DCTR-12

Do you have Internet Service Provider (ISP) redundancy?

Explanation

This question asks whether your organization has multiple Internet Service Providers (ISPs) to ensure continuous internet connectivity even if one provider experiences an outage. In a security assessment context, ISP redundancy is important because it directly impacts the availability aspect of the CIA triad (Confidentiality, Integrity, Availability). If your organization relies on cloud services or SaaS applications, or needs to maintain continuous external connectivity for your customers or employees, a single ISP failure could cause significant business disruption.

ISP redundancy typically involves:

1. Having contracts with two or more different ISPs
2. Implementing automatic failover mechanisms between these providers
3. Ensuring the ISPs use different physical infrastructure (different entry points to your facility, different backbone networks)

When answering this question, you should clearly state whether you have ISP redundancy, how many providers you use, whether they're truly independent (different physical infrastructure), and how failover works. If you have partial redundancy (e.g., at some locations but not others), be specific about where redundancy exists and where it doesn't.

Example Responses

Example Response 1

Yes, our organization maintains full ISP redundancy across all our datacenters. We contract with three tier-1 ISPs (AT&T, Verizon, and CenturyLink) at each location, with automatic BGP failover configured. Each ISP enters our facilities through different physical paths to eliminate single points of failure. We conduct quarterly failover tests to ensure our redundancy mechanisms function as expected. Our network architecture is designed to maintain 100% uptime even if any single ISP experiences a complete outage.

Example Response 2

Yes, we have ISP redundancy in our primary datacenter with dual providers (Comcast Business and Spectrum Enterprise). These connections use different physical entry points to our facility and are configured with automatic failover using SD-WAN technology. Our secondary disaster recovery site also has dual ISPs. We test our failover capabilities semi-annually as part of our business continuity exercises and maintain sufficient bandwidth on each connection to handle our full production traffic load.

Example Response 3

No, we currently utilize a single ISP (Comcast Business) for our datacenter connectivity. While we have implemented a high-availability service level agreement with our provider that guarantees 99.9% uptime, we recognize this represents a potential single point of failure. We mitigate this risk through other means, including maintaining offline backups and having documented manual failover procedures to our disaster recovery site, which uses a different ISP. We are currently evaluating proposals from secondary ISPs and plan to implement full redundancy within the next 6 months.

Context

Tab: Infrastructure
Category: Datacenter
