Control of the Week 16 - Business Continuity Plan and Disaster Recovery
This week’s control involves the Business Continuity Plan and Disaster Recovery. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), Jitendra Juthani (Senior Manager, IS Risk & Compliance), Chika Nwajagu (Senior Security Analyst at Tugboat Logic) and Garima Desai ( Manager, IS Risk & Compliance) why having a plan for disaster situations will be critical to your audit and business as a whole.
Why these controls are important
CR5 - Business Continuity Plans (BCP)
CR6 - Disaster Recovery Plan (DRP)
Business Continuity and disaster recovery plans (including restoration of backups) have been developed and tested annually. Test results are reviewed and consequently, contingency plans are updated.
The best thing you can do in a disruption involves a process that occurs before a disruption even happens. While we cannot fully predict most disruptive situations, having a plan means that you do not have any ambiguity in the course of action to take should a disruption occur. These controls are closely tied to our previous control focus (Back-up and Recovery Process), but deal with continuity and disaster recovery at the business and technology level respectively.
The Business Impact Analysis (BIA) is a document that outlines the potential effects of an interruption, identifies critical functions of your business, Recovery Time Objective (RTO), Recovery Point Objective (RPO), and any dependencies you have on third parties and internally within your organization.
The Business Continuity Plans (BCP) are documents that are reviewed annually and outline what a business should do in the event of a disruption (e.g. loss of people, loss of data, loss of technology etc.). These plans ensure that your business can continue to operate with minimum available resources.
The Disaster Recovery Plan (DRP) is a document that handles what to do in the event of a disaster. Some of the types of disaster you can plan for include events that not only impact your data or physical location, but events that happen on local, national or international level.
These controls and their respective documentation encompass not only your data and electronic assets, but also physical assets that could be lost. While they are all separate plans and documents to help in the event of a disaster, they are all closely related.
How to implement these controls for your audits
The first step towards implementing these controls should be to conduct a Business Impact Analysis (BIA). This analysis will define what critical functions or resources that your organization cannot function without. These are the elements you need to keep your organization running at a minimum capacity, and will be defined by your leadership team.
As an example, payroll would be a critical element for most organizations. In your plan, you would outline how long your organization could survive without payroll processes before it cripples daily operations and the workarounds in case that happens (your employees need to be paid because they need to be able to function as well).
For the Business Impact Analysis you should define:
- What risks or impact categories exist in the organization (e.g. financial, employee engagement, reputation, legal and regulatory, health & safety, etc.).
- Have all categories defined in your risk assessment to determine level of impact (mark them as high, moderate or low risk).
- The critical functions you need to continue running functionally.
- Know the requirements (people, technology, facility, 3rd party, internal dependencies) to run critical functions in a crisis and define the bare minimum that needs to be done.
- What dependencies you have on third parties (e.g. if you use AWS servers and they are critical to your business, if they go down, you go down with them).
- What services are you going to recover first and in what order or RTO (Recovery Time Objective)
- How much information you are able to lose in case of a disaster or RPO (Recovery Point Objective)
- Who is responsible for each element of the plan.
Plans for disaster recovery can be extensive but it is a good idea to have a lean document available to employees and management so that they aren’t flipping through 400 pages in a crisis! Have a document prepared that shows them who is responsible, what they should do, and who they should notify. Designate how all of the conditions are met or applied, and the course of action to take in the event that crisis occurs. This includes anything that would reduce recovery time, ensure safety of staff, links to other back-up controls, and when to cut your losses.
On the management level, you must develop, review and test your plans. You need to include a plan to train your employees and implement the outlined measures. Everyone needs to know who to talk to and under what circumstances. Testing these plans periodically (e.g. annually) can be a part of awareness as well. For instance, a simple test we’ve all been a part of is a fire drill. Perform the fire drill as a test, and note what areas need improvement to ensure your employees are kept as safe as possible. Auditors will be looking for a document approved by management, and have records of testing that they can look at.
Overall, having a plan for disaster will remove any ambiguity, which we’ll be honest, isn’t great in a crisis situation.