[BreachExchange] 6 Key Considerations for a Business Continuity and Disaster Recovery Plan

Destry Winant destry at riskbasedsecurity.com
Fri Oct 26 03:10:59 EDT 2018


Disasters, industrial accidents and other catastrophic incidents are
events that can strike any organization without warning. One of the
greatest dangers with such events is the likelihood of grounding a
business for good. Think about what would happen if, for instance,
your organization lost all of its customer and financial records
following a natural disaster.

In the best case, disasters can disrupt your operations for minutes or
hours. In the worst case, you may have to shut down the business
permanently. Developing a business continuity and disaster recovery
(BC/DR) plan is key to ensuring your organization is always prepared
for such unexpected incidents.

Here are the main considerations for developing such plans.

1.   Classify Enterprise Data

The average organization is home to a wide range of information. Such
data comprises spreadsheets, emails, contact lists, computational
data, physical files, document printouts, payroll information and

The business must categorize its data based on its value. The
classification will help define the most appropriate backup, archival,
retention and retrieval policies. The data classification determines
system classification.

2.   Classify Enterprise Systems

System classification lies at the heart of every effective BC/DR plan.
It’s important because first, not all systems are created equal. Some
are more important to organization survival than others. Second, no
business has infinite resources. That means more resources should be
expended on high priority systems and less on low priority systems.

Information systems can be classified as either business support,
business critical or mission critical. Mission critical should enjoy
the highest level of protection and redundancy.

3.   Choose a BC/DR Location

BC/DR-associated standards such as ISO 27001, ISO 22301, NIST SP 800
and BS25999-2 don’t usually specify the minimum distance there should
be between a production site and a disaster recovery site. That’s
mainly because the definition of sufficient distance will vary
depending on whether the disaster is a fire, flood, earthquake,
tsunami, hurricane, tornado, data corruption or ransomware infection.

At the minimum, your choice of a BC/DR site should be driven by your
business model, your main revenue streams and regulatory requirements.
As much as possible, use cloud-based disaster recovery solutionsfor
your BC/DR since this will almost certainly fulfil any distance

4.   Get Senior Leadership to See the Value

Implementing a BC/DR plan costs money. The larger the organization,
the more expensive the redundancy setup is likely to be. The size of
the expenditure is likely to raise eyebrows when presented to senior
management. The key to getting the expenditure approved is ensuring
the business leadership focuses on the value and not the cost.

For starters, BC/DR plans often uncover plenty of otherwise hidden
issues with the production environment during the risk assessment.
This inadvertently helps make production systems more robust even
before you factor the recovery plan. Another way to soften management
is to recommend cloud-based DR systems the organization only pays for
when the DR plan is invoked.

5.   Document the Plan

This may sound obvious except if industry surveys are anything to go
by, as much as 40 percent of companies don’t have a DR plan. Many
organizations will set up elaborate backup systems and redundant
network links but won’t have a specific well-thought-out step-by-step
BC/DR plan. Yet, documentation cannot be overemphasized.

Remember that certain disasters may come with massive loss of human
life including key employees. Documenting a plan that details server
architecture, network infrastructure, system applications,
interdependencies, interfaces, contacts, assets and the recovery
sequence ensures business continuity after such a deadly event.

6.   Test the Plan

A Forrester/Disaster Recovery Journal survey found that 1 in 5
organizations do not test their BC/DR plans at all. Creating a working
BC/DR plan is intense work that may involve several months of
meetings, workshops, training, documentation and testing. After such
an exhausting process, too many businesses will consider their work as
complete and will only refer to the plans again when disaster does
strike. This is a catastrophic mistake.

First, the production environment is never static. As systems and
procedures change and evolve, so should the BC/DR plan. Second,
regular testing is an effective way to unearth unforeseen challenges
or gaps such as configuration problems, version inconsistencies, data
conversion failures and incomplete recovery. BC/DR plans should be
tested via a drill at least once a year.

BC/DR planning is a painstaking process. But it pales in comparison to
the disastrous repercussions of not having an effective BC/DR plan. A
good plan minimizes downtime and prevents reputational damage and lost
market share.

More information about the BreachExchange mailing list