When reviewing a financial institution’s information security program, the review eventually reaches the organization’s business continuity plan (BCP). At that point it is not uncommon to hear, “Why do we need a business continuity plan?” or “How is this plan going to help me in a cyber-attack or incident?” When these questions come up, it is safe to assume that the organization completed its BCP to check it off a list rather than for its own benefit.
What is a BCP?
A business continuity plan is a comprehensive written plan that provides detailed strategies for recovering from disruptions to essential business processes. It is typically based on risk assessments, business process prioritization, maximum allowable downtime analysis, and other recovery timeframes.
This means the business continuity plan is designed to cover preparing for, mitigating, and responding to reasonably foreseeable interruptions to essential business processes. Think of it as the playbook for your favorite sports team. It details each person’s role and responsibilities for recovering from all kinds of business interruptions: power outages, biological pandemics, internet connectivity disruptions, weather events such as floods and tornadoes, and last but certainly not least, breaches and cyber security events.
Testing your BCP
Many institutions go through the effort of creating a business continuity plan and forget possibly the most vital element of all: TESTING IT. Earlier I compared the BCP to a playbook for a sports team. Having a playbook alone will not win a game; the team must practice the plays. For example, an institution backed up a server a few weeks ago and then attempted an emergency restore, only to discover that sometime between the backup and the restoration attempt the entire backup file had become corrupted, with no way of restoring it to working condition. Had the backups been maintained, the server could have been recovered.
This is only one example of the tests a BCP should cover. Testing methods range from simple checklists to full mock-disaster exercises; a few examples:
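As an added illustration of the restore scenario above (example code, not from the original post): a small restore drill that records a SHA-256 manifest when the backup is taken, restores the archive into scratch space, and reports a damaged archive as a test finding rather than discovering the problem during an emergency. The sample files, paths and the truncation used to simulate corruption are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def create_backup(source_dir: Path, archive: Path) -> dict:
    """Archive source_dir; return {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(source_dir).as_posix()
            manifest[rel] = hashlib.sha256(file.read_bytes()).hexdigest()
            tar.add(file, arcname=rel)
    return manifest  # store the manifest apart from the archive, e.g. with the BCP records


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into scratch space and compare with the manifest; read errors become findings."""
    findings = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return {"ok": False, "findings": [f"archive unreadable: {exc}"]}
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                findings.append(f"missing after restore: {rel}")
            elif hashlib.sha256(restored.read_bytes()).hexdigest() != expected:
                findings.append(f"content differs from backup time: {rel}")
    return {"ok": not findings, "findings": findings}


def run_drill_demo() -> tuple:
    """Constructed scenario: backup taken, drill passes, archive later damaged, drill fails."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "server"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=443\n")
        (src / "ledger.csv").write_text("acct,balance\n1001,250.00\n")
        archive = Path(tmp) / "server.tar.gz"
        manifest = create_backup(src, archive)
        healthy = restore_drill(archive, manifest)
        data = archive.read_bytes()  # simulate silent corruption: truncate the archive
        archive.write_bytes(data[: len(data) // 2])
        damaged = restore_drill(archive, manifest)
    return healthy, damaged
```

Scheduling `restore_drill` against each backup and recording its findings turns backup verification into a documented BCP test instead of an assumption.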
- Walk-Through Drill/Simulation Test – Team members get together, walk through various scenarios, and apply the business continuity plan to each one. This test should assess the functionality of the plan, team member interactions, decision making, mobilization, and coordination.
- Tabletop Exercise/Structured Walk-Through Test – This test familiarizes team members with the business continuity plan and updates outdated information. Team members discuss the plan and suggest modifications or provide clarification for revisions.
- Functional Drill/Parallel Test – In this test, a mock disaster is declared, and team members are tasked with carrying out the business continuity plan. Two types of functional drills can be used: planned and unplanned.
  - Planned Functional Drill – This test is planned, scripted, and organized ahead of time.
  - Unplanned Functional Drill – This test results from an actual business interruption, such as a temporary power outage, a server failure, or key employees calling in sick. Unplanned drills are considered the most effective because they are not tests at all but actual implementations of the business continuity plan. Yet many of these small-scale interruptions are never documented as BCP tests.
Always document the results of each test and use the lessons learned to improve the business continuity plan. The BCP is a central part of a financial institution’s preparedness program, so an organization must foster a culture in which the BCP is treated as a vital security measure to be embraced, not just another box to check.
Jonathan Ramirez has three years of professional experience in Information Technology. He graduated from Texas Tech University, receiving a B.B.A. in Information Technology with concentrations in App Development and Cyber Security. He now configures and maintains the security appliances used in our audits, performs vulnerability reporting and social engineering phone calls, and collects data during CoNetrix Security audit projects.