Ensure DRP and BCP Compliance With Industry Standards
Cut through the noise to create an effective and compliant DRP and BCP as part of your overall business continuity management program.
Analyst Perspective
Treat standards as a checklist, not an instruction manual
Don't let the verbose nature of standards documentation such as NIST, HIPAA, PCI, and others overcomplicate your mandate to ensure your business continuity management (BCM) program, including disaster recovery planning, business continuity planning, and crisis management, is compliant.
Standards documents are intended to be comprehensive, not concise, and that often leads to requirements that seem more daunting. Adding to the potential complexity is the challenge of interpreting the specific language of each standard.
For example, NIST requires that you have a disaster recovery plan for site-wide events and a contingency plan for individual critical system outages, but it does not make it clear that much of the same documentation will meet both requirements.
If you are obligated to comply with multiple standards, understanding your requirements becomes that much more challenging.
This deck and the associated guides cut through the noise to provide a roadmap of the specific tasks you need to complete to create concise, effective, and compliant plans, using the standards NIST, HIPAA, and PCI DSS as examples. This approach can be applied to other international or country-specific standards such as ISO 22301 and PIPEDA (the Canadian equivalent to HIPAA).
Frank Trovato
Research Director, Infrastructure & Operations
Info-Tech Research Group
STOP: This deck is focused on BCM compliance. For guidance on security compliance, see the resources below.
For security compliance assistance, use the blueprint Build a Security Compliance Program; it includes a Security Compliance Management Tool (excerpt shown below) that provides a single framework to align and track multiple compliance obligations.
To reduce the complexity of ensuring disaster recovery plan (DRP) and business continuity plan (BCP) compliance, continue with the guidance and resources referenced in this deck.
Security Compliance Management Tool
Executive Summary
Your Challenge
- IT leaders are often responsible for not just the organization's IT DRP but also the BCP and other elements of overall resilience.
- Adding to the challenge are industry regulations or internal mandates demanding that resilience plans comply with specific standards. It's not enough to have a plan that you think is good; you must be able to show an auditor how it meets the standard.
- Standards such as NIST SP 800-34, HIPAA, and PCI DSS set requirements for a range of resilience plans – not just security incident response (which is covered in our security research) but also DRP, BCP, and crisis management.
Common Obstacles
- Terminology can vary between standards, making it difficult to understand exactly what's required.
- Standards can take a siloed approach, specifying requirements for individual plans but not showing you how to pull it all together.
- For example, NIST 800-34 specifies eight different plans required to support resilience and continuity. It does not specify what information might be common to all eight documents, which would reduce your effort significantly.
Info-Tech's Approach
- Boil down the standards into core requirements.
- Identify opportunities for one document to meet the requirements of multiple plans (e.g. a recovery playbook that can satisfy NIST's requirement for a DRP and an information systems contingency plan).
- Summarize the tasks into a concise checklist, supported by mapping documents that will demonstrate how your plans meet the specific requirements of a particular standard.
Info-Tech Insight
Start with a goal of developing concise, effective plans that will inherently meet most requirements of common standards. This deck will help you close any gaps. If you instead follow the standards verbatim, you will have redundant, voluminous plans that will be difficult to maintain and too large to be effective in a crisis.
Additional resources included in this research
NIST 800-34 ISCP Mapped to Info-Tech Resources
Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool
HIPAA Requirements for BCM Mapped to Info-Tech Resources
Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool
PCI DSS Requirements for BCM Mapped to Info-Tech Resources
Use this guide to support your audit review and as a reference for the BCM Program Compliance Checklists tool
A consistent theme: Compliance starts with BCM best practices
Develop concise, effective plans and ensure you are meeting your specific compliance requirements
- Start with BCM best practices as outlined in Info-Tech research to establish a solid foundation and adjust where needed to meet specific compliance requirements.
- In contrast, using compliance documents as a guide to develop your DRP, BCP, or overall BCM program adds layers of complexity due to the need to parse their specific terminology and requirements, which are often redundant.
- This research helps you navigate this process by providing a roadmap to leverage Info-Tech BCM resources to develop concise, effective plans and ensure you are meeting your specific compliance requirements.
Activity: Modify the prepopulated checklists for the standard you need to meet
1-3 hours
- If you need to meet one of the standards profiled in this research (NIST 800-34, HIPAA, or PCI DSS):
  - Review the relevant mapping guide (see the remaining slides in this deck for NIST 800-34, HIPAA, and PCI DSS) for context and to help you demonstrate to your auditor how your plans comply with the standard.
