THE IT SECURITY PROFESSIONAL
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
Making a Plan
When it comes to disasters, you never know what type will hit your organization. How do you know what to prepare for? There are so many things that could go wrong, and planning for all of them will definitely impact your bottom line. Planning for the most likely event or one that would have the most impact on your business might be the way to go. Nevertheless, regardless of what you decide to prepare for, you need to have a plan.

Plan Development
Develop a plan outline that addresses all of the various areas that could be impacted during a disaster. (A disaster for this blog is anything that could potentially impact your organization or hinder its normal operational tempo.) Below are a few of the areas that should be included in your Disaster Plan (DP):
Areas of Focus
For most businesses, you will want to get up and running as soon as possible, and it is for this reason that you will want to be as thorough as you can with your planning process. There will also be additional documents/evaluations that will be included in the planning process for the DP, which are:
Bringing it Together
When developing the DP, it is important to have finished the supporting documents and conducted the various evaluations. This will take time, as you will want to talk with all of the stakeholders in your organization and gather their input. (The plan should not be prepared in isolation from the rest of the company, but be inclusive.) Including the findings of the supporting documents and evaluations will help to flesh out the DP as you specifically address those areas. Using diagrams and flow charts will also be an important part of the plan. These will help to illustrate the plan and provide additional detail that may not be in other areas of your document. Creating process flows and decision trees will be an important part of the development process, as these may change depending on the scope of the incident. Including additional content will also help to explain specific requirements of the DP, as there may be a need to include lists of employees, vendors, and other support personnel who will need to be contacted in case of an incident.

Communicating the Plan
You have gathered all of the stakeholders in your organization and they have helped bring the plan together. After the plan has been signed off and adopted by your organization, you will need to communicate the plan to the rest of the business. How do you do this? There are several effective ways, but the key is making sure that all of the people that you listed (assigned duties to) know what they are responsible for and what they are specifically required to do for the plan. Depending on how your specific organization handles employee communication, the plan could be communicated through an email or a classroom training session. Both of these can be effective, as they provide a way to pass along the information that the employees will need to know. When a disaster hits your company, you don't want people to wonder what they are supposed to be doing during the event.
"You are only as prepared as your last test."

Testing the Plan
Probably the most important part of the plan is the testing of the DP. You should be testing your plan at least on an annual basis to make sure that it is still valid. In addition, updating your plan throughout the year is not a bad idea either, as your environment may change with additions or upgrades to current technologies. The plan should be a living document, in that it reflects the current situation of your organization. If it does not, make sure that you address it as soon as you are able to do so. At a minimum, a tabletop test of your plan should be performed with all of the stakeholders and those with responsibilities outlined in the DP itself. Testing should be documented and the findings addressed if there are any. This will provide areas that will need to be addressed in a timely manner. For most certifications, having a DP is a must and the organization needs to show documentation that they are testing it on an annual basis, so this will help with any of those compliance requirements that you might face.

Summary
While there is a lot that will go into a DP, in the end it is worth all of the effort when you see the plan in action. Developing the plan when you are not stressed with an incident allows you to think through the situation in a calm and collected manner. Developing a DP is one of the most important things that an IT Security Pro can do to help their organization, whether it is making changes to the plan or finding a solution that will meet the needs of the business. It is also important to make sure all areas of the business are addressed and that the plan takes into consideration contractual and regulatory requirements as well as specific needs of the company.
Testing your Business Continuity Plan
If you have developed your Business Continuity Plan (BCP), you will need to test it at some point to make sure that it will help support the organization in case of a disaster. (Also, having a Disaster Recovery Plan (DRP) will be crucial in determining how the business will respond to the disaster, but that will be for another blog.) As they say, "you are only as protected as your last test". Really, that is the key here. You need to test the BCP on a regular basis, because things change in your environment all the time. The BCP should be a living document in that it should reflect the way your business is conducted.

Developing a Test Plan
So your BCP is completed and you have all the additional documentation that you will need to support the overall recovery strategy (you have a recovery strategy, don't you?). Now is the time to develop a test plan around the disaster that you will simulate. (Please, no aliens or asteroids hitting and wiping out the business; it's just not going to happen, and it's a waste of your time.) Pick a disaster that you are most likely to see in your geographic area. Some common disasters are listed below:
Ransomware & Pandemics
In the list above, a pandemic is listed. The reason for this is that the CDC and other organizations like NIST (National Institute of Standards and Technology) have come out with guidelines on how a company should prepare for such events. With that in mind, even though you may not test for it at first, including it in your preparation planning process and discussing how you are going to deal with it in case it affects your business is a best practice. Ransomware is also listed above, and the reason for that is that a ransomware attack on an organization will have the same impact as a disaster, so you might as well prepare for it like one. Different scenarios and different means of infiltration of the ransomware make this type of disaster difficult to plan for, but determining how you will react to it and how you will handle specific aspects will go a long way in assuring your customers and employees that you are doing things the right way.

