Every organization needs a solid disaster response plan to recover from unexpected natural and man-made disasters. The plan should be well-documented, approved by leadership, communicated to all stakeholders, and tested regularly. It's critical to keep the plan up-to-date, reviewing it at least annually or after any significant changes to the organization or IT environment.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full CCM here. The CCM provides a comprehensive set of cloud security controls aligned to industry standards like ISO, NIST, PCI DSS, and HIPAA. For more background, check out CSA's overview of the CCM.

Who should care?

This control is relevant for:

• Business continuity managers responsible for keeping the organization running during a crisis
• IT managers who need to recover systems after a disaster
• Security professionals that want to ensure systems remain protected during an emergency
• Compliance officers validating the organization's resilience capabilities

What is the risk?

Without a solid disaster response plan, an organization may not be able to effectively recover from catastrophic events like:

• Natural disasters - fires, floods, hurricanes, earthquakes
• Man-made disasters - terrorist attacks, active shooters, hazardous material spills
• Pandemics that limit physical access to facilities

The impact could range from extended downtime of critical systems to loss of data, revenue, and reputation. In a worst case scenario, a botched disaster response could put the organization out of business permanently.

What's the care factor?

Disaster response planning should be a top priority for any organization. While the likelihood of a major disaster may seem low, the consequences of being unprepared could be existential. Gartner estimates the average cost of IT downtime is $5,600 per minute. For many businesses, even a few hours of an outage is unacceptable.

Regulated industries like healthcare, finance, and government services have an even higher duty of care. An ineffective disaster response could mean failing to meet citizen needs in a crisis. There may also be legal and compliance ramifications.

When is it relevant?

Disaster response planning is relevant for:

• All organizations, regardless of size or industry
• Organizations with strict uptime, data protection, and resilience requirements
• Businesses operating in areas prone to natural disasters
• Companies handling sensitive data that could be targeted by bad actors

That said, the scope and complexity of the plan can vary based on the organization's risk profile. A hospital or nuclear power plant needs more rigorous measures than a small marketing agency.

What are the trade-offs?

Creating and maintaining a disaster response plan requires an investment of time and resources, including:

• Staffing a dedicated business continuity team
• Deploying redundant and resilient infrastructure
• Regularly testing plans with tabletop exercises and failover drills
• Keeping plans and runbooks up-to-date as the environment changes

These measures often involve trade-offs in cost, performance, and agility. Active-active multi-region architectures are great for availability but complex to build. Extensive change management controls add overhead to deployments.

Leadership must strike the right balance based on the organization's risk appetite and regulatory needs. Avoid planning for every conceivable scenario. Focus on probable, high-impact events.

How to make it happen?

Here's a high-level plan for implementing this control:

1. Assign ownership
   • Designate a business continuity manager to lead the effort
   • Identify representatives from each department to provide input
2. Assess risks
   • Inventory critical assets - systems, data, facilities, people
   • Identify probable disaster scenarios based on geography, threat intel
   • Analyze business impact of each scenario - financial, reputational, legal
3. Develop response procedures
   • Define RTO and RPO targets for critical systems
   • Document manual workarounds for disrupted systems and processes
   • Specify emergency communication protocols and contact info
   • Identify roles and responsibilities for incident response teams
   • Coordinate with emergency services and external partners as needed
4. Implement resilient architectures
   • Deploy critical systems across multiple availability zones or regions
   • Establish hot standbys, active-active, and active-passive failover
   • Ensure sufficient capacity to handle failover traffic
   • Replicate and backup data to support RPO targets
   • Secure systems against inadvertent access during an incident
5. Test and refine
   • Conduct regular tabletop exercises with all stakeholders
   • Perform technical recovery drills on a scheduled basis
   • Update plan based on lessons learned and environmental changes
   • Provide training to response teams and general staff
6. Communicate and distribute
   • Brief leadership and obtain formal approval of plan
   • Publish plan on internal web portals, intranets, and wikis
   • Include disaster response training in new hire orientation
   • Regularly promote awareness of procedures through multiple channels

What are some gotchas?

Some considerations when developing your disaster response plan:

• Leadership buy-in is critical. Align plan to strategic priorities.
• Compliance requirements like ISO 27001 A.17 mandate specific inclusions.
• Regularly review external dependencies in your plan. Ensure partners and vendors have sufficient resiliency.
• Technical recovery drills require careful coordination. Avoid scheduling during peak events. Have a roll-back plan.
• Regional regulations may limit ability to distribute plans outside the country.
• Law enforcement involvement for man-made disasters adds complexity.

Some key permissions to enable in the environment:

• IAM roles for fail-over and recovery like AWSSystemsManager
• Cross-account access for backup and replication like rds:CreateDBInstanceReadReplica
• Automated deployment pipelines for re-building infrastructure like CodeBuild:StartBuild

What are the alternatives?

Some additional best practices to consider beyond the CCM spec:

• Establish Chaos Engineering practices to proactively expose weaknesses
• Leverage AWS Resilience Hub to assess and improve application resiliency
• Adopt a multi-cloud deployment strategy for critical workloads
• Cross-train teams to maintain critical capabilities during staff disruptions
• Engage third-party experts to assess plans and facilitate testing

Explore further

• NIST SP 800-34 Rev. 1 - Contingency Planning Guide for Federal Information Systems
• ISO 22301:2019 - Security and resilience — Business continuity management systems

‍