Business Continuity Planning using Standards and Alignment

This article outlines the importance of Business Continuity Planning (BCP) and where to start when building one for customers.

Contingency planning is often binary: it does or does not exist. Business continuity is usually an afterthought of an operating budget. But in a way, it is not difficult to side with businesses who lack such planning. It is time-consuming, expensive, and the resources to plan and maintain a Business Continuity Plan (BCP) are not always available.

Business continuity takes many factors into consideration during a disaster. What roles and responsibilities do personnel have during a crisis? Will a cold, warm, or hot site be accessible during the outage? As a Technology Service Provider (TSP), easing the customer into contingency planning is a must. They likely have no idea what to do or where to begin—it is the responsibility of their IT provider to get them started on the right foot.

What is a Business Continuity Plan?

The Federal Financial Institutions Examination Council (FFIEC), an interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, defines BCP as the following:

The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations. Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery. This enterprise-wide framework should consider how every critical process, business unit, department, and system will respond to disruptions and which recovery solutions should be implemented. This framework should include a plan for short-term and long-term recovery operations. Without an enterprise-wide BCP that considers all critical elements of the entire business, an institution may not be able to resume customer service at an acceptable level. Management should also prioritize business objectives and critical operations that are essential for survival of the institution since the restoration of all business units may not be feasible because of cost, logistics, and other unforeseen circumstances.

The statement from the FFIEC is correct: BCP is more than a technology-focused endeavor—it is about restoring all aspects of business operations. This is true for business of all sizes since technology is either a minor or major part of daily operations. To develop a proper plan, a business must identify the probability of risk. The likelihood of occurrence and potential severity determine the best course of action.

According to Ready.gov, the development of a Business Continuity Plan includes four steps:

  • Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
  • Identify, document, and implement to recover critical business functions and processes.
  • Organize a business continuity team and compile a business continuity plan to manage a business disruption.
  • Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.

Developing a plan, documenting it, and managing a disruption are important steps. Another critical—and often missed—step is periodic testing of the plan. As business moves forward, technology and personnel changes mean plan revisions are necessary. Not all businesses have a need or care to have a BCP in place. Organizations that have an operating plan are those that potentially need it.

Why Is a Backup Continuity Plan Important?

Running a business is often a challenge and stressful, but rewarding. Smooth business operations mean personnel is productive and the company is generating revenue. But when (not if) a disaster strikes operations and productivity come to a screeching halt. Damage and downtime are unpredictable during an emergency event. This could be a power outage lasting five minutes or tornado damage taking weeks or years to repair.

A large enterprise experiencing downtime is more uncommon in the modern age. They have the money, resources, and personnel to establish, test, and execute a plan at a moment’s notice. They can earmark funding for preventive measures like emergency generators and hot sites. But for the average small business, this type of funding is not easily available. A full BCP is not workable and requires proactive solutions to ease the risk of downtime.

A small business is less likely to have a hot site available. When disaster strikes, a hot site is a fully operational facility. This option is rather expensive and unrealistic to the vast majority of businesses. Business who cannot afford such a luxury falls back to option B: proactive planning. A thorough risk assessment can pinpoint weaknesses in current operations and mitigate potential issues.

A chain of command and reporting structure must remain intact when this occurs. For instance, employees should know where to report, who to contact, and their responsibilities. A BCP must keep everyone informed.

Aspects of a Plan

Developing a BCP for customers is no easy task. There are many factors at play like budget, resources, industry, and compliance requirements. It is unlikely a “one size fits all” plan will apply to every customer. But core aspects will apply to businesses of all sizes. Referring to the Ready.gov checklist mentioned before, there are four components to developing a plan.

Business Impact Analysis: Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.

The first step is to perform a Business Impact Analysis (BIA) in the customer environment. This will include a workflow analysis that assesses the prioritization of business functions and processes that must be recovered. A workflow analysis identifies the interdependencies between critical operations, departments, personnel, and services.

Risk mitigation begins with identifying those areas that will cause the most harm. A Technology Alignment Manager (TAM) already performs an onsite alignment review. The assessment, vCIO recommendations, and implementation is a constant risk reduction process. Applying best practices through standards and alignment is part of an impact assessment.

Risk Assessment: Identify, document, and implement to recover critical business functions and processes.

This part is an evaluation of the BIA assumptions. Using this information is critical to analyzing threats to the customer, their customers, and the markets they serve. A large component of this step is the prioritization of potential disruptions based on severity. This determination stems from the impact on operations and probability of occurrence.



Example of a Risk Assessment Matrix.

Rather than focus on the nature of the threat, a risk assessment focuses on the impact on the institution, its customers, and markets in which it serves. Downtime caused by a hacker, power outage, or flood are all risk factors. Determining the impact of these threats is the focus of the analysis, not on the source.

