Welcome to this week’s Third Party Thursday! My name is Lisa-Mae Hill and I’m an Information Security Specialist here at Venminder. In today’s podcast we’re going to discuss the basics of a BCP report.
BCP stands for business continuity planning. Business continuity is what you do to ensure that key operations, products and services continue to be delivered, either in full or at a predetermined and accepted level of availability. Today, most people would have this level outlined as part of a service level agreement (or SLA). When you think of business continuity and your vendor, it covers things like what they would do in the event of a loss of personnel, or if their facilities or services were down; how they plan with public entities such as emergency services; and how they communicate with their own identified key vendors, their clients (like you), their employees and the media.
Disaster recovery and business continuity usually go hand in hand as disaster recovery is a subset of business continuity.
The first thing you need to do is determine if your vendor’s BCP aligns with your needs and that it covers the key components needed to ensure continuity of operations. You want to review your vendor’s business continuity plan to verify adequate controls are in place covering the following 7 areas:
Business continuity plans should also include information on your vendor’s Business Impact Analysis (BIA). You want to make sure a BIA is performed annually or when any major changes or incidents occur.
Your vendor’s BIA should include the following:
You should ensure that your vendor's BIA information meets or exceeds your needs for RTO (recovery time objective), RPO (recovery point objective) and MTD (maximum tolerable downtime). In practice, that means the vendor's RTO and RPO should be no longer than the outage and data-loss windows your own operations can tolerate, and their MTD should not exceed yours.
So, what can you expect as far as ongoing monitoring of BCP goes? Perform regular reviews, along with plan exercises, to ensure that the vendor is prepared and able to respond to whatever situations arise, and to allow the corresponding plans to be improved so the impact of an event is minimized.
Ultimately, understanding your vendor’s BCP is a critical component of your third party risk management process. Here are a few reasons why:
Once you’ve reviewed the plan, it’s important to have a qualified expert write up an analysis documenting any gaps and the overall findings. A qualified expert will usually hold a recognized security credential such as the CISSP. Once the analysis is written up and signed off on, reach out to the vendor to discuss the findings and the next steps, and then follow through on mitigating any risk that was found.
Again, I’m Lisa-Mae, and thanks for tuning in to this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.