Why You Should Separate Your Disaster Recovery and Security Recovery Plans

Richard Long

Many organizations consolidate their disaster recovery and security recovery plans into one package without asking if this approach makes sense.

IT security and disaster recovery plans are related but they are not the same, and at MHA Consulting, we advise against combining them.


How Disaster Recovery and Security Recovery Plans Differ

DR and IT security recovery plans appear to be very similar. Both plans include procedures to minimize the impact of an event. They also have procedures to recover from the event and return to production, and will likely have a process to minimize the possibility of a similar event occurring again. Yet, beyond that, disaster recovery and IT security recovery plans are fundamentally different.

The core difference between these plans is that disaster recovery is about business continuity, while IT security is about information protection. Therefore, disaster recovery plans tend to be actionable while security plans tend to be more validation and configuration driven. Part of the disaster recovery tasks performed to make applications or environments available include the necessary security architecture and settings that might also be found in an IT security recovery plan.

Security plans include the items to be validated and ensure these are in place and functional. Security testing to restore functionality related to data breaches or cyber-attacks may not require a disaster recovery environment. You can do penetration testing and access segregation in a production environment. The security component of DR testing (i.e., whether the recovered systems are in compliance with an organization’s security policies) is part of your DR testing.


Why Separating Your Plans Makes More Sense

While an all-in-one approach can seem like a more convenient solution, consolidated plans tend either to lack detail or to become too unwieldy in size.

Another reason to separate your plans: stealth. DR and IT security plans contain specific security and non-security (infrastructure or application) tasks. By nature, business continuity and DR plans contain more public-facing information, while security recovery often calls for a more closed-off investigation and analysis. There is sensitive information you may not want to have people from other areas see.

Separate plans (or documents) are easier to use during testing or in a real event. Testing is critical to the success of each plan. Separate plans make it easier for the individuals performing the tasks to identify and find the appropriate actions and sections faster with less extraneous information. This includes not only security, but infrastructure, network and applications.


Managing and Updating Your Disaster Recovery and Security Recovery Plans

Security and disaster recovery plans are managed and maintained by different teams. Disaster recovery plans have multiple sections and associated components similar to the IT security plan, but they also have many components that need the attention of different departments. The complexity of each plan and its content should be managed and performed by the appropriate team – information security, infrastructure, and application.

Management includes updating. Consolidated plans are often more difficult to maintain. Why? Information gets misplaced and it can be difficult to locate. This brings on unnecessary complications because you should update the information in all plans, no matter their purpose, on a regularly scheduled basis. In today’s volatile security environment, you may need to ensure that the security plan and strategy are reviewed more frequently as the risk probability for certain events may change. However, non-security-related changes in the IT environment occur even more often, so to ensure proper functional recovery, all plans should be updated as changes occur. DR plans and strategies should be an integral part of the change management process.

Take a look at the primary objective of your disaster recovery and IT security recovery plans. A disaster recovery plan is created to give an organization business continuity after a disaster. You design your IT security recovery plan to protect your assets after a breach. Two plans with varied objectives should not be combined. If not separated, the effectiveness of response and overall plan management will suffer. As your organization matures, it should develop a more nuanced approach to each plan.


Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.