One of the more critical aspects of organizational risk management is that of Business Continuity. Many organizations overlook the importance of developing and instituting a Business Continuity Plan (BCP).
To be clear, business continuity planning is not an information technology, information security or information risk management process. It is an executive-led, organizational business process. However, one of the best definitions of the process comes from the National Institute of Standards and Technology (NIST), Special Publication (SP) 800-39 “Managing Information Security Risk”, which states
“An important part of achieving risk-aware processes is the understanding of senior leaders/executives of: (i) the types of threat sources and threat events that can adversely affect the ability of organizations to successfully execute their missions/business functions); (ii) the potential adverse impacts/consequences on organizational operations and assets, individuals, other organizations, or the Nation if the confidentiality, integrity, or availability of information or information systems used in a mission/business process is compromised; and (iii) the likely resilience to such a compromise that can be achieved with a given mission/business process definition, applying realistic expectations for the resilience of information technology.”
Put simply, ensure your business and business processes are resilient enough to weather a significant threat event without having to put up a sign that says, “Closed for Business”.
The COVID-19 pandemic has shined a light on the need for crisis planning and a BCP. While it may well be impossible to plan for a specific event, it is important to have a strategy documented that allows for alternate work locations, data back-up, logistics and supply chain management.
A BCP is necessary to ensure a business can effectively operate during a crisis. Sometimes, this is called crisis planning and it is closely aligned with emergency management and disaster recovery. A BCP is a strategic business plan and defines various threat sources, threat events and threat scenarios that have been risk assessed and present an unacceptable risk to the organization. A pandemic is an example of a threat event which should have a corollary set of actions defined in a BCP to execute when one is declared. This is a call-to-action and does not define the processes necessary to establish a comprehensive BCP. A good primer on business continuity planning is NIST SP 800-34 “Contingency Planning Guide for Federal Information Systems”1
The size of a business is irrelevant to the need to develop, document, test and update a BCP. Small businesses have less margin for error during a crisis and without a BCP, they may very well fail during a crisis or event. This has been publicized in the healthcare industry where physician practices have elected to shutter their doors after a ransomware attack because they had no data back-up and could not recover from the attack.
Types of threat events to consider in a BCP include: floods, tornadoes, earthquakes, pandemics, electrical outages, ransomware attacks, fire, HVAC failure, terrorism, vandalism, and theft. This is not an all-inclusive list and developing a BCP is not an insignificant effort but is well worth the investment. For regulated businesses, this may not be optional so don’t just “check the box”, do it right.
If you don’t have a BCP or think it is time to apply some recent lessons learned, then here are some key considerations to assist you during the COVID-19 pandemic:
- Don’t lose what you learned.
- Take advantage of the processes and procedures you defined and applied to establish or update your BCP.
- Document as you go.
- This is an opportunity to assess what processes you used and use them as a starting point or to update your BCP.
- Evaluate and update remote security processes
- Ensure you evaluate the administrative, technical and physical security processes to ensure the continuity of the business when work-from-home (WFH) or modified on-premise strategies are leveraged.
- Identify capacity and logistic log-jams in the business supply chain
- Assess remote access capacity for VPN and other security appliances
- Evaluate whether all WFH personnel have access to corporate IT resources (e.g., laptops, mobile devices, etc.)
- Continued availability of critical business applications
- Ensure IT and application business owners can maintain the security and availability of the critical business systems
- Identify gaps for incorporation into a BCP
Given that many, if not, all organizations have had to execute a BCP during the COVID-19 pandemic even if it wasn’t documented, tested, or trained you will have learned a lot. Make sure to conduct a periodic “Hot Wash” meeting to discuss what is working and what isn’t. Use what you have learned and make it a baseline for a defined BCP or use it to update your existing BCP.