Four-Step Planning Process for Your Business Continuity Plan
Conduct a threat assessment. It can help identify the nature and likelihood of an event. According to Verizon’s annual Data Breach Investigations Report (DBIR), malware, phishing and misuse of credentials are major vulnerabilities.¹ Other events may involve unintentional actions such as an employee emailing a wrong file, sending it to the wrong person or misplacing a laptop or other electronic device that contains sensitive information.
Your plan should include ways to mitigate the impact of losses caused by these accidental or intentional acts or technological failures. It should also take into account weather-related or natural disasters, including tornados, hurricanes or earthquakes. Power outages and power grid failures also should be considered.
Business Critical Impact Analysis
Conduct a business impact analysis. It will help you identify and prioritize the business functions that are most critical to keeping your operations running. This analysis can help ensure your business can be restored quickly. Here are a few reasons:
- Your data inventory and classification process can help identify the critical data that must be maintained to continue acceptable levels of operation.
- Having a network inventory can help identify the critical hardware, software and firmware needed to continue to provide goods and/or services.
- Determining the maximum time frame before an interruption can cause significant impact to your business can help you prioritize the areas that need to be addressed first.
Prevention and Mitigation Strategies
Include a comprehensive backup strategy for critical data, hardware, software and firmware. Other non-critical functions can generally be restored and returned to normal operations over time without interrupting your business.
Be sure to specify in your plan who is responsible for creating backups, where the backups are stored, and who has access to the backups. All backups should be stored at a remote location that cannot be impacted by the same event. The area should be secure with restricted access. You also can use third parties to store your backups. When you set up a contract with a third party, specify the level of security required, and the time frame they have to deliver your backups. You should fully document these procedures, and keep them up to date.
Key backup considerations should include:
- Electronic data should be automatically backed up on at least a weekly basis. Consider backing up data more frequently for systems storing critical information.
- Back up proprietary or in-house built software and applications off-site so they can be readily reloaded into replacement equipment.
- A protected authoritative copy of your organization’s web content should be maintained in a safe location.
Testing, Practice and Continuous Improvement
Routinely test your plan so you can evaluate its effectiveness. Key employees and third parties should be familiar with the backup and restoration processes. They should periodically conduct sample tests of the system backups to verify that the operating system, applications and data from the backup can be restored.