Pub. 8 2019 Issue 5

Leading advocate for the banking industry in Kansas

BUSINESS CONTINUITY, DISASTER RECOVERY, AND INCIDENT RESPONSE: A RIDICULOUSLY BRIEF PRIMER
By Joseph Ellis, CoNetrix

In the course of reviewing a financial institution's information security program, we will invariably come to the point of assessing the organization's business continuity plan. In doing so, it is not uncommon to need to clarify the difference between business continuity planning, disaster recovery preparations, and incident management and response. There is certainly a degree of overlap among the three, but each has its place in an organization's planning and preparation regimen, and each addresses its own set of considerations. Those responsible for maintaining their financial institution's information security program must have a clear understanding of each of these aspects of continuity planning, recognize their similarities and differences, and be able to integrate each into a comprehensive strategy for addressing interruptions in their organization's processes.

Though interpretations vary and often turn into little more than semantic debates, some generally accepted distinctions can be made. One useful factor for distinguishing disaster recovery, business continuity, and incident response is the scope or scale of the events each plan addresses.

Business Continuity

Business continuity planning is the process of developing a comprehensive written plan that addresses recovery from interruptions in business processes at a detailed level. An organization's business continuity plan will typically be a substantial document built on thorough risk assessments, prioritization of business processes, analysis of maximum allowable downtimes and other recovery timeframes, and much more. The business continuity plan is an umbrella of sorts: it considers all aspects of preparing for, mitigating, and responding to reasonably foreseeable interruptions in business processes. It can serve as a playbook that details each person's roles and responsibilities in recovering from all kinds of business disruptions, including power outages, connectivity disruptions, pandemics, and branch closures.

Disaster Recovery

Disaster recovery planning has a much broader scope, taking into consideration such calamitous events as hurricanes, earthquakes, and other large-scale service and infrastructure disruptions. A disaster recovery plan is concerned with restoring at least minimal operational capacity after a catastrophic or otherwise substantial loss, and is necessarily less granular than a business continuity plan. Whereas the business continuity plan is developed using an in-depth, risk-based approach specific to the organization's business processes, disaster recovery planning must instead take into consideration events that have little or nothing to do with the financial institution's particular processes or operations. To put it another way, a tornado does

[Figure: The relationships between business continuity, disaster recovery, and incident response for a hypothetical event]
