Continuity Planning
Work with the best to prepare for the worst.
Plans you’ll be glad you have or wish you did.
Organizations must plan for response and recovery from all types of disruptions—pandemics, data breaches, civil unrest, environmental disasters, and everything in between. If it’s plausible to occur, a plan is needed. Assura helps you develop a complete organizational Continuity Planning solution.
What do the plans include?
• An assessment by continuity experts
• Strategy development
• All necessary elements of planning
• Help with strategy implementation
• Management of the program going forward if needed
As a part of this, everyone in the organization needs to know their roles and responsibilities before, during, and after an event. So make no mistake about it, continuity planning isn’t solely an IT initiative. It’s something the whole organization must own and drive, from top leadership down to the employees. That’s the only way a Continuity Program can be successful. And Assura can help make it happen.
Our Continuity Planning Process
1. Policy Development & Leadership Commitment
First Foundational Steps in the Program
- Policy is the construct for organizational commitment now and in the future.
- Key executives and performers are identified and given essential responsibilities.
- These steps ensure planning is conducted, resources are obtained, and the organization is always ready.
2. Business Impact Analysis & Continuity Risk Assessment
Business Impact Analysis (BIA)
How do you know what to plan for, what should be recovered, and in what timeframe? The BIA helps to answer these questions. The analysis performed by our consultants gathers information from every department in the organization. With each department, they dissect its business processes, the impact on the organization if those processes are unavailable for different lengths of time, and the resources (people and technology) needed to run them. The BIA takes the guesswork out of recovery so you avoid playing whack-a-mole with your response.
- The BIA details all processes performed (not just critical or mission essential).
- Establishes Recovery Time Objectives (RTO) for business processes and IT systems, and Recovery Point Objectives (RPO) for data recovery.
Continuity Risk Assessment
The world is dangerous, and various threats can affect your operations. So how does one know which to plan for and how they may impact the organization? The answer is a Risk Assessment. Without it, you could be planning for the wrong events.
Through research and analysis, we determine which threats to your operations are most likely to occur and reveal their impact. This process helps narrow the planning focus to first address the most credible threats. While this will include IT risks, that is just one part. We look at all business risks from various sectors, both natural and human-caused events.
- Establishes potential and likely risks to the organization by determining probability and impact.
- Risk Assessment data is then combined with the impact data from the BIA to prioritize the most critical risks that must be addressed.
3. Recovery Strategy Development
You’ve mapped your business processes, know your risks, and what needs remediation first—now what?
You need to develop organizational strategies that address the most risks, ensure availability, reduce cost, improve operations, and maintain compliance with various regulations all at the same time.
These requirements may seem overwhelming, but our planners develop recovery strategies that address these items for you. We also take leadership through the decision-making process to determine the right-sized strategy for the organization and the available resources.
Strategies can include:
- Adding recovery capabilities to the organization
- Engaging recovery vendors
- Entering into agreements with other organizations to share joint recovery responsibilities
4. Continuity Plan Development
Each area of your organization has a part to play in recovery, but do they know that?
Assura’s continuity plans are right-sized for the various parts of the organization and the critical role each plays in recovery. Since we take a holistic view of recovering the entire organization (and not just one division), we develop plans that work together under a common command and control structure. Each plan contains action items appropriate for its personnel if and when they are called on for recovery. This approach ensures your recovery is coordinated and controlled.
Listed below are just some of the continuity plans we develop. Wherever your organization is on its recovery planning journey, we can create a plan that meets your needs.
(Note: Many of our clients get a foundational plan in place and then develop more over time as their program matures.)
- Emergency Response Plan – Maintains life safety. Can include actions to shelter in place, evacuate the building, or provide temporary medical treatment until EMTs arrive.
- Crisis Management Plan – An executive command-and-control plan for major events.
- Continuity Plan – Organization-wide recovery plan that details activities for recovery of all business processes.
- IT Disaster Recovery Plan – A plan that details the resources and activities necessary to recover the IT environment. Includes cloud services.
- Department Recovery Plan – Plans developed for each department that provide detailed department process recovery information and can go to the procedure level if necessary.
- Incident Response Plan – Commonly referred to as Incident Response (IR) or CIRT (Computer Incident Response Team) plans. These focus on preparation, detection, response (including containment and forensic analysis activities), and recovery (including restoration of systems and data and other activities) to return breached systems to “normal” operations.
5. Implementation and Maintenance
Implementation
Now that your program and plans are in place, it’s time for implementation. Your folks need to be set up for success by receiving world-class training on their plan and how to maintain a state of readiness for any business interruption. We then will conduct an exercise so people can practice their new skills.
Training and Skills Building
Implementation activities can include performing various types of training to subject matter experts, executives, and employees based upon their roles and responsibilities during a disaster.
Continuity and Disaster Recovery Exercises
Continuity exercises take participants through a disaster scenario and have them practice their actions to return to “normal” operations (as it aligns with the Continuity Program and their respective recovery plans).
Maintenance
You have spent all of the time and effort building a new recovery capability, training your people, and creating a culture of awareness and response. Don’t let it go by the wayside. With just a little time, Assura can make sure that your program is maintained and able to address any new business interruption threat that may occur.
This maintenance includes all the activities necessary to keep the program actionable and responsive to the organization’s recovery requirements.
Typical activities include:
- Annual recovery requirements review (i.e., an annual BIA review or refresh, or one performed after major changes).
- Annual review and updates of plans.
- Updates of plans after training and exercises.
- Performing regular program compliance activities (e.g., scheduling program audits, exercises, and evaluations).
Compliance and security for any industry.
Guaranteed compliance with the following standards and regulations.
ISO 22301 Business Continuity Management System
NIST 800-34 Continuity Planning
DRI International Professional Practices
BCI Good Practice Guidelines
CJIS
COBIT
FERPA
FFIEC
FFIEC CAT
CMMC Registered Provider Organization (RPO)
GDPR
HIPAA/HITECH
HITRUST CSF
ISO 27001/27002
ISO 31000
IRS 1075
NIST CSF
NIST SP 800-53
NIST SP 800-37
NIST SP 800-171
PCI DSS
GLBA
SOX
SSAE-18/SOC 2 & SOC for Cybersecurity
State-level data breach reporting and cyber security standards and data protection laws
If you get audited, Assura has you covered. Our AuditArmor® Audit Defense Guarantee means that we guarantee our work to be compliant with the identified cybersecurity frameworks and regulatory requirements (unless waived by you). We defend our work at no additional cost. Yes, we’re serious. And yes, we’re that confident in the quality of our work. We have you covered from entrance conference to exit conference and will work with your auditor or regulator to defend our work. On the off chance that a change needs to be made to the deliverable, we’ll do that for free. It’s that simple.
How we’ve helped to protect industries like yours.
A university approached Assura with a unique challenge that most other organizations don’t have. Because they employ students to help run various aspects of the school, they needed a way to ensure these work-study employees didn’t accidentally put the university’s data at risk.
With attacks on municipalities on the rise, a midsized county in Virginia knew it needed to improve its cybersecurity posture. The problem was they were not sure where to begin. So they enlisted our services to help them determine their strengths and vulnerabilities.
Organizations are inundated with hundreds of thousands of vulnerabilities every year. After years of experience, we know most organizations can only patch about 1 in 10 (10%) vulnerabilities discovered in their environment based on resource capacity.