Secure View
Because business must go on

Here's what you can do to make your business continuity plan effective. by Avinash W. Kadam

Information security stands on three pillars: Confidentiality, Integrity and Availability. Business Continuity Management (BCM) depends on availability of information. Disasters and security failures have become a way of life for us. Despite all the uncertainties, we have to ensure that critical business processes are protected, so that business goes on with minimum interruption. Only adequate planning, good design and documentation of business continuity processes can achieve this. Regular training and testing of business continuity plans ensures that everyone involved in responding to a crisis will always be prepared to cope with sudden failures.

BCM PROCESS

Management is defined as planning, organizing, directing and controlling the business processes to achieve the business objectives. The BCM process is no different.

Planning: The organization depends on smooth functioning of a number of business processes. Many of these processes are also dependent on IT processes. An interruption of IT processes will adversely impact the business processes, thus affecting the business objectives. Plan an appropriate strategy for ensuring business continuity in the face of business interruptions, even disasters.

Organizing: Document the strategy. Identify the impact of an interruption. Decide in advance on the business priorities for recovery. Make detail plans to implement the strategy. Indicate who will be responsible for what portion of the plan.

Directing: Ensure regular testing of the plan. Make sure that there is clear understanding about each person's roles and responsibilities in the face of a crisis. The normal organization structure may not be functioning, still the business must continue to function.

Controlling: Create a forum that leads the business continuity process. This forum should be empowered to take necessary decisions, including transferring the risk by taking insurance.

IMPACT ANALYSIS

There are two important activities that need to be performed meticulously. The cost benefit of most subsequent actions will depend on attention to detail given during this phase. These activities are:

• Risk assessment
• Business impact analysis

Risk assessment involves a lot of hard-nosed analysis of related, real-life facts, and a little bit of gazing into the crystal ball, and predicting the future. Nobody can say with certainty, what could cause an interruption, and what will be the cause of a disaster. And we read so many 'horror' stories about disasters. Prudent risk assessment requires a balanced view. Don't be an alarmist who expects the worst to occur; do not be an optimist either, who believes nothing could go wrong. Based on past experience, statistical data, published incidences, which have affected similar industries in similar environments, compile a list of all threats. Assign a value of 'high,' 'medium,' or 'low' to the probability of such a threat turning into a risk for you. Predict the worst possible scenarios for each incident, preferably in actual rupee terms; classify these as high, medium or low.

The consequences may not always be quantifiable, and may be something intangible like damage to reputation. Take the opinion of others in the organization. At the end of this exercise, you should have a reasonable list of risks that you and your colleagues believe to be realistic. You should have identified a good balance of natural risks like floods and rains; non-random risks like fires, explosions, and virus attacks; human risks like insider threats, hackers, industrial espionage etc. Prioritize the risks based on the product of probability and consequences. The high combination of threat and consequences has to be tackled immediately. Remember, this exercise is to be done with business priorities in mind, hence it is not limited to IT resources. You have to consider all the business processes, and take the opinion of business process owners.

Next, you should determine the business impact of each risk. Business impact will consist of overall loss to the business, as well as the time to recover to normalcy.

Business impact analysis helps in prioritizing the recovery sequence. Sometimes a seemingly normal and routine activity may require the highest priority to minimize the business impact. For example, if a bank faces disaster due to fire or a major fraud, there is an immediate run on its ATMs as well as branches for cash withdrawal. Restoring customer confidence is the topmost priority. Making available a large amount of cash becomes the most important task.

Writing and implementing continuity plans

"Write your plan and then do what you write" is a time-tested maxim. After an interruption or disaster, the business has to recover as quickly as possible. You will not have much time to think. This provides sufficient reason to write all the emergency procedures and also to define responsibilities. There will also be a number of services that need to be restored within a given time. Some of these will be external services. Document how to recover each of these in the plan. Since time is a critical element, the recovery procedure should take into account the estimated time required for restore. Also identify the dependencies. It may be critical to restore some functions before others. For example, you may need to restore the email communication before telephone communication as this will help in reaching the entire world in shortest possible time. Telephone communication may be overwhelmed with too many calls in an emergency.

