Business Resumption Plan (The 12 Step Process to Creating an Effective BRP)

Max Pierce - FEBRUARY 18, 2022

A Business Resumption Plan, or BRP, is a document that outlines the steps a business will take to resume operations after a cyber event.

Insider Insight: A business resumption plan is useful for any event that occurs that may shut down business operations, this can include natural disasters, systems failures, or as we will cover in this article; cyber-attacks.

This document is critical for businesses of all sizes, as it serves as your roadmap to get back to an operating state following an incident.

Important: Developing (and maintaining) a business resumption plan is particularly important for businesses in “cyber-sensitive verticals”. If your business has access to confidential information, you likely are in a cyber-sensitive industry.

Why create a Business Resumption Plan?

To determine and document critical functions and/or processes.
To determine a tolerable amount of time that these functions could be unavailable
To determine and document the resources (people, systems, processes, equipment, & partner) required to support the processes outlined above under normal operating conditions.
To reduce the amount of testing and/or of development of new procedures when the normal functions have already failed ie. preparation.
To determine and document alternate methods of performing critical business functions.
To determine any single point of failure within a business system, especially those that have substantial business dependencies.
To lay a framework for decision-making following a business incident.
To provide a plan to notify necessary parties following a business incident. This includes people such as your insurance agent, board members, executive teams, owners, your customers, and local & federal authorities.

Insider Insight: As I’m sure you have gathered, this is not a trivial process. Developing an effective business resumption plan that is consistently tested is a large undertaking.

The best way to approach business resumption planning is to work with an expert team. For smaller businesses, a business resumption plan will be considerably less complex. You can likely create your own simplified business resumption plan if you are a very small business.

How to create your Business Resumption Plan

Step 1 -> Build your team & determine the scope

An effective business resumption plan will likely involve your entire team in some capacity. To properly utilize your team to their highest potential, you will need to have key members from each department contribute to your BRP.

A historically effective setup is:

Appoint a coordinator: This is your go-to person who will be responsible for creating, maintaining, & championing your business resumption plan within your organization. They will serve as the primary source of knowledge on your business resumption plan and will likely be a key player in your recovery process.
Assemble a team: These are your key contributors to your business resumption plan. They will handle the creation & execution of your business resumption plan if an event occurs

Important: It is vital to ensure that your BRP does not rely on a few individuals, your plan should be able to be realistically executed by a multitude of different parties. This ensures continuity in case those few key individuals are inaccessible.

Develop a work plan & schedule: This is your “pre-execution” phase where you get your loose plans together. This should include your key players and a general summary of your business resumption plan.

Insider Insight: Exceptionally complex plans with mountains of documentation often get ignored. Be precise when writing documentation and exclude everything that is not necessary. Remember, this needs to be executed in the event of an emergency. Time will be of the essence.

Step 2 -> Create a Business Impact Analysis

This analysis will help you understand the potential impacts of an incident on your business.

Here you will be identifying critical business processes and prioritizing those processes according to operating importance. When determining the importance of any given critical business process, it is important to remember to include the impact that this business process has on staff, equipment, and your systems. If this particular process has many high-dependency processes attached to it, it is a high-priority item.

Here you will also consider the impact of various emergency events. Remember, critical business failures can occur as a result of a variety of events.

For example, if a ransomware event occurs, how will you deal with your business network being inaccessible? How will you do payroll for your employees? How will coordinate with your partners? How will you ensure your invoices are paid on time? How will you manage the reputation impact?

Common business disasters include:

Cash flow interruptions
Personal injury lawsuits
Cyber-attacks
Intellectual property lawsuits
Natural disasters
Fraud
Scandals
Self-inflicted outages
Employee sabotage

Insider Insight: You should make educated assumptions of which emergency events are going to occur and the amount of time that critical business processes will be affected. Prioritize these events according to their likelihood of occurrence.

It is important to have this information before developing your plan, as it will help guide your decision-making process.

Step 3 -> Conduct a Risk Assessment

A comprehensive cybersecurity assessment is a critical component of determining an organization’s cybersecurity posture.

The goals of an assessment are as follows:

Identify vulnerabilities and mitigate gaps in your security. Save your business from substantial financial loss and protect your reputation.
Avoid data breaches. Losing your critical data typically has a huge financial impact on any business. If we can avoid this, we should.
Give you a baseline risk assessment template for future assessments. Cyber risk assessments are made to be repeatable, this is not a one-and-done kind of situation. For this practice to be effective it must be repeated.
Stay compliant and avoid costly regulatory issues. Avoid losing customer data being stolen because you failed to comply with HIPPA regulations.
Avoid data loss. Losing critical data could mean losing business to your competition.
Keep your systems up and running. Downtime is bad for everyone. Keeping your systems up and running is critical.

You then can use your findings to make informed decisions about how security strategies can be implemented in your business.

Insider Insight: An effective assessment will likely vary quite significantly from one organization to the next. Your business industry, location, and regulatory requirements will change your specific process. The core foundation of an effective cyber security assessment does however remain the same, regardless of the aforementioned complexities.

Follow these 5 steps when conducting your cyber security assessment:

1 .Figure out the scope of your assessment.

