In part one of our series on compliance, we tackled the various steps your organization’s compliance officer can take to ensure that sensitive data is protected. Part two of the series focused specifically on how to protect the PII your company might be handling, but your strategy should also include plans surrounding disaster recovery AND business continuity. While the two are complementary in nature, the phrases are often used interchangeably, which can cause confusion.
Business Continuity vs Disaster Recovery
Your business continuity plan will act as the overarching strategy to continue operations should anything occur that disrupts aspects of the business. A Business Continuity Plan (BCP) is often larger in scope and incorporates the entire organization and all aspects a disaster may impact, such as a secondary site for staff in case of a primary site disaster, emergency staff scheduling, customer communications, alternate vendors, and more. Not only should your BCP speak to the strategy surrounding IT operations, but it should also include details to help the business continue in the event that staff are unable to get to the office and must work remotely. The BCP may include the manual processes needed to sustain the business until IT operations can resume, as well as details surrounding how your team will communicate with each other, vendors, customers, and other stakeholders.
On the other hand, your disaster recovery (DR) plan is a set of policies and procedures in place to ensure that your company has a documented method of recovering from an IT disaster – be it man-made or natural. The primary goal of your DR plan is to define what should be done to restore IT operations in the event of a worst-case scenario. Simply put, disaster recovery is a subset of business continuity and is necessary to ensure systems and data are continuously recoverable.
To effectively establish a DR plan, an organization must know its Recovery Point Objective (RPO) and Recovery Time Objective (RTO). The RPO dictates the amount of data the organization can afford to lose. The RTO, on the other hand, measures how long your organization can operate without a specific application, or how long it can afford to be non-operational. These two parameters will determine the type of technologies your organization must incorporate into its DR plan, as well as the procedures and strategies it must consider.
Some organizations may choose to hire a managed service provider to handle their DR, while others might prefer to manage their own. DR planning and replication may be one small part of Business Continuity Planning, but it directly affects an organization’s ability to retain business continuity in a disaster situation.
Assess & Test
Creating your Disaster Recovery & Business Continuity plans is great, but have you TESTED them? These plans are only as good as your assess & test protocols. According to Cloud Carib Compliance Manager Deno Cartwright, the ideal standard for testing is once per year. However, your company may opt for twice annually or even more frequently, based on how quickly your environment may evolve. One such example is the global shift toward remote work precipitated by the global pandemic. If your BCP previously focused on the on-premises environment, then it should be updated to accommodate work-from-home protocols.
In part one of this series, assessments were highlighted as a key element in determining where security vulnerabilities lie. Similarly, the ongoing assessment of your DR plan and BCP can help your compliance officer(s) determine where there is room for improvement. Your organization may opt for table-top testing, which lets you walk through your plans for specific scenarios with the assistance of subject-matter professionals from your industry, or you may opt for the sandbox testing method, which creates a separate environment that mimics your current company structure so the plan can be exercised against it. This allows you to test your plans without having to interrupt the actual operation of your business.
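The RPO and RTO defined earlier only mean something once they are checked against what your environment actually delivers, which is what the table-top or sandbox exercise described above produces. The following added example (not code from the article or from Cloud Carib) turns that check into a script: it reads a constructed backup job log, derives the worst-case data-loss window from the gaps between successful backups, and compares that window and a measured restore time from a test exercise against the stated RPO and RTO. The log format, the hypothetical job names and all numbers are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample backup log (not from the article): ISO timestamp and job status.
# A failed run leaves no restore point, so it widens the data-loss window.
BACKUP_LOG = """\
2024-03-01T00:00:00 ok
2024-03-01T06:00:00 ok
2024-03-01T12:00:00 failed
2024-03-01T18:00:00 ok
2024-03-02T00:00:00 ok
"""

def successful_restore_points(log_text):
    """Return the timestamps of backups that completed, oldest first."""
    points = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, status = line.split()
        if status == "ok":
            points.append(datetime.fromisoformat(stamp))
    return sorted(points)

def worst_case_data_loss_hours(points, as_of):
    """Longest stretch with no restore point: the widest gap between consecutive
    successful backups, or the time since the last one if that is wider."""
    if not points:
        raise ValueError("no successful backups: all data since inception is at risk")
    gaps = [later - earlier for earlier, later in zip(points, points[1:])]
    gaps.append(as_of - points[-1])
    return max(gaps).total_seconds() / 3600

def assess_dr_objectives(log_text, rpo_hours, rto_hours, measured_restore_hours, as_of_iso):
    """Compare what the environment delivers with the stated RPO and RTO.
    measured_restore_hours is the restore duration observed in a DR exercise."""
    points = successful_restore_points(log_text)
    loss = worst_case_data_loss_hours(points, datetime.fromisoformat(as_of_iso))
    return {
        "worst_case_data_loss_hours": loss,
        "rpo_met": loss <= rpo_hours,
        "measured_restore_hours": measured_restore_hours,
        "rto_met": measured_restore_hours <= rto_hours,
    }

if __name__ == "__main__":
    # Assumed objectives: 8-hour RPO, 4-hour RTO; a sandbox restore took 3 hours.
    result = assess_dr_objectives(BACKUP_LOG, rpo_hours=8, rto_hours=4,
                                  measured_restore_hours=3, as_of_iso="2024-03-02T03:00:00")
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample log, the failed noon run stretches the unprotected window to 12 hours, so the 8-hour RPO is missed even though the 6-hourly schedule looks adequate on paper; that is exactly the kind of gap a yearly assessment is meant to surface.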
No matter which option you choose, you MUST make assessing and testing both plans a priority of your Compliance Strategy.
Compliance plays a major role in all businesses and must be a central part of your digital transformation strategy. We hope this three-part series was valuable to you. Still have questions about compliance and how your organization can meet its requirements? Contact us today to speak with one of our experts.