Organizations are vulnerable to a variety of natural and man-made emergencies, disasters, and hazards. Recognizing that not all events can be prevented and some risks may be deemed acceptable, proper planning is essential to maintain or restore services when an unexpected or unavoidable event disrupts normal operations. Business continuity planning includes the identification of vulnerabilities, priorities, dependencies, and measures for developing plans to facilitate continuity and recovery before, during, and after such a disruption. Comprehensive business continuity plans are designed and implemented to ensure continuity of operations under abnormal conditions. Plans promote the readiness of organizations for rapid recovery in the face of adverse events or conditions, minimize the impact of such circumstances, and provide means to facilitate functioning during and after emergencies. The development process is usually based on a single framework, and involves key individuals in the functional areas. Plans are based on a risk assessment and business impact analysis and include a process for regular maintenance, including training, testing/drills, and updates. In addition, information security and privacy should be integrated within plans. Examples of Incidents that Activate Business Continuity Plans
- A fire in a building with critical resources would prohibit normal functioning in a localized facility.
- An electrical power loss may cover an extended time period. The organization may experience an extended power loss during and after a snow/ice storm, Super Storm Sandy, and the numerous blizzards/ice storms/fires/floods.
- Floods, massive fires, blizzards, tornadoes, hurricanes, tsunamis, earthquakes, pandemics, ice storms, or mudslides that results in evacuations and inaccessibility to critical resources.
- Criminal activity or terrorist incident may impact a wide geographic area for an extended period of time.
- A pandemic, nuclear, chemical, or biological incident may limit the mobility and accessibility of individuals for extended time periods.
Measures must be taken to ensure the integrity, security, accuracy, and privacy of all systems and data. Such measures include adherence to all governmental regulations and directives. As major disasters have brought acute awareness to the organization, the management recognizes the need for extensive planning and coordination to assure preparedness by developing, testing, and refining plans to handle all types of disruptions to normal services. Use the following steps to get started with a business continuity plan.
1. Obtain commitment and authority from Organization Leadership. High-level support is essential for building the cross-functional teams that are needed to prepare and deploy the plan.
2. Establish a planning team for each business unit.
3. Perform a risk assessment in each unit.
4. Identify critical resources:
a. People – Identify all support staff, and establish a chain of succession for key personnel.
b. Places – Identify key buildings, and plan alternate locations for workers and equipment.
c. Systems – Perform a business impact analysis to prioritize systems in terms of criticality.
d. Other – Identify other critical assets required for normal business operations.
5. Determine continuity and recovery strategies within each unit.
6. Train students, faculty, and staff on what to do in case of a disaster.
7. Test, test, test! Test system recovery procedures. Generate scenarios and simulate them with tabletop exercises.
8. Create a communication plan.
9. Review the business continuity plan annually.
A well-prepared organization should develop a plan addressing all key services and their administration, delivery, and support. The Organization should be considering or embarking on the development of a plan, including commitments, procedures, technologies, resources, methodologies, and communications essential to planning development, support, and deployment.
The organization should plan how to maintain information security at an appropriate level during disruption.
To protect information and other associated assets during disruption.
ISO 27001 Implementation Guidance
The organization should determine its requirements for adapting information security controls during disruption. Information security requirements should be included in the business continuity management processes. Plans should be developed, implemented, tested, reviewed and evaluated to maintain or restore the security of information of critical business processes following interruption or failure. Security of information should be restored at the required level and in the required time frames. The organization should implement and maintain:
a) information security controls, supporting systems and tools within business continuity and ICT continuity plans;
b) processes to maintain existing information security controls during disruption;
c) compensating controls for information security controls that cannot be maintained during disruption.
In the context of business continuity and ICT continuity planning, it can be necessary to adapt the information security requirements depending on the type of disruption, compared to normal operational conditions. As part of the business impact analysis and risk assessment performed within business continuity management, the consequences of loss of confidentiality and integrity of information should be considered and prioritized in addition to the need for maintaining availability. Information on business continuity management systems can be found in ISO 22301 and ISO 22313. Further guidance on business impact analysis (BIA) can be found in ISO/TS 22317.
