Disaster Recovery Essentials for Hurricane Season
As the eastern United States enters hurricane season, now is an opportune time to review your organization’s Business Continuity and Disaster Recovery (BCDR) Plan. BCDR Plans are not just for large corporations; even small and medium organizations can benefit.
While state and local governments focus on evacuation protocols for the individual citizen, post-disaster community recovery efforts are reliant on certain industries, such as:
After disaster strikes, residents may find themselves displaced due to a damaged home. To return to normalcy, many dependencies must align, including:
An insurance agent must be available to policyholders to assist in processing claims so the homeowner can contract a construction firm to repair the damages.
The policyholder requires access to their bank or credit union to pay for temporary lodging and food.
The construction firm requires a supplier for building materials to complete the repairs.
The supplier requires reliable logistics to ensure resources are available.
Throughout this scenario, local government must be able to repair utilities (power and water) and enable first responders to provide fire control, law and order, and medical services.
Each one of these organizations is vital to community recovery efforts. Having an established BCDR Plan significantly cuts down on the time needed to reorganize during a stressful period by ensuring staff are trained and know what to do, where to go, and how to safely get your organization back up and running.
What is a BCDR Plan?
A BCDR Plan is one component of a comprehensive Information Security & Privacy (IS&P) Program that assists organizations in building and maintaining a reputation as a trusted source of products and services. It accomplishes this goal by providing preplanned processes and actions for trained employees to act on in the event an issue arises, and it aids in ensuring disruptions remain an internal issue.
Disruptions can range from short-term impacts, such as a power or water outage, to long-term impacts, such as natural disasters.
A BCDR Plan should be driven by other components of the IS&P Program, to include the Risk Management (RM) Plan and Incident Response (IR) Plan. Development of the RM Plan should have included a threat modeling exercise to identify reasonable internal and external threats to your organization.
If a risk assessment that includes a threat modeling exercise has not been conducted, the next step is to identify what can go wrong.
An effective BCDR Plan will include a thorough assessment of reasonable internal and external threats to how your organization conducts business operations.
This answer can vary greatly; for this exercise we’ll focus on natural disasters.
While all geographical areas are susceptible to most environmental risks, such as flooding, fire, tornados, and earthquakes, some have a higher probability of one or more of these impacting business operations. The east coast faces the threat of hurricanes during summer months, which the west coast does not typically experience.
Developing a BCDR
Starting the process of developing a BCDR Plan may seem overwhelming as your organization attempts to wrap its arms around what is critical to operations and what can wait. To answer these questions, Dragoon Security Group suggests these areas of focus and potential questions to ask that may help gain traction.
Products and Services
What products or services do we provide and who benefits from them?
This will answer why (Mission) your organization is there, what it does (Products and Services), and who (Client) is relying on it. Once these details are identified, determine what business processes support the delivery of your organization’s products and services.
Next, calculate the amount of time your organization can tolerate these business processes being unavailable; this establishes a Recovery Time Objective (RTO).
Now that your organization’s critical business processes are defined, what makes these business processes succeed?
Can staff perform their duties safely?
Has a call tree been established?
Does staff know where to go or who to contact?
What are the key skills required to continue business operations?
What key skills are limited to one or two people?
Who can we cross train to augment key skill area shortages?
Systems and Data
What systems and data are critical to operations?
Would they be available in the event facilities are damaged?
Is data being backed up?
Are off-site or cloud data backups established and tested?
How can we access hard copies of data?
What does your organization need to communicate between the head office and field operations or branch offices?
Does it make sense to have a secondary satellite or mobile hotspot connection?
How much bandwidth is required if the primary internet connection is lost?
Are there alternate work locations outside a disaster area?
Can staff work from home?
During a power loss, are generators available until utilities can be restored?
How long will on-site fuel stores for generators last before requiring a resupply?
What vendors support your organization?
How quickly can they respond to meet your organization’s needs?
Do vendor contracts establish time requirements to support your needs?
The BCDR Plan should be documented and available to key personnel within your organization. Staff should know who within your organization to contact for guidance. Physical copies should be securely maintained off-site by key personnel, and digital copies should be available in the event of destruction.
Dragoon Security Group’s consultants bring decades of experience in guiding businesses in the development of full scope Information Security and Privacy programs, to include Business Continuity and Disaster Recovery Planning. Our engagement plan allows us to swiftly gain an understanding of how your business operates, identify issues, and establish requirements with minimal impact to your operations.
To schedule an appointment to discuss your path to protecting your customers’ data, contact us at 803-298-4500 or email info@DragoonSecurityGroup.com.