In the midst of the COVID-19 pandemic, as businesses are in work-from-home mode and commerce has slowed considerably, Business Continuity is top of mind. We know hindsight is 20/20, and we also know the best time to act is when the pain is acute. Here are steps to help you organize, prioritize, and ask the right questions to modify your Business Continuity Plan (BCP) to be airtight for the next business-impacting disaster.

 

#1: Conduct an Asset Inventory

Take an inventory of your IT assets, including all servers, storage devices, applications, data, network switches, access points, and network appliances. Then map where each asset is physically located, which network it’s on, and identify any dependencies.

It’s obvious you need to identify the business solutions that need to be recovered, but the list of individual applications may not show the entire picture. For example, if all your business solutions use Active Directory or some sort of Lightweight Directory Access Protocol (LDAP) provider within your network, then that also needs to be on the list, and it must be linked to the apps that depend on it:

 

server management
Figure 1 – Example Application Map

Creating this dependency matrix will help you better understand the complexities of your system and what steps are needed to return to normal in the event of an emergency, like the one we’re in now.

 

#2 Perform a Data Mapping Exercise

Imagine the worst-case scenario, like COVID-19, or natural disasters on down to mundane IT failures and data breaches. Understand the impact of these failures with the service or application owner(s) to assess the varying disaster recovery strategies.

Next, include the probability these events may happen and the impact. How will it affect business continuity if each scenario were to occur?

Create a table similar to the below example to get you started.  Note: our engineers perform Data Mapping for our SEC Cybersecurity Governance Program clients, should this be something you’d like support on in the future.

See also  What Types of Devices are Hackable?

 

server managementFigure 2 – Example Threat Matrix
 

#3 Identify & Formulate Recovery Strategies

In this phase, the first step is to classify your applications and data according to their criticality. Get input from your support team as they often bear the brunt of user frustrations when a system is unavailable.

Group your data and applications with similar characteristics into Low, Medium and High impact categories, which enables you to implement a less complex strategy to recover.

As you create your BCP, you need to consider certain elements:

  • What data can you afford to be without?
  • What data, if lost, would devastate your business?
  • How long can your company get along without certain data?
  • What is the prioritization and timeline for certain tools and resources to come back online?
  • And then, how do you go back to normal once the storm has passed?

 

In many cases, the best solution is a combination: a backup of files plus a failover solution to mitigate and minimize downtime.

 

#4:  Test (and Train)

Many companies got caught with their pants down when COVID-19 hit because they never thoroughly tested their BCP. We recommend testing once a year to ensure your plan is up-to-date, and the failover works as expected.  Executive buy-in from the top certainly helps, and be sure to train employees as well.

Your resources and business needs will change over time (e.g., location, personnel, and data among other things). If your business goals change, so should your plan.

 

In Conclusion

BCP isn’t a problem, until it is. Leverage what’s happening today to create a better plan tomorrow. And if it’s about lack of resources or expertise, contact us.  We can help.

Learn More