Business Continuity, Disaster Recovery, and Incident Response

Woman placing sticky notes on wall of business meeting.

Many use the terms Business Continuity, Disaster Recovery, and Incident Response interchangeably. However, each of these components of the Resilience Triad[1] serve different purposes, and understanding the role and interactions of each is essential to maintaining a robust information security program. A Virtual CISO (vCISO) can assist with creating and managing the triad.

“Business continuity is an organization’s ability to maintain essential functions during and after a disaster has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services, and reestablish full function to the organization as quickly and smoothly as possible.”[2]

Business continuity can be argued to be the most important component of the Resilience Triad, in that Disaster Recovery and Incident Response support it. However, of the three it is often the most overlooked, because it is assumed, incorrectly, that the other components adequately ensure continuity of operations. They are important, sure, but are not complete.

For example, unique to the Business Continuity Plan (BCP) is the inclusion of Business Impact Analysis (or Analyses, as often individual departments perform their own). Shortened as BIA, they provide guidance for the Disaster Recovery (DR) actions. In the most simplistic example, BIAs direct Information Technology on service restoration prioritization based on business needs.

There are many methods for completing a BIA, and the mechanics are not as important as the goals of service restoration with minimal revenue and reputational impact. While components may vary, BIAs should at minimum contain the following:

    • Identification of critical systems (e.g. online banking portal)

    • Identification of critical information

    • Identification of stewards of the business process

    • Dependent processes (bidirectional)

    • Recovery Time Objectives (RTO), the acceptable downtime for a function before the business impact becomes significant

    • Recovery Point Objective (RPO), the acceptable amount of data that can be lost in restoration processes before the business impact becomes significant

The BCP therefore should incorporate the BIAs to create a restorative process that prioritizes systems based on criticality to business operations. Too often Information Technology is left to make this decision in a vacuum. Information Technology supports the business and needs to understand the business, but should never make risk management decisions for the business.

The BCP should be tested periodically. Business Continuity Plan Table-Top Exercises (BCP-TTX) are simulations of one or more events that may disrupt business operations, such as a tornado striking a primary data center. The BCP-TTX is designed to test incident response and expose gaps in that response.

The BCP-TTX is often one of the most overlooked elements of a holistic information security program. It involves time and effort from high-ranking managers and executives across the organization and is easily dismissed for “scheduling conflicts”. Unfortunately, not conducting at least one annual BCP-TTX robs the organization of the benefits of the exercise, while also not meeting the requirements of some framework and regulations.

One BCP-TTX scenario that vCISO Services led its clients through is the onslaught of a pandemic in 2018 and 2019. There wasn’t much excitement in the exercises, as the general opinion was the chance of a pandemic that could impact business operations was nil. Previous pandemics such as H1N1 and the Avian Flu did not significantly disrupt business operations; in fact, often it seemed that the most impact they had for businesses was for regulators to require a pandemic response plan. Of course, COVID-19 put to rest any doubt that a pandemic could severely disrupt business operations.

Table-top exercises, as noted before, can expose gaps in information security programs. The COVID-19 pandemic resulted in a sudden shift of a large percentage of the global workforce to working from home. It is fortunate that we have created the infrastructure to support video conferencing on such a grand scale; such likely wouldn’t have been possible as recently as ten years earlier, given the technology and infrastructure of that day. Yet the sudden shift resulted in serious, immediate information security concerns such as how to allow for secure network access and paper document disposal.

The vCISO Services clients who participated in the pandemic table-top exercise were much better prepared for the sudden shift to working from home. In fact, each of those clients now see BCP-TTX in a different light. It may be a stretch to say that they eagerly anticipate the annual BCP-TTX, but they certainly have learned the business value of them.

In the next post, we’ll look at the second element of the Resilience Triad, Disaster Recovery. vCISO Services can help with all aspects of creating and maintaining a Resilience Triad program.

This post is an excerpt from the upcoming third edition of Information Security for Small and Midsized Businesses

Photo by Jason Goodman on Unsplash

[1] As far as I know, and as of the writing of the updated edition of Information Security for Small and Midsized Businesses, I am not aware of a descriptor to encompass all three, yet I needed one for purposes of explaining this section. Thus, I made this term up. Perhaps it will stick and serve as a small cybersecurity nomenclature contribution.