"You are only as protected as your last test."

Types of Tests
Tabletop
There are several types of testing that you could do when you are testing your BCP. The most common, or the one that is required by most standards, is the tabletop test. If you are not familiar with this type of test, it is important that you become familiar with it. This test runs through a given scenario with the BCP (that you developed) as the decision maker's guide. Depending on its complexity, this test should take a while to complete and should challenge the leadership of your organization in a way that they have not been challenged before.

Partial Functional Test
This type of testing includes a component of the functional test as part of the tabletop scenario. This will bring some realism to the events of the testing process. Conducting a network backup at the same time or testing your backup generators is very common during these types of tests. These are meant to put a little stress on the company for recovery purposes, but not affect the overall business operations.

Functional
A functional test is meant to be a full-on test of the continuity plan and is meant to show that the company will be able to recover in the event of a disaster. This type of test requires a simulated event where the operations of the business are affected (physical disconnection of network wiring, or a fire breaks out) and recovery is required in order to be back up and functioning within a reasonable amount of time. This should not be done on a regular basis, but should be performed periodically in order to ensure the plan is effective. Working up to this point is the goal of most organizations. Some types of industries will require it, but most do not.

Sticking to the Script
One of the things that has happened many times to those of us who have run these tests is that the Leadership Team will go off the script and tell you things that will not make sense. Given a scenario, the Leadership will want to perform everything correctly.
Truth is, this is where you will find your weak points in your planning process, and you want to have failures, so you can fix them for the next time you have a test. Going off script and saying you have a solution for a problem (but it is not in your plan) is lying to yourself and your company. If it is not in your plan, you can't use it. If it needs to be added after the training, fine, but not during the training scenario testing. Nevertheless, it can't be used as part of the recovery portion of the testing. Keeping the script and the plan the same will ensure that you identify your gaps and are able to address them effectively once you start to remediate the findings of your testing.

Documentation of Disaster
One of the key things that you can do to ensure that you have an effective test of your BCP is to document the process from beginning to end. This may be difficult due to the communication that is going on between the different leadership members who will be making those key decisions. But the process should be documented in order to determine if there is a gap in the overall planning process. Keeping track of important events or incidents will help to ensure that you are able to analyze the events in chronological order when the testing has been completed. Noting all incidents as they happen (having someone who is not part of the testing process take notes during the testing would be great) will ensure that you can go back and look at the events in a more objective manner later on. In addition, providing documentation of the disaster may be needed for auditing purposes later on, if you are under any sort of regulatory requirement.

Remediation Efforts
After the testing has been completed, the remediation efforts will begin. This is where the real work of the BCP testing will be conducted.
Identify the gaps that appeared during the testing of the plan, and list them so that all of those who have taken part may see the specific areas that may need to be worked on. This will also help to identify the possible responsible parties for those areas within your organization. Prioritizing the remediation efforts will give the business a defined period in which it will need to begin working towards fixing the identified gaps. The plan here is to make sure that the gaps have been addressed within a given period, or that the company will be able to deal with the gap as a known issue. (This should also be recorded on your Risk Register as an acceptance of the risk to the company.)

Summary
While there are many items that go into a Business Continuity Plan, the plan is there to help your organization recover from a disaster. Without this documented plan, your business runs the risk of not being able to recover and may go out of business because of it. The importance of the planning process cannot be overstated here. The time you take in making sure that you have plans or processes in place in case your organization has to deal with a disaster will go a long way in ensuring that you will recover with your business intact.

Business continuity planning has become a buzzword in the IT industry after recent natural and man-made disasters. These disasters have left businesses reeling as they search for ways to continue to survive and to serve their customers. Businesses that thrive on technology are especially hard hit, as these disasters can impact the whole organization and in most cases will be a turning point in the success of the business.
Here are some things that you need to look at when developing your disaster planning:
The Benefits
The benefit to your business is that in case of a disaster you will be prepared to address the issues that you may have to deal with. Whether you are facing a network outage or your data center is hit by an earthquake, you will be able to prioritize your recovery efforts and focus your planning and strategies on those areas that make sense for your business. The benefit for the company is that you will be able to develop a plan that addresses the issues that a disaster will cause to the organization. When developing a plan, you want to make sure that you address all possible areas that could be impacted. In a disaster you will not have time to think of all of the possible areas that could be impacted; thinking about them during normal operations will give you a clear and thoughtful mindset in which to develop your planning and strategies.
IT Security Pro
Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.