The documented plan should ensure that someone, referring to this plan, would be able to prioritize various actions to meet the business objectives of restoring various customer services in an acceptable timeframe.

Implement the plan through appropriate delegation of responsibilities. Provide appropriate staffing. Create backup arrangements.

Business continuity planning framework

The business continuity plan may swell as more procedures are added, each written to meet a specific condition. For large organizations there may be departmental plans, unit-wise plans, location-wise plans and region-wise plans in addition to corporate plans. It is necessary to have a common and consistent framework so that all these plans work in a coordinated fashion.

Consistency of planning framework could be achieved by defining a few common processes:

• Each plan should have an owner and individuals responsible for various components of the plan. This will ensure that each plan is updated regularly, and executed as the need arises. Also, the plan owner should ensure availability of all resources for execution of the plan. He should also be responsible for all the backup arrangements, alternate arrangements and resumption of business. This will ensure that each plan gets appropriate attention from the owners of business resources whose revival will depend on proper execution of the plan.

Each plan should have at least the following procedures:

• Condition for activating the plans: How do you distinguish a temporary interruption from a disaster? By defining the conditions you may suppress yourself from crying wolf for every alarm. The definition should be clear and concise so that there is no delay in taking the decision.
• Emergency procedures that describe the immediate actions to be taken. These should define the priorities; human life should be the first priority in every situation. Restoring business operations, contacting government authorities, communicating to stakeholders and the public, communicating to the press should be covered in these procedures.
• Fallback procedures that can restore essential business functions in a given time limit.
• Resumption procedures that restore the business to complete normalcy.
• Maintenance schedule giving a timetable of testing the plan and updating it.
• Awareness and education activities, that prepare all the persons to act in an appropriate manner, and not panic in a crisis.
• Responsibility allotments to individuals so that each person knows what is expected of him.

Testing, maintaining, and re-assessing

Business continuity planning is based on a number of assumptions about risks, the circumstances and availability of correct information. Each of these gets refined while testing the plan. However, it is not prudent to test the entire plan in the first attempt. Systematic testing involves testing individual components of the plan in such a way that the testing does not interrupt routine business operations.

The various types of tests recommended are:

• Basic: Single component testing - Identify individual elements like availability and currency of Business Continuity Plan, retrieval of vital offsite records, contact list of staff, suppliers and other contact persons, lead time of critical equipment, readiness of the disaster recovery site etc.
• Walkthrough - or tabletop testing of various scenarios: Go through the procedure with the team and confirm the adequacy of plan.
• Integrated test: Involve integrating a number of components in the order in which they would occur during actual recovery procedure.
• Incident simulation: Write a test scenario for a disaster event and simulate the incidence. Document the observations.
• Technical recovery testing: Test the restoration of information system based on various backups as
  well as the arrangements at
  alternate sites
• Testing the supplier facilities and services: Testing the preparedness of contractors and suppliers.
• Partial simulation: Involve several business units.
• Full simulation: also called full interruption or mock disaster test. This is an ultimate business continuity plan test that activates the complete business continuity plan.

As you will notice, each of these tests requires various resources, and causes different amount of disruption. Full simulation is of course the fullest testing that will cause maximum disruption. An annual calendar should be made to execute each of the tests at a definite interval.

The outcome of each test should be to re-assess the plan and improve it. The plan owner should be responsible for maintaining and improving the plan. Apart from the inputs received from testing, the plans should also be updated whenever there are changes in the systems, environment or business requirements. By regularly reviewing the plans and keeping them up-to-date, you will be sure that your Business Continuity Plan serves you well.

Avinash Kadam is Director, Miel e-Security, Pvt. Ltd. He can be reached at awkadam@mielesecurity.com