Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show notes: Business Continuity/Disaster Recovery Mastery
Quick Take
On this episode of Compliance Unfiltered, the guys lay out the cold hard facts about Business Continuity/Disaster Recovery. Learn to master your approach as the CU guys dive head-first into critical topics like:
- What the hell is Business Continuity/Disaster Recovery?
- Why are these plans so important to virtually all businesses?
- What types of things should an organization’s plan include?
- And once you have one in place… What the hell do you do with it?
All this and more on this week’s Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter!
Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man whose chair might be squeaking on this episode. Adam Goslin, how the heck are you? No squeaking, I just locked it. I’m good, how are you, Todd? I can’t complain, I can’t complain. Today, we’re going to talk about something that, well, unfortunately, everybody needs to talk about and nobody wants to.
What is business continuity, I guess, and disaster recovery? And how do you use it, prepare for it, get your shit together, as some might say? So, various companies are going to experience different circumstances and areas that occur. Poof, you lost power due to a tornado, and now you don’t have any reliable electricity, what do you do? Certainly, the advent of COVID has taught a lot of companies a lot of things about where they fall short. The reality is, there are many standards, in fact almost all of them, that include new requirements for business continuity and disaster recovery. So, certainly PCI, SOC, ISO, and many others have these requirements. Business continuity is effectively outlining how your organization moves forward when you have some type of a disruptive event. How do you, you know, get through it? How do you maintain afterwards? Things along those lines. So, disaster recovery consists of plans for responding to those events that may occur within the organization. So, without these plans in place, the small events can have amplified impacts on business operations. And in some cases, there have been companies that have been shut down by having an event that they certainly weren’t prepared for.
Well, I guess why are these plans important? Well, if you’re doing your business continuity and disaster recovery correctly, then you’ve got a documented plan that’s been thought through and tested in real-world exercises, and it should cover multiple what-if scenarios.
And so if FIT’s hitting the proverbial shand, then everybody isn’t just looking around as to what the hell do we do now. Your organization isn’t susceptible to just one or two different types of scenarios. The incidents can come in a wide variety of forms. I’ll practically guarantee that prior to 2020, there were a few organizations that had nationwide quarantines outlined as to how they were going to function. There were a ton of organizations that hadn’t even considered it, and they didn’t have a plan in place for when COVID-19 reared its head. And, for many of them, they really struggled out of the gate to make that transition from normal business operations to working in a full remote-style setting. So, it was a rough adjustment for a lot of folks.
Now, what types of things should be included in that? Well, your business continuity plan shouldn’t be limited to just these global, history-changing-style events. The reality is that there are commonplace situations that could be as mundane as late deliveries, or equipment failures, things along those lines. And so your plan should include a bunch of different scenarios that may arise across the board. No two businesses are going to end up with the same disaster recovery plan, because every business is different. The business continuity and the disaster recovery plans are influenced by a myriad of factors, including what type of organization it is, what business model they adopt, what the size and location of the organization is, technologies they use, server locations, budget allocations, vendors that are involved. I could keep going, but you get the point. There’s a large variety of different things that are going to come into play. I’ve seen organizations that basically have done nothing for their business continuity and disaster recovery. In the same sense, I’ve seen businesses that go to the other extreme, where they’ve got hundreds or thousands of pages that cover everything under the sun, and some poor set of souls had to go slave away to kind of think all of this stuff through, etc. In retrospect, are they well prepared for everything? Sure. I’m an efficiency guy, and that sounds terribly inefficient. Well, the reality is that there’s a middle point here. Somewhere between those two is where you want to land. You don’t want to try to cover every single possible scenario, etc. But you do need to get prepared for various situations that are most likely, and most disruptive. Well, I guess that makes sense.
Now once written, what should you do with it? Do you post it on the wall? Do you put it in a fancy golden folder? I’ve got this vision of, you walk into the castle, and in the middle of this stone courtyard, there’s a pedestal with some type of light on it, several spotlights, etc. And you know, a little gold shroud over it. The reality is that, you know, they’re not intended to just go in and write it once, and put it under there, under the cover in the castle. There’s several different things that happen. So most compliance requirements are going to require you to review those policies and those plans, do some training validation, annual testing, etc. The problem is that you’ve got organizations that, whatever, we pulled something together back in 2015. Then of course, it sat in the middle, on the pedestal, in the castle until 2023. And now all of a sudden there’s an issue, and the plan’s useless. People that were there no longer are, vendors that were involved no longer are, we’ve moved where our hosting is, and, and, and. So, you’ve got new things happening every year, all year, new technologies are coming out, new risks are coming into play. So, as your business is growing, you’ve got new things that you need to account for. At a certain point in the game, the plan that you wrote n number of years ago really isn’t making any sense, and it’s about as useful as not having a plan.
So, you want to go through, do periodic ongoing reviews of your business continuity and disaster recovery plans. You can walk through scenarios in kind of a role-playing style, you can physically go through all of the motions of the business continuity plan, just making sure that you’re using personnel that would be normally involved, so that they’re trained and knowledgeable, that’s one of the approaches. Certainly, as you’re going through those reviews, you’re looking for gaps that you need to get addressed, details that aren’t documented, updates that need to be made. Certainly, as you’re contemplating these new scenarios, and you’ve got new technology changes in the organization, etc., that’s going to guide updates toward the various plans that you’ve got.
