Hello, and welcome back to this next TomCast from GuardSight, an Iron Bow Technologies company; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Ok, over the past couple of TomCasts we have discussed disaster recovery and business impact analysis. We’re going to tie these parts of organizational resilience together today with the business continuity plan. What is a business continuity plan? Well, just how it sounds. It is a plan to ensure the business continues to function in case of an adverse event.
Many get confused over what a business continuity plan encompasses. Every division or department typically believes that what it does is the most important, so conflict can emerge when deciding which areas within the business are focused on first. This is why the business impact analysis, discussed during the last TomCast, is vital. To rehash, the business impact analysis determines the critical business objectives necessary for the business to function, and the organization then builds the business continuity plan around those objectives.
Also, it is important to understand that business continuity and disaster recovery are not the same topic. While disaster recovery can be included within the overall business continuity plan, recovering from a disaster and meeting recovery time and point objectives are not the main focus of the overall continuity plan. Continuous business is the focus of a business continuity plan. How can a business continue to operate regardless of the events surrounding it?
This is also not a check-the-box type of compliance item. While some organizations are required by regulation to have a business continuity plan, many draft some pseudo-relevant document to say “we have one”, then file it away and move on to the next topic. Business continuity plans are not only fluid documents, or documents that constantly change and update with the business, they are documents that require routine testing and validation.
Like many emergency-level activities, ensuring that teams are prepared to take action when the necessity arises is vital to the success of the business continuity plan. Imagine if the fire department did not train their staff and an emergency occurred. Would the firefighters or emergency response personnel know what to do? More than likely not, and it would result in chaos. The same goes for your organizational plan.
Once the plan has been composed, identify the necessary personnel within the business who will be the points of contact for the continuity plan. These are the ones who will help carry out the overall plan from their various divisions or departments. Once those personnel have been identified (and they agree to be a part of the continuity plan), schedule a table-top exercise to validate the plan. This can be a simulation of a physical site disaster event, a health-related event, or any event that would normally cause some type of business disruption.
During the exercise, ensure that the plan is tested section by section for validity. Again, since this is a fluid document, if a section does not function as it was written, determine what the actions would be in order for successful function, and update the continuity plan with that information. This will ensure that the plan does, in fact, work and will help ensure successful business continuity.
Also, at a minimum the plan should be tested annually. Twice a year or even quarterly (depending on business function and priority) is preferable. Again, this helps the entire business understand that the plan works as designed. All levels of the organization should be involved in some capacity. From the stakeholders to the employees, everyone should understand what the plan is for, where the plan resides, and should have good working knowledge of the plan overall.
If you happen to be in an organization that constantly questions the return on investment surrounding the composition, testing, and validation of a business continuity plan, then the first response or discussion should surround how long the business can be completely shut down before revenue is lost, and before the business can no longer recover. While adverse events may not occur often enough for organizational leadership to place priority on a continuity plan, another discussion point is that it is more beneficial to have a well-tested plan and not need it than to experience an adverse business disruption and not have one.
The professionals at Iron Bow and GuardSight know all too well the benefits of having a business continuity plan, and they have witnessed firsthand organizations that did not have plans when disasters occurred. If you have questions about business continuity, reach out to folks at either Iron Bow or GuardSight. They would be more than happy to help you understand the benefits of the plan, how to compose a plan, and how to accurately test the plan.
We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight or Iron Bow can do for you, head on over to www.guardsight.com or www.ironbow.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!