One of the most important aspects of a small business Information Security Policy is the Business Continuity/Disaster Recovery Plan (BCP). The BCP covers what your small business should do in the event of anything from losing your network server to losing complete access to your office space. It is your plan to ensure that you can continue to offer your products and/or services to your client base during any business operation downtime, essentially keeping your business up and running and your data secure.
I covered some basic steps in my 5 Step Data Security Plan for Small Businesses, so first let’s recap.
- A BCP is a plan to determine who is in charge and who is responsible for each action.
- Key personnel contact information – Obviously for contact but also to set in motion pre-assigned duties and responsibilities.
- Key contact information for service providers such as third party network administrators, security monitoring, phone, internet, etc.
- Key contact information for your local police in addition to your legal representation.
- Backup communications plan
All of the above points are essential elements of a well-defined BCP, but let’s now expand on what the small business BCP should include.
- You need to define your BCP (what scenarios it covers) and who is responsible for activating and coordinating the plan.
- Set up a timeline for testing, reviewing, and making changes to your plan. As a general rule of thumb, testing (items such as restoring your backups) should be done twice a year, while reviewing your BCP can be done yearly.
- How is your data backed up? How long will it take to restore the data? And can you access it remotely?
- What should you do in the event you lose access to your office? Do you have an alternate location? How will employees be able to contact each other and clients, and log in to your network?
- What if you can’t reach key employees? Who are the backups, and who is responsible for what scenario?
- What about a loss of communications? Can you access your email in the event your server is down? Do you have mobile phone communications for all key employees?
- What if you lose your equipment and/or software? Do you have a replacement list of essential assets and software? Do you have mobile backups, such as laptops, you can use for access until you can replace equipment and software?
- What about your important documentation? Is it properly secured and protected? Have you copied important documents and filed them electronically so you can access them?
- And finally, although it is not necessary, you may want to include a list of likely scenarios and how you would react to each scenario.
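The list above asks you to test restoring your backups and to know how long a restore takes. The script below is an added example, not part of the original post, showing what such a test looks like in practice: it builds a small constructed data set (stand-in files under a temporary directory, not real business data), records a checksum manifest, backs the data up with tar, restores it into an empty directory, times the restore, and verifies every restored file against the manifest. A second function shows that a corrupted restore is caught. All paths and file contents are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Backup restore test. Sample data is constructed here; substitute your own
# backup and restore commands in run_backup and run_restore.
set -eu

WORK="${TMPDIR:-/tmp}/bcp_restore_test.$$"   # assumed scratch location

# Build a small constructed data set to stand in for the business's files.
make_sample_data() {
  mkdir -p "$WORK/live/clients" "$WORK/live/invoices"
  printf 'Acme Corp, contact: placeholder@example.com\n' > "$WORK/live/clients/acme.txt"
  printf 'INV-0001,2024-01-15,1250.00\n' > "$WORK/live/invoices/jan.csv"
}

# Record a checksum of every file before backup; the restore must reproduce these.
make_manifest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$2"
}

# Create the backup archive (replace with your real backup command).
run_backup() {
  tar -czf "$WORK/backup.tgz" -C "$WORK/live" .
}

# Restore into an empty directory and print the elapsed seconds.
run_restore() {
  mkdir -p "$WORK/restore"
  start=$(date +%s)
  tar -xzf "$WORK/backup.tgz" -C "$WORK/restore"
  end=$(date +%s)
  echo $((end - start))
}

# Succeeds only if every file in the manifest has the same hash in the restored tree.
verify_restore() {
  (cd "$WORK/restore" && sha256sum -c --quiet "$WORK/manifest.sha256")
}

# Full cycle: data -> manifest -> backup -> restore -> verify. Returns 0 on success.
restore_test() {
  rm -rf "$WORK"
  make_sample_data
  make_manifest "$WORK/live" "$WORK/manifest.sha256"
  run_backup
  secs=$(run_restore)
  if verify_restore; then
    echo "PASS: restore verified in ${secs}s"
    return 0
  else
    echo "FAIL: restored data does not match manifest"
    return 1
  fi
}

# Damage one restored file and confirm the verification step notices it.
tamper_detected() {
  printf 'corrupted\n' >> "$WORK/restore/invoices/jan.csv"
  if verify_restore; then
    return 1   # verification should not pass on altered data
  else
    return 0
  fi
}

restore_test
```

Run it on a schedule matching your testing timeline and keep the printed restore time with the BCP, so the "how long will it take" question has a measured answer rather than a guess. If the restored data ever fails the manifest check, that is the moment to fix the backup process, not during a real outage.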
Follow these simple steps, and you can easily create a Business Continuity Plan for your small business. And remember to make sure key personnel have copies so they know exactly what to do in the event of an emergency.