This will be a lesson in thoroughness. You will need to identify every asset that will be evaluated to accurately determine the full scope of the project. We would recommend starting small with a single asset type and moving systematically through in that fashion.

Once you have chosen your asset type, you will need to determine the assets dependencies.

Take your time on this step of the process as this will ensure you are getting a comprehensive look at your entire network. Cutting corners here could mean critical vulnerabilities being unintentionally ignored. The likelihood is that you will find that your network is a complex spider-web of information.

2. Determine the value of each asset

For each asset, gather specific information where applicable such as software, hardware, end-users, purpose, criticality, and any security policies in place.

Insider Insight: It’s important to remember that the value of an asset likely extends beyond just the cost of the hardware/software. Consider the intangible cost of an asset and the cost of the loss of an asset to your business.

Typically we find most assets’ actual value extends well beyond the expectation. We live in an interconnected world and your business is no different.

3. Identify gaps in your security

This is where a lot of the complexity comes in. It is nearly impossible to do this without having a background in cyber security or information security.

What you are going to want to do is calculate the likelihood of various business loss scenarios. Essentially you are looking to identify security holes, calculate the impact that an exploit would have on your organization, and mitigate those risks.

The most common threats that affect every organization typically include:

Unauthorized access: from attackers, malware, or employee error.

Misuse of info by authorized users: data may be altered, deleted, or used without approval.

Leaked data: identifiable information being leaked intentionally by attackers or unintentionally by poorly configuring systems.

Business disruption: loss of revenue/reputation damage due to business downtime.

I have oversimplified the process here. I would recommend visiting the NIST framework page to get a much deeper dive into cyber security practices.

4. Perform an info value vs cost of prevention analysis

This is the way you figure out what to prioritize first and what is most immediately beneficial.

What we are looking for is to assess the importance of securing a category of your data compared to the relative cost for your company to do so.

To do this, you take the likelihood of a threat and its potential impact against the cost of preventing it and compare them against each other. We can then produce a plan for which holes need to be patched first.

Important: Something to remember is that the impact of a cybersecurity incident extends beyond just money. It is common for a brand’s reputation to be negatively affected after suffering from a cyber incident. Take this into consideration when performing your information value vs cost of prevention analysis.

5. Document your findings.

This report doesn’t mean a lot if you cant reference it later. This report will serve as an invaluable tool you can use to complete the rest of your business resumption plan. It is critical that you meticulously document your findings.

You can also use your report as a training tool for new hires coming into your organization.

Quick Tip: Take your time here. Meticulously organize your findings, you won’t regret it.

Step 4 -> Develop a Strategic Outline for Recovery

The objective of a recovery strategy is to reduce the impact that an outage will have on your business. Your recovery strategy should determine how each of the critical assets we defined in our Business Impact Analysis will be recovered.

We will determine:

What resources will be required to recover each of the critical business assets
How long do we have for these critical business assets to be recovered
What external resources we will need to recover these critical business assets
What is your tolerance for downtime and how we will deal with unforeseen contingencies

The recovery process will consist of 5 key stages:

Your immediate response to the incident
How you will go about restoring your business environment.
Restoring functional resources
Restoring digital assets & data
Restoring business operations

Step 5 -> Review Backups and Your Recovery Procedures

Determine the vital records required to maintain critical business functions determined previously by the Business Impact Analysis. Verify those vital records and develop procedures to recover/reconstruct those vital records. You should also take the time to develop procedures for building and/or maintaining your offsite backups. Review all procedures & procedure language to ensure they are functional in case of an emergency.

Insider Insight: In the event of a critical business failure, your offsite backups become your most valuable asset. A properly configured network should make it nearly impossible for a threat actor to encrypt properly segregated backups. Even then, procedure failures have caused these seemingly impenetrable backups to fail. It pays to be careful and meticulously follow the best procedures, especially when dealing with critical business data.

Step 6 -> Creating and Testing Your Business Resumption Plan

Now that we have all the pieces in place, we can get to creating our business resumption plan. If each of the previous steps were completed as directed, creating the plan should simply be a matter of organizing documentation and maximizing efficiency.

Important: Remember to specifically document how every critical business function will be restored. Focus on the highest dependency functions first and work your way down. It is important to be caught in the minutia while developing these plans but it’s just as important to take a 1000ft view and ensure that each moving part moves together cohesively and efficiently.

To fully uncover every possible hiccup, you have to rigorously test your plan for the entire life of the plan. To be prepared for all contingencies, you need to test your plan frequently (and to the fullest extent) possible.

Step 6.1 -> Maintaining Your Business Resumption Plan

As your business environment changes, your plan must change as well. This is why it is so important to appoint a coordinator. As the champion of your business resumption plan, they will be responsible for recognizing when changes need to be made to your BRP and then facilitating those changes.

It also pays to occasionally audit your business resumption plan to ensure that it still aligns with your organization’s requirements.

There you go, you are well on your way to creating a more secure business that is substantially more prepared for an emergency.

Getting Expert Help With Your Business Resumption Plan

This is a complex topic, if you have more specific questions please reach out to our team here at Techfive.

Techfive focuses on what is called “digital transformation”. Meaning we partner with organizations that recognize the power of technology in their business. We use technology to drive businesses towards their long-term goals (and protect them along the way).

Our advisors would love to have a chat with you.