Today’s news cycle is all about the impact that coronavirus/COVID-19 is having on the world’s economy and on the health and welfare of nearly everyone. I am sure you are prepared to handle the loss of a server or to recover lost data, but what about your staff? Does your business continuity planning include the loss of people as part of your operational resources? If not, it should!
Wondering how all this aligns with the PCI Data Security Standard (DSS)? PCI DSS Requirement 12.10 requires an incident response plan, and that plan must include business recovery and continuity procedures for the wake of a data breach; what I’m about to share here follows the same organizational best practices.
“People Impact” and Business Continuity
When developing an Incident Response Plan (IRP) or Disaster Recovery Plan (DRP), you should plan and test for a loss of staffing as well, demonstrating that you can still perform the required business recovery tasks without specific individuals, or at least with reduced resources. In today’s business environment, how have you addressed the loss of any critical staffing role?
There are numerous scenarios that can be planned for:
- Serious Illness – Serious illness of one or more staff members has an impact on the critical roles required to service your clients. In most cases, cross-training staff removes the single point of failure in a process. In other cases you may have to rearchitect the process so that your DRP no longer depends on one person. When testing your IRP and DRP, asking a critical individual to sit out will validate whether the organization can still recover without them.
- Weather-Based Events – Snowstorms, hurricanes, etc., affect the availability of your in-office staff. Do you have a plan in place for departmental and/or organization-wide remote working? Employees who are normally in the office should know how to connect to the office remotely when necessary, and your company’s VPN should be sized to handle the surge in remote employee traffic.
- Disgruntled Employees Leaving the Organization – We have all heard about the former administrator who breaks back into an organization for nefarious purposes after being terminated. Does your incident response plan account for these types of actions? When you terminate administrative staff, do you have a process to ensure they are truly locked out: accounts disabled, privileged group memberships removed, VPN and other remote access revoked, shared credentials they knew rotated, and physical access removed?
Data Security and Business Continuity
Security continuity and business continuity go hand in hand. While you likely have a plan to make sure the phones are still being answered, you should also make sure the controls that protect your client data are still being operated. The daily care and feeding of your security program is just as important as picking up the phone. Develop contingency plans to review your logs and to remove accounts and physical access for individuals no longer employed.
Your Business Continuity Plan (BCP) should include controls that address people and processes, not just technology. For each of these, the ability to recover the security functionality is paramount to customer confidence in the services you provide. Make sure you have an educated staff that can perform in stressful situations, and that you have planned for operating at limited capacity during those times.
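The two points above, confirming that a terminated administrator is truly locked out and having a contingency process to remove accounts and physical access for people who have left, come down to one reconciliation: take the HR list of who has departed and compare it against every system that grants access. The following Python script is an added example, not code from the original post. The HR feed, directory export, VPN certificate list, badge export and shared-credential register are all constructed for illustration and their layouts are assumptions; in practice you would pull the same fields from your own directory, VPN concentrator, badge system and password vault.

```python
"""Offboarding lockout audit: added example, not code from the original post.

Reconciles the HR list of departed staff against exports from each system
that grants access and reports any access that outlived the termination.
Every data set below is constructed for illustration and its layout is an
assumption about what your own exports look like.
"""
from dataclasses import dataclass
from datetime import date

# Date the audit is run (assumed).
AS_OF = date(2020, 3, 12)

# Constructed HR feed: user -> termination date.
TERMINATED = {
    "jdoe": date(2020, 3, 2),
    "asmith": date(2020, 3, 9),
}

# Constructed directory export: account state, privileged groups, last logon.
DIRECTORY = [
    {"user": "jdoe", "enabled": True, "groups": ["Domain Admins"], "last_logon": date(2020, 3, 5)},
    {"user": "asmith", "enabled": False, "groups": [], "last_logon": date(2020, 3, 6)},
    {"user": "bnguyen", "enabled": True, "groups": ["Domain Admins"], "last_logon": date(2020, 3, 10)},
]

# Constructed VPN export: user -> expiry date of their client certificate.
VPN_CERTS = {"jdoe": date(2021, 1, 1), "bnguyen": date(2021, 1, 1)}

# Constructed badge-system export: users whose badges are still active.
ACTIVE_BADGES = {"asmith", "bnguyen"}

# Constructed shared-credential register: secret -> who knew it, last rotation.
SHARED_SECRETS = {
    "backup-root": {"knowers": {"jdoe", "bnguyen"}, "rotated": date(2019, 11, 1)},
    "fw-enable": {"knowers": {"bnguyen"}, "rotated": date(2020, 2, 1)},
}


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def audit_lockout(terminated, directory, vpn_certs, badges, shared_secrets, today):
    """Return one Finding per piece of access a departed user still holds."""
    findings = []
    by_user = {acct["user"]: acct for acct in directory}
    for user, left_on in terminated.items():
        acct = by_user.get(user)
        if acct is not None:
            if acct["enabled"]:
                findings.append(Finding(user, "directory account still enabled"))
            if acct["groups"]:
                findings.append(Finding(user, "still in privileged groups: " + ", ".join(acct["groups"])))
            # A logon after the termination date is evidence the access was used,
            # not just left behind: treat it as an incident, not an offboarding miss.
            if acct["last_logon"] > left_on:
                findings.append(Finding(user, f"logon on {acct['last_logon']} after termination on {left_on}"))
        # Disabling the account is not enough if a VPN client certificate still validates.
        if vpn_certs.get(user, today) > today:
            findings.append(Finding(user, "VPN client certificate still valid"))
        if user in badges:
            findings.append(Finding(user, "physical access badge still active"))
        # Anything they knew that has not been rotated since they left is still theirs.
        for name, rec in shared_secrets.items():
            if user in rec["knowers"] and rec["rotated"] < left_on:
                findings.append(Finding(user, f"shared secret {name!r} not rotated since departure"))
    return findings


def post_termination_logons(findings):
    """Subset of findings showing access was actually used after departure."""
    return [f for f in findings if f.issue.startswith("logon on")]


def run_audit():
    """Run the audit over the constructed data sets above."""
    return audit_lockout(TERMINATED, DIRECTORY, VPN_CERTS, ACTIVE_BADGES, SHARED_SECRETS, AS_OF)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.user}: {f.issue}")
```

Run against the constructed data, the report shows that jdoe's account was never disabled, is still in Domain Admins, logged on three days after termination, still holds a valid VPN certificate and still knows an unrotated shared secret, while asmith's account was correctly disabled but the badge was forgotten. Scheduling this reconciliation to run automatically is the contingency plan for account removal: it keeps working when the person who normally handles offboarding is out sick or stuck at home in a snowstorm.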
Test It Before You Have to Use It
In times like these, and in the other scenarios I’ve described above, it is mission critical that each of your employees knows how to play their position. The only way to be confident that your incident response and disaster recovery plans provide for business continuity is to review and test them regularly.