Acronyms are an ever-growing species. Technologies, standards and concepts come with their share of new acronyms to know and to consider. In recent years we had to learn and understand what GDPR or PSD2 stand for. And we have learned that IT security, compliance and data protection are key requirements for virtually any enterprise. The following acronyms and more importantly the concepts behind them can teach us about what forward-looking organizations and their leaders should be thinking of.
MTPD stands for "Maximum Tolerable Period of Disruption". Its value determines the longest time an organization can endure a partial or complete disruption of service before the impact of the incident becomes unacceptable or a recovery becomes more or less useless. Determining this period is an exercise every reader of this text might want to do right now. It might be surprisingly low.
MBCO, closely related to the MTPD, is short for "Minimum Business Continuity Objective". It describes the baseline of services that are necessary for an organization to survive during a disruption. This is another important aspect for all of us to think about. MTDL describes the "Maximum Tolerable Data Loss". It is usually defined as the largest amount of data in IT systems (or on analog media, like files and binders) an organization can afford to lose and still be able to recover successful operations afterwards. These terms (and many more related and relevant concepts) originally stem from the area of Business Continuity Planning, but they are becoming increasingly important to the management and staff of IT security departments as well.
One reason for that is yet another acronym, namely "KRITIS", which is an abbreviation of "KRITische InfraStrukturen" ("critical infrastructure"). Critical infrastructure is defined as organizations or institutions of major importance to the state and community whose failure or degradation would result in sustained supply shortages, significant public safety disruptions or other dramatic consequences.
Originating from an EU Directive in 2008, the term is closely linked to the Federal Republic of Germany, its legislation and its efforts to reduce potential vulnerabilities of critical infrastructure. The concept aims at improving protection and resilience in response to the growing pervasiveness of critical infrastructure and the dependence of almost all areas of life on it. A German law ("IT-SiG") and a regulation, the "BSI-Kritisverordnung" ("Kritis regulation"), issued in 2015/2016 are the foundation for the specification and enforcement of this significant set of requirements.
Many countries are already looking at regulating and securing critical infrastructure as well, including the US (Department of Homeland Security), so this is far from being just another German or European issue. Taking Germany as an example, the overall picture of critical infrastructure includes Energy, Information Technology and Telecommunications, Nutrition and Water, Healthcare, Finance and Insurance, Transport and Traffic. The actual scope of organizations affected can be looked up online. The core legislation is the same for each critical infrastructure sector; the challenge for individual industries is that sector-specific requirements need to be identified individually. The definition of industry-specific requirements is the responsibility of the individual industries, their industry associations and key corporations as exemplary representatives of their sector. However, these documents need to be government-approved.
Implementing these requirements requires organizations to think in more than just IT security terms. While the industry-specific requirement documents often have an IT security bias (usually starting with implementing an ISO 27xxx ISMS), organizations also need to consider the acronyms from the beginning of this text. This "paradigm shift" that critical infrastructure has to deal with now (and obviously had to deal with before already) is an important step for any organization. Extending security towards resilience and business continuity will be essential for almost any organization in a world of increasing challenges, including but not limited to cyber threats.
To make systems, processes and organizations future-proof, it is highly recommended to consider security, safety and business continuity more holistically. Why not use the related KRITIS requirements as a benchmark that could help you increase your organizational maturity? Just because you are not obliged to comply does not mean that going beyond your individual, mandatory requirements cannot improve your overall security posture and business continuity approach.
The definitions and requirements concerning critical infrastructure as they exist at a European and, in particular, German level can be regarded as exemplary in many respects. Even if they have direct relevance primarily for operators of critical infrastructure in Germany, they can serve as a basis for the design, operation and documentation of resilient architectures in Europe and beyond, due to their degree of detail and their comprehensive coverage of a multitude of sectors and industries.
As a heads-up for German readers, the update of the IT-SiG ("IT-Sicherheitsgesetz 2.0") could be yet another game changer, so they should be prepared for further major changes in systems, processes and organization.