  - Modify the relevant checklist in the BCM Program Compliance Checklists tool to suit your specific current state.
- If you are required to meet a different standard that is not profiled here:
  - Select the checklist in the BCM Program Compliance Checklists tool that is the closest fit and use that as your starting point.
  - Modify the checklist to suit your specific current state and requirements.
Excerpt from the BCM Program Compliance Checklists Tool
Materials
- Relevant mapping guide from this research for the standard you need to meet (NIST 800-34, HIPAA, or PCI DSS). If you need to meet a different standard, consult the requirements identified by your auditor.
- BCM Program Compliance Checklists tool
Participants
- IT and business leaders tasked with developing a DRP, BCP, or other resilience documents
- Internal audit team or equivalent (e.g. business leaders tasked with compliance oversight)
What is NIST 800-34 and what does it mean for your BCM program?
NIST compliance is typically focused on security practices but also sets expectations for overall resilience through NIST 800-34
The National Institute of Standards and Technology (NIST) publishes the standards, guidelines, and supporting resources that US federal agencies use to comply with the Federal Information Security Management Act (FISMA).
NIST Special Publication 800-34 Rev. 1 – Contingency Planning Guide for Federal Information Systems (NIST 800-34) focuses specifically on planning the recovery of information systems following a disruption – in other words, on developing information system contingency plans (ISCPs).
ISCPs support the broader goal of resilience and therefore need to align with the other plans that serve that goal, such as the DRP and BCP, as part of a business continuity management (BCM) program. With that in mind, NIST 800-34 also summarizes what it expects each plan in the broader set of resilience plans to cover and how the plans relate to one another.
Note: NIST 800-53 also includes contingency planning requirements (the Contingency Planning, or CP, control family); however, it relies heavily on NIST 800-34 as the source for implementation detail.
Resilience plans that support NIST 800-34 requirements
Source: NIST Special Publication 800-34 Rev. 1 – Contingency Planning Guide for Federal Information Systems
Identify NIST requirements for your BCM program and the resources to meet those requirements
Leverage the NIST 800-34 ISCP Mapped to Info-Tech Resources guide to expedite this task
The NIST 800-34 ISCP Mapped to Info-Tech Resources guide outlines the specific tasks and outputs required to be compliant. This includes:
- NIST 800-34's list of resilience and continuity plans mapped to relevant Info-Tech resources (e.g. blueprints to develop a continuity of operations plan and crisis communications plan).
- NIST 800-34's list of detailed process steps to develop information system contingency plans mapped to relevant Info-Tech resources (e.g. tools and templates to document business impact analysis, incident response teams, and recovery procedures).
- Roadmap of Info-Tech resources to leverage (in order of use) to meet the above requirements.
Excerpt from NIST 800-34 ISCP Mapped to Info-Tech Resources
What is HIPAA and what does it mean for your BCM program?
HIPAA has driven healthcare information privacy and protection standards. Your BCM program must adhere to and support those standards.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to address a range of issues such as health insurance portability (e.g. continuity of coverage when people leave their jobs), healthcare fraud/abuse, and standards for the management of health information.
A key outcome was establishing standards for the privacy and protection of healthcare information, outlined on the U.S. Department of Health & Human Services (HHS) website. These standards affect a wide range of business and IT operations, from governance over data usage to security requirements.
For your organization's business continuity management program (which includes the development and governance of your DRP, BCP, and crisis management plan):
- The relevant requirements are in the Contingency Plan standard of the Security Rule's Administrative Safeguards (45 CFR 164.308(a)(7)), which you can find in the Security Rule Guidance Material on the HHS website. Its implementation specifications are a data backup plan, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and an applications and data criticality analysis (the first three are required; the last two are addressable, meaning you must either implement them or document why an alternative is reasonable and appropriate).
- These specifications align with normal BCM best practices (backups, DR, workarounds for critical processes, plan testing, and a business impact analysis), so your efforts to comply with HIPAA will also mature your overall BCM program.
Identify HIPAA requirements for your BCM program and the resources to meet those requirements
Leverage the HIPAA Requirements for BCM Mapped to Info-Tech Resources guide to expedite this task
The HIPAA Requirements for BCM Mapped to Info-Tech Resources guide outlines the specific tasks and outputs required to be compliant. This includes:
- A summary of HIPAA's impact on your BCM program.
