Comprehensive business continuity and disaster recovery plans are must-haves for companies of all sizes that are dependent on their systems to run their businesses. In Part 2 on this topic, I discuss factors that have to be considered when building a plan.
Preparing for a disaster can be a daunting task, involving many factors. A company will first have to identify events that will impact continued business operations — essentially, any time there is a loss of staff, systems, facilities, or third-party service providers. Some staff, systems, facilities, or third-party service providers are more critical than others, so that will have to be factored into the process, along with event likelihood — for instance, a snowstorm in Florida is not very likely.
Another factor will be the time of the event and how long it will be until the loss becomes impactful. The loss of the email system may not be impactful if lost for an hour, but it would be extremely impactful if lost for a week.
Once this Business Impact Analysis (BIA) is completed, the company will have a firm understanding of critical business functions, optimal staff levels, critical systems, service providers, and critical facilities. The company will also have an understanding of how long it will be before the disaster is impactful to the business. With that knowledge, the company will be able to strategize how best to be prepared for these events, which could include:
- Cross-training staff so that people from other departments could help the impacted department
- Having manual processes available to address the loss of automated processes
- Having redundant systems in place that could be activated quickly if there was a loss of a primary system
- Having backup power generators or redundant Internet
What steps go into creating a recovery plan?
Since the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP) are potentially going to be used by a number of different departments with varying skill sets, the first step should be to design, plan, and document a Business Continuity Management (BCM) process. The process should include the following:
- Set up an internal BCM organization, to ensure that there is representation from each facility, for each system, and from each department
- Complete the BIA process, to ensure that there is an up-to-date understanding of what is critical to the business and what redundancy must be in place. This process should occur at least annually
- Develop and review the BCP, to ensure that the content of the plan is standardized and contains the level of detail needed for individuals of any skill level to accomplish their task
- Develop and review the DRP, to ensure that the content of the plan meets the needs of the IT and Facilities personnel, and any other stakeholders
- Establish a plan maintenance process, to ensure that the plans are updated whenever there are significant changes to the organization (e.g., organizational changes, system changes, facility changes). These plans should be reviewed and updated at least annually
- Test all processes, to ensure that evacuation plans, system failovers, and alternate work procedures actually work effectively. A variety of tests should be conducted over the course of a given year
How should it be constructed?
The Business Continuity Plan should include the following:
- How a disaster is declared and by whom
- How staff communications will occur (alerting staff that a disaster has occurred)
- Which staff are critical versus secondary
- Where staff should report if the disaster impacts the facility
- The procedures on how to prioritize and conduct business during a number of different disaster scenarios
- The procedures on how staff will recover from manual processes, performed during the disaster, once the disaster is over
The Disaster Recovery Plan (DRP) should include the following:
- Criteria and responsibilities associated with declaring a disaster
- Procedures on how IT system interaction will occur during a disaster
- Procedures on how to re-construct the IT infrastructure and any lost facilities
- Procedures on how the IT infrastructure is to be operated after a loss of a service provider
When and how should employees be trained on the plan?
Training on the plans can generally be accomplished by testing the different aspects and processes contained within. For example:
- Most companies perform evacuation drills at least annually to ensure that staff know how to leave the building safely and where to go for a headcount
- Companies often create a testing schedule to evaluate how well written their plans are and to determine whether the organization can indeed fail over to backup processes and systems within a defined timeframe
Based in the Philadelphia area, Jeff VanSickel is a seasoned Information Security Professional with over 20 years’ experience in the areas of Information Security, Information Technology, Audit Compliance, Risk and Project Management. A Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified CISSP and CISM, Jeff is highly knowledgeable about US Federal and State Law (including SOX, HIPAA, GLBA and Breach Law), US Regulations, ISO-27001/2, NIST, and PCI-DSS.