The objective of this control is Information security continuity should be embedded in the organization’s business continuity management systems.The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. An organization should determine whether the continuity of information security is captured within the business continuity management process or within the disaster recovery management process. Information security requirements should be determined when planning for business continuity and disaster recovery. In the absence of formal business continuity and disaster recovery planning, information security management should assume that information security requirements remain the same in adverse situations, compared to normal operational conditions. Alternatively, an organization could perform a business impact analysis for information security aspects to determine the information security requirements applicable to adverse situations.In order to reduce the time and effort of an ‘additional’ business impact analysis for information security, it is recommended to capture information security aspects within the normal business continuity management or disaster recovery management business impact analysis. This implies that the information security continuity requirements are explicitly formulated in the business continuity management or disaster recovery management processes.
The organization should establish, document, implement and maintain processes, procedures, and controls to ensure the required level of continuity for information security during an adverse situation. An organization should ensure that:
- an adequate management structure is in place to prepare for, mitigate and respond to a disruptive event using personnel with the necessary authority, experience and competence;
- incident response personnel with the necessary responsibility, authority, and competence to manage an incident and maintain information security are nominated;
- documented plans, response, and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event and will maintain its information security to a predetermined level, based on management-approved information security continuity objectives.
According to the information security continuity requirements, the organization should establish, document, implement and maintain:
- information security controls within business continuity or disaster recovery processes, procedures, and supporting systems and tools;
- processes, procedures and implement changes to maintain existing information security controls during an adverse situation;
- compensating controls for information security controls that cannot be maintained during an adverse situation.
Within the context of business continuity or disaster recovery, specific processes and procedures may have been defined. Information that is handled within these processes and procedures or within dedicated information systems to support them should be protected. Therefore an organization should involve information security specialists when establishing, implementing, and maintaining business continuity or disaster recovery processes and procedures. Information security controls that have been implemented should continue to operate during an adverse situation. If security controls are not able to continue to secure information, other controls should be established, implemented, and maintained to maintain an acceptable level of information security.
The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. Organizational, technical, procedural, and process changes, whether in an operational or continuity context, can lead to changes in information security continuity requirements. In such cases, the continuity of processes, procedures, and controls for information security should be reviewed against these changed requirements. Organizations should verify their information security management continuity by:
- exercising and testing the functionality of information security continuity processes, procedures, and controls to ensure that they are consistent with the information security continuity objectives;
- exercising and testing the knowledge and routine to operate information security continuity processes, procedures, and controls to ensure that their performance is consistent with the information security continuity objectives;
- reviewing the validity and effectiveness of information security continuity measures when information systems, information security processes, procedures, and controls or business continuity management/disaster recovery management processes and solutions change.
The verification of information security continuity controls is different from general information security testing and verification and should be performed outside the testing of changes. If possible, it is preferable to integrate verification of information security continuity controls with the organization’s business continuity or disaster recovery tests.
The organization must determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. The best ISMS will already have broader Annex A controls that mitigate against a need to implement a disaster recovery process or business continuity plan . Despite that effort, more significant disruptive incidents may still happen so planning for them is important. What happens when a major data center with your information and applications in it becomes unavailable? What happens when a major data breach occurs, a ransomware attack is made or a key person in the business is out of action, or perhaps Head Office suffers major flooding? Having considered the various events and scenarios that need to be planned for, the organization can then document the plan in whatever detail is required to demonstrate it understands those issues and the steps required to address them.The organization needs to establish, document, implement and maintain processes, procedures, and controls to ensure the required level of continuity for information security during a disruptive situation. Once requirements have been identified, the organization must implement policies, procedures, and other physical or technical controls that are adequate and proportionate in order to meet those requirements. Description of the responsibilities, activities, owners, timescales, mitigating work to be undertaken (beyond risks and policies already in operation e.g. crisis communications). A management structure and relevant escalation trigger points should be identified to ensure that if and when an event increases in severity the relevant escalation to the appropriate authority is made effectively and in a timely manner. It should also be made clear when there is a return to business as usual and any BCP processes stop.The organization must verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during these situations. The controls implemented for information security continuity must be tested, reviewed, and evaluated periodically to ensure they are maintained against changes in the business, technologies, and risk levels. The auditor will want to see that there is evidence of; Periodic testing of plans and controls; Logs of plan invocations and the actions taken through to resolution and lessons learned, and Periodic review and change management to ensure that plans are maintained against change.
Business Continuity Plans are an integral part of all organized Information Security activities. The plans are a well-reasoned, step-by-step approach to determine how, when, where, who, and what will be needed should a disruption of normal operations occur. Recent history has demonstrated that plans are a necessity regardless of the size, location, or mission of an organization. And the plan must address the continuity of security and privacy under less than ideal circumstances. Below are some references to further describe the intent of such plans.
