CIBERDEFENSA: ORIENTACIONES PARA EL DISEÑO, PLANEAMIENTO, IMPLANTACIÓN Y DESARROLLO DE UNA CIBERDEFENSA MILITAR

290. The operations continuity plan contains the technical, human, procedural and organizational measures to recover and restore critical operations that have been disabled or interrupted by a cyber attack.

291. The standard process for preparing an operations continuity plan is based on three phases: threat identification, critical service identification and definition of cyber defense measures.

292. The cyber threat identification phase serves to analyze the four general cases (known threat and known response; known threat and unknown response; unknown threat and known response; and unknown threat and unknown response), and to identify and classify the most likely and dangerous threats.

293. In the known threat/known response case, the cyber defense measures necessary to deal with a specific cyber threat (known TTPs and impact) are known.

294. In the known threat/unknown response case, the cyber threat TTPs and potential impacts are known, but the right cyber defense measures to deal with them are not known. It is necessary to experiment with possible solutions and build collaborations with organizations that may have solutions.

295. In the unknown threat/known response case, contingency situations are analyzed, anticipating probable impacts, where the measures to recover from them are known, but the causes that produce them are unknown.

296. In the unknown threat/unknown response case, a mechanism is established to expeditiously organize a group of experts who can advise in real time on the appropriate reactive measures for unforeseen situations in which the cyber threat TTPs are unknown and reactive measures are not planned.

297. In the critical services identification phase, the services, operations, processes, systems, etc. whose interruption or disablement may lead to an unacceptable lack of operation for the organization should be identified, and the impact measurement criteria that should trigger an automatic or human response should be established.

298. In the measures definition phase, all the preventive measures (data backup systems, backup SOC, etc.) and reactive measures necessary to recover from the expected impacts, to react to unforeseen impacts and to anticipate unknown threats (cyber threat hunting) should be defined.

299. The communications plan establishes the official position of the cyber force on all particularly sensitive matters (offensive operations, intelligence operations, organization, resources, capabilities, missions, etc.), identifying the situations in which information can be made public, how it can be delivered and who can deliver it.

300. The communications plan also establishes the form, the manner and the entity responsible for reporting on serious ongoing incidents.