Get our next post right to your inbox.

July 15, 2021

Understanding your Software Vendor’s Disaster Recovery and Business Continuity Plan

Why it’s important to review your vendor’s DR/BCP plans and what it should include

It’s not often that businesses face catastrophic events, but they should still plan for natural disasters, security threats, and power outages. If organizations want to ensure a smooth recovery process and continuity of operations, developing their own Disaster Recovery (DR) and Business Continuity Plan (BCP) - as well as reviewing the plans of their vendors - can help.  

While IT teams have long thought through how to manage potential disturbances to their information systems, it’s no longer only for IT to consider. BC/DR has been thrust into mainstream consciousness, in large part due to the COVID-19 pandemic and its impact on businesses.  

While we hope to never rely on a DR/BCP, they provide teams and customers with the peace of mind that their data is secure and reachable if anything were to happen.  

What is Business Continuity Planning?

BCP specifies how an organization will prevent disruption in the event of an unexpected outage or disaster. It also lays out how they plan to circumvent potential threats. The main goal of the BCP is to inform how a company ensures operations continue uninterrupted during extenuating circumstances or an unforeseen disaster.

What is Disaster Recovery Planning?

While similar to a BCP, Disaster Recovery specifies how an organization plans to return a platform or service to working order after a disaster. Thus, the DR assumes there may be a period where systems and processes are not functioning properly. The goal of an effective Disaster Recovery Plan is to minimize disruption time. As such, it includes protocols to help get all aspects of a business running again quickly.

Business Continuity vs Disaster Recovery

Although both ensure that an organization is prepared for emergencies, the difference between disaster recovery planning and business continuity planning is important to understand. Disaster recovery involves getting all essential processes, such as IT infrastructure and operations, running after an unexpected outage. Business continuity, however, explains how operations will be maintained during a pandemic or disaster.

What does your software vendor’s DR/BCP look like?

It’s important to remember that your BCP/DR extend to your software vendors, too.

When considering a software vendor or re-evaluating an existing investment, understanding their DR/BCP is an important step. If your vendor doesn’t have a plan in place before a crisis, your business processes could come to a halt. These plans should also be regularly reviewed. Here at Rethink, we ensure our DR/BCP are up to date with regular audits and SOC reports.

Below are some important criteria to consider when reviewing a vendor’s DR/BCP frameworks.

Does the vendor have an alternate location of operations in the event their physical business is damaged?

Your vendor should be able to work remotely or from a separate location if their physical business is inaccessible for any reason. Thus, the vendor should document how staff will access tools and administrative portals remotely, such as through a VPN. Essentially, a disruption to your vendor’s physical offices should not equate to a change in your service.  

How will your data security be maintained in the event of an emergency?

Regardless of a disaster or pandemic, your data security should always be top of mind. Your vendor should have clear safeguards to ensure your data is never compromised.  

Is your data being regularly backed up to a secure location?

If the vendor has to execute their disaster recovery plan, the time to getting your services back up and running should be minimal.  secure backup location ensures your data is accessible. For example, if you rely on a vendor to host your data, a server outage should not impact your ability to access the data from a secure backup location.

Is it clear how the organization will communicate with you in the event of a crisis?

If a data breach or unforeseen crisis occurs, your vendor should have clear protocols and multiple options for contacting you. That way, your team is kept in the loop and can plan accordingly.  

Some questions regarding the vendor’s communication practices may include:

  1. Does the vendor have more than one contact on file that they’ll get in touch with?
  2. What is their protocol for follow-up? Will they reach out more than once and give advance notice if possible?
  3. Will they get in touch with you via email, phone, or a combination of methods?
  4. Do they require consent or acknowledgment on your side, or are they only required to notify their end users?

How does the vendor maintain security standards when working with third parties?

Today, most software systems you rely on will work with third parties of their own. Thus, understanding how they vet and monitor the protocols of their third-party providers is an important step, as their data management policies essentially become your own.  

A software vendor should have clear policies for reviewing and auditing their third parties DR and BCP.  

Choose a vendor with the right DR/BCP for your organization

When we create a disaster recovery and business continuity plan, our goal is to be as prepared as possible for any unforeseen disasters. Along with developing your own policies, you also want to ensure your software vendors have effective DR/BCPs to guarantee the security of your data and continuity of operations.

This article was originally published in April 2020.

Related Posts

Join our global community of property tax professionals

Subscribe to our newsletter for the latest property tax management tips, tools, and resources right to your inbox

© 2023 Rethink Solutions Inc. All Rights Reserved.
Twitter logoLinkedIn logoFacebook logo
© 2023 Rethink Solutions. All Rights Reserved
Twitter logoLinkedIn logoFacebook logo
© 2023 Rethink Solutions. All Rights Reserved