BCP DR
Importance of BCP/DR
Business continuity planning (BCP) and disaster recovery (DR), together BCDR, exist to
minimize the effect of outages and disruptions on business operations. BCDR practices let an
organization get back on its feet after a problem occurs, reduce the risk of data loss and
reputational harm, and improve day-to-day operations while lowering the chance that a
disruption turns into an emergency.
Some businesses might have a head start on BCDR. DR is an established function in many
IT departments with respect to individual systems. However, BCDR is broader than IT,
encompassing a range of considerations -- including crisis management, employee safety
and alternative work locations.
A holistic BCDR approach requires thorough planning and preparation. BCDR professionals
can help an organization create a strategy for achieving resiliency. Developing such a
strategy is a complex process that involves conducting a business impact analysis (BIA) and
risk analysis as well as developing BCDR plans, tests, exercises, and training.
Components of BCP
An executive summary with a term glossary.
Up-to-date risk analysis, vulnerability assessments, and business impact analysis
(BIA).
A distribution list that explains where you store copies of the plan, who needs access
to the document, and links to any relevant files (e.g., an evacuation plan).
All relevant legal, contractual, coverage, and regulatory obligations.
A record of who worked on the plan, when, and why.
The objectives of the BC plan.
An overview of geographical risks and factors.
A list of the most critical business functions, with how quickly and to what extent each
must be back online after an incident (a recovery time objective for the function, and a
recovery point objective for the data it depends on).
Guidelines on how and when to use the plan.
An overview of the incident response team, plus contacts of all go-to personnel in
times of crisis.
Detailed guides for preventing incidents from happening.
Instructions on how to identify different threats.
Step-by-step response plans for each disaster scenario.
Any changes in management procedures that take effect during and following an
incident.
Lists of secondary office sites and instructions for work-from-home and BYOD
policies.
A schedule for BCP reviewing, testing, and updating.
A clear-cut communications plan for dealing with suppliers, third-party partners, and
the media.
Training instructions for team leaders and individual employees.
Components of DR
A statement of intent and the plan goals.
A record of who created the plan and when.
A thorough analysis of the IT system, networks, and data you protect with a DR plan.
Inventory of all relevant hardware and software.
An in-depth IT risk analysis.
An overview of the system's current tech stack.
Guidelines for when to use the plan.
A list of all go-to recovery personnel responsible for managing the DR plan's
execution.
Step-by-step instructions on how to restart, reconfigure, rehost, and recover systems
in times of crisis.
List of all the tools needed for the DR execution (plus guides on how to use them
properly).
References to all authentication assets and credentials needed during recovery, held in a
break-glass store or secrets vault under separate access control rather than written in
plaintext into the plan itself (the plan document is, by design, widely distributed).
Detailed instructions on preventing incidents and proactively protecting the system
(e.g., using anti-malware tools, setting up an IDS, creating daily backups with at least
one copy kept offline or immutable so that ransomware cannot encrypt the backups along
with the production data, etc.).
The critical functions that suffer downtime if the IT system goes down.
All the relevant info about the secondary IT infrastructure that takes operation over in
case of an incident.
A schedule for planned reviews and updates to the strategy.
Training instructions for employees responsible for managing the IT system and
spearheading the DR process. Readiness is usually tested with restore drills, failover
exercises and tabletop simulations of a disaster scenario; penetration testing is a
useful complement, but it exercises the incident response side rather than recovery itself.
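The "creating daily backups" and "step-by-step recovery instructions" items above are only worth anything if a restore actually works, which is why the review schedule should include a restore drill. The script below is an added example, not code from the original notes: it builds a SHA-256 manifest of a backup set and then verifies a restored copy against it, reporting files that came back missing or corrupted. The file names, contents and the simulated restore failures are constructed for the demonstration.

```python
"""Backup manifest and restore-drill check.

Added example, not code from the original notes. File names, contents and
the simulated restore failures are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)  # unexpected files: investigate
    return {"ok": not (missing or corrupted), "missing": missing,
            "corrupted": corrupted, "extra": extra}


def write_tree(root, files):
    """Write {relative path: bytes} under root (helper for the constructed demo)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def restore_drill():
    """Backup -> manifest -> (faulty) restore -> verify, in a temporary directory."""
    backup_set = {  # constructed backup contents
        "db/court_records.sql": b"CREATE TABLE cases (id INT, docket TEXT);\n",
        "db/parking.sql": b"CREATE TABLE tickets (id INT, plate TEXT);\n",
        "config/app.ini": b"[app]\nmode = prod\n",
    }
    with tempfile.TemporaryDirectory() as work:
        src, dst = os.path.join(work, "backup"), os.path.join(work, "restored")
        write_tree(src, backup_set)
        manifest_path = os.path.join(work, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(src), f)  # stored alongside the backup

        # Simulated restore: one file never comes back, one suffers bit rot.
        restored_set = {k: v for k, v in backup_set.items() if k != "config/app.ini"}
        restored_set["db/parking.sql"] = restored_set["db/parking.sql"][:-1] + b"X"
        write_tree(dst, restored_set)

        with open(manifest_path) as f:
            return verify_restore(json.load(f), dst)


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

In a real drill the manifest is written at backup time and kept with the backup (ideally signed, so an attacker who tampers with both the data and the manifest is still caught), and verify_restore runs against the restore target after the recovery procedure in the plan has been followed exactly as written; a drill that passes only because someone improvised is a failed drill.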
Case Study
The City of Atlanta is Hobbled by Ransomware.
There has been no shortage of other headline-making ransomware attacks over the last few
years. But one that stands out (and whose impact reverberated for at least a year after the
incident) was the March 2018 SamSam ransomware attack on the City of Atlanta.
The attack devastated the city government’s computer systems:
Numerous city services were disrupted, including police records, courts, utilities,
parking services and other programs.
Computer systems were shut down for five days, forcing many departments to
complete essential paperwork by hand.
Even as services were slowly brought back online over the following weeks, the full
recovery took months.
Attackers demanded a $52,000 ransom payment. But when all was said and done, the full
impact of the attack was projected to cost more than $17 million. Nearly $3 million alone was
spent on contracts for emergency IT consultants and crisis management firms.
In many ways, the Atlanta ransomware attack is a lesson in inadequate business continuity
planning. The event revealed that the city’s IT was woefully unprepared for the attack. Just
two months prior, an audit found 1,500 to 2,000 vulnerabilities in the city’s IT systems, which
were compounded by “obsolete software and an IT culture driven by ‘ad hoc or
undocumented’ processes,” according to StateScoop.
Which vulnerabilities allowed the attack to happen? Weak passwords, most likely. That is a
common entry point for SamSam attackers, who point brute-force tools at Internet-exposed
remote-access logins (RDP in particular) and try thousands of password guesses in a matter
of seconds. Frankly, it is an unsophisticated method, and one that strong password policies,
account lockout or rate limiting on failed logins, multi-factor authentication on remote
access, and alerting on bursts of failed logins would have blunted.
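A burst of failed logins from a single source is exactly the signal the city's monitoring would have needed. The detector below is an added example, not code from the original article: it reads OpenSSH-style authentication log lines (the article names no specific service, so the format, the threshold of five failures in sixty seconds, the log year and the sample lines are all assumptions constructed for the demonstration), raises an alert when a source crosses the threshold, and raises a second, higher-severity alert when that same source then logs in successfully, which is the guessed-password case.

```python
"""Brute-force login detection over auth-log lines.

Added example, not code from the original article. Log format follows
OpenSSH sshd messages (assumed); thresholds, log year and sample lines are
constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5    # failed logins from one source ... (assumed policy)
WINDOW = 60      # ... within this many seconds (assumed policy)
LOG_YEAR = 2018  # syslog lines carry no year; assumed for parsing

# Constructed sample log: one fast burst ending in a success, one ordinary
# typo, and one low-and-slow guesser spaced five minutes apart.
SAMPLE_LOG = """\
Mar 22 03:14:01 vpn1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50111 ssh2
Mar 22 03:14:03 vpn1 sshd[2202]: Failed password for invalid user administrator from 203.0.113.7 port 50112 ssh2
Mar 22 03:14:04 vpn1 sshd[2203]: Failed password for root from 203.0.113.7 port 50113 ssh2
Mar 22 03:14:06 vpn1 sshd[2204]: Failed password for root from 203.0.113.7 port 50114 ssh2
Mar 22 03:14:07 vpn1 sshd[2205]: Failed password for jsmith from 203.0.113.7 port 50115 ssh2
Mar 22 03:14:09 vpn1 sshd[2206]: Failed password for jsmith from 203.0.113.7 port 50116 ssh2
Mar 22 03:14:11 vpn1 sshd[2207]: Accepted password for jsmith from 203.0.113.7 port 50117 ssh2
Mar 22 03:20:00 vpn1 sshd[2301]: Failed password for mlee from 198.51.100.4 port 40001 ssh2
Mar 22 03:20:30 vpn1 sshd[2302]: Accepted password for mlee from 198.51.100.4 port 40002 ssh2
Mar 22 03:30:00 vpn1 sshd[2401]: Failed password for root from 192.0.2.9 port 30001 ssh2
Mar 22 03:35:00 vpn1 sshd[2402]: Failed password for root from 192.0.2.9 port 30002 ssh2
Mar 22 03:40:00 vpn1 sshd[2403]: Failed password for root from 192.0.2.9 port 30003 ssh2
Mar 22 03:45:00 vpn1 sshd[2404]: Failed password for root from 192.0.2.9 port 30004 ssh2
Mar 22 03:50:00 vpn1 sshd[2405]: Failed password for root from 192.0.2.9 port 30005 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(line):
    """Return (timestamp, result, user, ip) for a password-auth line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per source IP.

    Emits BRUTE_FORCE when a source reaches `threshold` failures inside
    `window` seconds, and SUCCESS_AFTER_BURST when a source that still has a
    full burst inside its window then authenticates successfully.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not a password-auth event; ignore
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()  # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:  # alert once, at the moment the line is crossed
                alerts.append({"kind": "BRUTE_FORCE", "ip": ip, "user": user, "time": ts})
        elif len(q) >= threshold:
            alerts.append({"kind": "SUCCESS_AFTER_BURST", "ip": ip, "user": user, "time": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['time']:%H:%M:%S} {a['kind']:20} {a['ip']:15} user={a['user']}")
```

The third source in the sample (192.0.2.9) spaces its attempts five minutes apart and slips under the sixty-second window; calling detect with a wider window catches it, at the cost of more noise from legitimate users who mistype. Counting failures per target account across all sources, rather than per source, is the usual complement, since a password-spraying attacker rotates sources and keeps each one under any per-source threshold.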
Despite the business continuity missteps, credit should still be given to the many IT
professionals (internal and external) who worked to restore critical city services as quickly as
possible. What’s clear is that the city did have some disaster recovery procedures in place
that allowed it to restore critical services. If it hadn’t, the event likely would have been much
worse.