CISOaaS
8. Business continuity
Roberto Perelli
September 12, 2022
4:58 pm
A sustainable Operational Continuity Plan represents an important corporate value that can be spent both with Customers and Suppliers.

When do we talk about?business continuity? it is often mentally associated with catastrophic situations such as the COVID pandemic, the inaccessibility of the office (e.g. fire, flooding), unavailability of IT systems due to ransomware, technical failure (e.g. the OVH data center fire in Strasbourg) and so on .


There business continuity however, it has a broad and strategic scope, it is a permanent company policy which has the objective of keeping the Company operational in all its functions, even in adverse situations;

it is reflected in all choices concerning critical elements for normal operations, not only those relating to disastrous events.


Some examples:

- connect to two internet connectivity carriers of 500 Mbps instead of one of 1 Gbps, to parallelize the traffic and in case of unavailability of a carrier, continue to be connected and operate;


- install critical equipment (routers, switches, firewalls, critical servers) in redundant clusters (High Availability);


- adopt Fault-tolerant configurations (eg RAID5 disks);


- have a systematic staff training plan to cover critical tasks in the event of unavailability of the owners;


- choose reliable suppliers and prepare supply alternatives;


- etc.


The universally adopted standard is the ISO 22301.


Not all companies are able to undertake the certification process, but all should, in the measure of their resources, adopt decisions that increase their resilience and prepare their own Business Continuity Plan (BCP).


Also for the BCP the indispensable bases are risk management and the inventory of information, processes, tools and people.


It is important that the company defines the Permanent group project Manager BCP clearly defining roles and responsibilities, the Fractional CISO for example it coordinates the activities related to the Information Security.


The Group, with the essential contribution of Company experts identifies the main risk scenarios and elaborates for each one Business Impact Analysis (BIA) to establish and quantify what would happen in terms of damage and operation.


Based on what emerges, priorities are assigned to the scenarios to determine the allocation of resources to prepare, where possible and convenient, containment measures to reduce the risk or impact (e.g. relocation of the plant to an area with a lower risk of floods or installation of basins and pumps that contain any flooding) and the action plan to restore operational activities (e.g. alternative emergency site, transfer of machinery, activation of an alternative data center, provision of safe access for work from employees' homes, etc,)


In case of ?disaster?, for each company function the criticality for the company and the dependencies must be defined in order to establish priorities in the recovery activities (see 11. Disaster Recovery).


The success of the BCP at the time of its implementation will depend on how much has been shared and made? familiar? with the people of? Agency, in particular those that have an operational role in the BCP And how up-to-date with respect to the current situation of the company.

Category: Fractional CISO? Instructions for Use