Business Continuity and Disaster Recovery

  • Understand the impact of their cloud services on revenue, life, or death. Understand how each service affects business operations and what the impact would be if it were to cease unexpectedly.

  • Understand the importance of the cloud to their business continuity and ensure the CSC reconfirms this solution and answer every year, as service consumption changes.

  • Understand the disaster recovery approach and determine the fault-tolerant architecture employed for those critical assets.

  • Ask for the BCP, including the CSP services utilized, and ensure it addresses mitigation of the effects of and recovery from a cybersecurity incident.

    • Ensure that the RPO and RTO in the plan are in line with the business criticality.

    • Ensure that the CSP is included in the emergency preparedness and crisis management elements, senior manager oversight responsibilities, and the testing plan.

  • Understand how the CSC is using the cloud for recoverability, focusing on their use (e.g., hot site), classification of recoverability times, and testing the recoverability by falling back to the cloud.

  • Look at contingency planning policies, procedures, alternate storage and processing, backup, recovery and reconstitution. Distinguish between data loss and continued operations. Different risks are determined for different sets. Specifically, for SaaS, which tends to be more volatile, understand how the CSC has prepared for a scenario where the SaaS provider shuts down.

  • Ensure the Business Continuity Plan has been tested.

  • Review the CSC’s periodic test of their backup system for CSP services. The cloud makes snapshots easier to take, so ask how long the CSC is storing them and whether they are encrypted.

  • Review the inventory of data backed up to CSP services as off-site backup.
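
The RPO and snapshot checks above can be run against evidence the CSC provides. The following is an added example, not part of the original checklist; the inventory format, service names, and RPO values are constructed assumptions standing in for a CSP snapshot export and the RPOs stated in the BCP.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (assumed export format, not a real CSP API).
SNAPSHOTS = [
    {"service": "billing-db", "taken": "2024-03-01T00:00", "encrypted": True},
    {"service": "billing-db", "taken": "2024-03-02T00:00", "encrypted": True},
    {"service": "billing-db", "taken": "2024-03-04T00:00", "encrypted": True},
    {"service": "wiki", "taken": "2024-03-02T00:00", "encrypted": False},
    {"service": "wiki", "taken": "2024-03-04T00:00", "encrypted": True},
]
# Assumed RPO per service in hours, as stated in the BCP under review.
RPO_HOURS = {"billing-db": 24, "wiki": 72, "crm-saas": 24}

def review_snapshots(snapshots, rpo_hours, as_of):
    """Return per-service findings: RPO gaps, unencrypted copies, retention."""
    by_service = {}
    for snap in snapshots:
        by_service.setdefault(snap["service"], []).append(snap)
    findings = {}
    for service, rpo in rpo_hours.items():
        snaps = by_service.get(service, [])
        if not snaps:
            # A service with an RPO in the plan but no backups is a finding.
            findings[service] = {"issues": ["no snapshots found"],
                                 "retention_days": 0}
            continue
        times = sorted(datetime.fromisoformat(s["taken"]) for s in snaps)
        # Worst-case data loss window: the largest gap between consecutive
        # snapshots, including the time since the most recent one.
        gaps = [b - a for a, b in zip(times, times[1:])] + [as_of - times[-1]]
        worst = max(gaps)
        issues = []
        if worst > timedelta(hours=rpo):
            hours = worst.total_seconds() / 3600
            issues.append(f"worst gap {hours:.0f}h exceeds RPO {rpo}h")
        unencrypted = sum(1 for s in snaps if not s["encrypted"])
        if unencrypted:
            issues.append(f"{unencrypted} unencrypted snapshot(s)")
        # How far back the CSC can restore, in whole days.
        findings[service] = {"issues": issues,
                             "retention_days": (as_of - times[0]).days}
    return findings

if __name__ == "__main__":
    report = review_snapshots(SNAPSHOTS, RPO_HOURS, datetime(2024, 3, 4, 12, 0))
    for service, result in report.items():
        print(service, result)
```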
