Business Continuity
5 automated security scanners
Crisis Management Capability
Purpose: This scanner assesses the crisis management capability of a given domain by evaluating what the organization discloses about its crisis management structure and practices: emergency communications, incident command, exercise programs, and stakeholder engagement. The assessment identifies gaps that could undermine the organization’s resilience during a crisis.
What It Detects:
- Crisis Management Team Structure: Evaluates whether the crisis management team (CMT) is documented and includes key roles such as incident commander.
- Emergency Notification System: Assesses the presence of a documented system for mass communication during emergencies.
- Incident Command Structure: Checks for the existence of an incident command structure that outlines hierarchy and procedures for handling incidents.
- Crisis Simulation Exercises: Verifies whether there is a documented program for conducting tabletop exercises and full-scale simulations to test response strategies.
- Stakeholder Communication Protocols: Evaluates the presence of protocols for communicating with stakeholders during crises, including customers, employees, and regulatory bodies.
Inputs Required:
- Domain: The target domain whose crisis management capability is to be assessed.
Business Impact: This assessment is crucial as it directly impacts an organization’s ability to respond effectively to unexpected events or emergencies. Effective crisis management can minimize damage, protect assets, and maintain stakeholder trust. Poorly managed crises can lead to significant financial losses, legal repercussions, and loss of customer confidence.
Risk Levels:
- Critical: If no CMT is documented, the risk is critical as it indicates a fundamental lack of preparedness for crisis management.
- High: If there are gaps in emergency notification systems or incident command structures, the risk is high due to potential inability to respond swiftly and effectively during crises.
- Medium: Partial documentation or incomplete practices can lead to medium risk levels, indicating significant but manageable vulnerabilities that need improvement.
- Low: Well-documented and practiced crisis management protocols carry a low risk rating, signifying robust preparedness against potential threats.
- Info: Informational findings such as the absence of certain documented elements might indicate areas for awareness or future planning rather than immediate concern.
Example Findings:
- A domain lacks any documentation of its crisis management team structure, indicating a critical risk due to unpreparedness in managing significant events.
- There is no evidence of an emergency notification system being implemented, which poses a high risk as it affects the organization’s capacity for timely communication during crises.
Vendor Continuity Management
Purpose: This scanner assesses the vendor continuity management practices disclosed for a given domain. It looks for documented processes, policies, and evidence covering vendor risk assessment, contractual requirements, monitoring, exit strategies, and incident response coordination.
What It Detects:
- Vendor Risk Assessment: The scanner detects whether any processes or frameworks for assessing vendor risk are disclosed (e.g., due diligence, a third-party risk management (TPRM) framework, security assessments).
- Contractual Requirements: It checks for mentions of vendor service level agreements (SLAs) and other contractual obligations that could impact continuity.
- Vendor Monitoring and Audit: The scanner identifies any documented monitoring or audit processes related to vendors.
- Exit Strategy: It evaluates whether there are strategies in place for managing the exit from vendor relationships, including data portability considerations.
- Incident Response Coordination: The scanner looks for evidence of how incidents with vendors are handled, indicating coordination and shared responsibility.
Inputs Required:
- Domain: The target domain whose vendor continuity management practices are to be assessed.
Business Impact: The continuous reliance on external vendors can pose significant risks to business operations if these vendors experience disruptions or fail to meet contractual obligations. Properly managing vendor relationships through documented processes and agreements is crucial for maintaining operational resilience and minimizing potential losses due to supplier failures.
Risk Levels:
- Critical: If no evidence of any form of vendor risk assessment, contractual requirements, monitoring, exit strategies, or incident response coordination is found, this represents a critical risk as it could lead to severe operational disruptions.
- High: If multiple gaps in the documented processes are identified, such as missing SLAs or incomplete exit strategies, this would be considered a high risk scenario.
- Medium: If some but not all of the required elements are present, the risk level is medium; the gaps may cause operational problems that escalate if left unaddressed.
- Low: If comprehensive documentation and evidence across all areas are evident, the risk is considered low as it demonstrates effective vendor continuity management practices in place.
Example Findings:
- The domain does not disclose any formal processes for assessing risks associated with its vendors.
- There are no mentions of service level agreements (SLAs) that outline performance expectations from vendors.
Recovery Strategy Assessment
Purpose: This scanner analyzes a company’s recovery strategy by assessing its offsite backup plan, alternate processing capabilities, and automation of recovery processes. It evaluates whether physical and digital backups are disclosed, along with their encryption status, to determine whether they meet the minimum requirements for business continuity during a critical incident. It also checks for alternate sites that can take over operations if the primary site fails.
What It Detects:
- Recovery Sites: The scanner identifies whether there are physical or cloud-based alternatives for operating the business in case of a disaster. This includes detection of hot, warm, cold sites, and cloud recovery options.
- Backup Strategy: It evaluates if there is an offsite backup strategy documented and checks for encryption status and immutability of backups to ensure data integrity during disasters.
- Alternate Processing Capabilities: The scanner assesses the presence of redundant physical locations or cloud services as a fallback in case the primary operations site becomes unavailable.
- Recovery Automation: It looks for automated processes that can be triggered to resume business functions after an incident, including failover mechanisms and software orchestration tools.
- Supply Chain Recovery Planning: The scanner examines if there is any planning for recovery of the supply chain, which includes sourcing from alternate locations geographically distributed or different suppliers.
Inputs Required:
- Domain: The target domain name (e.g., acme.com) to be analyzed for its operational resilience.
Business Impact: This assessment is crucial as it directly influences a company’s ability to continue operations during and after disruptive events such as cyber attacks, natural disasters, or system failures. Effective recovery strategies can minimize downtime, protect reputation, and maintain customer trust.
Risk Levels:
- Critical: If no alternate recovery site strategy is disclosed, the risk is critical. This could lead to immediate operational disruption with high financial and reputational costs.
- High: A lack of offsite backup or documented plans for alternate processing capabilities can result in significant risks during a disaster, potentially leading to substantial losses.
- Medium: Partial coverage or incomplete documentation in recovery strategies might still cause disruptions but at a lower severity compared to high risk scenarios.
- Low: Well-documented and comprehensive recovery strategies with multiple redundant backups and automated processes indicate low vulnerability.
- Info: Informational findings that note the presence of elements such as a backup plan; these are useful context but do not on their own change the security posture.
Example Findings:
- The company has no documented offsite backup strategy, posing a high risk of operational disruption during disasters.
- There are no indications of alternate processing capabilities, making the business vulnerable to significant disruptions in case of primary site failures.
Business Impact Analysis
Purpose: This scanner assesses the maturity of the business impact analysis (BIA) disclosed for a given domain. It looks for identified critical functions, recovery objectives, dependency mapping, financial impact assessment, and a recovery prioritization framework, and derives the domain’s risk level from the gaps found in that documentation.
What It Detects:
- Critical Functions Identification: This scanner checks for documented critical business functions within the organization’s records.
- Recovery Objectives (RTO/RPO/MTD): It evaluates whether recovery time objectives (RTO), recovery point objectives (RPO), and maximum tolerable downtime (MTD) are disclosed, and whether they meet the scanner’s criteria.
- Dependency Mapping: The scanner looks for any documentation that maps out dependencies crucial to the operation of the business, including technology and third-party dependencies.
- Financial Impact Assessment: This includes assessing how financial impacts are considered in BIA processes, particularly focusing on revenue loss quantification and compliance with regulations.
- Recovery Prioritization Framework: The scanner identifies whether there is a framework for prioritizing recovery efforts based on criticality.
Inputs Required:
- Domain Name: The domain for which the BIA needs to be assessed. This input allows the scanner to target specific organizations or websites.
Business Impact: A comprehensive business impact analysis (BIA) is crucial for understanding the potential consequences of disruptions in critical functions and services. By identifying gaps in RTOs, dependency mapping, financial impacts, and recovery prioritization frameworks, security teams can better prepare for and mitigate risks associated with operational failures. This proactive approach helps ensure that organizations are resilient against various threats and can quickly recover from disruptive events.
Risk Levels:
- Critical: If no critical functions are documented, or if significant gaps span RTOs, dependency mapping, financial impacts, and recovery prioritization frameworks, the risk level is critical.
- High: If multiple indicators point to high vulnerability (e.g., more than two major gaps), the risk level is high.
- Medium: This severity applies when there are fewer but still significant gaps in BIA documentation.
- Low: The lowest risk level indicates that the BIA appears comprehensive and well-documented, with minimal identified gaps.
- Info: Used for findings that do not necessarily indicate a vulnerability but highlight areas for improvement or specific issues that need attention.
Example Findings:
- No critical business function documentation disclosed: This is a critical finding, as it suggests the organization has not identified or prioritized its critical functions.
- Incomplete financial impact assessment: A situation where the scanner finds insufficient data on how financial aspects are considered in BIA, which could lead to operational risks and increased vulnerability.
BC Plan Testing
Purpose: This scanner analyzes the business continuity planning and testing disclosed for a given domain to assess its resilience and preparedness against disruptions. It checks for evidence of annual BC testing, third-party participation in testing, and compliance with regulatory testing requirements.
What It Detects:
- Detection of whether there is an annual commitment to BC testing.
- Identification of tabletop exercises or full-scale tests as part of a BC exercise program.
- Review of test scope documentation for critical systems, cross-functional involvement, and supply chain continuity.
- Assessment of the presence of post-test reports and lessons learned from previous tests.
- Examination of regulatory compliance with BC testing requirements in financial services and healthcare sectors.
- Evaluation of third-party participation in BC testing to ensure external oversight and validation of preparedness.
Inputs Required:
- Domain: The target website’s domain for analysis.
- URL: Full URL including protocol (http or https) if applicable.
- Additional parameters as required by specific checks within the scanner.
Business Impact: Assessing business continuity planning is crucial for maintaining operational resilience in the face of potential disruptions. Effective BC planning can significantly reduce downtime, minimize financial loss, and uphold customer trust during crises.
Risk Levels:
- Critical: If no annual BC testing commitment is disclosed, or if there are significant gaps in test scope documentation, post-test reporting, and regulatory compliance with critical standards, the risk level is considered critical.
- High: Notable deficiencies in BC testing practices with no clear mitigation, such as incomplete disclosure of tabletop exercises or no participation in third-party tests, indicate a high risk level.
- Medium: When some aspects of BC planning are present but insufficient, leading to potential vulnerabilities that could be mitigated with improved practices, the risk level is medium.
- Low: Minimal deficiencies and a robust testing program indicate a low risk level, suggesting minimal exposure to significant operational disruptions.
- Info: Provides informational findings for areas where no issues were detected, highlighting existing strengths in BC planning and testing.
Example Findings:
- A domain does not disclose any evidence of annual BC testing, indicating a critical risk as it suggests unpreparedness against potential crises.
- Incomplete documentation of test scope and lack of participation in third-party tests suggest high risks due to insufficient preparedness for disruptions.
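A minimal model of the evidence-to-severity logic the Risk Levels sections above describe, as an added example that is not the project’s own code. The page does not say how the scanners collect or interpret disclosures, so the regex indicators, the per-scanner severity rules (Critical when the headline control is absent, High when a named secondary control is absent, Medium for any other gap, Low when everything is evidenced), the negation heuristic, and the sample disclosure text are all assumptions. It encodes the Crisis Management Capability and Recovery Strategy Assessment rules and shows the failure mode a practitioner should check for in any keyword-driven scan: a hit inside a negated sentence (“we do not operate a mass notification system”) must not count as evidence that the control exists.

```python
"""Illustrative evidence-to-severity model for the continuity scanners above.

Added example, not the project's code: the regex indicators, the per-scanner
severity rules, the negation heuristic and the sample text are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample of disclosure text, not taken from any real organization.
SAMPLE_DISCLOSURE = (
    "Our Crisis Management Team is chaired by the COO, who acts as Incident "
    "Commander. We do not currently operate a mass notification system; staff "
    "are contacted by phone tree. Tabletop exercises are held annually. "
    "Backups are replicated offsite and encrypted at rest. We maintain a warm "
    "site in a second region. Recovery of core services is automated."
)

NEGATION = re.compile(r"\b(?:no|not|never|without|lack(?:s|ing)?)\b", re.I)


def has_evidence(text, pattern, negation_aware=True):
    """True if `pattern` occurs in `text`; with negation_aware, an occurrence
    only counts when no negation word precedes it in the same sentence.
    A plain keyword scan would treat "we do not operate a mass notification
    system" as evidence of a notification system; this check does not."""
    for match in re.finditer(pattern, text, re.I):
        if not negation_aware:
            return True
        # Look back only to the start of the sentence containing the hit.
        clause = re.split(r"[.;]\s+", text[: match.start()])[-1]
        if not NEGATION.search(clause):
            return True
    return False


@dataclass
class ScannerSpec:
    name: str
    indicators: dict          # indicator name -> regex that counts as evidence
    critical_if_missing: set  # any of these absent -> Critical
    high_if_missing: set      # otherwise any of these absent -> High


@dataclass
class Finding:
    scanner: str
    severity: str
    present: list
    missing: list


# Crisis Management Capability: Critical with no CMT, High with gaps in
# emergency notification or incident command, Medium for any other gap.
CRISIS_SPEC = ScannerSpec(
    name="Crisis Management Capability",
    indicators={
        "cmt": r"crisis management team|\bCMT\b",
        "incident_commander": r"incident command(?:er|\s+(?:structure|system))",
        "notification": r"(?:mass|emergency) notification",
        "exercises": r"tabletop|simulation exercise|full-scale (?:test|exercise)",
        "stakeholder_comms": r"stakeholder communication",
    },
    critical_if_missing={"cmt"},
    high_if_missing={"notification", "incident_commander"},
)

# Recovery Strategy Assessment: Critical with no recovery site, High with no
# offsite backup, Medium for other gaps (e.g. backups not immutable).
RECOVERY_SPEC = ScannerSpec(
    name="Recovery Strategy Assessment",
    indicators={
        "recovery_site": r"\b(?:hot|warm|cold) site\b|alternate (?:site|region)",
        "offsite_backup": r"offsite backup|backups?\s+(?:are\s+)?replicated offsite",
        "backup_encrypted": r"backups?[^.]*\bencrypted\b",
        "backup_immutable": r"\bimmutab|\bworm\b",
        "recovery_automation": r"automated (?:failover|recovery)|recovery[^.]*\bautomated\b",
    },
    critical_if_missing={"recovery_site"},
    high_if_missing={"offsite_backup"},
)


def assess(spec, text, negation_aware=True):
    """Apply a scanner spec to disclosure text and map the gaps to a severity."""
    present = sorted(k for k, p in spec.indicators.items()
                     if has_evidence(text, p, negation_aware))
    missing = sorted(set(spec.indicators) - set(present))
    if spec.critical_if_missing & set(missing):
        severity = "Critical"
    elif spec.high_if_missing & set(missing):
        severity = "High"
    elif missing:
        severity = "Medium"
    else:
        severity = "Low"
    return Finding(spec.name, severity, present, missing)


if __name__ == "__main__":
    for spec in (CRISIS_SPEC, RECOVERY_SPEC):
        print(assess(spec, SAMPLE_DISCLOSURE))
    # The naive scan counts the negated "mass notification system" as present.
    print(assess(CRISIS_SPEC, SAMPLE_DISCLOSURE, negation_aware=False).severity)
```

On the constructed sample the negation-aware scan rates the crisis management disclosure High (no notification system, no stakeholder protocol) while the naive scan rates it Medium, because it credits the sentence that denies having a notification system. The recovery disclosure rates Medium: a warm site, offsite encrypted backups and automated recovery are evidenced, but nothing says the backups are immutable.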