Continuity
How to Build Your Security Continuity Program
If a disaster strikes, you probably have a business continuity plan that will guide your organization through the crisis with your business functions uninterrupted. But what about your security force? They’re likely to be working through a crisis, but how will their department stay up and running during a catastrophe?
Because security is the department that responds to incidents, it sometimes can be taken for granted when disaster plans are put together. Crises affect everyone however, including your officers and other security personnel. A security business continuity plan can help your security department stay functional while officers are responding to an incident.
What is a security business continuity plan?
A security business continuity plan is a business continuity plan which focuses on the integral functions specific to an organization’s security department. It helps you game out what your department would do during a loss of critical services, taking into account the areas that would be affected by a disaster, and the critical functions performed by your security team.
As with any business continuity plan, a security business continuity plan should cover a wide range of scenarios, including weather events, planned attacks, loss of power, or any other incident that disrupts business.
It’s crucial that your security department has such a policy; in times of crisis, all security personnel should be put on 12 hour shifts and focused on responding to incidents, so it’s important the department has a clear plan to follow when a crisis is taking place and does not need to worry about administrative or operational issues.
What should your security business continuity plan include?
A security business continuity policy should be crafted within the framework of risk analysis. The first step in developing one is an assessment of your own department.
Assessment
What are the critical functions performed by your security organization? Assess the critical functions your team performs. You should also assess your staffing, taking into account potential emergency 12-hour staffing rather than the typical 8-hour schedules.
What are the necessary system requirements to keep the department viable? This includes looking at your critical functions from an IT perspective and also knowing how many of those functions can be done offline or analog while your systems are down. For example, manually numbering incident reports so that when systems come back online, it’s easier to enter them into your system.
You should also assess your company’s disaster plan. It’s the responsibility of security to check on all employees to make sure they are safe. Create a plan that will allow your personnel to efficiently check in with team members on and off-site.
Creation
When crafting your security business continuity plan, your policy should include the following key items:
Detailed instructions for the operation and/or lockdown of each post
An emergency staffing schedule and an updated call hierarchy
Additional equipment appropriate by scenario and the locations where that equipment is stored
An online/offline employee accountability roster to ensure you can account for employee safety
Well-defined muster points and an employee check-in process
A clause telling security when they are exempt from directives to send employees home
Analysis
Not every scenario will require the same response. What is the business impact of a crisis on your department and the organization as a whole? Examine foreseeable threats, and prioritize their effects, from most impactful to least impactful. Don’t ignore scenarios that seem unlikely. Some unlikely incidents, like a pandemic, can be catastrophic.
Implementation
Once you create your plan, be sure it is disseminated to everyone including your personnel and coworkers in other departments. Be sure that it’s available to read offline if systems go down, but also practice good information security; people outside your organization should not necessarily have access to it.
Test the plan
Having a plan is not enough; it has to be managed as well. Set up times to test the plan, and reflect on what happened during those tests by discussing the lessons you learned as a team. You should also create a review process so that your plan is continuously improved using those learned lessons.
Planning for a crisis has to include your security personnel. Circadian Risk can help you create a business continuity plan, not only for your security department, but organization-wide through our risk analysis process. Contact us now to schedule a demo.
About the Author
