KBA Sept./Oct 2019

In the course of reviewing a financial institution's information security program, we will invariably come to the point of assessing the organization's business continuity plan. In doing so, it's not uncommon to need to provide clarification as to the difference between business continuity planning, disaster recovery preparations, and incident management and response.

There is certainly a degree of overlap or redundancy among each of these three strategies, but each has its place in an organization's planning and preparing regimen, and each addresses its own collection of unique considerations. Those responsible for maintaining their financial institution's information security program must have a clear understanding of each of these aspects of continuity planning, recognize their similarities and differences, and be able to integrate each into a comprehensive strategy for addressing interruptions in their organization's processes.

Though interpretations vary and often turn into little more than semantic debates, some generally accepted distinctions may be made. One factor by which to evaluate the differences between disaster recovery, business continuity, and incident response is the scope or scale of the particular events each plan addresses.

Business Continuity

Business continuity planning is the process of developing a comprehensive written plan that addresses recovery from interruptions in business processes at a detailed level. An organization's business continuity plan will typically comprise a substantial document based on thorough risk assessments, prioritization of business processes, analysis of maximum allowable downtimes and other recovery timeframes, and much more.

An organization's business continuity plan is an umbrella of sorts. It considers all aspects of preparing for, mitigating, and responding to reasonably foreseeable interruptions in business processes. It can serve as a playbook that details each person's roles and responsibilities in recovering from all kinds of business disruptions, including such events as power outages, connectivity disruptions, biological pandemics, or branch closures.

Disaster Recovery

Disaster recovery planning has a much broader scope, taking into consideration such calamitous events as hurricanes, earthquakes, and other large-scale service and infrastructure disruptions. A disaster recovery plan is concerned with restoring at least minimal operational capacity after a catastrophic or otherwise substantial loss, and is necessarily less granular than a business continuity plan.

Whereas the business continuity plan is developed using an in-depth, risk-based approach that is specific to the organization's business processes, disaster recovery planning must instead take into consideration events that have little or nothing to do with the financial institution's particular processes or operations. To put it another way, a tornado does not care about the significance of your vendor relationships or the controls you've put in place to mitigate the risk of malware infections.

Incident Response

Incident response serves as a point of contact or commonality between business continuity and disaster recovery. While business continuity and disaster recovery planning encompass the relatively broad scopes of general operational continuity and major catastrophic events respectively, incident response planning instead addresses particular, discrete, time-based incidents that may occur in the course of any disruption of an organization's operations. It is the development of tactical, systematic response and recovery procedures for specific events such as man-in-the-middle or denial-of-service attacks on your network, unauthorized access to sensitive assets or information, power outages, or any other particular event that has affected your organization.

An incident response plan may be a subset of either your business continuity plan or your disaster recovery plan, depending on the scope and nature of the event that has occurred. For example, if the event is merely a half-day power outage, your incident response may fall within the context of business continuity – just keeping operations running in the face of the event. Alternatively, if the event is a major disaster such as a tornado or other widespread infrastructure breakdown, you may have to execute multiple incident response plans in the course of a more broadly scoped disaster recovery effort.

Relationship between BCP, Disaster Recovery, and Incident Response

Business continuity, disaster recovery, and incident response planning each play an important role in an organization's preparedness program. Though there are certainly similarities between the three, it's important to be aware of the differences that make each strategy unique and necessary. The absence of any of these three considerations renders an organization's continuity planning incomplete and increases the risk of delayed, incomplete, or ineffective responses to operational interruptions, large-scale disasters, and other disruptive events. It's important that those responsible for developing their financial institution's information security program recognize the role each of these strategies plays, and ensure they are integrating each into their organization's continuity planning program.