In a context where many companies have faced significant difficulties in adapting the way their employees work, others, better prepared, have simply had to execute an existing plan, the BCP (Business Continuity Plan), for the security of their information system.
BCP = Business Continuity Plan
The BCP represents all the measures aimed at ensuring the maintenance, in degraded mode if necessary, of the company’s important activities or tasks. In a second phase, the Disaster Recovery Plan (DRP) organises the recovery of activities. The BCP meets, in particular, requirements in terms of availability, integrity, confidentiality and traceability.
What does it consist of?
The BCP, in its comprehensive version, is composed of the following elements:
- Identification of sensitive assets and activities (which maintain the company’s core business);
- Risks relating to sensitive assets and activities;
- The business continuity strategy;
- The role of the various managers;
- The crisis management system;
- The communication plan (internal and external);
- Operational maintenance of the plan;
- Continuous improvement (feedback, corrective actions, etc.).
Is this relevant to every company?
The BCP is generally recommended, regardless of the size or line of business of the company. Nevertheless, the cost of implementing a “comprehensive” BCP may exceed the loss that would be incurred in the event of a crisis or incident. In that case, a comprehensive BCP is not recommended; it is more appropriate to establish a “light” BCP (Business Resumption Plan), also known as a “standard” BCP. Such a BCP is less tailored overall and does not take the company’s specific issues into account. It is not an optimal choice, but it helps to “limit the damage” in the event of an incident.
It should be noted that in companies with an ISMS (Information Security Management System), and in particular those certified ISO 27001, the BCP (in its comprehensive version) is already included.
Triggering the BCP
In the event of a crisis, the BCP manager will set up a crisis unit. This crisis unit will decide whether or not to execute the BCP depending on the risk and its seriousness.
Once the decision has been taken to activate the BCP (if applicable), a procedure will have to be carried out, which will include the following:
- A communication plan, to inform the company’s employees on the one hand but also, if necessary, external stakeholders (customers, partners, service providers, authorities, etc.);
- The implementation of the planned solutions. These solutions can be many and are adapted to the needs (closing the premises, making backups, setting up a VPN connection, isolating an infected PC, forensic investigation, changing working hours, etc.).
In the current context, take, for instance, a company that was not familiar with teleworking and whose employees only worked on fixed PCs. The company would either have to buy PCs or ask the staff to use their own. The second solution would have to be supported by the purchase of an Office 365 license, for example, and other licenses depending on the employee’s job function.
Apart from this financial aspect, there will be many questions regarding security. Does the personal PC have up-to-date anti-virus software? Does the PC have a password? If so, does it comply with the requirements of the Company Information Security Policy? A VPN may be set up between the employee’s personal PC and the company network. Is it reasonable to give an uncontrolled asset access to the company network?
The above examples are just a few of many, but they show the complexity of acting efficiently and securely without a predefined plan.
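As an added example (not part of the original article), the security questions raised above can be turned into a device posture check that a VPN gateway or help desk applies before a personal PC is allowed onto the company network. The policy thresholds, the device record fields and the sample inventory are assumptions constructed for illustration; a real deployment would take the thresholds from the Company Information Security Policy and the device facts from an endpoint-management agent.

```python
"""Device posture check before granting VPN access to a remote PC.

Added example, not from the original article. Policy values and the device
record shape are assumptions chosen for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Policy:
    """Minimum requirements a PC must meet before it may join the VPN (assumed values)."""
    max_av_signature_age_days: int = 3
    min_password_length: int = 12
    max_os_patch_age_days: int = 30
    require_disk_encryption: bool = True
    require_managed_device: bool = False  # personal PCs tolerated, but every other check still applies


@dataclass
class DevicePosture:
    """Agent-reported facts about one PC (constructed record shape)."""
    hostname: str
    owner: str
    managed: bool
    av_installed: bool
    av_signature_date: Optional[date]
    screen_lock_password: bool
    password_length: int
    os_patch_date: Optional[date]
    disk_encrypted: bool


@dataclass
class Decision:
    grant: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(device: DevicePosture, policy: Policy, today: date) -> Decision:
    """Return a grant/deny decision listing every requirement the device fails."""
    failures: List[str] = []

    if policy.require_managed_device and not device.managed:
        failures.append("device is not company-managed")

    # Anti-virus: must be present and its signatures must be recent.
    if not device.av_installed:
        failures.append("no anti-virus installed")
    elif device.av_signature_date is None:
        failures.append("anti-virus signature date unknown")
    elif today - device.av_signature_date > timedelta(days=policy.max_av_signature_age_days):
        failures.append("anti-virus signatures older than %d days" % policy.max_av_signature_age_days)

    # Password: must exist and meet the policy's minimum length.
    if not device.screen_lock_password:
        failures.append("no password on the PC")
    elif device.password_length < policy.min_password_length:
        failures.append("password shorter than policy minimum (%d)" % policy.min_password_length)

    # Patch level: unknown or stale patch dates are both treated as failures.
    if device.os_patch_date is None or today - device.os_patch_date > timedelta(days=policy.max_os_patch_age_days):
        failures.append("OS patches older than %d days or unknown" % policy.max_os_patch_age_days)

    if policy.require_disk_encryption and not device.disk_encrypted:
        failures.append("disk not encrypted")

    return Decision(grant=not failures, reasons=failures)


# Constructed sample inventory: one compliant personal PC, one that fails several checks.
TODAY = date(2020, 4, 15)
SAMPLE_DEVICES = [
    DevicePosture("alice-home-pc", "alice", managed=False, av_installed=True,
                  av_signature_date=date(2020, 4, 14), screen_lock_password=True,
                  password_length=14, os_patch_date=date(2020, 4, 1), disk_encrypted=True),
    DevicePosture("bob-old-laptop", "bob", managed=False, av_installed=True,
                  av_signature_date=date(2020, 1, 10), screen_lock_password=True,
                  password_length=6, os_patch_date=None, disk_encrypted=False),
]


def review_inventory(devices=SAMPLE_DEVICES, policy=Policy(), today=TODAY) -> Dict[str, Decision]:
    """Evaluate every device in the inventory and return decisions keyed by hostname."""
    return {d.hostname: evaluate(d, policy, today) for d in devices}


if __name__ == "__main__":
    for host, decision in review_inventory().items():
        status = "GRANT" if decision.grant else "DENY: " + "; ".join(decision.reasons)
        print(f"{host}: {status}")
```

Every failed requirement is reported rather than only the first one, so the help desk can tell the employee everything that must be fixed before the PC is admitted; the decision record also gives the crisis unit a traceable basis for each exception it chooses to grant.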
During the BCP
Once the BCP has been applied, it should be evaluated on a regular basis to ensure that it is still appropriate to apply it. The evaluation will be done against many criteria (legal, financial, material, etc.) depending on the situation.
During these crisis meetings, different decisions can be taken:
- Going ahead with the BCP;
- Launching the DRP (Disaster Recovery Plan);
- The total cessation of activity or bankruptcy (in extreme cases).
It should be noted that the BCP is intended to be temporary and is valid for a limited period of time. At the end of this period, one of the options seen above must be applied.
The Disaster Recovery Plan (DRP) allows, as its name indicates, the activity to be restarted after a phase of operating in degraded mode. The DRP is very often associated with, or included in, the BCP.
The crisis unit will decide to relaunch the activity when the threat becomes acceptable to the company or is no longer relevant. This resumption will be gradual, moving from a degraded mode to a “normal” mode.
The BCP is not only valid for health crises such as the one we are currently experiencing. It can also be useful in the case of computer attacks, network or power outages, etc.
To sum up, a BCP is recommended for all companies, regardless of their line of business, size or financial means. Nevertheless, this solution alone is not sufficient to completely manage your information system. To take it to the next level, think about the ISMS (Information Security Management System)!
Given the current situation related to COVID-19, many companies have had to switch to a teleworking mode. Teleworking is clearly an advantage in the fight against COVID-19 but also a new opportunity for hackers. In order to participate in the general COVID-19 mobilization, Positive Thinking Company joins the collective effort by offering free expertise and analysis of your company’s cyber security.