Learn how to build business resilience with four essential plans and understand their unique roles and how they work together.

In his article "From Ice Storm To IT: Preparing For The Unexpected", published last month, Keller Schroeder's VP of Infrastructure, Ryan Kremer, highlighted the importance of preparing your business for a disaster. This month, I'd like to expand on that topic and briefly discuss the plans that form the foundation of business resilience. A mature governance practice can encompass a few dozen policies, plans, and procedures; the four we will briefly describe today are:
· Risk Management Plan
· Business Continuity Plan
· Disaster Recovery Plan
· Incident Response Plan
Although each of these plans serves a different function, they build upon one another in important ways.
RISK MANAGEMENT PLAN
PURPOSE: The purpose of the Risk Management (RM) Plan is to identify, assess, and develop mitigation strategies for potential risks that could negatively impact an organization.
The Risk Management Plan not only informs the other three plans discussed here, but it also informs the company’s entire cybersecurity strategy. By identifying the risks facing the organization, the company can more strategically implement cybersecurity controls that address risks deemed most impactful to business continuity.
One important thing to note is that the Risk Management Plan is not strictly a cybersecurity plan. As Information Security Consultants, we are primarily focused on reducing cybersecurity risks. But a fully mature Risk Management Plan should address all risks facing an organization, including things like supply chain, competitive, and financial risks.
BUSINESS CONTINUITY PLAN
PURPOSE: The purpose of the Business Continuity (BC) Plan is to build a plan for continuing key business functions during a disaster that impacts normal business operations.
Like the Risk Management Plan, the Business Continuity Plan is not strictly focused on technical or cybersecurity aspects of business continuity. The plan should include steps for continuing business operations, even in a degraded state, when business-critical systems are down. But it should also include steps for continuing operations during other disasters such as flood, fire, natural disasters, or any other event that could negatively impact business operations.
DISASTER RECOVERY PLAN
PURPOSE: The Disaster Recovery (DR) Plan is where you plan for how to restore business-critical systems to normal operations after a disaster has occurred.
The Disaster Recovery Plan is where you determine how you will restore systems to normal operation, whether by restoring from backup, failing over to a DR site, or other means. Building this plan forces you to answer key questions: How much data loss is acceptable for each system? Is the time it takes to restore a system acceptable to the business units that depend on it? The answers to these questions then drive how you design your backup and DR systems to meet the needs of the business.
The Disaster Recovery and Business Continuity Plans are heavily intertwined, so we often see them combined into a single Business Continuity/Disaster Recovery (BCDR) Plan. The Business Continuity Plan not only identifies the steps needed to continue business operations but also defines how long the business can keep operating on those alternate processes and systems, since some alternate processes are not acceptable indefinitely. It is therefore critical that these two plans clearly identify how long each system can be down without negatively impacting business operations, and then build plans for recovering systems within that acceptable timeframe.
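The two questions above, acceptable data loss and acceptable restore time, are usually written down as numeric targets per system (commonly called the Recovery Point Objective and Recovery Time Objective). The following is an added example, not code from the article or from Keller Schroeder, showing how those targets can be checked against evidence you already have: the backup job log and the results of DR restore tests. The system names, targets, log lines and restore durations are all constructed for illustration. It also covers two failure modes worth watching for: a failed backup run silently doubles the worst-case data loss, and a system that has never been restore-tested has an unknown, not an acceptable, restore time.

```python
"""Check a DR design against the business's tolerance for data loss and
downtime.  Added example; all systems, targets, log lines and restore
durations are constructed, not taken from any real environment."""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryTargets:
    """Targets agreed with the business unit that owns the system (constructed)."""
    system: str
    max_data_loss: timedelta     # commonly called the Recovery Point Objective (RPO)
    max_restore_time: timedelta  # commonly called the Recovery Time Objective (RTO)


# Hypothetical backup-job log, one job per line: "<ISO timestamp> <system> <ok|FAILED>".
BACKUP_LOG = """\
2024-03-01T02:00:00 erp-db ok
2024-03-01T02:00:00 file-share ok
2024-03-01T06:00:00 erp-db ok
2024-03-01T10:00:00 erp-db ok
2024-03-01T14:00:00 erp-db FAILED
2024-03-01T18:00:00 erp-db ok
2024-03-01T22:00:00 erp-db ok
2024-03-02T02:00:00 file-share ok
"""

# Hypothetical wall-clock durations of past DR restore tests, per system.
# "crm" has never been restore-tested, so it has no entry.
RESTORE_TEST_DURATIONS = {
    "erp-db": [timedelta(hours=3), timedelta(hours=3, minutes=40)],
    "file-share": [timedelta(hours=10)],
}

TARGETS = [
    RecoveryTargets("erp-db", timedelta(hours=4), timedelta(hours=4)),
    RecoveryTargets("file-share", timedelta(hours=24), timedelta(hours=8)),
    RecoveryTargets("crm", timedelta(hours=24), timedelta(hours=24)),
]


def parse_backup_log(text):
    """Return sorted completion times of *successful* backups per system.
    Failed runs are dropped: a failed backup gives you no restore point."""
    completions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, system, status = line.split()
        if status != "ok":
            continue
        completions.setdefault(system, []).append(datetime.fromisoformat(stamp))
    for times in completions.values():
        times.sort()
    return completions


def worst_backup_gap(times):
    """Achieved data-loss window: the largest interval between consecutive
    good backups.  Anything written after one backup and lost before the
    next is gone, so the widest gap is the worst case.  None if there are
    fewer than two good backups, because no interval can be measured."""
    if len(times) < 2:
        return None
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def evaluate(targets, completions, restore_durations):
    """Compare one system's measured figures with its agreed targets."""
    achieved_rpo = worst_backup_gap(completions.get(targets.system, []))
    tests = restore_durations.get(targets.system, [])
    # Use the slowest observed restore; with no test at all the RTO is unknown.
    achieved_rto = max(tests) if tests else None
    return {
        "achieved_rpo": achieved_rpo,
        "rpo_ok": achieved_rpo is not None and achieved_rpo <= targets.max_data_loss,
        "achieved_rto": achieved_rto,
        "rto_ok": achieved_rto is not None and achieved_rto <= targets.max_restore_time,
    }


def evaluate_all(targets=TARGETS, log=BACKUP_LOG, restore_durations=RESTORE_TEST_DURATIONS):
    completions = parse_backup_log(log)
    return {t.system: evaluate(t, completions, restore_durations) for t in targets}


if __name__ == "__main__":
    for system, result in evaluate_all().items():
        print(system, result)
```

In the constructed data, erp-db backs up every four hours and has a four-hour data-loss target, but the single failed 14:00 run widens the worst gap to eight hours, so the target is missed even though the schedule looks adequate on paper. file-share meets its data-loss target but its only restore test took ten hours against an eight-hour limit, and crm fails both checks simply because nothing has been measured. Feeding real job logs and test results into checks like these is how the DR plan's stated targets become something you can verify rather than assume.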
INCIDENT RESPONSE PLAN
PURPOSE: The Incident Response (IR) Plan outlines the steps that an organization should take to prepare for, detect, and respond to a cyber incident.
While the Business Continuity and Disaster Recovery Plans identify steps to respond to many types of failures, the Incident Response Plan usually focuses specifically on cyber incidents like data breaches and ransomware. The Incident Response Plan identifies key internal and external stakeholders (e.g., business and technical leaders, legal counsel, cyber insurance, law enforcement, etc.) that need to be involved in the Incident Response process, establishes communication plans, and can provide playbooks for responding to specific types of incidents.
CONCLUSION
The four plans discussed here are foundational to building business resilience. As you develop them, be sure to include a cross-functional team of business and technology leaders as well as front-line employees, so that you build a full picture of the key business processes and systems. This helps ensure the plans adequately protect business goals and objectives. Admittedly, developing these plans requires a significant investment, but building a better understanding of the risks your business faces and thinking through your security strategies helps to protect business value well into the future. If you have questions or would like assistance with building your governance program, please let us know!
Written By:

David Boarman
Business Unit Director for Information Security – Governance
Infrastructure Solutions Group