"Failing to plan is planning to fail."
Business continuity (BCP) and disaster recovery planning (DRP) are an organization’s LAST CORRECTIVE CONTROL when all other controls have failed!
BCP/DRP may prevent or provide remedy for force majeure circumstances such as injury, loss of life, or failure of an entire organization.
Furthermore, BCP/DRP provides the advantage of being able to view the organization’s critical processes and assets in a different, often clarifying light.
Risk analysis conducted during a BCP/DRP plan stage often lead to immediate mitigating actions.
An eventual potentially crippling disaster may have no impact due to prudent risk management steps taken as a result of a thorough BCP/DRP plan.
WHERE TO START?
Developing a Business Continuity and Disaster Recovery Plans is essential for a company's responsiveness and ability to recover from an interruption in normal business functions or catastrophic event. In order to ensure that all planning has been considered, the BCP/DRP has a specific set of requirements to review and implement. Below are listed the high-level steps to achieving a sound, logical BCP/DRP:
- Define Project Scope
- Business Impact Analysis
- Identify Preventive Controls
- Recovery Strategy
- Plan Design and Development
- Implementation, Training, and Testing
- BCP/DRP Maintenance
BUSINESS CONTINUITY vs. DISASTER RECOVERY
NOT TO BE USED INTERCHANGEABLY!
BUSINESS CONTINUITY PLANNING will ensure the business will continue to operate prior to, during, and after a disaster happens.
The focus is on the business in its entirety and making sure critical services and functions provided by the business will still be performed, both if threatened by a disruption as well as after the threat has subsided.
Organizations need to consider common threats to their critical functions as well as any associated vulnerabilities that might facilitate a significant disruption. Business Continuity Planning is a long-term strategy for continued successful operation despite of inevitable threats and disasters.
DISASTER RECOVERY PLANNING - while Business Continuity Planning is responsible for the strategic, long-term, business-oriented plan for uninterrupted operation when faced with a threat or disruption, the Disaster Recovery Plan will provide the tactics. In essence, DRP is a short-term plan for dealing with specific IT-oriented outages.
Mitigating a virus infection with a risk of spreading is an example of a specific IT-oriented disruption that a DRP must address. The focus is on efficiently mitigating the outage impact and the immediate response and recovery of critical IT systems. Disaster Recovery Planning provides a means for immediate response to disasters.
THE RELATION BETWEEN BCP & DRP - the Business Continuity Plan is an all-inclusive plan that includes, amongst multiple specific plans, the Disaster Recovery Plan - the importance stems from the fact that the focus and process of these overlap critically.
Continual provision of business-critical services facing threats is achieved with the aid of the tactical DRP. The plans, with their different scopes, are organically intertwined.
In order to distinguish between a BCP and a DRP one needs to realize that the BCP is concerned with the business-critical function or service provided by the company, whereas the DRP focuses on the actual systems and their interoperability so the business function is performed.
As mentioned before, the Business Continuity Plan is an umbrella plan that contains others plans, in addition to the Disaster Recovery Plan:
Continuity of Operations Plan (COOP) - describes the procedures required to maintain operations during a disaster. This includes transfer of personnel to an alternative disaster recovery site, and operations of that site.
Continuity of Support Plan - focuses narrowly on support of specific IT systems and applications. It is also called the IT contingency plan, emphasizing IT over general business support.
Cyber Incident Response Plan (CIRP) - designed to respond to disruptive cyber events, including network-based attacks, worms, computer viruses, Trojan horses, etc.
Business Recovery Plan (BRP) - also known as the business resumption plan, details the steps required to restore normal business operations.
Crisis Communications Plan - used for communicating to staff and the public in the event of a disruptive event. Instructions for notifying the affected members of the organization are an integral part of any BCP/DRP.
Occupant Emergency Plan (OEP) - provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property.
THE DISASTER RECOVERY PLAN
The Disaster Recovery Plan must be an actionable prescription for recovery. Writing the plan is not enough, thorough testing is needed. Information systems are in a constant state of flux, with infrastructure, hardware, software, and configuration changes altering the way the DRP needs to be carried out. Testing the details of the DRP will ensure both the initial and continued efficacy of the plan. The tests must be performed on an annual basis as an absolute minimum.
REVIEW - the most basic form of initial DRP testing. It involves simply reading the DRP in its entirety.
CHECKLIST - also referred to as consistency testing, lists all necessary components required for successful recovery and ensures that they are, or will be, readily available should a disaster occur.
WALKTHROUGH/TABLETOP - the goal is to talk through the proposed recovery procedures in a structured manner to determine whether there are any noticeable omissions, gaps, erroneous assumptions, or simply technical missteps that would hinder the recovery process from successfully being carried out.
SIMULATION (AKA WALKTHROUGH DRILL) - goes beyond talking about the process and actually has teams carry out the recovery process. The team must respond to a simulated disaster as directed by the DRP.
PARALLEL PROCESSING - involves recovery of critical processing components at an alternative computing facility, and then restore data from a previous backup. Regular production systems are not interrupted.
PARTIAL & COMPLETE INTERRUPTION - extreme caution should be exercised before attempting an actual interruption test. This test causes the organization to actually stop processing normal business at the primary location and use an alternative computing facility.
SOME OF OUR SERVICES
RELATED TO BCP & DRP
Development of continuity action strategies
Developing a business continuity strategy allows the identification of critical business processes and areas, and planning measures to ensure their continuity.
As part of the services performed:
- Identification of critical organizational processes and their supporting resources
- Assessment of the possible damage caused by violations of critical processes in the event of emergencies through Penetration Testing and Vulnerability Assessment
- Risk assessment of business continuity violations
- Defining continuity requirements
- Selecting common ways to ensure continuity of critical business processes on the basis of technical and financial analysis
- Development of strategies to ensure business continuity of the organization
- Defining common approaches to the creation of a system, to ensure continuity of the processes
Development and integration of measures
The service focuses on the development and implementation of measures to ensure continuity of operations in accordance with the chosen strategy:
- Description of critical business processes and the choice of optimal recovery methods for each of them
- Implementation of disaster recovery solutions
- Development of plans for Incident Resolution (IMP), Business Continuity (BCP) and Disaster Recovery Plans (DRP)
- Training the staff of the Company
- Testing developed plans
Additionally, within the service:
- Introduction of technical means to ensure the continuity of IT infrastructure and disaster recovery solutions
- Construction of a disaster IT infrastructure necessary to implement relevant plans
- Implementation of application systems for the automation of work with plans to ensure Information Security