Blog Home Page Next article:

Business Continuity Planning (BCP) – The Overlooked Control

Updated: February 18, 2019

Our NIST Cyber Security Frame Work (NIST CSF) and Enterprise Security Risk Assessment are  our most frequently requested services. These assessments are most often performed against industry best practice or can be mapped to several different regulatory compliance standards including: HIPAA, NIST-800-53, ISO/IEC 27001:2013, etc. The goal of this service is to not only evaluate the technical controls that are required to safeguard your sensitive data, but also the physical and administrative controls as well as lifecycle and security management that needs to be in place in order to have an effective security management program.

In our blog series, We will be walking you through many of the specific controls that fall into the domains mentioned above. The goal: Give you some insight into the issues, and potential remedies we encounter daily while performing these assessments. Please utilize the suggestions to improve the posture of your own organization. No solution, remediation or mitigating countermeasure is one-size-fits-all;  however, I will do my best to provide information from a generic enough standpoint that you should be able to at least find value in the knowledge even if it is not relevant to your environment.

Business Continuity Planning (BCP) – The Overlooked Control

The NIST Cyber Security Frame Work (NIST CSF)and 0ur Enterprise Security Risk Assessment often reveal that organizations overlook or give lip service to a critical aspect of cyber security – the Business Continuity Plan (BCP). A complete and comprehensive BCP is a direct or implied requirement of many compliance directives (HIPAA, PCI-DSS, ISO…) and is a critical part of most security and governance frameworks include the NIST Cybersecurity Framework and COBIT 5/9/2019.

Business Continuity Planning is an enterprise-wide project that is used to create and validate a plan for how an organization will recover and restore partially or completely interrupted critical functions within a predetermined time after a disaster or extended disruption. Incidents include disasters such as building fires, hurricanes, floods, disease pandemics or terrorist attacks. A completed business continuity plan results in a formal document available for reference before, during, or after an incident has occurred. Its purpose is to reduce adverse stakeholder impacts determined by both the disruption’s scope of whom and how it affects and the duration of the incident.

The BCP is driven by an organization’s mission or function. The goal of business continuity planning is to allow an organization to continue functioning during an incident that significantly disrupts normal business operations. Though IT and Data Security play a critical role in BCP; it is not the sole responsibility of IT personnel, it should involve the entire organization. To produce a business continuity plan that accurately addresses the operational requirements of the organization, input is required from all departments. This input can be obtained through a business impact analysis that engages management across multiple departments.

There are several approaches to determining criticality of business processes. Factors that should be included are impacts on health, life, and safety; financial impacts; and regulatory requirements, such as protection of and access to credit card information. Departmental input often reveals dependencies among systems that may otherwise be missed. It also identifies the processes and resources that are most important to each department and which ones they can function without for a period of time.

Though the process of creating a BCP can be daunting, it is critical that all organizations plan and practice for both natural (fire, earthquake, hurricane) and manmade (ransomware, virus, sabotage or accident) disasters.    A complete and comprehensive BCP reduces recovery time, increases shareholder confidence (including customers) and meets many regulatory requirements.