When planning for any disaster or major disruption, it’s important to plan for communications. If you’re planning on taking the Security+ exam, you should have a basic understanding of a communication plan. For example, can you answer this question?
Q. Your organization is updating its disaster recovery documents. You’re asked to review the communication plans for possible updates. Which of the following should you ensure is included in the communication plan?
A. A list of test plans and procedures
B. The succession plan
C. Methods used to communicate with response team members, employees, suppliers, and customers
D. List of scenarios with potential loss statements
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Understanding the Communication Plan
When planning for any disaster or major disruption, it’s important to plan for communications. Normal communications methods might not be available during an incident. For example, personnel might commonly communicate via email, but email services might be down during an emergency. Similarly, cell-based phone lines might not be operational.
One alternate method of communications is the use of a war room. This can be as simple as a conference room, but transformed into a central command center. Response team members report on their progress to people in the war room, and if anyone needs to get up-to-date information, they go to the war room to get it.
A communication plan will include methods of communicating with the following entities:
- Disaster response team members. This might be to inform them of an impending disaster or to keep in touch during the recovery. Some organizations use push-to-talk phones that aren’t affected by cell-phone outages.
- Employees. It’s common for a plan to require mission-essential employees to come to work, but tell non-mission-essential personnel to stay home. Many organizations coordinate with TV and radio stations to advertise their decisions during many weather disasters such as hurricanes.
- Customers. Many organizations let customers know that they are responding to a disaster via a web page. This is especially useful if the disaster prevents the organization from providing certain services. As an example, an online banking site might post a notification stating that the bank is implementing a disaster recovery plan in response to an emergency. It would include information on when they expect services to return. Customers will understand this much better than going to their online bank and simply finding that it is down.
- Suppliers. In some cases, suppliers might need to halt deliveries for a period of time. By calling them before the delivery, it prevents unnecessary problems.
- Media. Whenever possible, it’s best to defer all media requests to a public relations (PR) expert within the organization. They know how to project the right image to the media to prevent miscommunication problems. For example, a TV reporter might ask a technician for a comment and he might reply, “We got slammed! It’s chaos in there!” In contrast, a PR expert might say something like, “This disaster hit us hard. However, we are putting our recovery plans into action and facing this disaster with all available resources.” The second response projects much more confidence than the first. The communication plan can also include templates to respond to media requests. For example, a template might include, “We are putting our recovery plans into action and facing this disaster with all available resources. We expect to have more information on the impact soon.”
- Regulatory agencies. Some organizations must report certain events to regulatory agencies. For example, if an attack results in a data breach of customer Personally Identifiable Information (PII), the organization might have a legal obligation to report it. It’s important to document what must be reported, and how to do so.
Remember this
BCPs and DRPs commonly include a communication plan. It identifies alternate methods of communication, such as a war room or push-to-talk phones. It also identifies who must be contacted, such as response team members, employees, suppliers, customers, media, and regulatory agencies.
Q. Your organization is updating its disaster recovery documents. You’re asked to review the communication plans for possible updates. Which of the following should you ensure is included in the communication plan?
A. A list of test plans and procedures
B. The succession plan
C. Methods used to communicate with response team members, employees, suppliers, and customers
D. List of scenarios with potential loss statements
Answer is C. A communication plan includes methods used to communicate with response team members, employees, suppliers, and customers. Although not available as a possible answer, it would also include methods used to respond to media requests, including basic templates. None of the other answers are part of a communication plan.
Both DRPs and BCPs might include a list of test plans and procedures.
Succession planning clarifies who can make decisions during a disaster.
A BIA typically includes a list of scenarios with potential loss statements.