This moves us really nicely onto our second module, Business Continuity. We'll look at the goal of business continuity, business continuity planning, and also just a very brief discussion about business continuity in practice. Again, we can think about this as being broadly linear. We have an incident, business continuity helps us keep those things that are critical to our organization running, and then we move on to disaster recovery.
Here we are at business continuity, then. NIST, in SP 800-34 (Special Publication 800-34), talks about business continuity as sustaining business operations while recovering from a significant disruption. What's really important here is to understand what must continue to operate, or what we want to continue to operate, during this disruption, because it may be possible to cease some activities or at least to pause them. When we're in the middle of this adverse event, this contingency state, what do we want to continue?
We can look at trying to understand this by using business impact analysis. We can create a scenario to understand which things are more critical. Typically, we cannot pause legal, IT, and security. Some areas like planning, if you're an architect or you're dealing with strategic functions, can be paused. Understanding which functions can and cannot is really important for your business continuity plan. The more things you have to keep running, typically, the more complex it becomes.
We'll look at some controls in our next chapter. Things for business continuity that might help us include an uninterruptible power supply, for example, continuing to provide power when perhaps the mains power has been disrupted or when there's a surge of electricity.
A business continuity plan ultimately, whatever the recommendations, may need signing off by a C-level officer.
This is the documentation of a predetermined set of instructions or procedures that describe how an organization's mission or business processes can be sustained. We need to understand who we're involving, but also what needs protecting, what needs to continue. As I said, we can come up with a scenario to help us identify those things that need to continue running. Just as within our incident response, we need to understand when we're going to invoke our business continuity plan.
Some controls, then, as mentioned: an uninterruptible power supply. An alternate site, another site that has perhaps live available equipment to help us keep running. High availability: instead of one power supply in our servers or network equipment, we might want two power supplies. That way, if the first fails or fuses, the second can take over. Also, some preventative controls we link to business continuity planning.
We want to consider the people, the communication, and the authority that we need, and all plans need testing. Again, some industries are regulated, and that may specify not only that you need a plan, but how often you need to test the plan.
We can actually mature into our business continuity, and so too for incident response and disaster recovery. If we're just starting to do these things as an organization, unless regulation requires it, we can start off with what we would call a tabletop exercise. We can read through the plan, look at the documentation, make sure it all makes sense, that it hangs together, that it's right, that it reflects what we need. Then we could walk through; we could actually physically follow the plan around the organization. We're relying on these components, so do they actually exist? Are they in the right place? If we're saying we're relying on spare communications handsets, do they exist? Let's go and look at them.
Then ultimately, we can test individual elements of the plan, and then once we're mature enough, we can test the entire plan, actually invoke the entire plan.
In practice, just think about the pandemic for you. How did organizations continue to operate? If you think about this and you're not employed within an organization, think about education, if you're in school, high school, or university, or think about your household. How did you continue to operate? Supply chain problems apply to all three of those examples, at home, the workplace, education establishments: shortages of people, commodities. Did we have enough to survive?
Commonly, I saw people not having enough bandwidth as we pushed more people to work from home. To continue operations during periods of lockdown, people needed Internet connectivity, and a lot of residential connectivity providers had not created enough capacity. Lots of supply chain issues, not having the right components. Because everybody was working from home all of a sudden, some of the cloud-based services struggled for short periods of time, usually pretty short periods of time, but also things like VPN services. There was a shortage of hardware. At least I experienced a shortage of hardware, as did some of the people in organizations I worked alongside.
Invoking the plan. How did you communicate, or how were changes communicated to you? Again, think about the home, education, your workplace. Did you have the right capacity? Were we able to work remotely? Did we have the right tools, but also the right training?
How many of us have actually documented the lessons that we learned during the pandemic? As we move towards the end of the pandemic, for most of us, how many of us have actually documented effectively what worked well and what we need to improve? Really interesting.