This article is part eleven in a twelve-part series on information security fundamentals for small and medium-sized businesses.
If you read the previous article on security incident management, you were reminded that well-informed business owners prepare for the worst. Although a documented disaster recovery plan is essential, what’s your plan for keeping the business running during the recovery process? It’s important that you document these details in your Business Continuity Plan (BCP).
The first step in preparing your BCP is to perform a business continuity risk assessment. While a general risk assessment focuses on risks to the confidentiality, integrity, and availability of your systems and data, a business continuity risk assessment dives deeper into availability-related threats. In short, anything that could get in the way of delivering your products and/or services to your customers is covered by this assessment.
So what questions may come up during your business continuity risk assessment? Here are a few examples:
- If an illness sweeps through your organization, incapacitating over half your workforce, who will deliver services to your customers?
- If a chemical spill occurs on a nearby highway or railway, forcing an evacuation of your main office, how will your employees work together until the evacuation order has been lifted?
- If your leadership team is seriously injured while traveling together, who will run the company while they recover?
The results of this assessment will keep you on the right track as you document your BCP. At a minimum, your BCP needs to identify the critical elements of your business (i.e., people, locations, and assets) and outline the prioritized steps necessary to restore those elements to a functional state in the event of a business-impacting event.
By documenting who will do what and when ahead of time, you will minimize the confusion during the recovery period, ensuring that the business is back up and running as quickly as possible. (For a more detailed look at a BCP, the FCA Essential Practices for Information Technology write-up on Business Continuity is a fantastic resource.)
With your BCP in hand, the last step is to test your BCP on a regular basis. Check your financial calendar, find the slowest time of the year for your business, and schedule a test of your BCP. During this window, simulate one of the high-risk events you identified during your business continuity risk assessment and validate whether your BCP holds water. These controlled tabletop exercises will help you safely identify the gaps in your BCP well before your plan is truly needed, further reducing the impact to your customers during an actual event.
To recap, every business owner should do the following:
- Perform a business continuity risk assessment
- Document a Business Continuity Plan
- Test the BCP on a regular basis
In the next article, we’ll tackle Compliance Management.