A key section of your written security policy should address business continuity planning (BCP) and disaster recovery processes. This really comes down to the continuous operation of your organization if there is a prolonged outage, a service interruption, or some type of natural disaster. These plans should cover the emergency response phase, the recovery phase, and then the return-to-normal-operations phase. You also want to identify the responsibilities of key personnel, and a chain of command, so that if something happens to certain people it is clear who is going to be responsible. Also, what resources do you have available during a particular emergency? You also want to make sure that you have scenarios thought out (possible scenarios for flood, hurricane, power outage, things like that) and then, if you can, go through some testing.
You're thinking about the things that are most likely to occur. If you don't live in a part of the country that has earthquakes very often, then you won't want to spend time and resources preventing or protecting yourself against earthquakes; you're going to be realistic.
Business continuity planning provides a framework for short- to medium-term continuous operations. There are really two objectives here: being able to move or relocate your critical business components (your hardware, your software, and your people) to a nearby location while you fix the original location, and having multiple channels of communication so you can talk to your customers, your vendors, your shareholders, and your partners until business operations get back to normal.
Disaster recovery is exactly what it sounds like: recovering from some disastrous or catastrophic situation so that you can regain access to hardware, to software, and to the data that resides on that hardware and software, whatever you need to do to get back to your business operations after some type of natural or man-made event. This should also include contingency plans for the unexpected or sudden loss of important personnel. A disaster recovery plan is typically part of a larger plan known as BCP, or business continuity planning. So there are really four key points here: protecting data (making sure it's not compromised during the emergency), keeping employees and personnel as safe as possible, making sure business functionality is not compromised and can be resumed in a timely way, and minimizing the decision making that's needed during a disaster. And again, that may involve running through some scenarios, or some testing, or what we could call drills.
Business continuity planning
Here are three critical acronyms or terms that relate to business continuity:
- Maximum Tolerable Downtime (MTD)
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
The MTD (Maximum Tolerable Downtime) is the total amount of time that is tolerable; it's the length of outage or disruption you're willing to accept, and it includes all of your impact considerations.
The RTO (Recovery Time Objective) is the maximum amount of time that a resource can be unavailable before we consider the impact on other resources, on our overall corporate mission, or on key business processes to be unacceptable.
The RPO (Recovery Point Objective) is a particular point in time, before a disruption or system outage, to which the business process data can be recovered: for example, recovering from the most recent backup copy of the data, or from the most recent replication of the data to another location, after an outage. All three of these require extensive planning and also a broad knowledge of the business necessities: the requirements, the budgets, and the level of acceptable risk that your organization has decided upon.
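To make the three terms concrete, here is an added example (not part of the original lecture) that checks a plan for the relationships the definitions imply and then measures a real outage against the targets. The `RecoveryTargets` and `OutageEvent` structures, their field names, and every sample value are assumptions constructed for illustration, not figures from any real organization. It goes slightly beyond the text by also ordering systems by MTD, which is one way of deciding recovery priority before the emergency rather than during it.

```python
"""Checks for the MTD / RTO / RPO relationships described above.

Assumptions (not from the original page): the RecoveryTargets and
OutageEvent structures, the field names, and all sample values are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryTargets:
    """Targets agreed for one system; backup_interval is how often a
    restorable copy of its data is actually taken."""
    system: str
    mtd: timedelta   # Maximum Tolerable Downtime
    rto: timedelta   # Recovery Time Objective
    rpo: timedelta   # Recovery Point Objective
    backup_interval: timedelta


@dataclass(frozen=True)
class OutageEvent:
    """What actually happened during one outage of a system."""
    system: str
    last_good_copy: datetime   # time of the last usable backup or replica
    outage_start: datetime
    service_restored: datetime


def validate_targets(t: RecoveryTargets) -> list[str]:
    """Return plan-level inconsistencies: an RTO longer than the MTD can
    never be met in time, and a backup interval longer than the RPO means
    the RPO is unachievable on paper before any disaster happens."""
    problems = []
    if t.rto > t.mtd:
        problems.append(f"{t.system}: RTO {t.rto} exceeds MTD {t.mtd}")
    if t.backup_interval > t.rpo:
        problems.append(
            f"{t.system}: backup interval {t.backup_interval} exceeds RPO {t.rpo}"
        )
    return problems


def assess_outage(t: RecoveryTargets, e: OutageEvent) -> dict:
    """Measure a real outage against the targets.

    data_loss: the window between the last good copy and the outage start;
               everything produced in it is gone (compare against RPO).
    downtime:  how long the service was unavailable (compare against RTO,
               and against MTD, which is the hard business limit).
    """
    data_loss = e.outage_start - e.last_good_copy
    downtime = e.service_restored - e.outage_start
    return {
        "system": t.system,
        "data_loss": data_loss,
        "downtime": downtime,
        "rpo_met": data_loss <= t.rpo,
        "rto_met": downtime <= t.rto,
        "mtd_exceeded": downtime > t.mtd,
    }


def recovery_order(targets: list[RecoveryTargets]) -> list[str]:
    """Systems sorted by MTD, shortest first: the order a recovery team
    should work in, decided now rather than during the emergency."""
    return [t.system for t in sorted(targets, key=lambda t: t.mtd)]


# Constructed sample targets (not real organizational figures).
ORDER_DB = RecoveryTargets(
    system="order-db",
    mtd=timedelta(hours=8),
    rto=timedelta(hours=4),
    rpo=timedelta(minutes=15),
    backup_interval=timedelta(hours=1),  # too infrequent for a 15-minute RPO
)
MAIL = RecoveryTargets(
    system="mail",
    mtd=timedelta(hours=24),
    rto=timedelta(hours=48),             # RTO longer than MTD: inconsistent
    rpo=timedelta(hours=24),
    backup_interval=timedelta(hours=24),
)

# Constructed outage: last good copy 01:00, failure 01:40, restored 04:10.
ORDER_DB_OUTAGE = OutageEvent(
    system="order-db",
    last_good_copy=datetime(2024, 3, 1, 1, 0),
    outage_start=datetime(2024, 3, 1, 1, 40),
    service_restored=datetime(2024, 3, 1, 4, 10),
)

if __name__ == "__main__":
    for t in (ORDER_DB, MAIL):
        for p in validate_targets(t):
            print("plan problem:", p)
    print("recover in this order:", recovery_order([MAIL, ORDER_DB]))
    r = assess_outage(ORDER_DB, ORDER_DB_OUTAGE)
    print(f"{r['system']}: lost {r['data_loss']} of data (RPO met: {r['rpo_met']}), "
          f"down {r['downtime']} (RTO met: {r['rto_met']}, "
          f"MTD exceeded: {r['mtd_exceeded']})")
```

Run as a script it reports both plan problems, shows that the order database (shorter MTD) is recovered before mail, and shows that the sample outage met its RTO and stayed within the MTD but lost 40 minutes of data against a 15-minute RPO, which is exactly the kind of gap a drill is meant to surface before a real event does.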