Business Continuity Planning

Don't let Mother Nature get your business down.

Here in the midwest, summer storms can really take their toll on business operations.  We were especially hit hard this last weekend and it got me thinking about business continuity planning. Business Continuity Planning (BCP for short) is exactly what it says: planning for the continuation of your business when something crazy happens. An extended power outage because of a thunderstorm is just the tip of the iceberg, BCP can come into play for any of the following:

• Server Crash
• Virus/malware
• Robbery
• Security Breach
• Snow/Ice
• Flooding
• ISP Outage
• Loss of key employee(s)

And waiting for one of these events to occur to create a plan is a really bad idea. The best advice is to start today.  Sit with your team and go through the following steps.  Make sure to include all the major stakeholders; you want everyone on the same page when stuff hits the fan.

1. Prioritize your assets - make a list of the key components of what makes your business run.  Rank them based on their importance.  What would you want recovered first? You should be able to pull this information from your current Business Impact Analysis. If not, this article spells out on how to make your BIA the solid foundation for your Business Continuity Plan.
   
   
2. Create recovery procedures on those assets - Start with your highest priority from step 1 and work your way down the list.  Include steps to restore a service, and any support phone numbers that may be able to help.
   
   
3. Establish communication methods - How will you let employees and other key stakeholders know that the BCP is in effect?  Make sure to document procedures on doing this as well.
   
   
4. Assign responsibilities - Be clear on who will do what; create a succession list on who the backups are in the event that your primary is out.
   
   
5. Other items - Some other items to possibly include: operations procedures; supplier lists; emergency contacts; router/hardware configurations.
   
   
6. Document - Compile all this information in a master document or central repository.  Store copies in places that are accessible when needed.
   
   
7. Test and Train - Tabletop testing is a great way to accomplish both at the same time.  Brainstorm some scenarios that you'd like to test preparedness for, toss them out to the group and see where the discussion goes.  The team will begin to discover necessary changes and will get a better feel for what would be expected of them.
   
   
8. Update - Unfortunately, just like every other aspect of information security, this is a process not an event.  You can't just do this once, file it away, and expect to have something useful when the need arises.  This is an iterative process that needs to take place annually or as major changes to your business occur.

Discussion: Do you have some level of business continuity plan in place at your business?  What's the most difficult part of creating a plan?