Planning Information Security Continuity
Information security must be an integral part of all organizational policies, procedures, and practices. Information security should also be an integral element of a business continuity management system. Business continuity plans must recognize the need to strictly adhere to organizational security and privacy policies and regulations, even while the organization is functioning during extraordinary conditions. Good business continuity plans should be built in accordance with strong organizational security and privacy policies as well as state and federal regulations. This will allow important security and privacy practices to continue to be practiced, even during and after a disruptive event. Such practices should be elements of all planning, implementation, testing, and evaluation efforts.
Organization Commitment: Obtain commitment and authority from Organization leadership
A plan should begin with an organization-wide commitment to develop, staff, and support efforts that will be activated when circumstances clearly indicate that business has been or will be disrupted for more than a brief or acceptable time. A plan is not intended to address routine disruptions such as planned or routine maintenance. On the contrary, well-developed and tested plans are essential during and after catastrophic events that preclude the resumption of normal business functioning within well-defined time frames. Begin the planning process by obtaining the buy-in from the executive level of the organization. This high-level mandate establishes the ability, authority, and support to build the cross-functional teams needed for the preparation and the deployment of the plan, facilities and resources, necessary redundancy of services and resources, and commitment from units for ongoing participation. Organizational support for business continuity should include funding for plan development, staffing, training, testing, updating, deployment, and transitioning to normal operations. Note that a business continuity plan is not just a technology plan. It is not just what to do about unavailable IT resources. It is a much broader view of the functions and information resources of the organizations. IT resources are a necessary part, but not a sufficient part. People are the most important element. Commitment, leadership, preparation, and practice are key factors of a business continuity plan. Business continuity can be viewed as an added expense at a time when funding is limited. It is important to realize that having a business continuity plan is a critical function that needs continuous funding. However, even if your organization determines that it cannot afford to support a full plan for everything that is needed, it is important to develop and have a plan in place. Developing a plan forces priorities to be identified and implemented and identifies which risks are acceptable and which must be addressed. And when possible, additional components of a plan should be implemented. Some plan is better than no plan at all. Many Organizations has No Strategic Plans for Disaster Recovery. Data reveal that a large number of organizations do not have strategic plans for disaster recovery. Just under 10% of the organization participating in the fall 2015 survey report a strategic plan for IT disaster recovery. Some sectors have shown only small increases in the percentage of the organization reporting a strategic plan for IT disaster planning between 2008 and 2015.
Framework and Planning Cycle
Having a framework assures a defined structure for the planning process, the development of a plan, priorities, and dependencies within a plan, testing of a plan, procedures for maintaining and updating the plan, and responsibilities of individuals and units before, during, and after the activation of a business continuity plan. Choose a framework to be used as the basis for the plan.
- Create the plan
- Train the participants
- Perform drills
- Do post mortems on the drills
- Review the plan
- Revise the plan
Who Should be Involved and in What Role – Establish a planning team for each business unit
At its core, business continuity management is a well-coordinated, well-tested, cross-functional effort. Representatives from each functional area or business unit are responsible for the identification, prioritization, documentation, and updating of their aspects of the plans, covered services, and facilities. Remember to include academic and their support areas in the list of units to be included. Members of a business continuity team are responsible for the compilation and integration of all input from each functional area into the overall plan. Team coordinators are responsible for the overall coordination of the plan, its deployment, and its refinement. They must be good, dependable managers with strong leadership and problem-solving skills, capable of keeping the effort organized according to procedures, yet able to be creative when things don’t go as planned.
Scope of the Plan
A Business Continuity Plan cannot be unlimited in scope, so it’s important to define the comprehensiveness of the plan: whether it covers contingencies for all major potential threats (severe weather events, terrorist threats, fire, shooter, cyber-attacks, pandemic) or a subset of these disruptions. Define whether the plan covers the entire organization, parts of the location, or multiple locations. Define what critical functions are covered as part of the plan and what activities are not essential. Define the time scope of the plan – does it plan for a disruption that lasts hours, days, or weeks? The Business Impact Analysis should heavily inform the plan’s scope. Defining the scope does not negate the concept that BCP should broadly account for any business disruption. It’s a practical measure acknowledging that the continuity planning process is impacted by budgetary restraints.
