[Posted on behalf of Dennis Leber Cybersecurity Executive | CISO | Board Member | Educator | Speaker | Author ]
Business Continuity Planning (BCP) goes beyond Cybersecurity; however, cyber security leaders are often looked at to implement, lead, and design the BCP program.
BCP is the plan implemented when a disaster occurs. These disasters span natural disasters, cyber attacks, or simple power outages. Simply; the question is, how do you keep the business running? That could mean utilizing pen and paper processes until normal operations are restored.
The goal of the BCP is to identify these risks to your organization then minimize, and prepare responses to these events. The formal process that initiates the BCP is called a Business Impact Analysis (BIA). The BIA is an exercise that guides you through determining the impact (financial & operational) if these risks occur. The BIA; dependent on how involved or mature your BIA is, provides your Recovery time objectives (RTOs), Recovery point objectives (RPOs), work time recovery (WRT), and maximum tolerable downtime (MTD).
Good article here on RTO, RPO, WRT, and MTD HERE
Different BIAs from simple to complex SIMPLE , INVOLVED , COMPLEX/MATURE
This process also provides insight to designing your systems and data backups, as well as other relatable information that can be utilized in different exercises such as data classification, and security planning. The BIA contributes to these items but we must remember the BIA is solely for your BCP.
For a simple BIA process:
Identify the risks (scenarios) that can stop your business
Identify all the systems, processes, people, and locations that each scenario impacts
Create plans (checklists, playbooks, teams) that allow business to continue as you work to recover back to normal
Test these, desktop test are a start; but grow to actually test - borrowing from my Military leadership days; train the same way you are going to fight
Learn, adapt, and improve upon the plan after testing and/or real life situations
This is not a part time job, and it is a living/breathing process and plan - allocate resources to this like your business depends on it - it very well may at some point.
Comments