Risk Management: Organize a business continuity team and compile a business continuity plan to manage a business disruption.

After a risk assessment concludes, a continuity plan must be in writing. A plan consists of specifics like what conditions prompt the execution of the plan and the process of the BCP. It must also contain the immediate steps necessary during the interruption. Effective use of the BCP minimizes service disruptions through the implementation of mitigation strategies.

This step is necessary when identifying, assessing, and reducing known risk to an acceptable level. The plan contains details that assist in mitigating risk before a disaster. It will focus on the maintenance of the plan, keeping documentation up to date, and seeking approval from senior management—at least—annually.

Risk Monitoring and Testing: Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.

The final step includes the monitoring and testing of the BCP. Continual testing of the plan ensures the BIA remains viable. Monitoring the process for faults provides the Emergency Response Team with the information necessary to update, install, and test revisions to the BCP. Testing the plan will ensure the roles and responsibilities of personnel remain workable.

Business Impact Analysis using Standards and Alignment

The purpose of myITprocess is for service providers to apply best practices to their customers. Providers already complete alignment reviews, vCIO recommendations, and technology implementations. Incorporating a BCP is no different from using standards on a routine basis.

But the real mystery is where to begin, what questions are relevant, and how often an assessment should occur. As mentioned before, a BIA will not be one size fits all, but proven frameworks cover the common items. Some reasons why myITprocess is already useful for performing a BIA as part of a BCP:

  • Sections and Categories in the Standards Library repeat on the desired frequency.
  • TAM and vCIO roles perform risk mitigation as part of their role by default.
  • The Strategic Roadmap feature presents recommendations to customers for reducing high-risk areas.

The Impact Analysis is an ongoing check of the customer environment for risks and how to mitigate them. Every customer has a different environment but common core impact elements.  Clients and locations are divisible in the Standards Library and added on a per review basis.

Related Article: Standards Library

Use of the Tagging feature in myITprocess is beneficial to alignment. It can help differentiate category types and locations for each assessment. Creating a new review allows an engineer to select proper categories when auditing a customer.



Related Article: Section and Category Tags

Tags are completely customizable and allow the user to organize sections and categories. Filtering is best used when many tags exist and need drilling down when creating a review.

Where to Begin When Building a Plan

Because a contingency plan differs from customer to customer, mitigating the same risks does not hold water. A core set of best practices can blanket every customer with the addition of industry- and customer-specific standards added at a later time. In essence, using the same assessment for every customer is not recommended—one client’s risks are different from the others.

There are many resources available when creating a BCP with private and government resources.

Tip: Having trouble starting a Business Continuity Plan for your customers? Perform one on your TSP to establish a framework which can then be adapted to customer environments.

National Institute of Standards and Technology (NIST)

NIST has an extensive library of Special Publications (SP) and Federal Information Processing Standards (FIPS) that pertain to Disaster Recovery and Business Continuity.

Publication

Title

Link to Documentation

SP 800-30 Rev. 1

Guide for Conducting Risk Assessments

https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

SP 800-37 Rev. 2

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

SP 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems

https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final

SP 800-84

Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities

https://csrc.nist.gov/publications/detail/sp/800-84/final

FIPS 200

Minimum Security Requirements for Federal Information and Information Systems

https://csrc.nist.gov/publications/detail/fips/200/final

 

Federal Emergency Management Agency (FEMA)

The information offered by FEMA presents useful information for planning, maintaining, and executing a BCP. The documentation available allows planners to “Define the scope, objectives, and assumptions of the business continuity plan.”

Publication

Title

Link to Documentation

Business Continuity Plan

Business Continuity Plan

https://www.fema.gov/media-library/assets/documents/89510#

 

Ready.gov

Publication

Title

Link to Documentation

Ready.gov

Business Continuity Plan

https://www.ready.gov/business/implementation/continuity

 

General Security, System Hardening, and Benchmarking

Providing a generalized security assessment of a customer environment is always a good idea. A one-time audit is not recommended and should occur on a scheduled frequency. The following controls and checklists are vendor-neutral assessments provided by third-party organizations—and available as a myITprocess template.

Organization

Title

Link to Documentation

Center for Internet Security

CIS Controls 7.1

https://www.cisecurity.org/controls/

Center for Internet Security

CIS Benchmarks

https://www.cisecurity.org/cis-benchmarks/

National Cyber Security Centre

Cyber Essentials

https://www.cyberessentials.ncsc.gov.uk/advice/

National Institute of Standards and Technology

Cybersecurity Framework 1.1

https://www.nist.gov/cyberframework

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us