We run in AWS, GCP, Azure, etc. Do we need a BCP, DR Plan, or Incident Response Plan?
YES! This is one of those questions that we hear a lot. But you will still need the Business Continuity Plan (BCP), Disaster Recovery (DR) Plan, and Incident Response (IR) Plan and test them at least annually. Basically, the cloud provider (AWS, Azure, GCP, Heroku, etc.) is highly available, and you are probably running a multi-Availability Zone (AZ) architecture, but these documents are critical for contingency planning in the event that something goes wrong with the cloud provider.
Why do I need a BCP?
The BCP will cover the entire business including things not in the cloud provider like HR, Finance, Sales, etc. It is meant to inform your personnel of how to respond when some level of business disruption event occurs. Even in completely remote organizations, you should still list out a requirement that says that if a business interruption event such as a flood, wildfires, pandemic, etc. occurs in a specific location and only some remote employees are affected, that personnel are required to find an alternate location to work from and who they should report their safety to. In simpler terms, the BCP covers the human element of contingency planning and what systems are required for personnel to perform their job functions.
Why do I need a DR Plan?
The DR Plan could more appropriately be titled “IT Disaster Recovery Plan”. It will cover the recovery steps to restore functionality to IT systems that your platform is made up of. You are going to want to write the plan to address situations such as an AZ going down. How does traffic get rerouted to another AZ? Is this an automated process? If it is, note that. Once the original AZ comes back up, how will you verify that everything is correct before rerouting traffic back to the original endpoint? And what will you do if your primary DB fails? What are the specific steps you will take to restore data from backups? This document should be more specific than the BCP and personnel should be able to take this document and recover IT systems if a disaster occurs.
Why do I need an IR Plan?
Cloud providers do not provide much for incident response. They may provide tools for detecting things like malicious traffic, malware, etc. But it is up to your organization to take the alerts generated by those tools and respond to them. If malware was detected on your servers, how would you contain the malware, remove the malware, verify that the server is free from malware, and document these actions? That is what the IR Plan is meant to address. One thing to note here is that there are vendors who provide Incident Response Services. If your business uses these vendors, your IR Plan should address how and when to contact the vendor, as well as how to document any actions the vendor takes.