[Webinar Recap] I Need A Compliant Business Continuity Strategy. Now What?
After the show, participants had several great questions for Brandon, so we’ve featured a few highlights below.
Q: How do I know which recovery time objectives (RTOs) and recovery point objectives (RPOs) are applicable to my organization?
A: I would start with asking, “What does our business impact analysis say today? What are our established RTOs and RPOs?”
Then I’d go and take a look at the regulatory bodies that are tied to your particular organization and industry and look to identify any areas where you’re told how to classify your data (for instance, critical or urgent) and given timelines associated with those. Also consult with some of your peers that may have information on that piece.
Finally you’ll want to look at service level agreements (SLAs) that your organization has tied to service delivery.
Those three things allow you to come to a reasoned framework for determining the appropriate RTOs and RPOs. If there’s a gap, you have a tool for discussing how to prioritize each of those requirements. You’ll want to meet the most aggressive requirement.
Q: Who needs to have a SOC 2 and how is it different from a business associate agreement (BAA)?
A: Any critical vendor you’re dependent on and that is tied to your compliance requirements and service level agreements should have that SOC 2 report because you need to have visibility into what they’re doing.
A BAA is an agreement between the organizations. It does tie into HIPAA and how the data you deal with is protected, but what’s to validate that what’s in the BAA is actually happening? Now, obviously if the agreement has been signed and something does happen, there’s liability associated with it, but in a SOC 2 there’s actually validation from third parties. If you’re a healthcare organization, I’d require a SOC 2 and a BAA.
Q: What is the best approach to getting critical third-party providers to embrace BC compliance?
A: If you’ve got critical third-party vendors that are resistant to BC compliance, I would look for alternative vendors. But I would also say if you’re struggling there, it’s an executive-level decision.
If your business arrangements or compliance requirements are tied to that vendor embracing business continuity, whoever manages the business relationship should have those requirements written into the documentation. There should be a service level agreement tied to it and expectations that they will comply with those standards. The SLA needs to be tested, so the vendor needs to be able to prove to your organization that they have validated the requirements. Once you get that far, now you’re most likely talking again about the SOC 2.
To see the complete webinar, get it on demand here.