Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/15/2020
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Rethinking Resilience: Tips for Your Disaster Recovery Plan

As more organizations face disruptions, a defined approach to recovery is imperative so they can successfully recover, experts say.

The worst time to learn your disaster recovery plan is outdated is when a disaster occurs. As more businesses are prompted to turn to recovery plans, many have learned there is room for improvement to create a defined approach to recovery so they can bounce back from incidents.

Between 70% and 75% of organizations activated recovery plans in the last two years, Gartner research vice president Roberta Witty said in a talk during this week's Security and Risk Management Summit. Of the 298 that did IT disaster recovery, 23% report addressing one incident; 22% report two; 16%, three; 7%, four; and 8% report at least five events.

Related Content:

Security Through an Economics Lens: A Guide for CISOs

Special Report: Computing's New Normal, a Dark Reading Perspective

New on The Edge: Think You're Spending Enough on Security?

"With so many organizations having disruptions — up to five events over the last 24 months — having a defined approach for a recovery plan is imperative so you can successfully recover from all types of events," Witty explained.

There are several reasons why existing business recovery plans aren't effective. Many of these plans are outdated, for one, and often organizations lack the situational awareness they need to properly respond to any given security incident.

"Lots of times, you don't have enough information about the actual crisis at hand," she said. "The plans and procedures you've defined don't really align with what's taking place in that moment." Other problems include the development of an enterprisewide plan and neglecting to use automation, without which it's harder for businesses to align, update, and use plans.

Of course, there's no such thing as a generic recovery plan. Each plan has to be specific to the company using it, she added, and a strong plan starts with a strong program and governance structure. This means taking the time to detail each phase of business continuity management: program development and governance, recovery requirements, risk mitigation, recovery plan development, exercises and staff training, and program maintenance and management.

"Failing to document plans appropriately, and at the appropriate level of detail, may lead to a delayed or incomplete recovery," Witty said.

She detailed some key challenges that organizations are likely to face as they build disaster recovery plans. The first is lack of strong support for business continuity management at the executive level. Business and executive teams may not think a crisis will happen or feel overconfident in their ability to handle it. If the company is large and complex, it may not understand the full scope of a plan. "Business units think business continuity is all IT's problem," she added.

The solution here is to define a strategy that details each executive's responsibility across the organization. A crisis or emergency management, for example, may fall to the CEO, president, or legal department; an IT disaster would fall under the purview of the CIO. Third-party contingency processes may fall to procurement.

Another key challenge is not having a recovery plan framework in place — or having a recovery plan that is so complicated or high-level that it's almost unusable, Witty said. The most common types of recovery plans include business continuity plans, IT disaster recovery plans, third-party contingency plans, and crisis management and communications plans. Others include pandemic plans, return-to-workplace plans, or succession management plans.

The amount of plans an organization has largely depends on its footprint: Is it a global business, or does it only have one operating location? Are there multiple business units, or regional distribution of the business? All of these can dictate the kinds of plans that are most relevant.

"Businesses are still not taking recovery seriously," said David Gregory, senior director and analyst in Gartner's risk and security division, in a separate session focused on business continuity management. As more organizations depend on digital infrastructure, the need to adopt an integrated approach will continue to grow.

"Security and risk management leaders will need to look beyond IT failures to ensure there are resilient structures in place," Gregory said. 

Writing Tips for Recovery Plan Development
Witty encouraged businesses to be "prescriptive, not narrative" when writing disaster recovery plans. Include the who, when, and how of the way processes should unfold. Include sections to detail specific scenarios or hazards that people might face should a specific incident take place.

"Don't recreate standard operating procedures," she emphasized. "A recovery plan is not to redo what's already documented." She suggested using graphics whenever possible, as readers can consume content by viewing a graphic faster than they can reading blocks of text. 

When writing out procedures, avoid using data that can easily change. Instead of referring to people by name, write their role instead. In the appendix, list which people hold each position for reference.

While every recovery plan may look different, aspects of the table of contents should look the same. Witty advised including a document management section to detail what the plan is for, a change history, and a glossary of terms. It should also include a reference guide that defines the scope and purpose of plans, and sections for how to use the plan and overview of strategy.

Each plan should have roles and responsibilities defined, along with an overview of procedures, she continued. Five sections are crucial: how to activate the plan, how to respond to the event, how to recover, how to restore and move back to production, and how to deactivate the plan.

It helps to have sections on how the plan will be maintained and how often it will be exercised. Appendices can include additional information such as maps and checklists, role-to-person mapping, and lists of vendors and trusted sources to contact when an incident occurs.

Witty advised creating disaster declaration levels, something that "few organizations do well, and when they do it well, it really makes a difference. What are those thresholds that would make you have to declare a crisis?" Having an outline for what constitutes a crisis will cut down on the guesswork for when it's time to declare an emergency.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27014
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains a race condition vulnerability in the Web Threat Protection Blocklist component, that if exploited, could allow an attacker to case a kernel panic or crash. An attacker must first obtain the ability to execute high-privileged code on the targ...
CVE-2020-27015
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure vulnerability that if exploited, could allow kernel pointers and debug messages to leak to userland. An attacker must first obtain the ability to execute high-privi...
CVE-2020-27885
PUBLISHED: 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s pass...
CVE-2020-25646
PUBLISHED: 2020-10-29
A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality
CVE-2020-26205
PUBLISHED: 2020-10-29
Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view.