Picture it: As a part of your new job running a corporate SOC 2 compliance program, you’ve started the arduous process of reviewing old documentation. Most of it is in pretty good shape…until you come across the Business Continuity/Disaster Recovery (BC/DR) Plan. While your company’s name is all over it, the instructions for temporary physical office space are for an alternate building on the “university campus.” Your company has never been a part of the local university. The document isn’t just a blast from the past, it’s clearly been ripped off of the Internet!
Worse yet, even if the BC/DR wasn’t ripped from the local university’s IT department, your company migrated its resources to the cloud over five years ago and became a remote-first company shortly after COVID-19 lockdowns began. While NIST’s Computer Security Resource Center (CSRC) has many useful security guides and security policy templates, a BC/DR – considered a core business policy rather than a specific security policy – is not among them. That sinking feeling hits as you realize you’re going to have to scrap this BC/DR completely and start over.
You don’t have to write your BC/DR from scratch, but it will cost you either time or money, or both, to customize your BC/DR from a template. You could do a Google search for a BC/DR plan template and wade through hundreds of results, many of which even look to be from reputable sources, looking for one that works for your organization. Or you could buy policy templates from a vendor, though it’s a toss of the dice on how much time you’ll have to spend modifying them. At Fractional CISO, we do have templates to use as a starting point for our clients, but even then, it can be a few months of discussions and editing before the final policy is hammered out. In fact, we just updated our own BC/DR template…
[Note: Larger companies tend to split out the BC/DR into two plans, but since I primarily work with sub-200 employee organizations, I generally put them together in a single document.]
Why can’t I just use the university’s template?
You might be able to use the university’s template – if your business is in an office building where people gather to work, with a network full of laptops, desktops, printers and other resources – maybe even a data center. The university’s template is a reasonable start if you own some or all of the resources on which your business is built.
This is not the case if you’re a remote-first 200+ person eCommerce company, like one of my clients.
Many of my clients are cloud-first for both business applications and production environments. There is no central office with any kinds of services – the token office that serves as their headquarters has a Small Office/Home Office (SOHO) setup. There is no complex network to secure, the Internet in the office is purely for convenience. You don’t VPN into a corporate network to access anything.
Even before the pandemic, the power of going cloud-first was that founders could build software products and services quickly and affordably, and scale rapidly in response to growth. An organization no longer has to invest heavily in infrastructure in order to grow the business from seed to sprout.
Now that the cloud services ecosystem has matured, it’s incredibly easy to build a company without owning a single piece of infrastructure. You don’t even need to rent an office. Many of our startup clients are 100% remote-first, although some operate out of a shared or communal office space, while others rent a token office.
Our BC/DR template works well for a lot of Fractional CISO’s clients – including a small local college! But I tend to focus on SaaS and eCommerce startups, so that template needed a LOT of adjusting for my eCommerce client. In fact, it needed so much adjusting that we’ve saved it as an alternative template.
Okay, you’re right, we need to update our BC/DR plan. Where do I even start?!
Your business has 3 key components in your Business Continuity/Disaster Recovery plan:
Up until the most recent years of the Information Era, People and Resources were tied to specific Locations.
For most companies, especially smaller technology companies, this is simply no longer the case. Often, you don’t even own the resources that you’re using to build your business. From business productivity platforms to fully cloud-hosted data centers, businesses no longer have to invest in physical infrastructure at a specific location to get started and grow.
Now, with cloud-first remote-first workplaces, anyone in your organization whose role isn’t tied to a physical location can work from literally anywhere. Employees no longer need to connect to a corporate network in order to get their work done. That would actually slow them down!
For most of my clients, talent and resources are no longer tied to a location controlled by the company. In fact, the resources themselves aren’t controlled by the company, either. Many of my clients have given up their corporate offices in favor of flexible work spaces, while some keep a token office for sales or meetings. Even clients that started out with physical on-premise data centers have migrated to cloud platforms to lower costs, increase flexibility/scalability, and to keep their focus on what they do best: making software and delivery services.
Now that People and Resources are no longer dependent on a Location, we need to consider them individually for the BC/DR.
