Answer one of the following questions:
- Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
- When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
Mei X Wang says
Although business continuity planning may be expensive and resource-consuming, it is just like how cybersecurity was previously viewed. If organizations cannot afford to create a plan, then they definitely cannot afford to pay for the damages from the lack of planning. To gain senior management support, we can conduct business impact analyses. What is the MAXIMUM loss if a risk were to be exploited? By using quantitative ($$$ cost) and qualitative (e.g. reputation loss) measures, we can build a business case on why business continuity systems are essential. Just like information security became recognized due to the exploits of insecure organizations, we can use the same argument and statistics to push for manageable, deployable business continuity/disaster recovery strategies.
When using third parties, some techniques or solutions I would suggest are to have your organization’s Procurement team do their due diligence in monitoring and assessing the third party. If they are prone to being attacked, have they appeared on the news recently? What’s the security climate of that organization, and what assurance/insurance can be provided if the third party falls through? Doing our due diligence of assessing the third party, having a monitoring period, and having countermeasures in place such as risk transference (insurance) can help the organization gain confidence in the third party.
Vanessa Marin says
Definitely agree with you, Mei!
The procurement team is in charge of selecting vendors and vetting them. They should bring their vendor to the risk management group for an appropriate vendor risk assessment. Procurement teams generally have an understanding of the risks but a formally completed risk assessment is critical. We can’t forget that contracts are the crux of a healthy vendor relationship. They list out the expectations of the organization and the vendor. I also think that having multiple associations with similar vendors is important. In case one of your suppliers goes down, who is the alternative?
What do you think?
Vanessa
Mei X Wang says
Hi Vanessa,
Great input! Having a contract in place and the SLA explicitly defined can help procurement understand where they would need to build countermeasures. They should ALWAYS have backup vendors in that case as well, especially for companies that rely heavily on shipments (food, supplies, hardware) from the vendors to do day-to-day business.
Amelia Safirstein says
I agree that the SLA is a must. This not only helps ensure that expectations are clear, but it also limits wiggle room or back-tracking on promises when critical situations actually occur.
Rudraduttsinh says
The Business Continuity Institute defines business continuity management as foreseeing incidents that will affect mission-critical functions and processes for the organization and ensuring that it responds to any incident in a planned and rehearsed manner. In simple terms, when an organization cannot afford downtime, it justifies the criticality of the business continuity design, implementation, and all the other functions. The other reasoning behind it is legal or compliance requirements, especially as more regulations arrive with the rapid advancement in technologies. The first step is to define the third parties critical to business operations during the impact analysis and risk assessment, in order to gain the third parties’ confidence in their ability to maintain availability for their systems. Further, a vendor management program can be implemented to document external party roles, activities, and related controls, align recovery objectives, and validate recovery capabilities.
References
Bronson, J., & McDonald, T. (2014). Business Continuity and Disaster Recovery. ucop.edu/ethics-compliance-audit-services/_files/webinars/11-13-14-audit/business-continuity.pdf
Supriadi, L., & Sui Pheng, L. (2017). Business Continuity Management (BCM). Business Continuity Management in Construction, 41–73. https://doi.org/10.1007/978-981-10-5487-7_3
Mei X Wang says
Hi Rushi,
A good overview of why business continuity and disaster recovery planning are essential to organizations. If they can’t afford to pay for the planning, they definitely can’t afford to pay the ransom if they were compromised. Business continuity is like insurance: you hope you don’t need it, but when you do need it, it may be your lifeboat.
Krish Damany says
Hi Rushi,
I think it’s incredibly important that you mentioned gaining the third party’s confidence. While it’s important for your organization to have confidence in the third party, the opposite is just as true. If the third party doesn’t have confidence in the organization, then trusting them for developing a BCP would be a futile action, as they may not be able to help your specific needs.
Vanessa Marin says
When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
Vendor management is a critical function of Operations and a key factor in Operational Risk. In assessing Vendor Risk you are looking at the overall risk profile of that vendor. Are they compliant with regulations that apply in your industry? What is their maturity level in terms of security? Do they have defined and tested BCP and DRP protocols in place? What is their recovery response time in case of an outage? There are so many questions.
To establish confidence there must be transparency. They should disclose general locations of where data is being stored, where platforms are being serviced from, and what potential risks could impact the continuity of the services they are providing. Irrespective of whether your third party vendor operates in the cloud or is an actual raw material supplier, you should be aware of where things are being managed. Another tool is tabletop exercises that mimic an actual disruption in availability. Working with your vendor to establish a DRP or a BCP that is specific to your organization is critical in establishing confidence. Testing the DRP or BCP can solidify the steps that need to be taken by your org and by the vendor to re-establish service. This includes defining key contacts, key processes, backup tasks, recovery mechanisms, SLAs, and recovery statistic metrics. Metrics are crucial tools that can help you decide if you should go with that vendor or not.
Sample Metrics:
Recovery Time Objectives (RTO)
Recovery Point Objectives (RPO)
The number of plans that cover each critical business process
The amount of time since each plan was updated
The number of business processes that are threatened by a potential disaster
The actual time it takes to recover a business process
The difference between your target and actual recovery time
Having transparency will create a good working relationship with your vendors or third party providers. Also, remember that having a sound contract that includes your requirements, expectations and a formal agreement on both ends is what is really going to establish the baseline of the vendor/org relationship.
Vanessa
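As an added illustration of the recovery metrics listed above (this is example code, not part of the thread): a small Python script that scores a vendor's tabletop or failover test results against the agreed RTO and RPO, checks how long each plan has gone without an update, and reports critical processes that no plan or test covers. The process names, targets, test results and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


# Constructed sample data: a vendor's recovery-test (tabletop/failover) results
# for the processes it supports, plus the critical processes we expect covered.
@dataclass
class RecoveryTest:
    process: str
    rto_min: int                 # agreed Recovery Time Objective, minutes
    rpo_min: int                 # agreed Recovery Point Objective, minutes
    actual_recovery_min: int     # measured time to restore the process
    actual_data_loss_min: int    # measured data-loss window
    plan_updated: date           # last revision of the plan covering this process


CRITICAL_PROCESSES = ["order-intake", "payments", "warehouse-dispatch", "payroll"]

TESTS = [
    RecoveryTest("order-intake", 60, 15, 45, 10, date(2021, 3, 1)),
    RecoveryTest("payments", 30, 5, 95, 20, date(2019, 11, 15)),
    RecoveryTest("warehouse-dispatch", 240, 60, 200, 30, date(2021, 1, 20)),
]

AS_OF = date(2021, 6, 1)         # constructed "today" so the report is reproducible


def evaluate(tests, critical, today, max_plan_age_days=365):
    """Score each tested process against its RTO/RPO and plan freshness.

    Returns (report, uncovered): report maps process -> metric dict;
    uncovered lists critical processes with no recovery test on file.
    """
    report = {}
    for t in tests:
        age = (today - t.plan_updated).days
        report[t.process] = {
            # positive gap = missed the target by that many minutes
            "rto_gap_min": t.actual_recovery_min - t.rto_min,
            "rpo_gap_min": t.actual_data_loss_min - t.rpo_min,
            "met_rto": t.actual_recovery_min <= t.rto_min,
            "met_rpo": t.actual_data_loss_min <= t.rpo_min,
            "plan_age_days": age,
            "plan_stale": age > max_plan_age_days,
        }
    uncovered = [p for p in critical if p not in report]
    return report, uncovered


def count_failing(report):
    """Number of processes that missed either the RTO or the RPO."""
    return sum(1 for m in report.values() if not (m["met_rto"] and m["met_rpo"]))


def run_report():
    return evaluate(TESTS, CRITICAL_PROCESSES, AS_OF)


if __name__ == "__main__":
    report, uncovered = run_report()
    for proc, m in report.items():
        status = "OK" if m["met_rto"] and m["met_rpo"] else "MISSED"
        stale = " (plan stale)" if m["plan_stale"] else ""
        print(f"{proc:20} {status:6} RTO gap {m['rto_gap_min']:+4d} min, "
              f"RPO gap {m['rpo_gap_min']:+4d} min, plan age {m['plan_age_days']} d{stale}")
    print("critical processes with no plan/test:", uncovered)
    print("processes failing targets:", count_failing(report))
```

The gap columns are the "difference between your target and actual recovery time" metric; a positive value is a missed target, and an uncovered critical process is the clearest signal that the vendor's plan does not yet match your organization's needs.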
Krish Damany says
Organizations are very busy during the day, so maintenance of a business continuity plan between roughly 7 am and 7 pm would just get in the way of normal business operations. The flip side is that a business continuity plan needs to be ready in the event of any emergency situation that would disrupt normal operations. The first thing in creating a plan is to determine what is necessary to keep normal business operations running, even if it’s just the basic necessities. With that, one can draft up how to keep those devices online and operational by having them on a specific power grid or isolated from the rest of the machines to mitigate any risk of damage to the backups. Because business operations happen during the day, initial testing should occur at night hours, and then when testing concludes, the testing should happen at a specific scheduled time to notify employees ahead of time to prepare. In the use of third-party vendors, one important thing is to do thorough research on the vendor. This research should include what I’ve written above for the most part, as well as their own BCP and DRP. It’s also important to see if they have been in the news recently for any sort of breach. Once these are considered, then an organization can make an informed decision in relation to the BCP.
Vanessa Marin says
Ahh.. yes. Timing sucks for our BCPs, but the reality is that you really need a team that will create one for you or dedicate the time. And most work 7-7. I had the opportunity to be involved as a consultant in the development of a Disaster Recovery Plan for a client. The project was 6 weeks with a variety of stakeholders from my side and the client’s. Maintenance of a DRP or BCP comes down to updating and testing. Like anything else, you want and need to pressure test your plan in order to have assurance that it will work when that time comes.
Vanessa
Vincent Piacentino says
Third-Party Agreements
When using third-parties, I would gain adequate confidence in availability for their systems with Third-Party Agreements. Here are some things to consider when assessing availability and reducing risk regarding third parties:
• Review the service provider’s security program
• Understand the provider’s legal and regulatory requirements
• Conduct an onsite inspection and interviews
• Implement a nondisclosure agreement (NDA)
• Review contracts to ensure security and protection levels are agreed on
• Ensure the service provider has a Business Continuity Plan (BCP)
• Confirm Service Level Agreements (SLA) are in place along with Service Level Requirements (SLR)
• All of this should be outlined in a Master Service Agreement (MSA)
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-47.pdf
Krish Damany says
Hi Vincent,
I agree that any third-party agreements would help with boosting confidence. More than just agreements, an organization should do the proper research into the third-party organization to make sure that their infrastructure would be able to handle the needs of the company. Agreements can only do so much in the long run.
Amelia Safirstein says
Great point, Krish. While the third-party agreement is absolutely vital, you should always do your own research before trusting another company. At the end of the day, it’s your own organization that will lose if the vendor is unable to provide.
Amelia Safirstein says
Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
The losses of a crisis situation can easily exceed the costs incurred in the implementation of business continuity systems. An organization that experiences a crisis situation without a business continuity plan in place may not survive the crisis. Organizations can compare the Annualized Loss Expectancy to the costs of the business continuity systems and residual risk to justify implementations.
When using third parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
An organization should always do its due diligence before working with a third party. They should also have an SLA in place to add some accountability and to clarify the expectations of the third party. In some cases, companies can require a third party to provide the results of an audit as an assurance that the third party is following legal or regulatory requirements.
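To put numbers on the Annualized Loss Expectancy comparison described above, here is an added Python example (not from the thread) that sums the ALE across a few outage scenarios with and without a business continuity program, treats the ALE that remains once the program is in place as the residual risk, and compares the reduction to the program's annual cost. All loss figures, occurrence rates and costs are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    sle_before: float   # Single Loss Expectancy ($) per incident with no BCP
    aro: float          # Annualized Rate of Occurrence (incidents per year)
    sle_after: float    # residual loss per incident once the BCP is in place


def ale(sle, aro):
    """Annualized Loss Expectancy = SLE x ARO, rounded to cents."""
    return round(sle * aro, 2)


def justify(scenarios, annual_bcp_cost):
    """Compare total ALE with and without the BCP against its annual cost."""
    ale_before = sum(ale(s.sle_before, s.aro) for s in scenarios)
    residual_ale = sum(ale(s.sle_after, s.aro) for s in scenarios)
    risk_reduction = ale_before - residual_ale
    net_benefit = risk_reduction - annual_bcp_cost
    return {
        "ale_before": ale_before,
        "residual_ale": residual_ale,
        "risk_reduction": risk_reduction,
        "annual_cost": annual_bcp_cost,
        "net_benefit": net_benefit,
        "justified": net_benefit > 0,
    }


# Constructed placeholder figures, not real loss data.
SCENARIOS = [
    Scenario("primary data centre outage over 24h", 2_000_000, 0.2, 400_000),
    Scenario("ransomware on file servers", 1_500_000, 0.1, 300_000),
    Scenario("key supplier failure", 500_000, 0.5, 200_000),
]

if __name__ == "__main__":
    # Same program costed two ways: one affordable, one that costs more than it saves.
    for cost in (150_000, 700_000):
        r = justify(SCENARIOS, cost)
        print(f"BCP at ${cost:,}/yr: ALE ${r['ale_before']:,.0f} -> "
              f"residual ${r['residual_ale']:,.0f}, net benefit ${r['net_benefit']:,.0f}, "
              f"{'justified' if r['justified'] else 'not justified'}")
```

The second run shows the caveat in the comparison: a program whose annual cost exceeds the risk it removes is not justified on ALE alone, which is why the residual risk figure matters as much as the headline loss.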
Jerry Butler says
Selecting and dealing with third parties can be challenging because there are many vendors out there that promise to do more than just meet a company’s business requirements (they promise to over-deliver).
However, here are a couple of steps I would take to select a vendor ideal for the availability of my system:
1. The company should set clear guidelines and expectations; this step should involve all stakeholders in the department.
2. The procurement team should then come up with final documentation (RFP) and follow policy and procedure guidelines on onboarding new vendors/third parties.
3. The next step after selection of the third party is the most important: testing the resilience of vendor systems or applications. This should be done thoroughly before a vendor is confirmed for the job. Some of the things to consider include:
a) Performing a security review of the system; this includes vulnerability scans and pen tests to check the security of the system.
b) Testing internal controls of the system, for instance access control, account management, change management processes, system hardening, network security, etc.
c) I would test the backup system to ensure that the system can recover from a hack or shutdown in the expected time period.
d) I would look at vendor compliance with industry security standards; for instance, I would need to see that they have performed security assessments such as ISO 27001, SOC 2, PCI, HIPAA. The compliance standard should be what matches the business objectives; for instance, if it’s health, they should meet the HIPAA compliance standard.
e) I would test physical and environmental security; for instance, the company systems cannot be located in areas where natural disasters are common.
f) The company should have cyber insurance, and all metrics of system recovery should be included in the SLA.
g) Lastly, I would test logging and ensure the company has clear access to vendor systems for purposes of monitoring and control.
These and more would be my considerations for onboarding a third-party vendor.