- Requirements for your BCM program to comply with HIPAA regulations mapped to relevant Info-Tech resources (e.g. tools and templates to document your data backup plan, DRP, BCP, and emergency mode operations).
- Roadmap of Info-Tech resources to leverage (in order of use) to meet the above requirements.
Excerpt from HIPAA Requirements for BCM Mapped to Info-Tech Resources
What is PCI DSS and what does it mean for your BCM program?
Overall resilience is part of the expectation defined by PCI DSS to ensure payment card account data and transactions are secured
The Payment Card Industry Data Security Standard (PCI DSS) establishes security requirements for payment card account data. Any organization that stores, processes, or transmits account data (e.g. retailers, e-commerce sites) must adhere to PCI DSS, which includes both technical and operational requirements.
PCI DSS requirements are primarily focused on security technology and operations but also set expectations for your business continuity management program (which includes the development and governance of your DRP, BCP, and crisis management plan). For example:
- A security incident may require invoking your DRP and/or BCP, and the incident response plan required by Requirement 12.10.1 must include business recovery and continuity procedures and data backup processes – so you are expected to have IT and business recovery procedures documented, and to test them along with the rest of the plan at least once every 12 months (Requirement 12.10.2).
- PCI DSS scope covers every system component that stores, processes, or transmits account data or could affect its security, not just production: backups, the disaster recovery environment, and any business process workarounds that handle account data must meet the same requirements.
BCM requirements are outlined primarily in "Requirement 12: Support Information Security with Organizational Policies and Programs" of PCI DSS v4.0 (the current version at the time of this writing).
Identify PCI DSS requirements for your BCM program and the resources to meet those requirements
Leverage the PCI DSS Requirements for BCM Mapped to Info-Tech Resources guide to expedite this task
The PCI DSS Requirements for BCM Mapped to Info-Tech Resources guide outlines the specific tasks and outputs required to be compliant. This includes:
- A summary of PCI DSS' impact on your BCM program.
- Requirements for your BCM program to comply with PCI DSS mapped to relevant Info-Tech resources (e.g. tools and templates to document and test your data backup plan, DRP, and BCP).
- Roadmap of Info-Tech resources to leverage (in order of use) to meet the above requirements.
Excerpt from PCI DSS Requirements for BCM Mapped to Info-Tech Resources
Summary of Accomplishment
Project roadmap to achieve BCM compliance
- You now have a checklist of specific tasks to meet your compliance requirements, based on the BCM Program Compliance Checklists tool, which provides prepopulated checklists of tasks to complete to meet default compliance requirements.
- For NIST 800-34, HIPAA, or PCI DSS: Our resource guides will help you demonstrate to your auditor how your BCM plans comply with their requirements. Specifically, the resource guides map the compliance requirements (e.g. specific sections or specifications in the compliance standards) to the Info-Tech blueprints, tools, and templates you can follow to meet the requirements.
If you would like additional support, have our analysts guide you through this research as part of an advisory call.
Contact your account representative for more information.
Related Info-Tech Research
- IT DRP Maturity Assessment
- Get an objective assessment of your DRP program and recommendations for improvement.
- Create a Right-Sized Disaster Recovery Plan
- Close the gap between your DR capabilities and service continuity requirements.
- Develop a Business Continuity Plan
- Streamline the traditional approach to make BCP development manageable and repeatable.
- Implement Crisis Management Best Practices
- Don't be another example of what not to do. Implement an effective crisis response plan to minimize the impact on business continuity, reputation, and profitability.
Works Cited
"Document Library." PCI Security Standards Council, n.d. Accessed Sept. 2022.
HHS.gov. U.S. Department of Health and Human Services, n.d., www.hhs.gov. Accessed Sept. 2022.
"PCI DSS: v.4.0." PCI Security Standards Council, March 2022. Accessed Sept. 2022.
"Security Rule Guidance Material." U.S. Department of Health and Human Services, 2022. Accessed Sept. 2022.
Swanson, Marianne, et al. "NIST Special Publication 800-34 Rev. 1 – Contingency Planning Guide for Federal Information Systems." National Institute of Standards and Technology, May 2010. Accessed Sept. 2022.
"What is Considered PHI Under HIPAA?" HIPAA Journal, 28 Jan. 2022. Accessed Sept. 2022.