Even with the most carefully thought-out disaster planning, unintended consequences and sub-par performance can often be the result. In part, these undesirable outcomes occur because they are based on theory rather than actual experience.
In many areas subject to specific natural disasters, the incident response or disaster plan might be called an “Earthquake Preparedness Plan” or “Flood Response Protocol,” depending on location. The missing link in these cases is that such plans rarely consider the totality of the circumstances of most disasters. In fact, many natural disaster incident response plans don’t consider the cybersecurity elements of a disaster sufficiently to keep a business up-and-running post-disaster, and so they ultimately fail to protect the business at all.
What’s in a Typical Emergency Preparedness Plan?
When your IT disaster plan is really a natural disaster plan, then it likely includes required emergency supplies, a contact list or staff directory with alternate contact information, and a plan for a backup office or an alternate location. Typically, there are pages upon pages of information as to how to deal with the physical effects of a disaster, such as how to handle aftershocks, downed power lines, shattered glass, unstable masonry, power outages and data loss.
What’s Not Included in a Standard Emergency Preparedness Plan?
Most EPPs are not based on a realistic assessment of the risks to facilities, IT infrastructure, staff and operations. For example, there is unlikely to be an assessment of how the interior and exterior physical damage to a building will affect the IT infrastructure and hardware going forward. While an EPP might contain information that helps to prepare IT systems before a disaster, it probably doesn’t adequately address post-disaster measures that will support efforts to restore damaged IT assets.
Typical Gaps in Common Emergency Preparedness Plans
If it is primarily focused on natural disasters, your EPP probably has some glaring coverage gaps when it comes to the more common and more probable disasters such as burst plumbing and cybersecurity attacks. While an earthquake is much more dramatic than a burst pipe, a burst pipe with its related flooding is much more likely to occur. A comprehensive disaster plan will cover all risks to your IT systems and architecture, including data breach and data loss — in addition to other potential incidents such as fire, gas leaks, flooding, toxic spills, winter storms, power outages, high winds and pandemics. It will address how to deal with post-disaster shortages of water, food, prescription drugs, fuel and power.
In addition to being narrowly focused, many disaster plans fall short on adequately trained staff, because the plan provides no effective training tools or education. A comprehensive disaster plan will include the following elements:
1. Inventory hardware and software.
An effective disaster response plan will include a complete inventory of hardware and applications in order of priority, with vendor contact and support information attached.
2. Define your business’s ability to withstand downtime and data loss.
A local handyman has a greater tolerance for downtime than a website designer, and finding out where your business is on the spectrum of downtime tolerance can help you define how much to invest in your disaster planning.
3. Lay out who is responsible for what – and identify backup personnel.
All employees should know where they stand in their respective disaster planning roles, including key roles, responsibilities, and parties involved for each level of response.
4. Create a communication plan.
Do your employees know how to communicate in the event of a disaster? Can they access the systems they need to perform their job duties in a post-disaster environment?
5. Let employees know where to go in case of emergency – and have a backup worksite.
Do you have an alternate site in mind if your primary office becomes unavailable? Ensure that all employees know where to go in a post-disaster scenario, including where their desks are and how to access applications and data.
6. Make sure your service-level agreements (SLAs) include incident response and disaster planning.
Make sure you have a defined, binding service-level agreement (SLA) with any incident response contractors you deal with. The agreement should clearly indicate the level of service and anticipated downtime in a post-disaster scenario.
7. Include how to handle sensitive information.
Your SLA should detail the specifics as to how to handle sensitive customer and company data.
8. Test your plan regularly.
All comprehensive incident response plans have regular testing as part of the maintenance of the plan. This not only ensures an effective response in the event of a disaster, it also provides peace of mind that your business can stay up-and-running no matter what.
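The eight elements above are easier to test regularly (element 8) when the plan is kept as data rather than as pages of prose. The following is an added example, not code from the original post or from Radius Executive IT Solutions: a small checker that holds a prioritized inventory with vendor contacts (element 1), downtime and data-loss tolerances as RTO/RPO (element 2), named owners and backup personnel (element 3) and a sensitive-data handling flag (element 7), computes a dependency-respecting restoration order, and reports the gaps. All asset records, tolerances and contact strings are constructed sample data.

```python
import heapq
from dataclasses import dataclass, field
from datetime import timedelta
from typing import List, Optional


@dataclass
class Asset:
    """One line of the hardware/software inventory (constructed sample schema)."""
    name: str
    priority: int                                # 1 = restore first
    rto: timedelta                               # recovery time objective: tolerable downtime
    rpo: timedelta                               # recovery point objective: tolerable data loss
    owner: str                                   # who is responsible for restoring it
    backup_owner: Optional[str] = None           # who steps in if the owner is unavailable
    vendor_contact: Optional[str] = None         # vendor support information for this asset
    backup_interval: Optional[timedelta] = None  # how often backups are taken; None = never
    handles_sensitive_data: bool = False
    data_handling_procedure: Optional[str] = None
    depends_on: List[str] = field(default_factory=list)  # assets that must be up first


def restoration_order(assets):
    """Order assets so each dependency is restored before the assets that need it.
    Ties are broken by priority (Kahn's algorithm with a priority heap)."""
    by_name = {a.name: a for a in assets}
    indegree = {a.name: 0 for a in assets}
    dependents = {a.name: [] for a in assets}
    for a in assets:
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on unknown asset {dep!r}")
            indegree[a.name] += 1
            dependents[dep].append(a.name)
    ready = [(by_name[n].priority, n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (by_name[child].priority, child))
    if len(order) != len(assets):
        raise ValueError("dependency cycle: no valid restoration order exists")
    return order


def check_plan(assets, business_rto, business_rpo):
    """Return a list of human-readable gaps, one per plan element that is not met."""
    by_name = {a.name: a for a in assets}
    findings = []
    for a in assets:
        # Element 2: the asset's tolerances must fit the business's tolerances,
        # and backups must be frequent enough to honour the RPO.
        if a.rto > business_rto:
            findings.append(f"{a.name}: RTO {a.rto} exceeds business tolerance {business_rto}")
        if a.rpo > business_rpo:
            findings.append(f"{a.name}: RPO {a.rpo} exceeds business tolerance {business_rpo}")
        if a.backup_interval is None:
            findings.append(f"{a.name}: no backups configured")
        elif a.backup_interval > a.rpo:
            findings.append(f"{a.name}: backup interval {a.backup_interval} exceeds RPO {a.rpo}")
        # Element 3: every role needs backup personnel.
        if not a.backup_owner:
            findings.append(f"{a.name}: no backup personnel named for owner {a.owner}")
        # Element 1: the inventory carries vendor support information.
        if not a.vendor_contact:
            findings.append(f"{a.name}: no vendor support contact recorded")
        # Element 7: sensitive data needs a documented handling procedure.
        if a.handles_sensitive_data and not a.data_handling_procedure:
            findings.append(f"{a.name}: handles sensitive data but no handling procedure is documented")
        # An asset cannot come back faster than the assets it depends on.
        for dep in a.depends_on:
            if by_name[dep].rto > a.rto:
                findings.append(f"{a.name}: depends on {dep}, whose RTO {by_name[dep].rto} "
                                f"is longer than its own {a.rto}")
    return findings


# Constructed sample tolerances and inventory (not a real business or vendor).
BUSINESS_RTO = timedelta(hours=24)
BUSINESS_RPO = timedelta(hours=24)


def sample_assets():
    return [
        Asset("Identity provider", 1, timedelta(hours=2), timedelta(hours=1), "IT lead",
              backup_owner="Deputy IT lead", vendor_contact="IdP vendor support line (sample)",
              backup_interval=timedelta(minutes=30)),
        Asset("Customer database", 1, timedelta(hours=4), timedelta(hours=1), "DBA",
              vendor_contact="DB vendor support line (sample)", backup_interval=timedelta(hours=6),
              handles_sensitive_data=True, depends_on=["Identity provider"]),
        Asset("Web storefront", 2, timedelta(hours=8), timedelta(hours=24), "Web developer",
              backup_owner="Ops engineer", backup_interval=timedelta(hours=24),
              depends_on=["Customer database", "Identity provider"]),
        Asset("Internal wiki", 3, timedelta(days=3), timedelta(days=1), "Office manager",
              backup_owner="IT lead", vendor_contact="Wiki hosting support (sample)",
              backup_interval=timedelta(days=1)),
    ]


if __name__ == "__main__":
    inventory = sample_assets()
    print("Restoration order:", " -> ".join(restoration_order(inventory)))
    for gap in check_plan(inventory, BUSINESS_RTO, BUSINESS_RPO):
        print("GAP:", gap)
```

Running the script prints the restoration order (identity provider first, because the database and storefront depend on it) and five gaps in the sample inventory: the database is backed up less often than its RPO allows, has no backup personnel and no sensitive-data procedure, the storefront has no vendor contact, and the wiki's RTO exceeds the business-wide tolerance. Rerunning the check after every inventory change is the cheapest form of the regular testing the plan calls for.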
Radius Executive IT Solutions is your local IT incident response, disaster planning and business continuity expert. If you think your business could benefit from a more comprehensive incident response plan, contact us at (978) 528-0110 or send us an email at firstname.lastname@example.org for more information.