ICT Disaster Recovery and Business Continuity Planning

In BICSI Bytes, by info@bicsi.com.au

Is having your company information backed up on the Cloud a Business Continuity Plan?

According to Laura Toplis, Director of BCP Builder: “Unfortunately, the answer is ‘No’. I have encountered confusion around the differences and inter-dependencies of ICT Disaster Recovery and Business Continuity Planning, so this article aims to highlight the main points.”

Being able to access your information is key to business continuity; however, there is more to a business continuity plan than the availability of information.

Having a business continuity plan means you have thought about the products, services and activities your organisation provides, put them in order of priority and identified options to continue working during an unexpected disruption.

You should have plans in place to cover:

· Loss of people
· Loss of infrastructure
· Loss of workspace
· Loss of supply chain
· Loss of reputation

You should consider who would be the best people in your organisation to respond to a crisis, record their details as the Response Team and give them the appropriate training and plans to succeed.

Being able to access your information is critical, and if your information is only available on the Cloud with no other backup, this is a significant risk.

Accessing the Cloud relies on an internet connection – which may not always be available. Data on cloud services can be lost through a malicious attack, a natural disaster, loss of an encryption key or a data wipe by the service provider, or you could be locked out of your systems by a ransomware attack.

To ensure your information is always available, you should discuss your backup and Disaster Recovery System with ICT. The more frequently you back up your system, the more expensive it becomes – would it matter if you lost a week of data? Do you need your systems to be replicated in real time?

Check that the back-ups are tested regularly, because you need to be confident they will work when you need them. If you don’t already have one in place, consider creating a manual system to fall back on while your back-ups are being restored.
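One way to turn “check that the back-ups are tested” into a repeatable check, as an added example that is not part of the article: the script below asks the two questions a restore test should answer (is the newest backup within the recovery point objective agreed with ICT, and does the restored copy match the checksums recorded at backup time). The manifest, file contents and the simulated restore directory are constructed sample data.

```python
# Backup-restore verification check (added example, not the article's code).
# Two questions a DR test should answer: is the newest backup inside the
# agreed recovery point objective (RPO), and does a restored copy match the
# checksums recorded at backup time? All paths and data below are constructed.
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def rpo_breached(last_backup: datetime, now: datetime, rpo: timedelta) -> bool:
    """True when the newest backup is older than the agreed RPO."""
    return now - last_backup > rpo

def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare restored files with the backup manifest; return problems found."""
    problems = []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"checksum mismatch: {rel}")
    return problems

def demo() -> tuple:
    """Run both checks on constructed data; returns (rpo_ok, problems)."""
    root = Path(tempfile.mkdtemp(prefix="restore_"))
    originals = {"finance/ledger.csv": b"date,amount\n2024-01-02,100\n",
                 "hr/roster.txt": b"alice\nbob\n"}
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in originals.items()}
    for rel, data in originals.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    # Simulate a bad restore: one file truncated, one file never restored.
    (root / "hr/roster.txt").write_bytes(b"alice\n")
    manifest["ops/runbook.md"] = "0" * 64
    last_backup = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = datetime(2024, 1, 9, tzinfo=timezone.utc)  # eight days later
    rpo_ok = not rpo_breached(last_backup, now, timedelta(days=7))
    return rpo_ok, verify_restore(manifest, root)

if __name__ == "__main__":
    print(demo())
```

In a real test the manifest is written by the backup job and the checks run against a restore into a scratch location; both findings (a stale backup and a file that does not match) are the things a restore drill exists to surface.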

Having robust information security practices and protocols protects your organisation, and selecting a responsible staff member or team to oversee this task will ensure it is taken seriously. Any new procedures should be developed in collaboration with the CISO (Chief Information Security Officer). One example would be to ensure users store files only on network storage; in that case, if a laptop is compromised for any reason, there is no loss of data because it remains available on the network.

Choose a realistic scenario for your industry and run a simulation exercise that involves loss of infrastructure (ICT in particular).

· Walk through the entire process and run testing to ensure everybody is confident and understands their role, including the identification of suspicious emails.
· Show staff what to do in particular scenarios, e.g. if they get a ransomware lock screen – unplug from the network and raise the alarm.
· Create a safe atmosphere where staff feel comfortable reporting mistakes, such as opening a phishing email, so they act quickly and report the problem rather than trying to hide it.
· Do these tests regularly, cover different areas of the business, and include a Communications Plan in which all interested parties are contacted. These may include:
  o CISO
  o Information Security Response Team
  o Insurance adjusters
  o Local police (depending on the type of incident – you may not want to draw media attention to your organisation)
  o Help Desk Director
  o IT Management and managers of affected applications
  o Senior Management.