Business Continuity and Risk Management – Perform a risk assessment in each unit
It is important to determine the impact of risks on the functioning of the organization under normal operating conditions as well as under the extraordinary conditions during which a business continuity plan will be activated. Risk Management is an activity directed towards the assessing, mitigating, and monitoring of risks to an organization. In Business Continuity Management, it is important to determine what activities are vulnerable under what conditions, what measures should be taken to reduce risk and at what cost, what risks are acceptable, and what measures should be taken to facilitate functioning during and immediately after incidents that disrupt normal operations of the organization.
Business Impact Analysis – Identify Critical Resources
A Business Impact Analysis (BIA) identifies the organization’s critical services and resources and the maximum tolerable downtime (MTD) for these critical services. The BIA must identify vulnerabilities, threats, and risks and prioritize the order of events for the restoration of key business processes. The BIA is distinguished from Risk Assessment in that it defines the window of time available to restore services. First determine the organization’s key functions and resources that must be continuously available, during and immediately after major disruptive events. Business units must identify their key resources, prioritize them, and assess the risks to determine how long these key resources can be unavailable and factors that impact that duration. Each unit must perform a risk assessment to identify measures to be taken to reduce risks as well as identify acceptable risks where the cost of mitigation is higher than the cost of the consequence. Each unit must also assess the priority of resources and services. This prioritization should be identified by the unit itself. Alternate resources may be identified for use should the primary resources become unavailable or inaccessible. The results of the business impact analysis are input to the development of the business continuity plan.
All required information pertaining to the plan, key resources, facilities, management structure, priorities/dependencies, documentation, and personnel should be kept in secure locations which can be physical, virtual, or cloud-based. This information should also be made available to key personnel who will be responsible for coordinating continuity efforts during and after the incident or event. Operational information will assist those directly working to keep/restore functions. Individuals most familiar with applications may not be able to respond. Documentation will assist others in performing the required tasks. Emergency templates for all functions included in the plan should include a summary of business impact analysis data, required resources (hardware, software, data) for the application to run, dependencies on other applications and resources, vendor contacts, people who should be kept apprised of the status of the recovery, and the list of key individuals and how to reach them.
The inability to contact key team members can hamper the most well-designed plan. Contact information must include all means for reaching people at all times. This list must include alternate people should a key individual be unavailable or unreachable. Contact information must be kept current at all times and include alternative means such as home and cell phone numbers, alternate email addresses, and social networking, text, and Twitter contact information.
Checklists should be created to document the inventory of everything kept in designated physical, remote, virtual, and/or cloud locations for coordinating efforts – contact information, documentation, resources/systems, backup power, communications equipment, food, water, vendor contacts, etc.
Keep Track of Activities
While testing a plan or during an actual deployment, remember to keep track of who is doing what. This can be done via conference calls, texting, alternative websites, and actual staff reporting in to track all activities as well as make sure that people are safe and getting sufficient food, water, and rest. Communication may be difficult, but it is essential. Not everything will work as scripted, and communicating with other team members may help solve the unexpected or undocumented.
People are the key elements of the plan. Being able to communicate during a crisis may not be easy due to loss or overloading of infrastructure. Continuity plan leaders or coordinators should be good leaders and managers, capable of keeping the effort organized according to procedures, yet able to be creative when things don’t go as planned. Have at least two people scheduled at all times as team coordinators for the continuity effort. Never have a single point of failure! Someone may not be available at a critical time. Team coordinators should be involved in the monthly assessment of the resources and facilities. Establish a substitution procedure for team coordinators should one be unavailable due to schedule conflicts, illness, or vacations. Substitution should be communicated carefully to avoid confusion. Because people are key, it is important to care for their needs as the organization is heavily dependent on their skills and ability to perform. Be cognizant of their needs for food, water, and rest as well as their ability to communicate with their families. Support them as they help the organization get through the crisis.
