It is easy to associate the term business continuity with the technology field or with large corporations. But business continuity is not exclusive to ICT, although ICT is a part of it, and disasters affect SMEs and the self-employed just as much as large companies. Every company must consider what the consequences of a halt in production or in daily activity would be.
Any company, regardless of its size or sector, must be prepared to prevent, protect itself against and react to security incidents that may directly affect and impact its business.
Each organization will have to analyze the different aspects of its operation, including those related to ICT, prioritize them, determine the limits of acceptable operation and establish the measures needed to guarantee the continuity of the activity in the event of an incident or disaster, minimizing its consequences.
For this reason, we propose designing a Business Continuity Plan that includes action plans, emergency plans, financial plans, communication plans and contingency plans aimed at mitigating the impact that the realization of certain risks would have on a company's information and business processes. Its design and start-up must be carried out according to the following phases.
Phase 0. Determination of the scope
This is the shortest phase and the one that needs the fewest resources. However, carrying it out is essential, since this is where we determine which assets, systems or processes are critical, that is, those whose unavailability would directly impact our organization by causing an unforeseen cessation of activity.
Phase 1. Analysis of the organization
This phase consists of gathering, developing and understanding the circumstances that surround our organization, analyzing its processes, technologies and resources. To obtain this overview, we will have to carry out a set of tasks.
First, it will be necessary to meet with the end users of the processes selected as critical or within our scope, gathering all the information on how those processes operate. For example, whether backups are made, of both data and applications, how often they are made, what the response times are if this service is outsourced, etc.
Business Impact Analysis.
From the information collected, we will conduct a Business Impact Analysis (BIA). This document will contain the time and resource requirements of the processes that are within the scope of the project:
- Recovery time, or RTO (Recovery Time Objective): the time a process remains stopped until it is restored.
- Human resources and technologies needed for a process to work in a contingency situation.
- Maximum tolerable downtime, or MTD (Maximum Tolerable Downtime): how long a process can stay down before the consequences become disastrous for the organization.
- Minimum level of service recovery, or ROL (Revised Operating Level): the minimum level of recovery an activity must reach to be considered recovered.
- Dependencies on other processes, whether internal or on external providers. The aim is to know whether a contingency in another process or at an external supplier would be transferred to our company.
- Degree of dependence on the currency of the data, or RPO (Recovery Point Objective): the impact that the loss of data would have on our activity.
With this information, we will be able to determine which processes and applications are a priority when it comes to being recovered, as well as the need to have, for example, backup copies.
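As an added example (not part of the original article), this Python script applies the BIA requirements just described to a constructed set of processes: it flags an RTO that exceeds its MTD, a dependency whose own RTO is longer than that of the process relying on it, and a dependency with no BIA entry, then derives a recovery priority order in which dependencies come first and the shortest MTD is recovered first. All process names and values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    name: str
    rto_h: float                   # Recovery Time Objective, in hours
    mtd_h: float                   # Maximum Tolerable Downtime, in hours
    rpo_h: float                   # Recovery Point Objective: hours of data loss tolerated
    depends_on: list = field(default_factory=list)  # processes or providers this one needs

def check_bia(processes):
    """Return a list of findings (strings); an empty list means the BIA is consistent."""
    by_name = {p.name: p for p in processes}
    findings = []
    for p in processes:
        if p.rto_h > p.mtd_h:
            findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTD {p.mtd_h}h")
        for dep in p.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{p.name}: dependency '{dep}' has no BIA entry (external provider?)")
            elif d.rto_h > p.rto_h:
                findings.append(f"{p.name}: depends on {dep}, whose RTO {d.rto_h}h "
                                f"is longer than its own RTO {p.rto_h}h")
    return findings

def recovery_order(processes):
    """Recover dependencies before dependents; among the rest, shortest MTD first."""
    by_name = {p.name: p for p in processes}
    ordered, seen = [], set()
    def visit(p):
        if p.name in seen:
            return
        seen.add(p.name)
        for dep in p.depends_on:
            if dep in by_name:          # unknown names are external providers, nothing to recover
                visit(by_name[dep])
        ordered.append(p.name)
    for p in sorted(processes, key=lambda q: q.mtd_h):
        visit(p)
    return ordered

def backup_interval_h(p):
    """Backups must run at least as often as the RPO; half the RPO leaves a safety margin."""
    return p.rpo_h / 2

# Constructed sample BIA (hypothetical processes and values)
SAMPLE = [
    Process("erp", rto_h=8, mtd_h=24, rpo_h=4, depends_on=["database"]),
    Process("email", rto_h=16, mtd_h=12, rpo_h=24),
    Process("database", rto_h=12, mtd_h=24, rpo_h=1, depends_on=["datacenter-provider"]),
    Process("web-shop", rto_h=2, mtd_h=4, rpo_h=1, depends_on=["database"]),
]

if __name__ == "__main__":
    for f in check_bia(SAMPLE):
        print("FINDING:", f)
    print("Recovery order:", recovery_order(SAMPLE))
```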
The risk analysis consists of studying and determining the threats to which the organization is exposed, the likelihood of each one materializing, and the impact it would cause if it did.
Once conclusions have been drawn, a risk treatment plan will be prepared, describing the measures, the risk each one mitigates, those responsible for implementation, the resources needed, etc.
Phase 2. Determination of the Continuity Strategy
This phase consists of determining which recovery strategies should be implemented for each of the elements identified as critical or that could be affected in a contingency, that is, how to recover a system or process so that the contingency does not degrade it irreversibly for the organization. Keep in mind that some processes may require several recovery strategies.
Phase 3. Response to contingency
This phase begins with the implementation of the initiatives that have emerged in the previous phase. In addition, all documentation related to the response to the contingency must be addressed, through the following documents:
- Crisis plan whose objective is to avoid improvised decision-making that could worsen the situation or that decisions are simply not made.
- Environment recovery operational plans, which must specify on which environment they are applied. It must be taken into account that these documents may cover one or more environments, and will contain specific information for each of them. For example, one environment can be an ERP, another email, etc.
- Technical work procedures, which describe the actions to be carried out for the management and recovery of a system, infrastructure, or environment.
Phase 4. Test, maintenance, and review
For a Continuity Plan to be effective, we must verify that it really works and keep it updated. To do this, a series of tests will have to be executed on the identified environments, after which we will prepare reports that collect the results obtained. In addition, all incidents arising in this process must be reflected, which is essential to establish corrective measures.
Phase 5. Awareness
The fact that awareness is the last phase does not make it any less important than the preceding ones. In this phase, all kinds of measures are put in place to promote staff awareness of continuity and knowledge of the plans drawn up. The target audience includes both technical and business staff, provided they have some relationship with the scope.
Regardless of sector or size, any organization must be prepared to confidently confront a security incident that could affect the development of its activities. Establishing a series of measures aimed at minimizing the impact that any type of contingency may have on the business will provide greater security and a better response to any eventuality. If you need to know more about all these phases related to the development and implementation of a Contingency and Business Continuity Plan.