WHY BUSINESS CONTINUITY MANAGEMENT IS SO IMPORTANT FOR IT SERVICE PROVIDERS
Whenever there is a disruption in business, it can cost money, damage reputation or sometimes lose customers. Insurance companies do not cover all costs and cannot replace customers who defect to the competition. A business continuity plan is a must for any IT service provider to survive such catastrophic conditions.
The Business Continuity process identifies the likelihood and impact of risks to the business and then produces a contingency plan to deal with any kind of eventuality, such as IT system failure, terrorism, natural calamities like earthquake and flood, unavailability of staff, etc.
Business Continuity is one of the most critical aspects of any business.
WHAT IS BUSINESS CONTINUITY MANAGEMENT (BCM)?
Business continuity management (BCM) is a framework for identifying an organization’s risk and its exposure to external and internal threats to service availability, and then formulating a plan to mitigate that risk. Business Continuity Management involves developing a plan to prevent disasters and to assist recovery in case of a crisis. The aim of Business Continuity Management is to develop and implement the ability to respond effectively to threats such as data breaches or natural disasters and to protect the business interests of the organization. BCM includes crisis management, disaster recovery, business recovery, incident management, emergency management and contingency planning.
What Is Business Continuity Planning (BCP)?
Business continuity planning (BCP) is the step-by-step process of creating a robust preventive system and a mechanism for quick recovery from the potential risks to a company. BCP ensures that personnel and assets are protected and are able to function quickly in the event of a disaster. Business Continuity Planning is conceived in advance and involves input from key stakeholders and personnel.
Business Continuity Planning is the assessment of both internal and external risks and their impact on the business, followed by the implementation of preventive, detective and corrective measures.
BCP involves defining any and all risks that can affect the organisation’s objectives and operations, making it an important part of the organization’s risk management strategy.
Basic areas in which Business Continuity Planning needs to be considered:
- IT Service Continuity
- Disaster Recovery (DR)
- Pandemic Planning
- People Continuity
HOW TO DEVELOP BUSINESS CONTINUITY PLAN?
Development of a business continuity plan includes the following steps:
STEP 1 First of all, perform a needs analysis, define strategy objectives and create an implementation framework.
STEP 2 Next, identify the business value of organisational applications and determine RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for each through data risk analysis.
STEP 3 Next, match technologies for safeguarding data, including backup, disaster recovery, vaulting, snapshots and replication, to the business value of each application.
STEP 4 Next, define infrastructure and personnel plans, including organizational and communications processes. A business continuity team should be formed and a business continuity plan compiled to manage a business disruption.
STEP 5 Next, implement the required technologies and provide training and awareness to critical personnel on which business processes are impacted.
STEP 6 Conduct table-top exercises and BCP drills of the documented plan under different scenarios. Outcomes should be documented.
STEP 7 Next, measure and validate test results against the plan’s overall objectives.
STEP 8 Further, implement the required enhancements that have been prioritized as a result of continuous testing and evaluation.
STEP 9 Next, continuously review, enhance and improve the business continuity plan with respect to organizational changes, fluctuating business conditions and the addition of new technologies.
STEP 10 Finally, remember to repeat the entire process continuously.
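Steps 2, 6, 7 and 8 above turn on one concrete comparison: did the drill restore the service within its RTO, and was the data loss within its RPO? The following script is an added example (not code from the original article) that performs that comparison for a constructed set of applications and drill results, and then ranks the missed objectives by how far they overshoot so the enhancements of Step 8 can be prioritised. The application names, targets and timestamps are invented sample data.

```python
"""Evaluate BCP drill results against per-application RTO/RPO targets.

Added example with constructed sample data; not taken from any real plan.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class ContinuityObjective:
    """Targets agreed for one application in the BIA (Step 2)."""
    application: str
    rto: timedelta              # longest tolerable outage
    rpo: timedelta              # longest tolerable data-loss window
    backup_interval: timedelta  # how often backups are actually taken (Step 3)


@dataclass(frozen=True)
class DrillResult:
    """What was observed when the documented plan was exercised (Step 6)."""
    application: str
    outage_start: datetime
    service_restored: datetime
    last_usable_backup: datetime  # newest backup the recovery team could restore


def evaluate(objective: ContinuityObjective, drill: DrillResult) -> Dict[str, object]:
    """Compare one drill against its objectives (Step 7).

    Downtime is the time from outage to restored service; data loss is the gap
    between the last usable backup and the moment the outage began.
    """
    downtime = drill.service_restored - drill.outage_start
    data_loss = drill.outage_start - drill.last_usable_backup
    return {
        "application": objective.application,
        "downtime": downtime,
        "rto_met": downtime <= objective.rto,
        "data_loss": data_loss,
        "rpo_met": data_loss <= objective.rpo,
        # With periodic backups the worst-case loss is a full interval, so the
        # schedule itself must fit inside the RPO even if one drill got lucky.
        "schedule_fits_rpo": objective.backup_interval <= objective.rpo,
    }


def prioritised_gaps(results: List[Dict[str, object]],
                     objectives: Dict[str, ContinuityObjective]) -> List[str]:
    """Rank missed objectives by overshoot ratio, largest first (input to Step 8)."""
    gaps = []
    for r in results:
        obj = objectives[r["application"]]
        if not r["rto_met"]:
            gaps.append((r["downtime"] / obj.rto,
                         f"{obj.application}: RTO missed ({r['downtime']} > {obj.rto})"))
        if not r["rpo_met"]:
            gaps.append((r["data_loss"] / obj.rpo,
                         f"{obj.application}: RPO missed ({r['data_loss']} > {obj.rpo})"))
        if not r["schedule_fits_rpo"]:
            gaps.append((obj.backup_interval / obj.rpo,
                         f"{obj.application}: backup interval {obj.backup_interval} "
                         f"exceeds RPO {obj.rpo}"))
    gaps.sort(key=lambda g: g[0], reverse=True)
    return [text for _, text in gaps]


# Constructed sample data: two applications with agreed targets and one drill each.
OBJECTIVES = {
    "CRM": ContinuityObjective("CRM", rto=timedelta(hours=4), rpo=timedelta(hours=1),
                               backup_interval=timedelta(hours=1)),
    "ERP": ContinuityObjective("ERP", rto=timedelta(hours=2), rpo=timedelta(minutes=15),
                               backup_interval=timedelta(hours=1)),
}
T0 = datetime(2024, 3, 1, 9, 0)  # constructed outage start used by both drills
DRILLS = [
    DrillResult("CRM", T0, T0 + timedelta(hours=3, minutes=30), T0 - timedelta(hours=1, minutes=30)),
    DrillResult("ERP", T0, T0 + timedelta(hours=2, minutes=45), T0 - timedelta(minutes=10)),
]


def run_report():
    """Evaluate every drill and return (results, prioritised list of gaps)."""
    results = [evaluate(OBJECTIVES[d.application], d) for d in DRILLS]
    return results, prioritised_gaps(results, OBJECTIVES)


if __name__ == "__main__":
    results, gaps = run_report()
    for r in results:
        print(r)
    print("Prioritised gaps:")
    for g in gaps:
        print(" -", g)
```

Note the ERP case: the drill itself met the RPO because the outage happened to start ten minutes after a backup, but the hourly backup schedule can never guarantee a fifteen-minute RPO, so the schedule check ranks that gap first. This is why Step 7 should validate the plan's design against its objectives, not only the single observed outcome.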
A BUSINESS CONTINUITY PLAN CONTAINS:
- Purpose and scope of BCP
- Initial data, including the contact information of all important stakeholders, located at the beginning of the plan
- Change management procedures
- Business Impact Analysis (BIA) and Risk Assessment (RA)
- How to use the business continuity plan, including guidelines as to when the BCP will be initiated
- Business Continuity Policy
- Emergency response and management
- Step-by-step procedures for Data Recovery
- Checklists and data flow diagrams
- Review, test and update schedule for the BCP
WHY BUSINESS CONTINUITY MANAGEMENT IS IMPORTANT FOR IT SERVICE PROVIDERS
Most businesses are now digitized, and IT plays an important role everywhere, in ERP, CRM, databases, etc. It is therefore mandatory for IT service providers to consider business continuity in order to keep the business up and running in case of a disaster. Features of BCP:
- Business Continuity Planning helps to identify all the critical processes and assets of the organisation and all the risks associated with them.
- Business Continuity Planning helps in continuing operations in case of disasters like fire, cyber-attacks, natural calamities, civil unrest, etc.
- Business Continuity Planning prepares the organisation for any kind of disruption and thus minimises the effect of a disruption on the organisation.
- It reduces the risk of financial loss to the organisation.
- It helps the organisation to meet legal and statutory requirements.
- Defined RTO and RPO targets enable recovery of critical systems within an agreed timeframe.
- It helps in retaining the organisation’s brand and image and gives employees, clients and suppliers confidence in the organisation’s services.
- Frequent BCP drills help the organisation to react and re-establish services quickly in case of a disaster.
- BCP involves documentation of all the activities to be performed in case of a disruption, and a well-tested and documented process helps to revive the business easily.
- BCP provides the ability to work from a remote location in case of a disaster, so operations are not interrupted.
- A well-planned BCP helps reduce downtime in case of a disruption.
- Taking backups is an integral part of BCP, so organisations can recover data without much loss and resume their business.
Business Continuity and Disaster Recovery cannot be achieved by a single employee or person; it is a team effort. A single person or untrained staff cannot deal with disastrous situations. And, like most team activities, it requires practice and adequate competence in order to perform effectively in adverse situations such as a disaster. Proper planning is required.
Proper planning means that a thorough assessment is carried out and the relevant controls are implemented and tested. Proper planning tells who shall do what and how it shall be performed, and provides a set of well-tested instructions in case of contingency.
If the stakeholders are not informed and not practised in their roles, they cannot perform well. In that regard, business continuity planning is a sign of inclusion and of a company’s commitment to having a real plan.
CYBER CRISIS MANAGEMENT
A click on a malicious link, an unwanted service left open, or the use of an obsolete OS can be far more catastrophic for the organisation than one imagines and can lead to a cyber crisis.
So what exactly is a Cyber Crisis?
A cyber crisis is a situation of compromise, disruption or breach of the organisation’s critical information systems and data. It is often called a Cyber Security Incident, but a crisis goes beyond an ordinary incident: it can impact reputation and financial outcomes and sometimes ends in huge penalties.
A few examples of Cyber Crisis situations are:
- Breach in networks
- Credit card data or health data stolen
- Personal data compromise
- Denial of services
- Website crash
- Email hacking
- Zero day attack
A few of the most famous examples of worldwide Cyber Crises are:
WannaCry: In 2017 this ransomware infected computers, encrypted the contents of hard drives and demanded a ransom to decrypt them. Many organisations suffered from this attack.
NotPetya: This is again ransomware, which started as phishing spam in 2016 and affected the master boot record. It also impacted many organisations that had the vulnerabilities.
How to Develop Cyber Crisis Response Capabilities
- Identify the key stakeholders at executive level from Legal, Finance, IT, Information Security and Physical Security and form a Crisis Management Team (CMT).
- The roles and responsibilities of each stakeholder shall be clearly defined, documented and communicated.
- Identify different crisis scenarios, evaluate every aspect by performing a “What if” analysis, and prepare responses for each possible scenario. The organisation can take help from internal and external stakeholders as well as expert consultants for this.
- Procedures for communication during any cyber crisis shall be prepared according to the different compliance requirements applicable to the organisation. These shall be readily available in case of contingency.
- Communication plans for external stakeholders, customers, media and external agencies shall be prepared.
- All responsible stakeholders shall be trained and evaluated by performing drills or table-top exercises at regular intervals.
- Identify forensics experts within the organisation or an expert external agency such as a CERT to perform forensics and malware analysis and assess the degree of damage done by the incident.
- Last but not least, have someone who can handle the media for PR as well as negotiate in case of ransomware.
A Cyber Crisis is just like any other Information Security Incident, which can become a disaster if not addressed properly and diligently at the right time. A cyber crisis can lead to huge penalties and business loss.
A Cyber Crisis has the following impacts:
- Damage to company reputation and brand image
- Loss of sensitive data and intellectual property
- Loss in business opportunities
- Cost of replacing the systems
- Penalties from regulatory bodies or contractual compensation
A few known Cyber Threats:
- Trojan Horses
In a nutshell, a Cyber Crisis Management Plan (CCMP) helps the organisation to manage the chaos after a crisis. When everything is defined and everyone is trained to handle an adverse situation like a cyber crisis, it becomes much easier to resume business operations. Some situations are unavoidable even with a robust system in place; the CCMP helps the organisation deal with such situations and thus supports Business Continuity.