Is your CCMP just a check in the box activity?
Posted on: 28-Oct-2020Author: Deepanjali Kunthe
For the uninitiated CCMP stands for CYBER CRISIS MANAGEMENT PLAN. What is true of plans in general is true for the CCMP too. Those who regularly deal with regulators CCMP has acquired an aura of great importance.
It is easy to document a plan but it is difficult to make a plan that works.
This post is a window into the world of usable CCMPs.
Before we get into what a CCMP should be like, it would be more useful to take a few steps back (may be a few hundred or so) to understand one basic element. What’s the goal of a CCMP? And no, it is not just about satisfying regulatory requirements or making sure that teams have tasks on their ToDo lists.
The goal of a CCMP is ultimately reducing risks and thereby reducing the impact of a cyber crisis.
Once the big picture is clear, the exercise of creating a CCMP becomes more effective and meaningful.
So, what happens when teams lose sight of this goal?
Organisations run the risk of their CCMPs becoming an ineffective and documentation-oriented activity rather a save-the-day kind. It may become a checkbox activity and ultimately something one has to do and not something that one should do.
Creating a CCMP successfully and creating a CCMP that is successful are the two milestones that an organisation should strive to achieve. And one is not more important than the other.
Here are a few key points to create a CCMP successfully:
Leadership buy-in – The significance of this cannot be emphasised enough. It's the organisation’s leadership’s job to provide strategic direction, provide resources and give insights to the CCMP building exercise.
Treat the CCMP like a project- It makes sense to take up the CCMP initiative like a project, so that it has a finite beginning and end. Failing to do this may cause the CCMP creation process to lose steam midway and get shelved or worse drag on endlessly. Having a project plan not only helps keep the activities on track but also helps measure progress and remove obstacles if any.
A project plan needs a project team to implement it. Assembling a project team led by a project manager ensures that tasks are distributed and accounted for.
Plan Owner- Designate a plan owner beforehand who will take over the CCMP ownerships once the project is deemed closed.
To create a successful CCMP:
Keep it short - Creating short and concise documentation that can actually be referred to in the time of crisis and is not left gathering dust. The main plan should not be more than 20-30 pages long and it should have only what is needed during a crisis. All the other details could be included as Appendices.
Build Teams- Create a team structure that is workable for the size and type of your organisation. It is best to create a team that does not just look good on paper but can actually be formed.
The team members, their roles and responsibilities should be clearly documented and communicated. Have backups for crucial roles.
Plan for Incident scenarios- Spend time with individual functions to create most probable incident scenarios, for which crisis management plans should be created.
Make a ready reckoner Toolbox- The CCMP toolbox should have ready checklists, templates, communication moulds that can be used as it is without too many tweaks.
Train, Train, Train!! – All the efforts towards creating a good and functioning CCMP will come to a nought if the relevant teams and people are not trained on their roles and responsibilities. The training could be through classroom sessions or through testing exercises like table-top tests.
Test & Update – Test your CCMP and update it based on the results of the tests.
Most organisations do either the first part or the second efficiently. Very rarely do they get both parts right and that’s what makes the difference between an effective CCMP and one that is just a documentation exercise.
Need help with creation, documentation, testing or training for CCMP?