Answer one of the following questions:
- Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
- When using third parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
Kelly Sharadin says
First and foremost, when entering into any third-party situation as a business, it's paramount to review contracts, specifically what the service level agreements and expectations of the provided service are. Regarding availability, it's important to define what the expected mean time to recovery following an incident is. Additionally, it is recommended to identify whether the vendor has a crisis communications plan and provides a designated point of contact, and to verify that the vendor conducts regular tabletop exercises to test their disaster recovery plan. If possible, request that the third party participate in a tabletop exercise between both parties to fully test the disaster recovery plan.
Kyuande Johnson says
Great Points Kelly,
Having clear-cut requirements and expectations of the third party is essential. Having a written-out Service Level Agreement ensures that the third party is fully responsible for providing the agreed-upon uptime. Having this clear-cut expectation in writing can avoid legal issues and ensure that the third party is providing the promised service and meeting expectations.
Mitchell Dulaney says
Hi Kelly – I agree that there should be transparency between any third party vendor and the client organization with regards to their business continuity planning and disaster recovery processes. This helps instill greater confidence in the vendor’s ability to meet the client’s needs as well as verifying how thorough their information security management system is.
Tal Eidenzon says
Hi Kelly,
All of the points you made are very important. Also, evaluating the third party by speaking with peers who have also used the third party, especially one that had to go through a disaster recovery assisted by the third party, would be incredibly valuable.
Thanks,
Tal
Anthony Wong says
When using a third party, one adequate way of gaining confidence is by having availability requirements and a service level agreement noted within the contract. Additionally, include a right to audit within the contract, and coordinate an external or third-party audit to identify the security posture of the third party, where data is being stored, controls to protect data, etc. If industry-standard controls are missing, the contract can require the third party to implement those controls. Furthermore, there needs to be consistent due diligence to ensure the third party is held accountable for meeting the availability requirements.
Kyuande Johnson says
Great points, Anthony. Having a solid service level agreement is essential when considering a third party within your environment. Aspects such as uptime and availability should also be outlined in response to a disaster. The organization should know how the third party will contact them if a disaster were to occur.
Anthony Wong says
Kyuande,
I completely agree with your comment. The third party should definitely have the point of contact's information readily available in the event of a disaster. Also, I liked how you pointed out uptime and availability, because most of the time we use those terms synonymously, but they are not. As an enterprise working with a third party, availability should have greater weight than uptime.
Kelly Sharadin says
Hi Anthony,
I agree with many of the points you've made. I am curious how you would approach consistent due diligence with a third party. Would you require the third party to undergo quarterly audits and provide their results? If yes, that may be worth including in the initial contract, requiring an acknowledgement and agreement from the third party that the partnership is contingent on adequate audit results.
Kelly
Anthony Wong says
Hi Kelly,
Depending on the criticality of the third party, which is determined by the business and what services the vendor is providing, an annual or bi-annual risk assessment should be sufficient. For example, a high-rated vendor could have a risk assessment performed annually, whereas medium- and low-rated vendors are assessed bi-annually. There are definitely areas where you should ask for redacted evidence; for example, if the third party is storing your data, you should ensure the third party is encrypting that data at rest.
Vraj Patel says
Hello Anthony, the service level agreement (SLA) and the availability requirements included within the contract do help define the requirements for the business to continue its operation during a disruptive event. In addition, it would be best practice to review the SLA and the contract on a periodic basis to determine whether anything within the contract needs to be changed.
Mohammed Syed says
Agreed. To develop an effective BCP plan, we should also identify and verify threats or risks and conduct a business analysis report, check the adopted controls for prevention and mitigation, and test for improvement of the BCP plan.
Mitchell Dulaney says
Hi Anthony, good point that the HA requirements and SLA not only need to be included in the contract, but there must be mechanisms in place (hopefully also defined in the contract) for the client organization to continuously verify that the vendor is maintaining a capability to meet those contractual obligations!
Kyuande Johnson says
When considering a third party to handle Business Continuity and Disaster Recovery, it's imperative for the organization and the third party to have clear-cut expectations. The third party needs to know what the organization deems important and how they will support the organization. They need to create a clear understanding of exactly what the third-party provider is going to provide to the organization and account for this in the contract. There will also have to be a review of the service level agreement provided by the third party. This agreement protects the availability of data during a disaster. There will be a guaranteed threshold on the time the data is unavailable. Uptime and availability should also be outlined in response to a disaster. Uptime is a measure of the reliability of the system; this means that a system is ready for operation. It is also imperative to ensure that the third party has a recovery plan. This will require evidence of this plan, which outlines how the organization will be notified during a disaster.
Shubham Patil says
If a third party is handling business continuity and disaster recovery, there should be a documented SLA which clearly states the RTO and RPO. The recovery time objective (RTO) is the maximum time period within which a mission-critical system must be restored to a designated service level after a disaster to avoid unacceptable consequences associated with a break in business continuity. The recovery point objective (RPO) is the acceptable amount of data loss, measured in time.
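As an added example that is not part of the thread above (the SLA values, incident records and backup timestamps are all constructed for illustration), the following Python checks each incident against the RTO and RPO from an SLA and measures availability over a reporting period. It also shows why the two have to be evaluated separately: both sample incidents are restored inside the RTO, yet the monthly availability commitment is still missed.

```python
"""Check constructed incident records against SLA targets (RTO, RPO, availability).

Added example, not from the discussion above; every value below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sla:
    rto: timedelta          # recovery time objective: outage start -> service restored
    rpo: timedelta          # recovery point objective: acceptable data loss, as time
    availability: float     # fraction of the measurement period the service must be up


@dataclass(frozen=True)
class Incident:
    name: str
    outage_start: datetime
    restored: datetime
    last_good_backup: datetime  # newest restorable copy taken before the outage


def recovery_time(inc: Incident) -> timedelta:
    return inc.restored - inc.outage_start


def data_loss(inc: Incident) -> timedelta:
    # Everything written after the last good backup is lost when restoring from it.
    return inc.outage_start - inc.last_good_backup


def breached_objectives(sla: Sla, inc: Incident) -> list:
    """Per-incident objectives this incident violated ("RTO", "RPO")."""
    out = []
    if recovery_time(inc) > sla.rto:
        out.append("RTO")
    if data_loss(inc) > sla.rpo:
        out.append("RPO")
    return out


def measured_availability(incidents, period_start, period_end) -> float:
    """Fraction of the period with no open incident; downtime is clipped to the period."""
    downtime = timedelta()
    for inc in incidents:
        start = max(inc.outage_start, period_start)
        end = min(inc.restored, period_end)
        if end > start:
            downtime += end - start
    return 1 - downtime / (period_end - period_start)


def evaluate_sla(sla, incidents, period_start, period_end) -> dict:
    avail = measured_availability(incidents, period_start, period_end)
    return {
        "availability": avail,
        "availability_met": avail >= sla.availability,
        "incident_breaches": {i.name: breached_objectives(sla, i) for i in incidents},
    }


# Constructed sample data (hypothetical vendor, not taken from any real report).
SLA = Sla(rto=timedelta(hours=4), rpo=timedelta(hours=1), availability=0.999)
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 2, 1)    # 31 days; 99.9% allows roughly 44.6 minutes of downtime
INCIDENTS = [
    # restored in 1.5 h, newest backup 30 min old: inside both RTO and RPO
    Incident("storage-failover", datetime(2024, 1, 5, 2, 0),
             datetime(2024, 1, 5, 3, 30), datetime(2024, 1, 5, 1, 30)),
    # restored in 3 h (inside RTO) but from a backup 3 h old: RPO breached
    Incident("database-restore", datetime(2024, 1, 20, 14, 0),
             datetime(2024, 1, 20, 17, 0), datetime(2024, 1, 20, 11, 0)),
]

if __name__ == "__main__":
    report = evaluate_sla(SLA, INCIDENTS, PERIOD_START, PERIOD_END)
    print(f"availability {report['availability']:.4%} (met: {report['availability_met']})")
    for name, objs in report["incident_breaches"].items():
        print(f"{name}: {'breached ' + ', '.join(objs) if objs else 'within RTO and RPO'}")
```

When reviewing a vendor's monthly report this way, ask for the raw incident timestamps rather than a single uptime percentage: 4.5 hours of total downtime across two short incidents already exceeds a 99.9% monthly allowance even though no single incident broke the RTO.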
Mohammed Syed says
Yes, I agree we need a Service level agreement and business impact analysis to decide the scope of the plan’s regulatory and legal obligations.
Vraj Patel says
Hello Kyuande, it sure would be helpful to include a clear understanding of the business continuity requirements within the contract with the third party. This could help the business understand how long their system could be down during a disruptive event. It would also allow the third-party service provider to understand whether they could meet that recovery time objective or not.
Mitchell Dulaney says
Kyuande – I think you bring up a solid point that isn’t necessarily addressed by the book, which is that a client organization needs to understand their own requirements and be able to clearly communicate them to a third party. Without doing this, the contract cannot possibly include the real needs of the client organization. Unfortunately, many companies have difficulty analyzing and confirming their own business continuity requirements.
Mitchell Dulaney says
When engaging in business with third parties, it’s important to utilize some common administrative controls to help verify that their information systems meet your security requirements. The first is an agreement that the third party will submit to an external audit before entering into business with your company. This audit should be designed to cover any systems that will impact your company in the event that the third party experiences an information security incident.
Additionally, have a well-written contract approved by your legal team with input from the information security team. This contract should define the scope of work the third party is responsible for, the service level they are agreeing to provide, and the mechanisms available to your company to confirm they are meeting their obligations. These mechanisms should include regular external audits to verify their information security systems are maintaining the security requirements dictated by the contract. The contract should also include legal ramifications in the event that the third party fails to maintain the stated level of security. With these ramifications written out, the consequences of a failure on the part of the third party are clearly defined and legally binding, and they will be motivated to live up to the terms of their contract.
Kelly Sharadin says
Hi Mitchell,
Thoughtful post. Your first paragraph almost suggests a due diligence approach to validating whether the third party's disaster recovery plan is adequate. When conducting the due diligence that is part of a merger and acquisition, I think this would be a valuable addition. However, I wonder how quickly the third party would be able to provide such a document. The delay may be a good indication that the third party is not prepared to address disaster recovery, and that may be a sufficient answer.
Kelly
Anthony Wong says
Mitch,
Great points, and I agree a well-written contract goes a long way. Just wanted to add that it may not be possible to get some third parties to agree to an external audit. It is rare, but it does happen, especially with the larger corporations such as Amazon, Microsoft, Visa, etc. These companies are way too large to care about most organizations' external audit requirements. They would rather lose your business than agree to it. However, they should be able to provide compliance documentation such as a SOC 2 Type 2 report or a SOC 3 report.
Vraj Patel says
Hello Mitchell, that was a great point regarding the third-party external audit report. It will surely help guarantee that the organization receives support from that third party on the availability of their services during a disruptive event. It would be important to request the external audit report of that service provider every year to evaluate and ensure whether there are any changes within that plan that could affect the service being received. As changes are made within the organization, there is a higher chance that the third-party service provider will be making changes within their business continuity process.
Vraj Patel says
Business continuity enables organizations to continue operating in the face of disasters. Disaster recovery procedures make sure that organizations can promptly recover from any circumstance that can have an impact on their operations. It is essential to ensure the business continuity plan is well-designed so that any key areas of the company can be operated even in the event of an uncertain circumstance. The plan must also be appropriately maintained by being reviewed and evaluated on a regular basis. The testing will make sure that the critical business processes are operating properly, and that the operation can continue. Through a contract with the third party managing certain systems, the businesses may guarantee the systems are accessible during any crisis event.
Mohammed Syed says
Also, when you make a business continuity plan, there are three essential features to understand: resilience, recovery, and contingency.
Mitchell Dulaney says
Hi Vraj. You’re absolutely right – business continuity and disaster recovery plans are only as good as the effort a company puts into the preparation and testing of those plans. A plan can be incredibly well-written and thorough but might be useless (or irrelevant) if it hasn’t been practiced and revised by the time a real disaster takes place.
Tal Eidenzon says
Hi Vraj,
To add to your point, in some situations implementing controls might be more expensive than the single loss expectancy, in which case the control might not be implemented at all. The same applies to a Business Continuity Plan.
Thanks,
Tal
Antonio Cozza says
I agree, Vraj; the business continuity plan will be relevant if it is maintained and regularly (perhaps annually) evaluated for any major changes in the critical systems controlling primary business processes.
Mohammed Syed says
A business continuity plan is a step that a company must take during or after an unexpected disruption occurs in business operations; a BCP becomes unavoidable for a leading organization to continue business in a critical situation, so the organization creates a plan that protects assets and personnel and ensures operations recover within the shortest period after a disaster happens.
All businesses are prone to various threats and disruptions that can generate lower revenue, increased costs, and lower profits, which can disrupt any stable company in the market; however, the organization can cover costs, retain customers, and resume operation within a short time without damaging business revenue and goodwill in the market if they have a proper Business Recovery Plan. A BCP provides the ability to withstand catastrophes like global pandemics, cyber security attacks, power outages, natural disasters, etc.; organizations can face unpredictable events at any time. If they face them blindly without a proper plan, the effect is more significant. So a BCP allows recovering earlier from any type of situation that occurs unexpectedly. Whenever an organization creates a plan, it should consider the critical business functions, potential threats and risks, crucial systems, and equipment planning.
When using a third-party system, before finalizing, the third party's history, recovery plan, customer feedback, and disaster policy should be reviewed first and then given space in our BCP plan. In this era, we can utilize updated technology in business continuity planning such as cloud computing and SD-WAN, where seamless backup, disaster recovery, cost-effectiveness, flexibility, and more advanced technology and features can provide us trust, stability, and security in business continuity.
Shubham Patil says
Mohammed,
I agree with your point about utilizing the latest technology in business continuity planning; disaster recovery in cloud computing can do just that. In case of disaster, critical workloads can be failed over to a DR site in order to resume business operations. As soon as your production data center is restored, you can fail back from the cloud and restore your infrastructure and its components to their original state.
Shubham Patil says
Business continuity planning defines what should take place during and after an incident. Actions that are required to take place for emergency response, continuity of operations, and dealing with major outages must be documented and readily available to the operations staff. There should be at least two instances of these documents: the original that is kept on-site and a copy that is at an offsite location. BC plans should not be trusted until they have been tested. Organizations should carry out exercises to ensure that the staff fully understands their responsibilities and how to carry them out. The BC plan is only useful if the organization in general, and the BC team in particular, knows how to execute the plan. This requires periodic training, tests, and exercises to ensure that both the plan and the staff are able to keep the business going no matter what comes their way. Testing your Business Continuity Plan (BCP) helps to continuously improve your ability to successfully recover from various scenarios, whether it be a natural disaster or a communications failure. Many organizations suffered tremendously in 2020 because their BCP didn’t account for a global pandemic in which many (or even all) staff members would have to work from home for extended periods of time. Information systems are certainly an important part of the continuity strategies, plans, and solutions, but the scope of the BCP is much broader than that of the DRP.
Vraj Patel says
Hello Shubham, that was a great post. A tested, efficient business continuity plan helps organizations carry out their core functions during a disruptive event. Additionally, as you mentioned storing the plan both on-site and off-site, it would be best practice to update the off-site plan whenever changes are made to the on-site plan, just in case the business has to utilize the off-site plan in the event that the on-site plan is unavailable.
Antonio Cozza says
Great analysis, Shubham. The effectiveness of the business continuity plan will be heavily impacted by the immediate response during an incident. Thus, testing that the plan actually works will be paramount to its success in the event of a real incident. Training in executing the BCP will be a differentiating factor in its efficacy.
Tal Eidenzon says
Considering that business continuity does not support day-to-day operations until a crisis situation, how does one justify the design, implementation, maintenance, and testing for business continuity system(s)?
This is a very interesting and complex question, with many possible answers, depending on the maturity of the organization. For some younger organizations that are still in the proof-of-concept phases, it may not make sense at all to spend time or money on developing a BCP, as it may be more financially feasible to start from scratch if a disaster hits. In larger, more mature organizations, with a surplus, a BCP is very highly recommended, at least for those risks that could threaten business continuity.
Thanks,
Tal
Antonio Cozza says
I agree with this sentiment, Tal; an organization's maturity and established practices / reputation will play a large role in its business continuity plan, if there is one. For the more mature organizations, the BCP should reflect a summary of all systems pertaining to the most critical business processes: systems that the organization cannot function without.
Antonio Cozza says
When using third-parties, how would you gain adequate confidence in their ability to maintain availability for their systems? What techniques or solutions would you use?
The first thing that must be done when using a third party to gain confidence in their ability to maintain systems availability is to establish clear agreement on the expected and guaranteed uptime written in the Service-Level Agreement, and on what the service provider will do in the event of an incident that results in downtime. If downtime occurs, the third party should be able to convey and demonstrate that it will exercise best practices in incident response in order to restore systems back to the normal environment. Having a clear understanding of this information will increase confidence in the third party, as will observing other incidents which caused downtime and how quickly they were resolved based on the type of threat that affected availability. Another couple of items to be checked are how long the third party has been in business, to ensure that it is a more reputable company, and one could also use the Gartner Magic Quadrant to observe the current service provider leaders.