Aim for Effective Incident Response, Not Just Disaster Recovery

Business disruptions that can’t be contained using Standard Operating Procedures (SOP’s) can be classified as Incidents.  An Incident may cause Disaster Recovery and/or Business Continuity Plans to be invoked.

Those invoked activities are an Incident Response.

Think of Incident Response in three distinct parts:

  • Activation. Knowing which Plans to invoke requires an Assessment of what assets (hardware, applications, interfaces, etc.) and services have been impacted.  Assessments focus the scope of the Incident Response.  Intelligent assessments, combined with situational awareness information, allow Incident Managers to invoke the appropriate Plans, Recovery Teams and Resources.  Plans based on scenarios (failover to an alternate datacentre, or reconstruction at a DR site, restore Tier 0 & Tier 1 Apps…) can be a quick-start Incident Response without conducting a detailed assessment.
  • Recovery. After Plan activation, monitoring of execution is critical to the effectiveness and success of the Response.  Plans constructed as a series of Tasks (rather than broad instructions) make it possible to monitor task status (on hold, in progress, completed, skipped, etc.) and judge Plan progress relative to expectation (from Plan tests).  Monitoring must enable Incident Managers to resolve escalated issues to remove roadblocks.  Status dashboards should be automated, not manual whiteboards or post-it notes.
  • After Action. Following closure of an Incident, participants should validate expectations against actual outcomes (Was RTO achieved? Were other objectives met?).  They should review response activities to understand what happened,  what worked, what went wrong, what could be improved upon and what planning, resources or teams should be changed or added.  Improvement efforts should be assigned, completion monitored and results applied to update existing plans – in preparation for revised Plan testing.

Disaster Recovery is more than just Plans.  Success relies on effective Incident Response.

SHARE:
Ramesh Warrier

Ramesh Warrier

eBRP Founder and Chief Designer of eBRP Suite, Ramesh is a proponent of constant change, a visionary who believes that the practice of Business Continuity can deliver improved operational efficiency. Ramesh, B.Tech in Electrical Engineering, has nearly 30 years experience in Business & Technology roles. His thoughts are expressed in blogs, white-papers, frequent webcasts and speaking engagements at industry conferences.

Related Posts

A Toolkit to Build Enterprise Resiliency

A Toolkit to Build Enterprise Resil...

A well-rounded Enterprise Resiliency Toolkit (𝗧𝗼𝗼𝗹𝗸𝗶𝘁) would provide key tools…
Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…