Answer one of the following questions:
- Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
- When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
Elizabeth V Calise says
1. Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
There are companies out there that question whether to implement a business continuity plan. This could be due to budget constraints, or they are looking for reassurance that the work they will do will provide business value and make things more resilient. An organization having a business continuity system does have immediate benefits, and in general, there are important reasons for having a business continuity system.
In the past years, there have been numerous cyber attacks and breaches, and plenty of leaked records. For example, the WannaCry ransomware attack that happened in 2017 left organizations blocked out of their data, which halted business operations until a ransom was paid. This incident alone demonstrates why it is critical for a business to be able to respond to and recover from disruptions caused by common cyber attacks. A business continuity system is an approach to organizational resilience and helps organizations cope with incidents that affect their operations.
A business continuity system helps avoid the consequences that follow a data breach and enables the organization to recover from interruptions quickly. It also reduces the time to identify and contain a breach, reduces the likelihood of a future data breach, and reduces the overall cost incurred by a data breach.
Dima Dabbas says
Elizabeth,
Unfortunately, like you said, many organizations consider the budget first when it comes to developing their business continuity plan. Organizations need to look at the downsides of not having a business continuity plan in place that will help them recover and respond to incidents in a timely manner. The WannaCry cyber attack is definitely a great example of why organizations need to have a business continuity plan in place, as organizations were forced to pay ransoms in order to be able to resume their businesses.
Jonathan Duani says
Elizabeth,
I agree, and it is actually a sad thing in a lot of instances that a lot of organizations think about the bottom-line dollar value so much more than actually making sure that the business stays operational and that there is security to prevent something bad from happening. I think, like Dima mentioned, WannaCry is a great example. I remember dealing with this problem in a hospital environment and the plans that were put into place just in case. It really shows just how important a plan is.
Ahmed A. Alkaysi says
1. Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
This is where conducting a Business Impact Analysis (BIA) comes in handy. The BIA will help determine the impact that the unavailability of a system will have on the business. The team should go through a BIA to determine the financial / business hit the organization will go through in case of an outage. When this analysis is done, it can be presented to upper management showing the logic on why an investment into a business continuity system is required.
In addition to financial loss due to the unavailability of systems, there can be regulatory and reputational risks as well. If these risks / impacts are well researched and presented to management, they will be much more inclined to invest in a continuity system.
Dima Dabbas says
1. Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
Business continuity is essential for organizations to make sure that their business is up and running in case a crisis happens. Business continuity is the process of creating systems that help in the recovery of a business when critical risks or threats happen within an organization. For an organization to design and plan out their business continuity plan, there first needs to be an understanding of the data that the systems within the organization deal with, the importance of that data, and the critical functions that enable the organization to keep running. It is after defining these business processes and data that an organization can start designing, planning, and implementing their business continuity plan.
Organizations need to have their business continuity plan up to date, making sure that all changes, whether in business processes or technology used, are reflected in this plan. It is not just important to define the business processes and functions but also the personnel who would be the contact people in case a crisis happens. This is also detailed in the business continuity plan. It is essential for every individual to understand their role, as well as for individuals to know who to contact in case of a crisis. Testing is an important phase in the business continuity plan, as it helps ensure that everyone is aware of their roles and responsibilities, and it tests that the organization is able to respond to the crisis effectively and recover from these interruptions in a quick and efficient way.
Brock Donnelly says
Business continuity might not be for every business. Those businesses are either too small or willing to accept the risk of longer than predictable periods of downtime. I would very much like to know which businesses don’t have continuity in place, because I would like to short them in the stock market. A major corporation without some foundation for business continuity is like a town without police or emergency medical services. No person wants to have to rely on the police or EMS, but in their time of need, they are a major relief. Floods, fires, earthquakes, and other natural disasters are considerable threats to organizations of size. Power failures require alternate power solutions. Man-made attacks are mitigated with controls and services. Data availability might require multiple sites. Cloud computing is a tempting solution to level the playing field for all those mentioned nightmares.
Various negative results require positive utilitarian solutions. Without the proper testing and design, salaries for people to provide maintenance, and the actual implementation of business continuity for an organization, one simple attack or disaster would lay it to waste. No police to call. No backup.
Steve Pote says
If I needed to frighten the C-Suite, I would show images from Terminator and similarly dystopian genres with your verbiage. (I have been there with my job on the line.)
“A major corporation without some foundation for business continuity is like a town without police or emergency medical services.”
Plan with me if you want to live…
Elizabeth V Calise says
Brock,
Your comment, “Business continuity might not be for every business. Those businesses are either too small or willing to accept the risk of longer than predictable periods of downtime,” caught my attention.
I will have to disagree. I believe all companies should have some type of business continuity plan (BCP). It should not matter the size of the organization. According to the Federal Emergency Management Agency (FEMA), 90% of smaller companies fail within a year unless they can resume operations within five days. I think it is crucial for all companies to plan. Unfortunately, only 20% of larger companies spend more than 10 days on their BCP.
I even thought maybe it would be unnecessary for the very small shops like mom-and-pop stores, but even then they should have some type of plan in place, to be prepared if a hurricane hits or they experience a flood. If not prepared, they are going to experience much downtime, which leads to loss and then leads to a high chance of having to close the business.
Jonathan Duani says
Elizabeth,
I agree with your comments here. I think that every company NEEDS to have some sort of disaster recovery or business continuity. Something simple in a small business could cripple the company if a plan is not in place. Now, I do think a lot of small companies do not have this, but it seems much more important nowadays with how the cyber landscape is changing.
Frederic D Rohrer says
“Cloud computing is a tempting solution to level the playing field for all those mentioned nightmares.” I think this is a good point and something that many organizations are weighing when considering cloud. With Service Level Agreements that outline business continuity cases, some of the risk and insurance can be outsourced to the cloud hosting provider.
Jonathan Duani says
2. When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
When it comes to 3rd party services, there are a couple of things that I would do to make sure that there is no downtime with their systems. The first thing is I would get in writing from them that they assure so much uptime as per the contract that we both signed. It needs to state in writing, and be mutually agreed upon, a specific amount of uptime and downtime. I also think that it would be a good idea to read through their business continuity and disaster recovery plans. I think it is important to make sure that their plans align properly with your business’s plans, as well as for their sites’ plans to be tested. You want to make sure that what they have written out on paper actually holds true and is ready to go in the event of an emergency. Finally, I think that having different sites in different geographic locations would be a lot better, because if something were to happen in one part of the country or world there will be no downtime; it will just fail over to another and continue operations with little to no downtime at all. It should be an almost seamless transition.
Ahmed A. Alkaysi says
Really good points, Jon. Having a written-out contract with agreed-upon SLAs will help establish expectations between the two organizations. If SLAs are not being met, then the offending company should pay repercussions. This should all be written in the contract itself. Reviewing the DR and BCP annually can also be part of the contract as well.
Dima Dabbas says
Jonathan,
Great points. Yes, when it comes to third parties, organizations need to make sure that the third parties have business continuity plans that align with the business goals of the main organization before becoming partners. Data backups, by having alternate locations where the data is stored, are also very important, and it would be better to have them in different geographical locations. This will help ensure that the data is not destroyed and that the business operations of the organization are not interrupted.
Steve Pote says
Don’t justify home grown. Someone else is already better at it.
Disaster Recovery-as-a-Service (DRaaS)…
I will get back to that. First, I know this tune: ~Help Desk~ residents have felt the hot breath of the corporate cut-back wolf whenever words like “does not support day-to-day operations” are used. I mean, “what do we even pay you for anyway?”…
Help Desk has continued to exist with two basic survival techniques: project the cost if no one was there… and, better still, become more than a cost center – producing widgets or supporting other companies, etc.
With all the chewy math of encryption, Data Foundry shows a curve – bigger > more justification for business continuity systems.
https://www.datafoundry.com/blog/business-continuity-and-disaster-recovery-plan-budget
I want to get back to ~as a Service~. This is where the mature Help Desk went. Always busy. Globally knowledgeable. Metered and measured for quality and billing. A ~use it when you need it~ solution.
Keep an eye on this Magic Quadrant:
https://www.gartner.com/document/3936757?ref=TypeAheadSearch&qid=5a4e58c921eb3e7fb9ed92
Chances are, unless you are burning CDs to carry in a briefcase, these names are part of systems already in place. Relax and let subject matter experts do their job.
Oby Okereke says
When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
With regard to using third-party service providers, the need to ensure adequate confidence in maintaining availability of the services will require a third-party service provider to address availability within their BCDR plan.
Also, a risk assessment must be carried out to ensure the third-party service provider has a risk appetite that is commensurate with the risk appetite of the business entity requesting its services. This calls for due diligence to assure that agreed-upon SLAs will be maintained based on the results of the risk assessment as well as the review of BCDR and contingency plans.
The need to include the third party as part of the BCDR tests is one way of knowing if the third party is in a position to address any disaster recovery needs. Vigorous testing can validate existing gaps in providing availability; the RPO and RTO have to be determined as part of the BIA process.
Depending on the size of the third party, a review of a SOC 2 Type 2 report will equally address concerns surrounding availability, thus providing a level of assurance as to whether the third party is in a position to meet the availability security objective or not.
Duy Nguyen says
Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
Business continuity planning involves developing, testing, and maintaining policies, procedures, and processes that are necessary for an organization to continue operation in the event of an incident. An effective BCM ensures that an organization’s business can provide minimum acceptable services in the event of an incident and helps reduce loss.
As stated in many readings, no system is 100 percent secure or protected. An incident, large or small, is just a matter of time. Business continuity planning is about having the right people, with the right skills, doing the right things to minimize impact to the enterprise. BCM ensures that an organization is prepared and gives an overall assurance of protection in the event of an incident. With a proper BCM, organizations can recover to a point where they would be comfortable maintaining or restoring business continuity of enterprise services.
Elizabeth V Calise says
Duy,
You brought up a lot of good points about how BCP needs the right people with the right skills, etc. I also wanted to mention that a company can include the right skills and people in their BCP and have the support, but they need to be sure they are adapting the plan as well. The business continuity function continues to evolve. It has shifted from a technical focus to a broader understanding of risk and resilience. It is essential to understand how an organization functions from a business, operational, and risk perspective.
Scott Radaszkiewicz says
Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
First of all, senior management has to be on board with any disaster recovery plan. Any organization should have a clear understanding of the impact to the business should any part of a process fail, including technology. What is the impact to the bottom line should a technology system be unavailable for a minute, an hour, or days? Any business continuity plan should be able to restore an organization to normal operating conditions within an identified period of time. This period of time will be different for any organization and is part of their risk appetite. How long can they stand to be down before operations are restored?
Identifying the impact to the business when systems are down. The rationale for business continuity is sometimes hard to justify, but it’s like insurance. You don’t use it, but when you need it, you’ll be thankful you have it.
Dima Dabbas says
Scott,
Senior management definitely needs to be involved when the business continuity plan is developed. Senior management can help determine the critical business processes that need to be up and running even when a disaster or incident occurs. A business continuity plan should be tested to ensure that the critical business processes are not down for a long period of time and that all personnel know their roles and responsibilities in case of incidents and disasters.
Sheena L. Thomas says
Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
Having a BCP is a proactive plan that ensures that critical processes and services are delivered or continue to be available during a disruption. Many companies are at a higher risk of closing if they don’t have a BCP in place. According to Dave Hatter of Bizjournals.com, “many small and medium size companies haven’t studied the risks and are not adequately prepared for a disaster.
For example, if your inventory system crashed, could you ship your products? What is the cost of a plant full of idle workers? If your data center burned down, could it be restored in an hour? A day? A week? Ever? Would you be able to comply with new laws like Sarbanes-Oxley? Would your business be able to continue?
According to Aveco, 20 percent of companies will suffer fire, flood, power failures, terrorism or hardware or software disaster. Of those without a DRP:
• 80 percent will fail in just over a year.
• 43 percent will not even re-open.
• 93 percent that experience a significant data loss are out of business within five years according to the U.S. Bureau of Labor.”
Many heavily regulated industries require both DR and BCP and require both plans to be tested yearly. However, if you are not required to have a BCP, that doesn’t mean one should not be put into place. It’s better to be prepared and have nothing happen than to not be prepared and have a catastrophic event occur. Don’t risk losing your company because no one took the time out to create a plan. Learn from the mistakes of other companies who failed to have a BCP.
When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
I don’t think you can ever maintain adequate confidence when a 3rd party vendor maintains data or houses a critical system for your company. I think the only thing you can do is purchase cyber insurance, conduct 3rd party audits, and ensure that they maintain backups, high availability, and redundancy for your environment. Review their BCP & DR plan. Make sure the contract states everything they are supposed to do to maintain the availability of your system during a disruption.
https://www.bizjournals.com/cincinnati/stories/2004/08/09/focus5.html
Jonathan Duani says
Sheena,
Some really great points you brought up here. I like how you mentioned that even though the industry might not require a business continuity plan or disaster recovery plan, it might be a good idea to have one anyway. I think it is important to note that even a small oversight like not having a plan could put your company in jeopardy, but testing your plan to make sure that you can actually implement it if need be is also important. I think a lot of companies might have a plan written up but don’t actually confirm that it is working correctly.
Folake Stella Alabede says
2. When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
As was read in the textbook for this course: third-party audits are conducted by, or on behalf of, another organization; security audits are evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party. Auditors provide an impartial, unbiased view of the state of security controls.
For organizations using 3rd party solutions, for outsourcing purposes and other different reasons (some of the common products/solutions being ADP, Workday, Ceridian, etc.), the first thing to look out for would be a SOC 2 report (especially the SOC 2 Type 2 report), and more confidence in the organization/report is mostly achieved if the report was performed by one of the Big 4 (pardon the bias, and maybe ignoring the Arthur Andersen aspect) or some other reputable accounting firms.
Also, when leasing cloud-based services, it is important to understand who is responsible for maintenance and security; the cloud service provider provides the least amount of maintenance and security in the IaaS model.
Oby Okereke says
Hi Stella:
You mention a good point with regard to cloud-based services. The responsibility for security is still an area that most organizations that have adopted the cloud model struggle with. I believe the term “shared responsibility” is what I am speaking to. An articulated approach is required to ensure the availability of systems in the cloud. One need not search far to uncover data breaches that have occurred with systems/data in the cloud, and a deep dive into the incident will usually reveal that most of the security failure is on the part of the cloud service customer, not the cloud service provider; thus the ease with which data is breached in the cloud, thereby hindering the security objective of availability, is really alarming and calls for more attention in that area.
Jonathan Reid Kerr says
Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
Business Continuity Planning should be important for every organization, large and small. The main problem is that for many businesses the benefit of systems for business continuity is hard to see and justify when looking at their face value. In order to justify possibly costly implementations, you have to look at the alternatives.
The most effective way to justify the implementation of business continuity systems is to assess the impact that major risk events will have on the organization, then determine how much risk the organization is willing to accept. Once these two things are determined, risks too large for the organization to accept can be identified. Showing the large-scale impact a specific risk event can have will, in most cases, justify the spending required for maintenance and testing.
Frederic D Rohrer says
Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
Business continuity can be justified by doing a loss expectancy calculation for the system or data for which the continuity should be implemented. If the loss expectancy outweighs the cost of continuity implementation, then the system pays for itself. It is often the case that continuity systems are not more expensive to maintain, if properly designed and implemented. For example, fail-over server copies need to be provisioned automatically, using container orchestration. Otherwise, calculations against loss expectancy need to include the maintenance cost as well.
When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
Third parties can be analyzed in numerous ways, all based on the level of trust you put in them. One could request an SLA, or provision some test servers and do disaster recovery testing with a live environment. You could also hire a third-party auditor to test and certify that the systems can maintain availability. This way perhaps the implementation can even be insured against non-availability.
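The loss expectancy comparison Frederic describes, worked through as an added example (not code from the discussion or any participant). All figures are constructed: an hourly outage cost, an expected number of incidents per year, and the recovery time with and without a continuity capability (the RTO a BIA would set); the continuity cost includes amortised implementation plus the maintenance and testing the post says must not be left out.

```python
"""Annualised loss expectancy (ALE) justification for a business continuity system.

ALE = single-loss expectancy (SLE) x annual rate of occurrence (ARO).
SLE here is hourly loss x hours of downtime, so the continuity system pays for
itself when the ALE it avoids exceeds its full annual cost.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class OutageScenario:
    """One disruptive event type for a critical system (constructed values)."""
    name: str
    hourly_loss: float              # revenue/productivity lost per hour down
    annual_rate: float              # expected occurrences per year (ARO)
    recovery_hours_no_bc: float     # ad-hoc recovery time without a BC capability
    recovery_hours_with_bc: float   # recovery time objective (RTO) with BC in place


@dataclass(frozen=True)
class ContinuityCost:
    """Full annual cost of designing, running and exercising the BC system."""
    implementation: float       # one-off build cost, spread over its useful life
    amortisation_years: int
    annual_maintenance: float   # the cost the post warns must be included
    annual_testing: float

    def annual(self) -> float:
        if self.amortisation_years <= 0:
            raise ValueError("amortisation period must be positive")
        return (self.implementation / self.amortisation_years
                + self.annual_maintenance + self.annual_testing)


def single_loss_expectancy(hourly_loss: float, hours_down: float) -> float:
    return hourly_loss * hours_down


def annualised_loss(scenarios: Iterable[OutageScenario], with_bc: bool) -> float:
    """Sum SLE x ARO over all scenarios, using the recovery time for that state."""
    total = 0.0
    for s in scenarios:
        hours = s.recovery_hours_with_bc if with_bc else s.recovery_hours_no_bc
        total += single_loss_expectancy(s.hourly_loss, hours) * s.annual_rate
    return total


def justify_continuity(scenarios: Iterable[OutageScenario],
                       cost: ContinuityCost) -> Dict[str, float]:
    """Compare avoided annual loss against the annual cost of the BC system."""
    scenarios = list(scenarios)
    ale_without = annualised_loss(scenarios, with_bc=False)
    ale_with = annualised_loss(scenarios, with_bc=True)
    avoided = ale_without - ale_with
    annual_cost = cost.annual()
    return {
        "ale_without_bc": ale_without,
        "ale_with_bc": ale_with,
        "loss_avoided": avoided,
        "annual_bc_cost": annual_cost,
        "net_benefit": avoided - annual_cost,
        "justified": avoided > annual_cost,
    }


# Constructed sample: one order-processing system, two outage types.
SAMPLE_SCENARIOS = (
    OutageScenario("ransomware", hourly_loss=5000.0, annual_rate=0.5,
                   recovery_hours_no_bc=72.0, recovery_hours_with_bc=4.0),
    OutageScenario("power failure", hourly_loss=5000.0, annual_rate=2.0,
                   recovery_hours_no_bc=8.0, recovery_hours_with_bc=0.5),
)
SAMPLE_COST = ContinuityCost(implementation=300000.0, amortisation_years=5,
                             annual_maintenance=40000.0, annual_testing=15000.0)


def run_example() -> Dict[str, float]:
    return justify_continuity(SAMPLE_SCENARIOS, SAMPLE_COST)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```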
Rommel R. Miro says
When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
When a company uses a third party, the third-party outfit essentially absorbs and takes on the risk on your behalf, for a fee. The risk that they assume can cover equipment, data, and everything in between. Since they have all the marbles, I would want to see (a) verified records of their performance from the past, with similar clients, (b) their own disaster recovery plan, and (c) their own business continuity plan, because being able to assume the risk for me is the reason they were hired. Accreditation, if applicable to the industry or system being protected or outsourced, can be required. Cyber insurance will also definitely be part of the conversation, just to cover bases. If the DR plan needs to be put into action, how quickly can they get their critical operations back up and running? Do they have hot, warm, or cold site backups? Do they outsource any of their products or services themselves?
If they are storing data, one must know where the data will reside: will it be in a warehouse with other clients or in dedicated in-house data storage? All of these things should be outlined in the SLA.
Oby Okereke says
Hi Rom:
Your response on dealing with a third-party service provider is most descriptive. I sincerely think you have it all covered. One sentence that piqued my interest, though, is that you opined that “the third party outfit essentially absorbs and takes on the risk on your behalf, for a fee.” I would like to explore this statement further, as I personally consider it a blanket statement, because there are highly regulated industries that would bar a business from thinking they can hand off some of their business tasks to a third-party provider and hold them responsible for any mishaps. The delegation of a particular task or function by a firm does not correspond to a delegation of responsibility in certain highly regulated industries, no matter how much of a fee is offered for such services. There is always a limit to what a third party can do. Other than that statement, I’m wholly in agreement with your points. Kudos!
Jonathan Duani says
Mel,
I feel like I am agreeing with Oby here. I do not think they absorb the risk for you. I think the risk is talked about in the negotiations, and the company hiring the third-party vendor might take additional steps to ensure that the security of the systems inherits some of that of the organization. I think a company that is implementing a vendor should seriously consider the risk that is associated and see if they are willing to do what is needed to accept or mitigate that risk.