The COVID-19 pandemic is top of mind. The interruption of our lives is far reaching.
There are so many needs that, as a business executive, you must address that it is simply overwhelming. The first, of course, is still being in business when the world returns to a happier place.
A required area of oversight is vendor management. There are two specific plans that you must require of your vendors: their Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
As part of the CSRPS educational series on compliance, please find below a road map for how you should evaluate your vendors with respect to both BCP and DRP.
Oversee vendors as you would any department in your company, regardless of the vendor’s reputation or apparent ability to comply with consumer protection laws and regulations.
A crucial component of vendor management is verifying that your vendors have correctly implemented a strong BCP and DRP. These plans must demonstrate the vendor's level of preparedness to minimize and/or prevent operational downtime and data loss risks.
If a plan does not demonstrate this, treat it as a red flag.
BUSINESS CONTINUITY PLAN (BCP)
A properly implemented BCP ensures your organization’s critical operations, products and services are always delivered as expected and as specified in your organization’s vendor contracts.
A BCP provides an overview of the safeguards, analysis, testing and training in place to ensure that measures have been established to prevent the cessation of operations in the event of a business interruption.
A BCP must address:
When reviewing a vendor’s BCP, ensure it covers:
DISASTER RECOVERY PLAN (DRP)
The DRP details the processes and procedures to be followed as soon as a business suffers a disaster. The DRP remains in effect until normal operations resume.
The DRP provides details regarding:
A vendor's DRP must be reviewed to verify that they are prepared and have trained their staff on items such as:
The above is a basic guide and is not all-inclusive.
It is important that you understand your vendors' operations, testing procedures and testing schedules. A vendor's processes should equal or exceed your organization's own data privacy and data protection processes.
A strong vendor risk management program is key to maintaining compliance and avoiding claims of improper treatment of your customers and your customers’ data.
For more information on best practices and guidance, visit https://csrcyberprivacy.com.
Michelle Johnston, CIPM, CIPP/US