If the global COVID-19 pandemic wasn’t enough of a challenge for Houston businesses, we now have hurricane season to look forward to.
How are your disaster recovery preparations? Have you tested your plan and trained up your staff? Are your existing storage and backup tools fit for purpose? Do you even know where to start?
This article sets out what you need to know and do to prepare for a hurricane-borne IT disaster. We suggest you read it before June 1st so you can be as prepared as possible if and when your business is affected.
PennComp offers enterprise-grade backup and disaster recovery services for Houston businesses so reach out to us for any further assistance.
Meeting Your Responsibilities
As a Houston business, you don’t need reminding that hurricanes can have a catastrophic impact on businesses, the worst racking up hundreds of billions of dollars of cumulative damage.
But having a disaster recovery/business continuity plan in place for the most critical threats to your operational health is not just common business sense; it’s likely to form part of your corporate responsibilities under whatever regulatory frameworks you follow.
GDPR, PCI DSS, HIPAA, SOX and FedRAMP are just a few examples of frameworks which will have something to say if data is mismanaged during a disaster.
Fortunately, there is a policy framework that can cover most (if not all) of the areas of concern: the NIST Framework.
Using the NIST Framework to Create Your Disaster Recovery/Business Continuity Plan
The NIST Cybersecurity Framework is something of a bible to the info-sec community, and it is worth linking to it from your intranet home page.
Clearly, the Recover (green) segment of the framework is where we need to cast our attention for guidance on disaster recovery and business continuity. It is divided into three categories as follows:
- Recovery Planning
The NIST Framework operates as a signposting system that points out relevant resources applicable to each subsection. Resources include but are not limited to NIST Special Publications. In relation to recovery planning, the Framework refers to document SP 800-53. Specifically, it refers to controls CP-10, IR-4 and IR-8, which are fully detailed in Appendix F of the document.
We won’t detail everything covered in these controls in this blog post, but to summarize, CP-10 sets out the following recommendations:
- Organizations must prioritize which business systems are operationally critical, choose an objective which constitutes successful recovery and set metrics for measuring progress against this objective.
- Where transaction-based systems are in place, transaction recovery needs to be covered in your plan. Mechanisms include transaction rollback and transaction journaling.
- Reimaging, where data are restored to a previous known operational state, also needs to be in the plan.
- Protective measures for hardware, firmware and software backups need to be specified (more details on how PennComp can help source next-gen backup support are at the end of this guide).
- CP-10 also covers the winding down of interim systems and the reauthorization, testing, monitoring and future-proofing of the recovered systems.
IR-4 and IR-8 then focus on incident handling and incident planning. These controls include the need to integrate incident handling with contingency planning, as this will minimize costly downtime and ensure business continuity.
- Improvements
This category is subdivided into two. The first looks at incorporating the lessons learned from the hurricane (or other disaster). The second is focused on updating recovery strategies.
The supporting references include SP 800-53 CP-2 and, again, IR-4 and IR-8.
- Communications
Finally, this category is subdivided into three: PR, reputation management, and internal and external communications.
The supporting references include SP 800-53 CP-2 and IR-4.
A Six Step Plan to Full Disaster Recovery
If you don’t want to trawl through the NIST Framework and its associated references, here is a digestible six-step plan based on the Framework.
Step 1: Scoping your disaster recovery plan
Setting the scope of your disaster recovery plan is a vital first step because it enables you to organize your disaster response strategy around the specific risks you face. For example, if you have a sister office in Ohio, you are not going to be too concerned about including it in your hurricane season preparations (apart from as an emergency business center).
However, any offices in Texas and Florida should probably have a separate hurricane disaster recovery plan that forms part of your ongoing training and induction processes.
Other potential disasters include terrorist attacks and civil unrest, cybercrime (e.g. DDoS or ransomware attacks) and other natural disasters (forest fires, floods, earthquakes and, yes, global pandemics!).
While some disasters, like our hurricanes, will be place and/or time specific, others are less predictable. The purpose of the scoping exercise is to triage your threat landscape and come up with the most efficient responses based on your threat exposure and risk appetite (remembering that there is no such thing as a zero probability risk).
Step 2: Carry out a Business Impact Analysis (BIA)
This is where you decide upon which systems and components are most critical to your operations and assign a relative priority and action plan to them. Questions you need to ask include:
- What would happen if this system/component went down?
- How long could we handle downtime with this system?
- What resources would we need to bring this system back online?
- How much risk are we willing to bear?
From that information you can decide, for each component or system, whether you will prioritize its full recovery, establish a replacement system, decide on a minimum state of recovery or allow the system to go down (the automatic soda machine can probably take a hit).
Step 3: Look at prevention
As any hockey player will tell you, you don’t look for where the puck is – you look for where it’s going to be. This step is about putting measures in place to ward off disaster before it strikes. One example is to upgrade your backup and data storage solutions as we detail at the end of this guide.
Step 4: Create incident response and contingency strategies
Following on from Step 2, draw up an incident response plan and a contingency strategy ready for if and when the hurricane hits. Knit these together so you know exactly when and how to move to Plan B. Your incident response strategy should include named team members in key roles plus reserves in case of employee absence.
Step 5: Train and test
When is the worst time to train your team on your disaster recovery plan? Just after the hurricane has hit. As soon as you have a plan up and running you need to be integrating it into your ongoing and induction training program. As soon as possible, make sure everyone knows where to access the plan and what they are expected to do.
Where possible, use a pen test approach. Unleash a false flag attack on your own systems and ask your disaster recovery team to get you back online. Obviously we don’t recommend this for mission-critical processes.
Step 6: Review and upgrade
Your disaster recovery/business continuity plan should be treated as a living document. Schedule regular reviews and supplement these with additional reviews whenever you bring a new system online or reorganize your corporate structure.
Do You Need to Upgrade Your Data Recovery, Storage and Protection Tools?
If you’ve taken your existing data backup and storage processes for granted up until now (after all, that’s what they are for!) you may well find that you are in need of an upgrade.
This is especially the case if you have recently migrated to a cloud or hybrid-based architecture but are still using backup and data recovery solutions built for on-prem usage.
Before you start working on an RFP, we recommend contacting the team at PennComp as we can help support your transition to a next gen solution.
For example, we can help you to integrate Veeam backup and data management solutions or StorageCraft next-gen ‘plug-and-play’ data protection into your business systems. For more information on disaster recovery plans and tools, including how PennComp IT Support can help you prepare for or recover from a hurricane hit, please don’t hesitate to contact us.