CSA CCM BCR-07
Communication

Establishing effective communication channels with stakeholders and participants is crucial for the success of any business continuity and resilience program. Clear communication ensures everyone understands their roles, responsibilities, and the actions required during a disruption. A well-planned communication strategy can make the difference between a smooth recovery and a chaotic response.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The matrix provides a comprehensive set of controls to help organizations assess and manage the security and resilience of their cloud environments. For more information on business continuity in the cloud, refer to the AWS documentation on Disaster Recovery.

Who should care?

  • Business continuity managers responsible for developing and implementing business continuity plans
  • Incident response teams who need to coordinate and communicate during a disruption
  • Executives and senior management who oversee the organization's resilience and reputation
  • Employees who need to understand their roles and responsibilities during a disruption
  • Customers and external stakeholders who rely on the organization's services

What is the risk?

Ineffective communication during a disruption can lead to:

  • Confusion and lack of coordination among response teams
  • Delays in identifying and responding to incidents
  • Incomplete or inaccurate information being shared with stakeholders
  • Reputational damage if customers and the public are not kept informed
  • Failure to meet regulatory requirements for timely notification of incidents

Implementing BCR-07 can significantly mitigate these risks by ensuring clear, timely, and accurate communication flows throughout the organization and to external stakeholders.

What's the care factor?

Business continuity managers and incident response teams should prioritize this control as it directly impacts their ability to effectively manage a disruption. Executives should also care as poor communication can damage the organization's reputation and customer trust. However, for employees not directly involved in incident response, this control may be a lower priority.

When is it relevant?

BCR-07 is relevant for all organizations that rely on cloud services and need to ensure continuity of critical operations. It is especially important for:

  • Organizations in regulated industries with strict notification requirements (e.g., financial services, healthcare)
  • Organizations with a large, distributed workforce that needs to be kept informed during a disruption
  • Organizations with complex, interdependent systems where coordination is essential for recovery

However, smaller organizations with simpler cloud environments may be able to manage communication more informally.

What are the trade offs?

Implementing BCR-07 requires an investment of time and resources to:

  • Identify and map out all relevant stakeholders and communication channels
  • Develop communication templates, procedures, and training materials
  • Test and exercise the communication plan regularly

This may divert resources from other business continuity or IT initiatives. There is also a risk of "alert fatigue" if too many notifications are sent out, leading to important messages being ignored.

How to make it happen?

  1. Identify all relevant internal and external stakeholders (e.g., employees, customers, regulators, suppliers)
  2. Map out the communication channels and contact information for each stakeholder group
  3. Define clear roles and responsibilities for who will send out communications and approve content
  4. Develop templates for common notification scenarios (e.g., service disruption, data breach, office closure)
  5. Establish criteria and thresholds for when different types of communication should be triggered
  6. Select and implement communication tools (e.g., mass notification system, status page, social media)
  7. Train all involved staff on the communication procedures and tools
  8. Conduct regular exercises to test and refine the communication plan
  9. Review and update the plan at least annually or after any major changes

What are some gotchas?

  • Ensure all contact information is kept up-to-date, especially for external stakeholders
  • Have backup communication methods in case primary channels are down (e.g., phone trees if email is unavailable)
  • In AWS, you will need the ses:SendEmail and sns:Publish permissions to send email and SMS notifications via Amazon SES and SNS. See the AWS Identity and Access Management User Guide for details on IAM permissions.
  • Be mindful of any regulatory requirements for notifying authorities or the public within certain timeframes

What are the alternatives?

While BCR-07 provides a structured approach to communication, some alternatives include:

  • For small teams, ad-hoc communication via phone, email or chat may be sufficient
  • Using a dedicated incident management tool that includes communication features (e.g., PagerDuty, OpsGenie)
  • Outsourcing communication to a specialist public relations or crisis communication firm

Explore further

Related CIS Controls:

  • 10.1 - Ensure Regular Automated Backups
  • 10.2 - Ensure Active-Active, Active-Passive, or Active-Standby High-Availability Options are Implemented
  • 19.4 - Establish and Maintain a Response Plan

Blog

Learn cloud security with our research blog

Your queues, your responsibility
August 20, 2024
Things you wish you didn't need to know about S3
May 30, 2024
S3 Bucket Encryption Doesn't Work The Way You Think It Works
April 19, 2024
Read more