Comprehensive business continuity and disaster recovery plans are must-haves for companies of all sizes that are dependent on their systems to run their businesses.
The definition of a disaster is anything that can impact the continuation of business operations. Most people think disasters would just include major weather events (snowstorms, hurricanes, floods, and tornadoes), fire, earthquakes, and war. However, there are many other events that could impact the continuing operations of a business, including:
- A plumbing leak that forces the employees to have to evacuate the business facility
- A vendor that has a disaster and can no longer fully support the business
- The death of a critical employee, without a succession plan
- A sickness or pandemic that results in a percentage of the staff not being able to fully perform their business functions
Companies should have a documented plan in place to address the following, based on the disaster:
- How the business can continue to function at some less-than-optimal level during the disaster event
- How the business can use alternative work locations to continue operations during the disaster event
- How the business can failover to backup systems to continue operations during the disaster event
- How the business can recover data and restore all operations back to normal, once the disaster event has passed
What is the difference between a business continuity plan and a disaster recovery plan?
A Business Continuity Plan (BCP) defines how the business functions will operate during the disaster event. It will also include plans on how to protect the staff, such as evacuation plans or shelter-in-place strategies. Its focus is on people and process. A company, based on size and complexity, could have one BCP, or it could have a plan for each department in the company.
A Disaster Recovery Plan (DRP) defines how the business will fail over to backup systems or will use backup facilities to continue operations. The DRP will also address how to recover from the disaster, such as rebuilding replacement systems and facilities. A company, based on size and complexity, could have one DRP, or it could have a plan for each facility and each IT system.
Why does a business need one?
A business should always be prepared to handle events that impact the business. Consider the following:
- Is there an evacuation plan? Do all employees know how to evacuate the facility and where their outdoor meeting point is, so that a proper headcount can confirm everyone got out safely?
- Is there a plan for how work will be conducted and prioritized if 50% of the accounts receivable department is out sick for the day or week?
- Is there a plan for how work will be conducted if there were a loss of Internet, phone service, or electrical power?
In my next blog post I will discuss factors that have to be considered when building a plan.
Based in the Philadelphia area, Jeff VanSickel is a seasoned Information Security Professional with over 20 years’ experience in the areas of Information Security, Information Technology, Audit Compliance, Risk and Project Management. As a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified CISSP and CISM, Jeff is highly knowledgeable about US Federal and State Law (including SOX, HIPAA, GLBA and Breach Law), US Regulations, ISO-27001/2, NIST, and PCI-DSS.