Your company headquarters has just lost all power due to a tornado that destroyed the local power substation. You’re looking at being without reliable electricity for the next several days, or longer. Do your people know what to do?
Many industry standards, such as PCI DSS, SOC 2, ISO 27001 and others, have requirements for business continuity and disaster recovery (BCDR). Business continuity outlines how your organization will keep operating during and after a disruptive event. Disaster recovery is the set of plans for responding to the event, mitigating its impact and restoring normal operations.
Without BCDR in place, even the smallest events can have an amplified impact on your operations. In some cases, companies have been shut down by events that could have been overcome with an effective business continuity plan.
The Importance of a Business Continuity Plan
If you’re doing BCDR correctly, you have a documented plan that’s been thought through and tested in real-world exercises. It should cover multiple what-if scenarios, so that if the fit hits the proverbial shan, everyone isn’t just looking around wondering what the heck to do.
Your organization isn’t susceptible to just one or two scenarios — an incident can come in a multitude of forms. For example, before 2020, who would have ever included a nationwide quarantine in their BCDR plans?
There were a ton of organizations that had never even considered that scenario, and they didn’t have a plan in place when COVID-19 arrived. They were thrown into a reality they weren’t prepared for, and many of them weren’t able to respond to the emergency in time to save their businesses.
What to Include in a BCDR Plan
Your business continuity plan shouldn’t be limited to global, history-changing events. It should also include commonplace situations that are as mundane as a late delivery or an equipment failure. Your plan should include all sorts of scenarios that can arise, across all functions of your organization.
No two businesses will have the same disaster recovery plan. BCDR is influenced by a myriad of factors, including:
- Type of organization
- Business model
- Size and location of the organization
- Technologies used
- Server locations
- Budget allocations
- Vendors involved
I could go on, but you get the point.
I’ve seen organizations that have done absolutely nothing for BCDR and companies that took it to the other extreme. Some organizations had hundreds and maybe even thousands of pages that covered everything under the sun.
The best approach is somewhere in between. You’ll never cover every possible scenario, but you should prepare for situations that are most likely and most disruptive.
What to Do With Your BCDR Plan
Business continuity plans aren’t intended to be written once, only to be left on a shelf. Most compliance standards require you to review, train, validate, and test at least annually.
If you wrote your plan in 2015 and don’t dust it off until 2023, you’re almost in the same boat as never having done it. Every year, new things happen. New technologies emerge and new risks come into play. Your business grows and there are new things to account for. At some point, the plan you wrote years ago makes no sense and is as useless as not having a plan.
Review your BCDR plan on a regular schedule. Walk through the scenarios in a role-playing style, physically going through all the motions of the business continuity plan. Use the personnel who would actually be involved, so that they are trained and knowledgeable before a real event.
During the reviews, look for gaps to address — details that aren’t documented, or updates that need to be made.
Tabletop Exercise or Real-World Walkthrough?
Some organizations use an alternative to the real-world walkthrough, called a tabletop exercise. Effectively, it’s a role-playing game that’s done around a table. You talk through a scenario as if it were happening and everyone plays out how they would handle the incident.
The drawback with tabletop exercises is that they are only as good as the person running them, the scenario, and the imaginations of the participants. If any of those is lacking, you lose much of the benefit.
When you walk through a scenario in the real world, you have to actually go and solve the problem, leveraging the framework. You’re walking through the scenario itself and discovering issues that your imaginations wouldn’t think of during the tabletop. A real-world walkthrough ensures that you spot the gaps in your plan so you can go back and make adjustments as needed.
Declare Your Incidents!
Your BCDR plan exists in order to be used. But I keep finding organizations that seem reluctant to declare an incident or a disaster. They don’t want to make a declaration that invokes their disaster recovery plan. Instead, they insist that they have everything under control and that they have had no incidents at all. There are no issues, and everything is going perfectly according to plan.
Often, these companies feel a stigma about declaring a disaster or an incident. People tend to look at those words negatively. But keep in mind, the disasters we’re talking about span the range of everything from an asteroid taking out the Eastern Seaboard to losing power during a thunderstorm. Not everything is Armageddon, and not everything is the failure of the organization to do their job.
The bottom line is that stuff happens. Nothing is 100 percent perfect, ever. What matters is how you deal with an incident, not the fact that it happened in the first place.
Assessors will honestly get suspicious when you say you haven’t had an incident. Everybody has had an incident. It doesn’t sound credible to claim that you went through an entire year and nothing went wrong.
If you aren’t willing to make a declaration, it sounds like a cover-up to the Assessor, and their B.S. detector is certainly activated. Now they’re going to start digging deeper to see what’s really going on in your organization. I’ve seen it happen.
Not only is your company worse off for not having used your plans, you’re placing yourself under greater scrutiny with your Assessor, who is now more likely to find issues. Many of the Assessors feel like they must find improvements in order to have performed their jobs properly, so it’s actually easier to give them a softball with several declared incidents and continuity events.
On the other hand, if you declare an incident when an incident-worthy event occurs, your Assessor’s radar will not be raised — especially if it’s something typical. You’re also better off for it as an organization, because you’ve field tested your BCDR plans. And you benefit from real-world lessons learned afterwards.
As long as your organization has handled the incident properly, your Assessor will actually be appreciative, because you’re doing exactly what you should be doing. They love seeing companies that do all the right things.
As a result, the Assessor is less stressed and more confident in your organization, which makes your assessment a lot easier to go through.
Need help getting your arms around your compliance standard’s requirements? TCT has deep experience in the front lines of security and compliance. Subscribe to the TCT blog to get more industry-leading expertise.