant +49 XXX, SAP Support 0800 XXX
Backup Strategy for Cyberattacks
3-2-1-1-0 Backup Rule (Ransomware-Resistant)
- 3: Three copies of the data (production data + 2 backups)
- 2: Two different media (NAS + tape OR on-premises NAS + cloud backup)
- 1: At least one offsite copy (different building, city, cloud)
- 1: One offline/air-gapped copy – NOT reachable via the network, so ransomware cannot encrypt it! Options: tape, cloud storage with Object Lock, offsite rotating NAS
- 0: Zero errors in restore tests - TEST backups regularly (don’t just create them!); monthly test: restore a random file; quarterly DR test: full system restore
Immutable Backups (technical)
AWS S3 Object Lock (WORM):
```bash
# Apply a bucket-wide default retention: every new object version is locked for 30 days.
aws s3api put-object-lock-configuration \
  --bucket backup-bucket \
  --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":30}}}'
# COMPLIANCE mode: even root cannot delete the locked versions before the retention expires!
```
Azure Backup Immutability:
- Backup Vault → Properties → Immutable Vault: Enable + Lock
- Result: no one can delete backups (not even admins!)
Veeam Immutable Backup:
- Repository → Capacity Tier → S3-compatible → Enable Immutability
- Also: Veeam with Hardened Linux Repository (no SSH = no removal)
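Setting the lock is only half the job; an audit should also verify that it is still in place and in the right mode. The following added example (not AWS or Veeam code, and not from the original page) checks a bucket's Object Lock configuration against a minimum retention. The SAMPLE string is a constructed copy of what `aws s3api get-object-lock-configuration` returns once the command above has been applied; GOVERNANCE mode is reported as a finding because it can be bypassed by principals holding the `s3:BypassGovernanceRetention` permission.

```python
import json

# Constructed sample of the `aws s3api get-object-lock-configuration --bucket backup-bucket`
# response after the put-object-lock-configuration command above has been applied.
SAMPLE = json.dumps({"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}})

def check_object_lock(raw_json, min_days):
    """Return policy findings for a bucket's Object Lock configuration; [] means compliant.
    GOVERNANCE mode is reported because principals with s3:BypassGovernanceRetention can
    shorten or remove that retention, which defeats the purpose of an immutable backup copy."""
    cfg = json.loads(raw_json).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    ret = cfg.get("Rule", {}).get("DefaultRetention")
    if not ret:
        return ["no default retention rule: new backup objects are not locked automatically"]
    findings = []
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(f"mode {ret.get('Mode')} is bypassable; require COMPLIANCE")
    # AWS expresses the period as either Days or Years (never both); normalise to days.
    days = ret.get("Days", ret.get("Years", 0) * 365)
    if days < min_days:
        findings.append(f"retention {days}d is shorter than the required {min_days}d")
    return findings
```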
Backup Isolation (important!)
- Backup Server: separate AD tier (not Domain Admin!)
- Backup Credentials: in PAM, not on the Domain Controller
- Backup Network: separate VLAN, only backup traffic allowed
- Ransomware test: Can the attacker reach the backup system?
BCP and Emergency Plans
BCP Structure
- Scope and Purpose
- Crisis Organization (who does what?)
- Communication Plan (internal + external)
- Critical Processes and Workarounds
- IT Recovery Plans (DRP)
- Supplier and Partner Contacts
- Testing and Drill Plan
Crisis Management Organization
Crisis Management Team Members:
- Incident Commander (Overall Responsibility)
- IT Director / CISO (Technical Coordination)
- Communications Officer (internal + external)
- Legal Department (reporting obligations, contractual risks)
- CFO (financial decisions: ransom, insurance)
- Works Council (if employee data is affected)
Escalation Matrix:
| Incident Severity | Escalation |
|---|---|
| Server Outage (< 1h) | IT Team |
| Server Outage (> 1h) | IT Manager |
| Ransomware | CISO + Management → Crisis Team |
| KRITIS Incident | Crisis Team + BSI Report |
Out-of-Band Communication (CRITICAL!)
- Email server compromised? → How to communicate?
- Mobile phone groups: Signal group for crisis management team
- Emergency cell phone: not joined to AD, separate SIM card
- Paper documentation: Phone list available offline!
- Meeting location: Physical war room defined
Workaround Documentation (Example)
- Process: Order acceptance
- Normal: SAP ERP system
- Workaround in case of failure:
- Send orders via email to bestell@company.com
- Excel template: \\fileserver\emergency-forms\order.xlsx
- If the file server is also down: template on a USB drive in the safe
- Manual processing by the responsible business department
- Post-entry in SAP after recovery
Tabletop Exercises and Tests
Tabletop Exercise (written/oral)
- Scenario: Ransomware attack, 50% of servers encrypted
- Participants: Crisis management team + IT + business units
- Duration: 2–4 hours
- Moderator: AWARE7 or external facilitator
Run through questions/decisions:
- When do we shut down systems?
- Who informs customers? When?
- Do we pay the ransom? Who decides?
- When do we contact the BSI and the police?
Findings from typical tabletop exercises:
- Out-of-band communication not prepared
- Backup passwords only in AD (also encrypted!)
- Contact lists outdated
- No clear decision-making responsibility
DR test (technical)
Annual: Full system recovery from backup
- Time tracking: Was the RTO met?
- Check RPO: How old is the restored data?
- Log: Test report for ISO 22301 / ISO 27001 audit
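Both the 3-2-1-1-0 rule from the backup section and the DR test checks above (RTO met? how old is the restored data?) reduce to simple measurements that can be recorded for the audit log. The following added example (not from the original page) evaluates a constructed backup inventory against each part of 3-2-1-1-0 and scores a constructed ERP/SAP DR test against the 4 h / 1 h targets from the BIA template; the copy names, sites, dates and timestamps are all constructed.

```python
from datetime import datetime, timedelta

# Constructed backup inventory for ERP/SAP (RTO 4 h, RPO 1 h as in the BIA template above).
# "production" is the live copy; the others are backups.
COPIES = [
    {"name": "production", "medium": "san", "site": "hq", "offline": False},
    {"name": "nightly-nas", "medium": "nas", "site": "hq", "offline": False},
    {"name": "weekly-tape", "medium": "tape", "site": "offsite vault", "offline": True},
]
# Constructed restore-test log; any errors > 0 violates the "0" of 3-2-1-1-0.
RESTORE_TESTS = [
    {"date": "2024-05-01", "scope": "random file", "errors": 0},
    {"date": "2024-06-01", "scope": "full ERP restore", "errors": 0},
]

def check_3_2_1_1_0(copies, tests):
    """Evaluate each part of the 3-2-1-1-0 rule over an inventory; returns rule -> passed."""
    prod_site = next(c["site"] for c in copies if c["name"] == "production")
    backups = [c for c in copies if c["name"] != "production"]
    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c["medium"] for c in copies}) >= 2,
        "1 offsite": any(c["site"] != prod_site for c in backups),
        "1 offline": any(c["offline"] for c in backups),
        "0 errors": bool(tests) and all(t["errors"] == 0 for t in tests),  # untested = fail
    }

def dr_test_result(outage_start, restore_done, restored_data_ts, rto, rpo):
    """Measure a DR test against targets: achieved RTO = outage-to-restore,
    achieved RPO = how old the restored data was at the moment of the outage."""
    achieved_rto = restore_done - outage_start
    achieved_rpo = outage_start - restored_data_ts
    return {"rto": achieved_rto, "rto_met": achieved_rto <= rto,
            "rpo": achieved_rpo, "rpo_met": achieved_rpo <= rpo}

def example_erp_dr_test():
    """Constructed test run: outage 08:00, restore finished 13:30 from a 07:30 backup."""
    return dr_test_result(datetime(2024, 6, 10, 8, 0), datetime(2024, 6, 10, 13, 30),
                          datetime(2024, 6, 10, 7, 30), timedelta(hours=4), timedelta(hours=1))

if __name__ == "__main__":
    for rule, ok in check_3_2_1_1_0(COPIES, RESTORE_TESTS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
    print(example_erp_dr_test())
```

In the constructed run the RPO is met (the restored data was 30 minutes old) but the RTO is missed (5.5 h against a 4 h target), which is exactly the kind of gap the annual DR test is meant to surface before a real incident.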
Common BCM deficiencies (audit findings)
- BCP never tested (theory ≠ practice)
- RTO/RPO not defined (or too optimistic)
- Backups exist but are never restored
- Backup system on the same network as production
- BCP documentation outdated (staff changes, system updates)
- No supplier SLAs for emergencies (e.g., hardware delivery)
BSI Standard 200-4 (BCM)
- Recognized as a BCM framework in Germany
- Structure: similar to ISO 22301, but in German
- Certification: possible (BSI certifiers)
- Chapters: BIA methodology, emergency response plan, exercise planning