Being able to communicate during a crisis is essential. Stakeholders such as Employees, Customers, and Vendors need to know what is happening as well as what they can/cannot do. Relatives of employees want to know about the safety of individuals in the organization. Employees involved in continuity need to know how, when, and where they should report. Continuity plan personnel need to communicate with campus executives on the status of services and resources. Everyone needs to know what they should/should not do and when circumstances are expected to change. Determine alternative means for communication. “Normal” communication means and data feeds for supplying such information such as phone numbers may not be available. Plans should include alternative technologies for communicating and the availability of key data. Social networking sites should be considered as an alternative means of communication, but not necessarily as a primary method. Power losses (regardless of cause) may result in disruption of services – cell towers, Internet access, and the campus network. Other failures have equally disruptive consequences. During 9/11 in New York City, dial tone was lost, cell service was spotty and overloaded, and most internet access was disrupted due to the loss of the carriers. No services were maintained during Hurricane Katrina. Super Storm Sandy presented major disruptions to infrastructure (electricity, natural gas, communications, roads), routine and emergency services, life/safety services, housing, deliveries (food/water/fuel), and facilities. Many of its impacts are still being experienced today. Identify alternative means (cell phone, text, email, etc.) for contacting individuals needed to manage the process and to provide continuity services. Consider digital signage, landlines, or speakers in locations where cell signals are weak/unavailable, CATV, text messaging, social media, and new technologies as they proliferate in the classroom, residential, administrative, and service buildings. People need to know what the emergency is, how to react, and what to expect in order to prevent a bad situation from becoming worse. No information, or worse, bad information can transition a bad situation into a crisis. Emergency responders must be contacted, know if/when they are needed, what roles they will play, and where you want them to perform tasks. Remember, people are the key component to business continuity, and communication with and among them is absolutely necessary. Communication is also a life/safety concern for the community, not just for first responders. Timely consistent communications are essential before, during, or after natural disasters, weather/natural disasters, lockdowns, and any event that impacts the life/safety of individuals and the availability of services and facilities. It is also important to be able to determine who is ok after an incident. A preset, known means for communication is essential. The Common Alerting Protocol provides a means for the dissemination of consistent information via a multitude of technologies. As more systems are built or upgraded to CAP, a single alert can trigger a wide variety of public warning systems, increasing the likelihood that intended recipients receive the alert by one or more communication pathways. CAP provides the capability to include rich content, such as photographs, maps, streaming video, and more as well as the ability to geographically-target alerts to a defined warning area, limited only by the capacity of the delivery system used. Because CAP provides the capability to incorporate both text and equivalent audio, CAP alerts can better serve the needs of hearing or visually impaired persons. Details about CAP, its implementation, terminology, elements, messaging, standards, and implementations can be seen at the above web address. Its intent is to support a means for disseminating consistent, timely messages via multiple technologies to reach as many people as possible. In summary, communications should involve a suite of products/technologies, be activated for life/safety reasons, and must quickly reach as many people as possible.
Training, Maintaining, and Re-assessing Business Continuity Plans
Business continuity plans must include managed, organized procedures for the development of procedures to assure the continuity of operations under extraordinary circumstances including the maintenance of measures to assure the privacy and security of its information resources. It includes training individuals with responsibilities for the plan’s implementation, having regular reviews and updates to keep the plan correct, and testing the plan to evaluate its feasibility, thoroughness, and effectiveness even under the most unusual of circumstances while maintaining the privacy and security of its information resources. Training of all plan coordinators and key personnel should take place at least once a year. Training should include:
The process, expectations of individuals, applications and resources, priorities, contact information and methods, procedures, documentation, facilities, and schedules. At least once a year a drill should be conducted. This can be a table-top exercise or a “live” test. At the conclusion of the drill, a review of responses and actions should be completed to determine the next steps such as modifications to the plan, additional training, and further testing. In addition to drills to test the plan, its components/procedures, and its people, it is critical to test all methods of emergency communication with members of the organizations. Organizations should have multiple methods for contacting members in the event of an emergency or urgent change in regular functions. Everyone (Employees, Customers, contractors, and suppliers) should be enrolled in an emergency communication alert list, including all cell phones which would likely be used for text messages. Data collected should not be limited to campus supplied phones and email addresses. All information collected will only be used in the event of an emergency and should not be shared outside the organization. Everyone should be prompted at least semi-annually to review/update their data. Drills should be scheduled at least quarterly to test this emergency alert system. Events in the last year can demonstrate the necessity for such emergency alert systems using personal communication devices as well as other technologies.
Document and Review Activities – Review the business continuity plan annually
Business Continuity plans are living documents that must change and evolve to reflect organizational changes. To be effective, plans must be continually revised and improved to be in alignment with the current environment. A review should be conducted annually (or more frequently) to document all organizational changes that will impact the plan including:
- Information gleaned from recent incidents.
- Information gleaned from plan training and testing.
- Changes in the Business Impact Analysis.
- Implementation of new equipment and technology.
- Organizational restructuring.
- Major additions or changes to facilities.
If you need assistance or have any doubt and need to ask any questions contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.