At this point, you should have a comprehensive Incident Response Plan (IRP) and Disaster Recovery Plan (DRP) for your business. However, there is one critical plan that still needs to be created: the Business Continuity Plan (BCP). While an IR Plan guides you on responding to cyber attacks as they happen, and a DR Plan guides you on recovering business assets and operations after the incident is resolved, a BCP lays out guidelines for continuing critical business operations while the incident is still being resolved. Even with a strong IR Plan, there is still the chance that a cyber attack will severely derail your infrastructure and take hours, days, or even weeks to recover from. That downtime means lost productivity and revenue, so something needs to be in place that lets employees use alternate channels to continue their work. A BCP serves as the official guide for doing this cleanly.
Much of the BCP will mirror the DRP. The difference lies in the end goal each policy builds up to: the DRP restores the original environment, while the BCP keeps the business running until that restoration is complete. The BCP should start with a clearly defined scope. In most organizations this will be the same devices, networks, systems, and personnel outlined in the DRP. Any person or thing whose regular operations would be interrupted by a significant cyber crisis should be considered in scope.
The BCP should also outline the key roles and responsibilities, as well as the communication channels for coordinating continuity. Usually, the business owner and managers will work with the IT director to determine the status of the cyber crisis, and thus how long continuity practices need to remain in place. The continuity methods will usually have been configured by the IT director and the Security Engineer, who are responsible for ensuring that the continuity platforms are accessible. For better assurance, there should be a policy requiring the relevant IT/cybersecurity personnel to regularly test the continuity platforms, so that they are known to work before a crisis rather than discovered to be broken during one. If your IT or business continuity platforms are hosted by a third party, you will also need to outline the communication channels with those parties, including at least one channel that does not depend on the affected network, since company email or chat may be unavailable or untrusted during the incident.
The Business Impact Analysis (BIA) conducted in Stage 1 serves as a precursor to the BCP. In the BIA, you identified the critical technical assets that power your organization. These assets should be prioritized in the BCP, with a continuity method implemented for each of them. Just like the DRP, the BCP should contain an overview of the top risks posed to your organization.
Next, the BCP needs to provide a clear explanation of which continuity platforms are in place for critical assets, and how employees can access them. Earlier, this framework mentioned Alternate Sites as a powerful continuity method. An Alternate Site hosts a mirror copy of your organization's critical assets, usually including network connectivity and endpoints. Depending on the size of your organization, an Alternate Site could be a physical location such as a spare office, a rented space in a distant building, or a 100% cloud-based copy of your network infrastructure. Remember, though, that business continuity prioritizes the key assets needed for regular business operations, so you do not need to mirror every last piece of technology. Prioritize having continuity options for network connectivity, access to critical business files, access to digital identities, and access to company-approved computers. For identities in particular, the continuity identity provider should enforce multi-factor authentication, because attackers who compromised the primary network may hold valid credentials. This is part of what makes storing an off-site backup so important. You can back up files to an office file server all you want, but during a crisis, employees will need to be able to access the files from outside the office, and a backup that lives on the compromised network may itself be encrypted or destroyed. There are other, more basic continuity methods for incidents that are less severe but still require employees to stay off the company network for a while. For example, you could purchase a few extra laptops, image them with all of your important business applications, and set them aside in a secure location to be handed to employees during a crisis. Another good strategy is to identify the hardware components of your important servers and workstations (hard drives, RAM, fans, peripherals) and keep spares on hand to be quickly swapped in when something fails. Spares kept on a shelf are strictly cold spares; a true hot spare is already installed and powered so it can take over without a manual swap, and both are worth having for the most critical machines.
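The testing policy in the roles section and the BIA-driven prioritization above only work if someone actually tracks whether each critical asset's continuity copy is reachable off-site, has been exercised recently, and has an off-site backup fresher than the business can tolerate losing. The script below is an added example, not part of the original framework or any particular product: it takes a constructed asset inventory (the tiers, test cadence, RPO values, and asset names are all hypothetical) and produces the findings an IT director would review before signing off on the BCP.

```python
"""Continuity readiness check (added example; the inventory and cadences are hypothetical)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    name: str
    tier: int                  # BIA priority: 1 = most critical
    continuity_method: str     # e.g. "AWS mirror", "OneDrive", "spare laptops"
    offsite: bool              # reachable by staff without the office network?
    last_test: datetime        # last walkthrough where staff actually used the platform
    last_backup: datetime      # last verified off-site backup of the asset's data
    rpo: timedelta             # recovery point objective: tolerable data loss


# Hypothetical testing cadence per BIA tier; set these in your own BCP.
TEST_INTERVAL = {1: timedelta(days=30), 2: timedelta(days=90)}
DEFAULT_INTERVAL = timedelta(days=180)


def check_asset(asset: Asset, now: datetime) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one asset."""
    findings = []
    # A continuity copy that lives on the office network is no copy at all during a crisis.
    if not asset.offsite:
        findings.append(("high", f"{asset.name}: continuity copy is only reachable from the office network"))
    # Platforms that nobody has exercised recently are assumed broken until proven otherwise.
    if now - asset.last_test > TEST_INTERVAL.get(asset.tier, DEFAULT_INTERVAL):
        findings.append(("medium", f"{asset.name}: continuity test overdue (last {asset.last_test:%Y-%m-%d})"))
    # A backup older than the RPO means more data loss than the business agreed to accept.
    if now - asset.last_backup > asset.rpo:
        findings.append(("high", f"{asset.name}: off-site backup older than RPO ({asset.rpo})"))
    return findings


def readiness_report(assets: list[Asset], now: datetime) -> list[tuple[str, str]]:
    """Findings for every asset, most critical BIA tier first."""
    report = []
    for asset in sorted(assets, key=lambda a: a.tier):
        report.extend(check_asset(asset, now))
    return report


# Constructed sample inventory loosely following the small-office scenario in this section.
NOW = datetime(2024, 6, 1)
INVENTORY = [
    Asset("file-server", 1, "AWS mirror", True, NOW - timedelta(days=10), NOW - timedelta(hours=2), timedelta(hours=24)),
    Asset("identity (AD)", 1, "AWS mirror", True, NOW - timedelta(days=45), NOW - timedelta(days=1), timedelta(hours=24)),
    Asset("accounting app", 2, "office backup server", False, NOW - timedelta(days=20), NOW - timedelta(days=3), timedelta(hours=24)),
    Asset("print server", 3, "spare hardware", True, NOW - timedelta(days=100), NOW - timedelta(days=1), timedelta(days=7)),
]

if __name__ == "__main__":
    for severity, message in readiness_report(INVENTORY, NOW):
        print(f"[{severity}] {message}")
```

Run against the sample inventory, the report flags the identity platform for an overdue test and the accounting application twice (its only copy is on-site, and its backup is older than the agreed RPO), while the file server and print server pass. Feeding it the real BIA asset list on a schedule turns the "regularly test" policy into something that is actually measured.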
A good example of a stable business continuity plan for a small office would look something like the following:
The company keeps several laptops pre-imaged with the company's standard Windows build. When a crisis occurs, the laptops are handed to employees to take home and work from. At home, they use their company identities to log onto the company's AWS infrastructure, which hosts mirror images of the critical servers. Employee OneDrive accounts are pre-configured to back up their local files to the cloud, allowing them to continue working on documents at home. Meanwhile, the IT team works on replacing damaged assets with spare hardware components. When the company network is functioning again, the business owner sends a formal notice to all employees (by email if it is trusted and available, otherwise through the out-of-band channel named in the plan) stating that on-site work will resume the next day.
Once the scope has been determined and the methods for business continuity have been outlined, the BCP needs to define the procedures for switching environments during a crisis. A cyber attack is unexpected, and you and your staff will usually be caught off guard. To prepare, the BCP should give a general list of procedures to follow when an incident is first announced: who declares the continuity state, how staff are notified, and what each role does to switch over. All staff should maintain a calm, professional attitude and focus on their assigned responsibilities for moving to the continuity state. Much of this step lines up with the playbooks outlined in the IR Plan.
Just like the DRP, the BCP should be stored and distributed to all necessary parties, with at least one copy kept somewhere that remains reachable when the company network is down. The IRP, DRP, and BCP are all segments of a larger policy that aims to improve company response and security in the event of a cyber attack. The BCP should be regularly tested, including simulations where employees are directed to access the continuity platforms to confirm they work. After a cyber attack or a test, the cybersecurity team should record how well the continuity platforms performed and identify areas for improvement.
