Business continuity and disaster recovery planning: The basics

Good business continuity plans will keep your company up and running through interruptions of any kind: power failures, IT system crashes, natural disasters, supply chain problems and more

1 2 Page 2
Page 2 of 2

It bears repeating: Information systems are certainly central to today's business operations. However, an IT-only BCDR plan is hardly a plan at all. The same holds true for a facilities-only plan. Understanding the full array of assets, people, systems, and processes that make your business run is the key to success.

More and more organizations are creating Enterprise Risk Management departments or programs, and that is a natural fit for business continuity efforts.

Can we outsource our contingency measures?

Disaster recovery services—offsite data storage, mobile phone units, remote workstations and the like-are often outsourced, simply because it makes more sense than purchasing extra equipment or space that may never be used. In the days after the Sept. 11 attacks, disaster recovery vendors restored systems and provided temporary office space, complete with telephones and Internet access for dozens of displaced companies.

How do you convince the CEO or the board of the need for disaster recovery plans and capabilities?

Hager advised chief security officers to address the need for disaster recovery through analysis and documentation of the potential financial losses. Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that may lead to a successful recovery. Remember: Disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can demonstrate how much risk they are taking."

Hager also says that smaller companies have more (and cheaper) options for disaster recovery than bigger ones. For example, the data can be taken home at night. That's certainly a low-cost way to do offsite backup.

Some of this sounds like overkill for my company. Isn't it a bit much?

The elaborate machinations that USAA went through in developing and testing its contingency plans might strike the average CSO (or CEO, anyway) as being over the top. And for some businesses, that's absolutely true. After all, HazMat training and an evacuation plan for 20,000 employees is not a necessity for every company.

Like many security issues, continuity planning comes down to basic risk management: How much risk can your company tolerate, and how much is it willing to spend to mitigate various risks?

In planning for the unexpected, companies have to weigh the risk versus the cost of creating such a contingency plan. That's a trade-off that Pete Hugdahl, USAA's assistant vice president of security, frequently confronts. "It gets really difficult when the cost factor comes into play," he said. "Are we going to spend $100,000 to fence in the property? How do we know if it's worth it?"

And—make no mistake—there is no absolute answer. Whether you spend the money or accept the risk is an executive decision, and it should be an informed decision. Half-hearted disaster recovery planning (in light of the BP oil spill of 2010, the 2005 hurricane season, 9/11, the Northeast blackout of 2003, and so on) is a failure to perform due diligence.

This document was compiled from articles published in CSO magazine and CSOonline.com. Contributing writers include Joan Goodchild, Bill Brenner, Scott Berinato, Kate Walsh, Kathleen Carr, Daintry Duffy, Michael Goldberg, and Sarah Scalet.

What else can I do?

Cloud services company Evolve IP has created a list of suggestions for executives to evaluate their current disaster avoidance plans or, should a plan not exist, provide directional measures to protect their information and communications systems.

Establish a disaster recovery functional team

Elect one spokesperson from the group for communication. In the event of a multi-location organization each location should have a core team or representative that works with the corporate entity.

Risk assessment

Identify risks in the following areas:

Information – What information and information systems are most vital to continue to run the business at an acceptable level?

Communication Infrastructure – What communications (email, toll free lines, call centers, VPNs, Terminal Services) are most vital to continue to run the business at an acceptable level?

Access and Authorization – Who needs to access the above systems and in what secure manner (VPN, SSL, DR Site) in the event of a disaster?

Physical Work Environment – What is necessary to conduct business in an emergency should the affected location not be available?

Internal and External Communication – Who do we need to contact in the event of an emergency and with what information?

Cloud-based data centers and applications

Create a written recovery plan that is hosted remotely in a secure and redundant data center. Schedule and test your plan at least once per year or in accordance with regulatory/compliance requirements. Ensure employees can access the hosted environment (both from within the business confines and remotely) during fail-over mode from the designated locations.

1 2 Page 2
Page 2 of 2
New! Download the State of Cybercrime 2017 report