The terms Business Continuity (BC) and Disaster Recovery (DR) have often been used interchangeably. DR usually involves recovering data and software systems in a timely manner to save the business. The concept of disaster recovery with initial focus on natural disasters, in recent times has evolved to a more holistic concept of Business Continuity. We define BC as:
“Measures that make a business more resilient and fault-tolerant so that it is able to withstand both large and small shocks while continuing its operations in a normal manner and keeping its digital assets protected”
The shocks can come as a result of large natural disasters such as earthquake, localized events such as flooding, server crash, etc., or a cybersecurity breach such as ransomware attack. While it is impossible to describe in detail how to construct a robust business continuity plan, in this edition we briefly discuss six (6) essential components of a business continuity plan.
6 Essential Components of a Business Continuity Plan:
- Emergency Team: The plan must specify an org chart identifying team members with clear responsibilities that include: a) Team Lead, b) Location Coordinator, c) Local Restoration Team Leader, d) Incident Response and e) Technical Team Lead. Each Team member must know what his/her responsibilities are during emergency.
- Incident Response (IR): Although usually as IR is separate standalone document, it should be referenced and treated as a sub-document of the BC. IR is usually a playbook on how to deal with different types of incidences for the firm and describes the steps for dealing with different scenarios.
- Business Systems: The section should identify all systems, both software and hardware (servers, storage, PCs, etc.) such as emails, CRM, ERP, file servers, eCommerce sites etc. that business relies on. Additionally, each system should be classified as either mission critical or non-mission critical. This would help management team decide on the backup and recover plan for those systems in a cost-effective manner.
- Backup and Recovery Plan: This section must be thought out very carefully. It should describe in adequate detail how each of the above systems are being backed up, including backup software involved, local backup and cloud backup information (destination, frequency, etc.), scope of backup (data, image, etc.), RPO (recovery point objective), RTO (recovery time objective), and whether fail-over (local/cloud) is available and how to per(especially for mission critical systems). The recovery part of this section should describe step by step for each system, how to perform recovery.
- Network Topology: No BC or DR is complete without a detailed network diagram. The network diagram should identify all major components of a business network including routers, firewalls, switches, printers, storage devices, servers and which systems they run. The network topology should identify all IP addresses, both public and private, which should be necessary to reconfigure as a part of restoration.
- Disaster Recovery Drill: To assess how robust and practical plan is, it must be put to regular test. This section should describe how often DR drill must be performed, it’s scope, and how the results must be captured and validated, especially against RTO and RPO parameters. We recommend DR drills at least twice a year, if not quarterly