Vendor Business Continuity and Disaster Recovery

Video Transcript

Welcome to this week’s Third Party Thursday! Hello, my name is Josh Steil, I’m one of the Information Security Specialists here at Venminder. 

Today we’re going to discuss what Business Continuity and Disaster Recovery Plans are, and what we look for when reviewing them.

Let’s define what Business Continuity and Disaster Recovery are.

Business Continuity allows for businesses to ensure that their key operations, products and services continue to be delivered either in full or at a predetermined, and accepted, level of availability.

Disaster Recovery allows a business to plan what needs to be done immediately after a disaster to begin recovery.

Business Continuity Plans include planning for loss of personnel, facilities or services;  planning with public entities such as emergency services, local or state disaster relief agencies; and communications with identified key vendors, clients, employees and the media.

Disaster Recovery includes things such as gathering of key personnel at a predetermined control center, retrieving items or information that have been stored offsite specifically for disasters, failing over to a cold, warm or hot site for data operations, assessment of damages, and if possible, salvage operations.

Disaster Recovery is not limited to just Information Technology disasters either, Disaster Recovery Plans should be created for all disaster scenarios.

A Business Continuity Program begins with the involvement and support of business leaders, such as senior level and or board level personnel. Without the involvement and commitment from this level of your vendor’s organization, funding is not available, policies cannot be approved and continuing evolution of plans falls to the wayside.

The next component of building a Business Continuity Plan involves assessing risks through a risk analysis and deciding to mitigate, transfer or accept the risk.

One commonly overlooked aspect of risk is the Reputational Impact that can occur to a business from the failure to respond in the event of a disaster or the failure to continue operations. Reputation is difficult to cultivate, easy to lose and very hard, if not impossible, to re-gain once lost.

The results of a Risk Assessment are used to create the Business Impact Analysis. Using standardized criteria to measure and assess the financial, operational, customer related, regulatory or reputational impacts Recovery Time Objectives and Recovery Point Objectives can be established for business processes.

• A Recovery Time Objective is the timeframe from the moment of disruption to the return to an accepted level of service.
• A Recovery Point Objective, sometimes referred to as Maximum Data Loss, is the point in time to which information has be restored to enable the business function to operate once resumed.

The Business Impact Analysis is then used to identify the gaps between what the business requires and what the actual resources and capabilities are.

Once a Business Continuity Plan and Disaster Recovery Plans are created they need to be exercised on a regular basis. These exercises ensure that everyone involved in the plan has knowledge and experience in the activities they will be required to perform. The results of these exercises allow a business to adjust and improve their plans.

Business Continuity, Disaster Recovery Plans and the Business Impact Analysis need to be reviewed and updated regularly or when significant change occurs within an organization. New risks and answers to those risks emerge and evolve constantly.

Regular reviews, along with plan exercises assure that the vendor is prepared and able to respond to whatever situations arise and allow the corresponding plans to be improved to minimize the impact of the event.

Ensuring that your critical vendor’s can survive in the face of disaster helps ensure that your business can also survive.

Thank you for viewing. I’m Josh. Don’t forget to subscribe to our Third Party Thursday series.