COVID-19: Time to rethink BCP

Pandemic like COVID-19 has made us all rethink our Business Continuity Planning (BCP). For some organizations, BCP was just a term and a tick in the box until the arrival of COVID which has made every organization test and replan its defences. This implies that BCP should be a key element of your cybersecurity program.

But how to make sure what all to have in BCP and where to start from? Here are a few steps:

1. Determine Critical Elements – As a first step, you need to identify the projects, services and critical operations of your organization.
    
2. Form a BCP Team – It is important to have a well trained and competent team to manage any crisis situation. It is always a good idea to have members representing most of the functions in the organization rather than just leaving it to compliance & security personnel, for example representatives from HR, IT, Admin, PMO and Compliance. Regular training of team members as well as employees should be included in the BCP team roles and responsibilities.
    
3. Conduct BIA – Once the critical elements of your organization have been identified, the next step is to conduct a BIA (Business Impact Analysis) for the same. You can use any of the sample BIA templates available on web and customize the parameters based on your business needs. BIA is very helpful to understand mission critical vs normal projects or services. This can help prioritize the way in which these services or projects need to be managed during a crisis. For customer projects, it is very important to agree upon the BIA ratings with the customers and include RPO/RTO in the BIA template. This helps in setting up the right and measurable expectations with the customers for service resumption in case a crisis is invoked.
    
4. BCP & DR Plan – A BCP should be prepared based on the threat landscape of your organization. For example, organizations having offices in seismic areas would consider Earthquake as one of the threats while others may not. Once the top threats and risks of the organization are identified, BCP should be prepared and it should clearly identify the steps that need to be taken in case of a disaster. Some of the elements of BCP can be – communication plan (including internal employees and customers), call tree, trigger point for BCP or in which scenarios will BCP be invoked, infrastructure needs, DR site (backup site where operations would shift in case the primary site is affected), process flow/steps to be taken should a disaster occur (for example, evacuation, moving to DR site, remote working, etc.), backup strategy (backup of critical data, its storage, access control and accessibility). Another key element that should be part of BCP is the restoration process or DR plan. How will you restore the operations/functionality? How much time will it take? Who will be responsible to manage this? How will it be communicated? What all would be required to do this? All these and many more can be the starting points to create your DR plan based on your organization environment.

5. Test your BCP/DR Plan – A plan is as good as its implementation.  Since the risks & threats keep on changing every day, it is important to keep testing your BCP. These can be full-scale tests, mock drills or table top tests. Idea is to always keep the plan current and updated based on the changing landscape. For example, with the pandemic like COVID-19, people are suddenly looking at Digital Transformation and moving applications to cloud and encourage remote working, which were earlier long term goals. Such scenarios would require changes to BCP.

At the end of the day, objective should be to keep the business up and running with minimal or no disruptions. Therefore, having the right BCP and its effective implementation is the need of the hour.

The author is Corporate Risk, Compliance & Information Security Leader, SDG Software India and NEXT100 Winner 2016