Now, I guess I like to be prepared for things. Should you do tabletop exercises, or real world exercises of your plans, or is that just a lot of monotonous, tedious work for no reason? Most of the standards out there are going to require, at bare minimum, a tabletop walkthrough. Some use that tabletop exercise as an alternative to real-world walkthroughs: doing role-playing, you do it around a table, you’re talking through the scenarios as if it’s happening, etc. Well, the problem that I’ve seen with the tabletop exercises is, they’re only as good as the person that’s running the tabletop exercises, the scenario that they happen to pick, and quite frankly the imagination of the participants that are involved, and honestly how seriously are they taking it? If any of those variables are lacking, you start to lose benefit. When you’re walking through a scenario, leveraging your plans in a real world exercise, then you actually have to go and solve the problem, and leverage the framework. You’re literally forced to go through that scenario, and honestly discovering issues that you didn’t even think about during the tabletop exercise. Oh gosh, we totally forgot, Bob needed to do this, and Mary needed to do that, etc. So, the real world walkthroughs really ensure that you’re spotting gaps in the game plans that you’ve got going on, and allow you to make some more solid updates to your business continuity and disaster recovery plans.
And ultimately, that’s what you’re trying to do. You’re not trying just to rearrange chairs and tables in a room. You’re actually, legitimately trying to make efficiency-based improvements.
Is that accurate? I mean, you want the plan to have some real world exercising, have it make sense to people, etc. And certainly, there’s lessons to be learned, especially as you’re going through those real world exercises, because you’re literally tripping across stuff that, oh crap, we totally forgot to do fill-in-the-blank, and it’s not written down type of thing. So, as you go through those incidents, having one of the backstops at the back end of it be going back to your plans, making material enhancements, updates, etc., that way, it might be two months from now, it might be two years from now that you experience a similar incident, but now you don’t have to lose the learning that’s already happened, if you will.
Yeah, that makes a ton of sense. Parting thoughts and shots for the folks this week? Well, the one thing that drives me nuts is, you’ve got these organizations that put these plans together. We talked about, you know, putting them up on the shelf and somebody kind of waves their scepter over, yeah, yeah, yeah, we reviewed it once a year type of thing, but they’re not really taking it seriously. And organizations, generally speaking, they seem to be reluctant to declare some type of an incident or a disaster. They don’t want to make any declarations that invoke their plans, and instead are under this continuous insistence that, oh, no, we haven’t had any incidents, you know, blah, blah, blah, like it’s some badge of honor. The reality is, you know, companies feel some type of a stigma about those declarations, and the folks that are involved, and the organization itself, have more of a tendency to look at it negatively. But keeping in mind, the disasters and the business continuity things that we need to get addressed, we’re talking a span of everything from asteroids taking out the eastern seaboard to losing power in a thunderstorm. Not everything’s the end of the world or some failure of the organization. The bottom line is that shit happens. Nothing’s 100% perfect ever. And because of the fact that you are invoking your plans, it’s not a bad thing. It really matters how you’re dealing with them, not the fact that it occurred.
The interesting part is that, you know, assessors will, you know, be hearing this bullshit coming from the organization about, we haven’t had any incidents all year, you know, blah, blah, blah. The assessors, honestly, will start to ask more questions if they hear that coming out of these people, because there’s no possible way you’ve kind of got these level one, holy crap emergencies, all the way down to level four, do some investigation style approach, and there’s no way you didn’t have anything happen all year long. So, the assessors, it’s funny, because I’ve seen them, they’ll start digging when they hear that. I’ve watched it unfold.
And the reality is that, you know, not only is the company worse off for not having leveraged their plans, but you’re also placing yourself under that greater scrutiny with the assessor, who is now more likely than not to try to find stuff, etc., to try to incent that organization to actually leverage their plans rather than let them collect dust on the shelf type of thing. The assessors as a group, they have this general notion or approach where they want to find improvements so that they feel like they’ve done their jobs properly. So, at the end of the day, it’s a lot easier for you to come to them and say, yeah, here’s a list of all of the things that we declared, either our business continuity or disaster recovery, here’s a list of them that we went through, and this is how we handled it, here’s where we made improvements and things along those lines. If you’re making those declarations, then as an organization, you’re better off because you field tested the business continuity and disaster recovery plans, you’ve checked the box of going through and making improvements to those plans, you’ve incorporated lessons learned to make those things better. The assessors, now they don’t have to walk in with scrutiny, now they actually feel more confident. They’re less stressed and more confident in the fact that, hey, this organization gets it, they’re doing all of these right things. The assessor feels like the organization is kind of better armed for being able to handle this type of stuff. So, as you’re going through, handling the incident properly, following your documented procedures, doing the after-event analysis, and turning that into improvements in your planning, etc., oh, the assessors are absolutely gonna love what they see. And it’s really, it’s kind of funny how organizations will take this notion of, you know, not wanting to declare this incident, etc. And really, they’re almost shooting themselves in the foot in the grand scheme of things.
So, that’s the one big thing that I would encourage organizations to do: stop being scared of declaring incidents, use these plans, get them buttoned up, make improvements to them, have a list for the assessor next go-around. You’re gonna actually see a much better and different reaction out of your assessor, versus just telling them, no, no, no, nothing’s happened and everything was perfect.
That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.