Business continuity planning

A business continuity plan looks at the risks and threats that face an organization and establishes a mechanism to ensure that business functions can continue to operate in the event of a disaster.

The key input for the information security professional when it comes to business continuity planning is from business or mission stakeholders. The key term in business continuity planning is business. The focus should not initially be on technology as technology serves to enable the business to do its work. Rather, the focus should be on the business functions that technology is supporting.

Key questions that you should be answering as you are developing your business continuity plan include:

  • What are your organizational risks: As part of your information security program, you should be well versed in discussing risks with your organization. In fact, you may have already had this discussion with your organization, and business continuity may be the conversation that has naturally flowed out of your risk management program. If you haven't begun discussing organizational risks, now is the time as you can't begin developing a business continuity plan without understanding the negative impacts your organization can suffer. Questions you can ask include:
    • Are there geographical risks that can affect the operations of our organization (hurricanes, wildfires, floods, blizzards)?
    • What will be the impact of a major disruption? What will the consequences be to the organization from a revenue and reputation perspective?
    • How will the organization continue to earn revenue in the event of a disaster (e-commerce website redundancy, manufacturing plant control systems)?
    • What products and services does your organization provide and how will you continue to provide these products and services in the event of a disaster?
  • How does your organization's location affect its availability: Determine if your organization would be unable to continue operating if key locations became unavailable.

For example, does your organization rely too heavily on a headquarters? If the building became unavailable, would the organization cease to function? If you could answer yes to that question, you have a problem. Organizations take different approaches to solve this issue, including the following:

    • The establishment of satellite locations that will take over key capabilities in the event of a disaster. These locations are typically part of the organization. Key team members would move to these locations and continue their roles from these satellite locations.
    • Developing a plan to establish an emergency command center at a predefined location. In this case, an alternate location such as a hotel may be defined where team members will move to re-establish operations.
    • The organization may move to a full telework capability until operations can be reinstated in the primary work facility.
  • Do you have a succession plan: What will you do if a key member of your team is unavailable? We tend to be morbid when we think about this, but let's be positive. What will you do when one of your key team members gets hit by the lottery? They are alive and well but will not be supporting your organization anymore. Also, you can have a situation where a key team member is available to work but environmental conditions have cut the team member off from the organization. You must have the necessary plans in place to ensure that you have the human resources available to continue operating your organization. Questions to ask include:
    • Who takes over key executive leadership roles if members in top-level positions are unavailable or incapacitated?
    • Are technical details properly documented so that if key technical resources are not available, business continuity actions can still be taken?
    • Do you have team members cross-trained in duties so that you can perform at least minimal functionality (hopefully more) in the event of a disaster?
    • How will you continue to pay your staff?