The Basics of a Vendor Business Continuity Plan (BCP) Report

Podcast Transcript

Welcome to this week’s Third Party Thursday! My name is Lisa-Mae Hill and I’m an Information Security Specialist here at Venminder.

In today’s podcast we’re going to discuss the basics of a BCP report.

BCP stands for business continuity planning. Business continuity is what you do to ensure that key operations, products and services continue to be delivered either in full OR at a predetermined, and accepted, level of availability. Today, most people would have this outlined as part of a service level agreement (or SLA). When you think of business continuity and your vendor, it covers things like what would they do in the event of a loss of personnel, if their facilities or services were down; what their planning with public entities such as emergency services is like, and communications with their own identified key vendors, their clients like you, employees and the media.

Disaster recovery and business continuity usually go hand in hand as disaster recovery is a subset of business continuity.

The first thing you need to do is determine if your vendor’s BCP aligns with your needs and that it covers the key components needed to ensure continuity of operations. You want to review your vendor’s business continuity plan to verify adequate controls are in place covering the following 7 areas:

1. Personnel loss and planning
2. Relocation plans
3. Remote access availability
4. Facility loss contingencies
5. Pandemic contingencies
6. Breach/disruption notification procedures
7. Testing procedures which should include:
   • Annual testing and
   • Testing results showing room for growth should be reviewed and addressed during plan updates

Business continuity plans should also include information on your vendor’s Business Impact Analysis (BIA). You want to make sure a BIA is performed annually or when any major changes or incidents occur. 

Your vendor’s BIA should include the following:

• Recovery Time Objectives (RTO) – This is the targeted duration of time which a business process must be restored after a disruption in order to avoid unacceptable consequences associated with a break in business continuity.
• Recovery Point Objectives (RPO) – This is the age of files that must be recovered from backup storage for normal operations to resume if a computer, system or network goes down as a result of a disruption. Or how much data you expect to lose in a worst-case scenario.
• Maximum Tolerable Downtime (MTD) – This specifies the maximum period of time that a given business process can be inoperative before the organization's survival is at risk.

You should ensure that your Vendor’s BIA information meets or exceeds your needs for RTO, RPO and MTD.

So, what can you expect as far as ongoing monitoring of BCP goes? Perform regular reviews, along with plan exercises, to assure that the vendor is prepared and able to respond to whatever situations arise and allow the corresponding plans to be improved to minimize the impact of the event.

Ultimately, understanding your vendor’s BCP is a critical component of your third party risk management process. Here are a few reasons why: 

1. First, if a part of your services were unavailable for an undetermined amount of time because of your vendor, that could significantly affect your operations and reputation.
2. Secondly, a commonly overlooked aspect of risk is the reputational impact that can occur to a business from failure to respond to the situation, or failure to continue operations. Reputation is difficult to cultivate, easy to lose and very hard, if not impossible to re-gain once lost.
3. Third, you should know how quickly your vendors plan to recover and if they will be able to quickly and effectively respond to the business impacting event so that you can plan accordingly with your own BCP plans.

Once you’ve reviewed the plan, it’s important to have a qualified expert write up an analysis documenting any gaps and the overall findings. A qualified expert will usually have certified credential levels such as a CISSP. Once the analysis is written up and signed off on, reach out to the vendor to discuss the findings and next steps to mitigate any risk. Additionally, you’ll want to mitigate any risk that is found.

Again, I’m Lisa-Mae and thanks for tuning in to this week’s third party Thursday; if you haven’t already done so, please subscribe to our series.