
BUSINESS CONTINUITY

Critical files encrypted by ransomware, denial of service attacks, hardware failures, human error and even adverse weather can bring any organisation to its metaphorical knees. During such times of trouble, a Business Continuity Plan (BCP) will not only keep critical functions running, but will also set out how to deal with customers, the press, suppliers and even the workforce.

Before We Begin:

The success or failure of a BCP depends upon the support of the Senior Leadership Team (SLT). Only the SLT can finance the initiative by allocating critical resources such as time, personnel and money, as well as giving the project the 'welly' it deserves. Finally, the SLT are important because they determine the Mission Critical Functions (MCFs). MCFs are what the organisation is all about: the activities that must continue no matter what.

Getting ready for a BCP

In many organisations, it is the corporate norm to appoint a business continuity champion to:

  • Develop a communication strategy to keep relevant stakeholders informed

  • Develop a process everyone can understand and follow

  • Maintain the requisite engagement

Usually, this person is a member of the Senior Leadership Team and is supported by:

  • Heads Of Department: Because if you are responsible for the day-to-day operations of a particular business unit, then there is every chance you know which activities are critical and what systems and data these depend upon.

  • IT Experts: Because they understand how to protect the system upon which others rely.

  • Physical Security & Site Management: Because these staff members are often the first people on the scene and can tell you when the premises are secure and good to go.

  • Legal Team Representatives: Because every organisation has any number of legal, regulatory or contractual obligations that must be managed, no matter what internal crisis the enterprise is currently experiencing.

  • Human Resources: Who else can address staffing issues, disputes and welfare concerns?

  • Communications Team: Because businesses that fail to provide timely information - delivered in a manner that is both sympathetic and transparent to the relevant stakeholders - do not survive. Reputation is everything!

  • Finance: Because they control the purse strings.

Business Impact Assessment (BIA)

Step 1: Fire up a spreadsheet and in column one, for each department, list all business activities.  What tasks do your employees perform day in, day out?

Helpful Tip: Many organisations will distribute the spreadsheets to departmental managers in the first instance or ask a knowledgeable member of the BCP team to conduct interviews. The latter gives us consistency and also allows those being questioned to 'show and tell'.

Step 2: In the next three columns, record:

  • What hardware is needed to perform these jobs (look around the office)

  • What software is needed to perform these jobs (look on the computers staff use)

  • What data is needed to perform these jobs and where this data is stored (sometimes called a vital records programme)

Helpful Tip: Have an I.T bod around when performing this part of the analysis to clarify the names of the systems and applications in use.

Step 3: Consolidate and refine - is there scope to collapse discrete activities under bigger 'functions' to make our list more manageable?

Step 4: We now want to rate the importance of each activity against our Mission Critical Functions (MCFs). So, we might develop a yardstick like this:

If the activity stops, what is the impact on:

  • MCF1: Employee welfare and safety

  • MCF2: Enterprise reputation

  • MCF3: Compliance with legal, regulatory or even contractual obligations

  • MCF4: Operating costs

  • MCF5: Our competitive edge

For each activity, we can then assign a 'subjective' ranking of:

Very High (5 points), High (4 points), Moderate (3 points), Low (2 points), Very Low (1 point)

A Working Example

In a school, the loss of SIMS software might stop the activity of 'Registering students at the start of each lesson'. So we assess the loss of this activity against our mission critical functions like this:

  • MCF1: Student welfare and safety: 5

  • MCF2: Enterprise reputation: 3

  • MCF3: Compliance with legal, regulatory or even contractual obligations: 5

  • MCF4: Operating costs: 1

  • MCF5: Competitive edge: 2

Giving us an aggregated score of 16 (5 + 3 + 5 + 1 + 2).

If we repeat this process for other activities we will eventually have a prioritised list of departmental activities or business functions.

Helpful Tip: All departments may exhibit bias and see everything they do as mission critical. This is where the senior management team adds value, by considering the relative contribution of each department to mission critical goals. Even so, this can still be tricky. For example, what if registering pupils gave us a score of 5 for MCF1, but a score of 1 for everything else? We might still determine that losing the ability to track students is so important that we ignore the aggregated score and pump resources into protecting the activity anyway. It is a good idea, therefore, to document these decisions so they can be referred to should the need arise.

Step 5: In the next column, specify how long we can go without each business function before irreparable harm is done. Is it minutes, hours, days or weeks? This time limit is known as the Maximum Tolerable Downtime (MTD). Many organisations complement this figure with another, the Recovery Time Objective (RTO): the amount of time in which you can feasibly recover the business function in the event of a disruption.

The goal of Business Continuity Planning is to ensure that, for every function, the RTO is shorter than the MTD. In other words, you do not want a situation where a business function is unavailable beyond its maximum tolerable downtime; wherever the RTO exceeds the MTD, you have found a gap that needs attention.
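The scoring, ranking and MTD/RTO check described in Steps 4 and 5, worked through as a small script. This is an added example and not part of the original article: the departments, activities, dependencies, scores and MTD/RTO figures are constructed to illustrate the method (the first row reproduces the school registration example above), and the rule that a Very High welfare score makes an activity critical regardless of its aggregate is an assumed policy drawn from the Helpful Tip, not something the article mandates.

```python
"""BIA scoring worked example (constructed sample data, not from the article)."""
from dataclasses import dataclass

# The five impact areas used as the yardstick in Step 4 (MCF1..MCF5).
IMPACT_AREAS = ("welfare", "reputation", "compliance", "cost", "competitive_edge")

# The Step 4 ranking scale.
SCALE = {"very high": 5, "high": 4, "moderate": 3, "low": 2, "very low": 1}


@dataclass
class Activity:
    department: str
    name: str
    depends_on: list          # hardware, software and data from Step 2
    impact: dict              # impact area -> 1..5 from Step 4
    mtd_hours: float          # Maximum Tolerable Downtime (Step 5)
    rto_hours: float          # Recovery Time Objective (Step 5)

    def aggregate(self) -> int:
        """Sum of the five impact scores; refuses to score an incomplete row."""
        missing = set(IMPACT_AREAS) - set(self.impact)
        if missing:
            raise ValueError(f"{self.name!r}: unscored impact areas {sorted(missing)}")
        return sum(self.impact[area] for area in IMPACT_AREAS)

    def welfare_override(self) -> bool:
        """Assumed policy (see lead-in): a Very High welfare/safety impact
        makes the activity critical even when its aggregate score is low."""
        return self.impact.get("welfare", 0) == SCALE["very high"]

    def recovery_gap(self) -> bool:
        """True when the function cannot be recovered inside its MTD."""
        return self.rto_hours > self.mtd_hours


def prioritise(activities):
    """Highest priority first: welfare overrides, then aggregate score."""
    return sorted(activities,
                  key=lambda a: (a.welfare_override(), a.aggregate()),
                  reverse=True)


def recovery_gaps(activities):
    """Names of activities whose RTO exceeds their MTD: the gaps the BCP must close."""
    return [a.name for a in activities if a.recovery_gap()]


# Constructed spreadsheet rows (hypothetical school; not real data).
SAMPLE_BIA = [
    Activity("Teaching", "Registering students at the start of each lesson",
             ["SIMS", "staff laptops", "pupil database"],
             {"welfare": 5, "reputation": 3, "compliance": 5, "cost": 1, "competitive_edge": 2},
             mtd_hours=4, rto_hours=8),
    Activity("Finance", "Running monthly payroll",
             ["payroll service", "HR records"],
             {"welfare": 2, "reputation": 4, "compliance": 5, "cost": 4, "competitive_edge": 2},
             mtd_hours=72, rto_hours=24),
    Activity("Marketing", "Publishing the school newsletter",
             ["website CMS"],
             {"welfare": 1, "reputation": 2, "compliance": 1, "cost": 1, "competitive_edge": 2},
             mtd_hours=336, rto_hours=48),
    Activity("Site", "Monitoring the fire alarm panel",
             ["alarm panel", "site phone"],
             {"welfare": 5, "reputation": 1, "compliance": 1, "cost": 1, "competitive_edge": 1},
             mtd_hours=0.5, rto_hours=0.25),
]

if __name__ == "__main__":
    for rank, a in enumerate(prioritise(SAMPLE_BIA), start=1):
        flag = " (welfare override)" if a.welfare_override() else ""
        print(f"{rank}. [{a.aggregate():2d}] {a.department}: {a.name}{flag}")
    print("RTO exceeds MTD:", recovery_gaps(SAMPLE_BIA))
```

Note that the fire alarm row ranks above payroll despite a much lower aggregate, which is exactly the kind of override decision the Helpful Tip says should be written down; and only the registration row is flagged as a recovery gap, because an 8 hour RTO cannot satisfy a 4 hour MTD.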

Putting It All Together

Our spreadsheet is starting to build a picture of which activities and functions are mission critical and the systems, applications and data upon which they rely. Once we know what is most important, we can prioritise our resources to protect them. For example, perhaps we need:

  • Alternate premises / reciprocal agreements or support for mobile working

  • Redundant equipment

  • Redundant data stores (aka backups)

  • Redundant supply chains and support services

  • Redundant utilities

  • Cross training or succession planning for staff

  • Workarounds, such as paper-based systems

  • Better security controls

ASIDE NUMBER 1: ADVANTAGES OF THE CLOUD

This is where cloud computing usually comes into its own. The cloud offers:

  • Rapid Elasticity: Hardware, software, networking, bandwidth, security services - all of these resources can be rapidly scaled in the cloud to meet your organisation's needs.

  • On Demand Self Service: Most cloud providers offer an online portal to help provision and manage resources quickly and easily.

  • Broad Network Access: Offering better support and access for a distributed workforce.

  • Metered Service: You only pay for what you use, meaning that once the crisis is over you can quickly return to pre-crisis budgets without paying for redundant resources.

ASIDE NUMBER 2: LAYING THE GROUND WORK FOR OTHER KEY PROCESSES

The work we have done here will also support

  • A comprehensive risk assessment - looking at threats to the organisation and attempting to identify where they might exploit your vulnerabilities and,

  • The implementation of a security framework to protect your assets against those risks.

Both are very worthy goals for any organisation serious about protecting its longevity and cyber resilience.

WHAT DOES A BUSINESS CONTINUITY DOCUMENT LOOK LIKE?

A Business Continuity Plan will typically have the following sections:

  • BCP Goals: Explains the goals of Business Continuity Planning by listing Mission Critical Functions that must be maintained during a crisis.

  • Statement of Importance: Usually this is just a letter from the CEO to employees stating

    • Why the organisation has devoted significant resources to BCP planning

    • Why BCP is everyone's responsibility and why everyone is expected to assist its implementation

  • Statement of Priorities: This is the table we have made. The aim is to show the most critical business functions and how they will be maintained during a crisis.

  • Methodology Used: This is an explanation of how the criticality of each business function / activity has been determined, together with underlying assumptions, caveats and events that might precipitate a re-evaluation.

TRAINING, TESTING AND MAINTENANCE

People with direct BC responsibilities will need to be trained for their specific role, so that if disaster strikes they know what to do and when to do it. Of course, knowing the plan is not the same as testing whether it works. Each departmental manager will need to run different scenarios and feed back to the BCP committee how the exercises went, in order to refine the plan and resolve ongoing issues. Testing turns a stagnant document sitting on the Information Security Officer's shelf into a living, breathing plan that will save the organisation in a time of crisis.

Don't forget, either, that the Business Continuity Plan will need to be updated to reflect changes in the organisation.  You may, for example, want to exploit new business opportunities, or take advantage of new tech. You might change operational procedures or find new industry partners. Whatever happens, the BCP has to remain current in order for it to be effective.

FINAL THOUGHTS

It is almost impossible to write a BCP without addressing a Disaster Recovery Plan (DRP). The former is about keeping the 'show on the road', whilst the latter concentrates on how to recover services that have gone down. This also moves into Incident Response (IR) territory and is outside the scope of this article. However, check out our other resources to find out more about these topics.

See something not quite right? Email: EMSOUCyberProtect@leicestershire.pnn.police.uk