Fastly Web Outage: Why Third-Party Business Resilience Is Important

Use these 10 questions as a baseline to assess your critical suppliers’ business resilience processes.
By:
Scott Lang
,
VP, Product Marketing
June 09, 2021
Share:
Blog fastly outage 0621

Fastly, a content delivery network service widely used by web publishers, experienced an outage on June 8, 2021 that had global consequences with major news sites, Amazon, and even the United Kingdom’s government websites impacted. Although not cybersecurity related, this outage still provides an example of why organizations that rely on third parties to deliver critical services should continually assess the business resilience practices of those suppliers.

Critical Elements of a Third-Party Business Resilience Plan

At a minimum, a third-party business resilience questionnaire should assess:

  • Continuity of operations – Ensuring that an organization's mission-critical functions can continue to be performed during a wide range of emergencies.
  • Crisis communications – Raising awareness of a specific type of threat, its magnitude, potential outcomes, and specific behaviors to reduce the threat.
  • Critical infrastructure protection – Protecting services critical for the company to function.
  • Information system contingencies – Planning for restoration of services after a disruption.
  • Incident response and management – Identifying, eliminating, and recovering from cybersecurity threats.
  • Disaster recovery – Recovering and protecting a business IT infrastructure.

10 Business Resilience Questions to Ask All Critical Services Suppliers

To determine a baseline of business resilience practices, Prevalent recommends that organizations require all their critical suppliers to answer the following 10 questions. These questions are meant to be a starting point; the answers should dictate next steps and vulnerable parts of the vendor’s business resilience plan should be addressed immediately.

Questions Potential Responses

1) Does your organization have a Business Resilience Plan in place? Which of the following apply?

Please select all that apply.

a) We have a documented Business Resilience plan or similar in place.
b) The plan is reviewed on at least an annual basis or following significant change.
c) The plan has a formal owner.
d) The plan is communicated and available to all necessary representatives.

2) Which of the following aspects are included within the Business Resilience Plan?

Please select all that apply.

a) Activation criteria
b) Roles and responsibilities
c) Impact to provided services
d) Regular testing of resiliency measures
e) Personnel
f) Systems and Assets
g) Facilities
h) Communication processes
i) Supply chain and logistics
j) Security controls

3) Has the organization identified call trees for both internal and external parties?

Please select all that apply.

a) Our Business Resilience Plan includes communication call trees.
b) Our call trees identify whom to contact and time and frequency of communication for external parties.
c) We have identified roles responsible for communicating to our internal staff should the organization be impacted by an outage.
d) We have identified roles responsible for communicating to our customers should the organization be impacted by an outage.
e) We have identified roles responsible for communicating to our Third Parties should the organization be impacted by an outage.

4) Which of the following are applicable when describing your organization's approach to conducting Business Impact Assessments?

Please select all that apply.

a) Impact assessments have been conducted on all systems, assets, and functions.
b) Impact ratings have been determined following conclusion of the Impact Assessment process.
c) Recovery Time Objectives (RTOs) have been defined where applicable.
d) Recovery Point Objectives (RPOs) have been defined where applicable.
e) Testing of RTOs and RPOs take place on a regular basis.

5) Does your organization have a dedicated system outage plan in place? If no, is your organization creating one?

Please select a single response.

a) Yes, we have developed an outage plan, as part of our wider business resilience planning.
b) No, we have not developed an outage plan, but we are in the process of creating one.
c) No, we have not developed an outage plan, and are not in the process of creating one.

6) Does your organization’s Incident Management Plan consider the response to potential non-cyber outages?

Please select all that apply.

a) We have a formally documented Incident Management Plan.
b) Our Incident Management Plan includes identification, response, escalation and recovery of services following an incident.
c) Our Incident Management Plan includes methods to address potential non-cyber events.
d) Our Incident Management Plan provides staff guidance on how to identify and report potential outages.

7) At what level within your organization are decisions being made concerning continuity and outage planning?

Please select all that apply.

a) Decisions concerning continuity planning are managed at a board level.
b) Decisions concerning continuity planning are managed by an individual responsible for business continuity.
c) Decisions are made at a local level only (e.g., site-specific).
d) Decisions are made by individual functions.
e) Responsibility for decisions concerning continuity planning have not been assigned within the organization.

8) In the case of an outage, will Service Level Agreements (SLAs) with customers be adjusted in line with the impact of the outage?

Please select all that apply.

a) We will adjust our SLAs for all critical and non-critical services that have been impacted, based on our business impact analysis.
b) We will adjust our SLAs for critical services only that have been impacted, based on our business impact analysis.
c) We will adjust our SLAs for any critical or non-critical services that have been impacted, based on our business impact analysis.
d) We have reviewed SLAs with customers and there will be no degradation to service based on our business impact analysis.

9) What is your organization's timeline for providing accurate and up-to-date information to customers if services are impacted?

Please select all that apply.

a) We provide initial communication to our customers upon activation of our outage plan.
b) We provide regular communication for the duration of which services remain impacted.
c) We provide ongoing communication to our customers when changes impact our ability to provide products and services.

10) Which of the following processes does your organization have in place for public communications?

Please select all that apply.

a) Public statement is made available.
b) Regular updates are provided to customers and prospects.
c) Public communication requirements are determined and conducted in line with a formal triage process.
d) We monitor Third-Party and supply chain public communications.

Next Steps

A critical supplier’s or 4th party’s outage can have a domino effect on your own organization’s ability to deliver products and services, with revenue, customer satisfaction and more at risk. Get started assessing your critical third parties’ processes for responding to crises with our free business resilience resources or contact us for a strategy session.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo