It’s that time of the year where hurricanes and blizzards start impacting business continuity, and disaster recovery becomes the hot topic. While most companies need a policy covering the business issues needed to maintain ongoing operations and get back to business after an event. However, the difference between business continuity and disaster recovery means employing different strategies.
The Difference Between Business Continuity and Disaster Recovery
What is business continuity?
According to the International Standards Organization (ISO), business continuity arose out of governments and regulators recognizing the need to mitigate the effects that disruptive evens have on society, and businesses recognizing their interdependence on one another.
A variety of industry-specific requirements such as the Federal Deposit Insurance Corporation and the Payment Card Security Standards Council also incorporate business continuity as part of their compliance management programs.
All of the definitions incorporate a requirement to create a business continuity plan (BCP) as part of business continuity management (BCM). A BCM must incorporate a comprehensive written plan for maintaining or resuming business operations when a natural or cybersecurity event occurs. Moreover, regardless of the standard or regulatory requirement, definitions of business continuity focus on implementing risk management strategies that set clear objectives and criteria for measuring success.
You BCP should incorporate alternatives that allow you to maintain customer services. These alternatives can include emergency office locations, data backup, and emergency information technology administrative rights.
What is disaster recovery?
Disaster recovery assumes the interuption of business operations “as usual.” Rather than simply finding a way to mitigate the damage caused by the event, the disaster recovery requirement focuses on how you plan to get business back to normal.
A disaster recovery plan recognizes that an event occured and requires you to create a plan for transitioning from the alternative business processes back to your regular processes.
What is the key difference between business continuity and disaster recovery?
The key difference is when the plan takes effect. For example, business continuity requires you to keep operations functional during the event and immediately after. Disaster recovery focuses on how you respond after the event has completed and how you return to normal.
While both functionally incorporate the “after” response, disaster recovery is about getting yourself back to where you started before the event occurred. Although they overlap, they remain distinct in how they operate.
For example, if a hurricane destroys your office building, your business recovery solution may be to allow employees to work remotely. However, this solution only works as part of an emergency response and is not sustainable long term. Your disaster recovery plan focuses on ways to get employees back in a single location and how to replace equipment.
What are business continuity risks?
In some cases, business continuity risks are easy. Natural disasters can more easily be identified than cyber events. For example, if you do business in Florida or Louisiana, you know that you’re at a higher risk of business interruption from a hurricane. Simulataneously, businesses on the west coast, such as in California or Oregon, may need to account for business interuption arising out of wildfires.
Increasingly, business continuity strategies need to focus on IT risks. For example, in Q2 2018, Verisign noted a 35% increase in Distributed Denial of Service (DDoS) attacks compared to Q1. A DDoS attack occurs when a malicious actors overwhelms servers with requests thus causing the server to slow down or stop working entirely. Whether you provide services to customers that use the internet, such as online banking, or use a Software-as-a-Service platform to enable internal business operations, these attacks interrupt your business.
How to identify business continuity risks
As with any risk identification process, you need to understand your IT infrastructure. Some questions to incorporate when determining their scope include:
- What information is critical to maintaining business operations?
- What systems are critical to maintain business operations?
- What networks are critical to maintaining business operations?
- What software is critical to maintain business operations?
- What natural disaster risks can impact these critical systems, networks, and software?
- What cyber risks impact these systems, networks, and software?
- What third-party services or vendors are critical to maintaining busienss operations?
- What controls are in place to prevent cyber risks to your critical systems, networks, and software?
- What controls are in place to prevent critical third-party services and vendors from impacting business operations?
- Do you have a data center or other data backup and recovery service off-site?
- Do you maintain in-transit encryption for remote access in the event of a business interruption?
- Do you maintain endpoint encryption in the event of business interruption?
- Do you have a process for implementing emergency administrative authorizations to maintain continued business operations?
How to incorporate disaster recovery planning
Once you’ve created a risk list for potental system, network, software, or third-party outages, you need to establish policies that enable you to recover from your interruption. Some questions to ask as part of recovery planning include:
- Do you have individuals responsible for the tasks necessary to recover?
- Is there an official, documented chain of command for recovering from the event?
- Do you have a timeline for recovery?
- Did you comply with your interal timeline for recovery?
- What documentation proves full recovery?
- How do you implement data recovery?
- How do you manage reinstating normal administrative authorizations once the event is over?
- How do you measure compliance with your user authorization policy?
- How do you measure efficacy of incident response?
- Do you have documentation of corrective actions?
- Do you review nonconformities and actions taken to address them?
- Did you interview individuals involved in the disaster recovery process?
How ZenGRC Enables Business Continuity Planning and Disaster Recovery
Business continuity planning and disaster recovery planning require communication across the enterprise. In order to efficiently communicate and establish the appropriate risk management review, you need to be able to work as a team.
With ZenGRC workflows, you can create an overarching program that focuses on the risk management, incident response handling, documentation, and recovery process.
With Task Management, you can assign tasks to the responsible parties across the enterprise, tracking task completion.
The SaaS platofrm allows you to maintain operations even when your physical location may not be in service.
With a single centralized dashboard, management and your Board of Directors can review the activities, time frames, and key performance indicators over your business continuity and disaster recovery programs.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.