For Business Continuity, your priority when it comes to people is increasing your “bus number” – the minimum number of team members that have to suddenly disappear before your business goes under.
Rapidly growing companies, especially, tend to have small bus numbers; two or three critical team members suddenly being unavailable could potentially bring their business to its knees.
Key consideration here:
Executives, Board members, and individuals with overlapping job responsibilities should not travel together.
For Disaster Recovery, consider how your teams are geographically distributed. If your team members are well distributed across a wide geographic area (i.e., all of the United States), focus your plan on giving a clear communication path from team members to managers to executives and HR for known potential regional disasters, like a hurricane or inclement weather. Include a clause to suspend or hold any HR policies related to attendance if an employee has experienced a personal, local or regional disaster that prevents them from notifying management ahead of time.
If a particular team, such as engineering/development, is concentrated in a specific geographic location (even if it’s not related to a physical office), determine how that affects your bus number and consider how your business needs to build resilience in that area.
I also like to add links to helpful resources for managers/HR, such as FEMA’s Declared Disasters webpage, and employees, such as the US Government’s household planning guide on Ready.Gov.
The reliance on third party vendors, such as AWS and Microsoft O365 or Google Cloud Platform and Google Workspace, makes business continuity and disaster recovery simultaneously much simpler and much more difficult.
Business continuity is simpler because those systems are much more resilient and secure than most organizations could have made them for themselves. If there’s a disruption or service loss, it’s likely to be minimal and there’s little for your team to do other than communicate with your internal/external users and wait things out.
Business continuity is more difficult because in the highly unlikely but not completely impossible event that AWS, Microsoft or Google are down for an extended period of time, you are completely dead in the water.
Similarly, these vendors take disaster recovery off your plate – except for when they themselves are in the middle of a catastrophic disaster.
For these resources that you don’t own:
- Include business-critical vendor SLAs and contact paths in your BC/DR; include a link to your vendor management policy for information on non-critical vendors
- Ensure more than one person has root or master access to the platform
- Whenever possible, backup your critical data outside of the vendor platform
- For AWS, backing up to a different account in a different region is a possible alternative, but I still highly recommend something outside of the platform
- Define in your BC/DR your threshold and process for migrating away from a vendor that’s unable to fulfill their obligation to you.
- In other words, at what point is it more cost effective for your business to abandon a failing critical vendor than wait for them to recover?
Most of my clients no longer have more than a token office, with some even opting for flex work space. While this is not true of all of Fractional CISO’s clients, it’s a large enough percentage that we need to take flex space, event space, and completely office-less models into consideration.
Of the nine clients I have direct insight into:
- 5 are Remote-first with flex space or a token office
- 4 are Hybrid office model – some significant portion of the business is in a physical location (for example, an art gallery or a educational institution) while some staff and resources are remote
An advantage of a remote-first model is that, whether you have a dedicated office, flex space or no office at all, most companies no longer need to outline temporary office space in their BC/DR plans. The plans should also expressly state that employees are to work from home in the case of a disaster unless working from home poses a similar threat.
If there are no resources or physical backups in your token office, all of that can now fall under the resource planning of the BC/DR as above.
Keep in mind that you are responsible for abiding by and enforcing regulations from the US Department of Labor’s Occupational Safety and Health Administration (OSHA) or the Canadian Centre for Occupational Health and Safety (CCOHS) for even a token office. In the US, see OSHA’s How to Plan for Workplace Emergencies and Evacuations guide for building out your response plan for when you control an entire building; otherwise, check your governing body’s website for a comparable document.
Your BC/DR should at least point to, if not include, a copy of your rental or flex space emergency response and evacuation plans. When renting event space for a company-wide or large group gathering, make sure the event leader has reviewed the evacuation plan of your event space and knows they are responsible for ensuring your employees evacuate if there is an emergency.
A Quick Recap of things to Consider for your BC/DR Update
Between the rise of the cloud and remote-first workplaces, businesses have changed extremely rapidly over the last few years. It’s time to start reviewing your BC/DR with a critical eye. While I hope you never have to write or update a business continuity and disaster recovery plan from scratch, I hope this article has given some good pointers on what should be included in your BC/DR update.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.