Many companies do not realize the importance of a business continuity plan (BCP) until an incident has occurred. A cybersecurity BCP includes a strategy for how the organization's information technology would operate and recover after an incident, whether that incident is the result of an intentional attack or a natural disaster.
There are four critical steps when establishing a BCP, according to guidelines published by the Department of Homeland Security:
- conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them
- identify and document resource requirements, and implement strategies to recover critical business functions and processes
- organize a business continuity team and compile a continuity plan to manage a business disruption
- conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan
There are several recovery goals stated within a BCP, such as the recovery point objective (RPO), the recovery time objective (RTO), business recovery requirements, and technical recovery requirements. An RPO states how far back in time an organization must go in order to recover data after an incident. Think of clicking Ctrl+Alt+Shift+H on your computer in order to see the history of the websites you have visited. An RTO states how long it takes to restore backup data to its original state in order to resume business operations.
One key component of a BCP is the well-being of employees. People should always be a priority when establishing a BCP; all other components of an organization can be replaced, rebuilt, or insured. According to the code of ethics of ISC2, the International Information System Security Certification Consortium, an information security professional must always "protect society, the common good, necessary public trust and confidence, and the infrastructure."
References
Department of Homeland Security. (n.d.). Business continuity plan. https://www.ready.gov/business/implementation/continuity
ISC2. (n.d.). ISC2 code of ethics. https://www.isc2.org/ethics/default.aspx?terms=code%20of%20ethics