What do you know about Business Continuity Management and Disaster Recovery Plan? Well, this is a very relevant topic because the companies that survive after a disaster are those that are prepared for it.
In fact, if one link fails, it will lead to problems. For example, the absence of a person, a link failure, the absence of a supplier, a compromised physical structure, etc. Not only that, but also if the continuity of a business process stops, it will inevitably lead to irreparable losses and damages.
The BCP (Business Continuity Plan) allows the company not to stop, since the plan will enable quick recovery after an incident, damage, or disaster. A BIA (Business Impact Analysis) is necessary to detect the most critical processes of an organization.
The DRP (Disaster Recovery Plan) guarantees the recovery of the organization after the shutdown. Business continuity management is due to the description in BS 25999. That is, a British standard made integrally throughout the organization, unlike ISO 27002, which is made only for IT.
1. Continuity
It refers to the availability of the system when requested. For example, a telephone center that works with 50 professionals in 24 hours. Therefore, it must have different availability requirements from another center that works only during business hours, with only one employee. That is, availability requirements can differ drastically.
2. What are catastrophes?
Even a simple failure becomes a catastrophe, not necessarily a terrorist attack. This will depend on the business process and its importance.
3. Disaster Recovery Plan – DRP (Disaster Recovery Plan)
If you still do not know the difference between DRP and BCP, pay attention! The DRP is responsible for minimizing the consequences and taking measures to return to normal operation in an acceptable time. It aims at recovery while the disaster is in progress.
On the other hand, the BCP aims at an alternative location, requires something more comprehensive, all focused on continuity, even if partially. The DRP is to return to production. That is, it deals with contingencies and alternative paths before the disaster.
-
Workplace alternatives
Evaluate the costs of maintaining a physical space as contingency for the operations of the main branch, in order to ensure that operations continue after a disaster.
-
Redundant Site
Good alternative when the company has several locations, especially when it comes to the Data Center. In this sense, the data modality must be replicated between the sites.
-
Hot Site on demand
Evaluate the possibility of a truck containing the necessary resources for the operation of a temporary Data Center. Are the possibilities limited? Yes! But it is a way to restart the operation of most critical processes.
-
Testing BCP
A good BCP/DRP should not go to the drawer after its preparation. There needs to be a plan to regularly test and, consequently, change it if necessary.
Therefore, changes occur in the company and must be reflected in the plans. Additionally, consider testing as a good tool for employee awareness. Sometimes it is better not to count on the existence of a plan than to have a completely outdated plan.
-
Personnel Measures
Also, evaluate the rapid replacement of employees. Because if there is a disaster, epidemic, strike, or something that makes the presence of employees impossible in the company, you will not suffer so much from the impacts.
Managing Communication and Operational Processes
1. Operational Procedures and Responsibilities
In order to maintain effective IT management, it is important to document procedures and assign responsibilities. But how? Through work instructions. Such as: system maintenance processes; backup procedures; how to turn on and off certain equipment; etc.
Certain items in these procedures must exist, such as how to handle information, a list of contacts after an incident, and the location where audit log files are generated, since these logs can be used as a way to discover any errors in the system after a problem or interruption.
2. Change Management
Implementing a change can lead to risks. And this is very serious. However, do you know how? For example, let’s imagine that a system has a vulnerability and a patch needs to be applied, but the system update can lead to unavailability or major failures. So, evaluate the change carefully.
Also, consider the replacement of a version of an application, in which the Service Desk needs to continue supporting and consequently, learn to support the new version. In other words, the consequences of changes must be known and prepared in advance.
Evaluate another point, the desire for a definition of roles and responsibilities in a change management process. Since, if each person could freely execute changes, there would inevitably be errors and stoppages.
Additionally, it would most likely make it difficult to detect the origin of a problem and the person responsible for the failure.
3. Segregation of Duties
It can be difficult for small businesses to apply segregation of duties. But this principle should be followed as much as possible and as practical.
Segregation helps to prevent unauthorized access to documentation, data or information, thus avoiding fraud, embezzlement, illegal actions that may generate losses and damage to the company.
4. Development, Testing, Homologation and Production
In order to ensure that changes do not become executed in a uncontrolled manner, it is also ideal to advise the creation of several physical environments, such as:
- Development: security requirements applied;
- Testing: determines if the development complies with the requirements;
- Homologation: the customer verifies if the product meets their specifications;
- Production: should have a plan to recover the latest version in case of a failure.
5. Third-Party Service Management
When a company decides to outsource some or all of its IT, a good contract must be signed with the third party providing this service, including security aspects and Service Level Agreements (SLA).
In this way, ensure that audits are also regularly performed to verify that these agreements are being respected.
I hope I have contributed to making this subject clearer in your mind with everything I have discussed in this text about “Business Continuity Management and Disaster Recovery Plan”.
English 
