- Project Initiation and Management
- Develop and Document Project Scope and Plan
- Conduct the Business Impact Analysis (BIA)
- Identify and Prioritize
- Assess exposure to Outages
- Recovery Point Objectives (RPO)
BC – Proper Planning
- An organization is more vulnerable after a disaster hits
- Organization still has responsibilities even after a disaster (protection of confidential and sensitive assets)
- Recovery is more than just having an offsite location
- People must be trained to know what to do
- Various recovery procedures need to be developed and documented
- Understand organization’s vulnerabilities, true threats, and business impact of different types of disasters
- Being proactive
- Implementing redundant power supplies
- Backing up communication mechanisms
- Identifying single points of failures
- Recognizing necessary fault tolerant solutions
- ETC., etc…….
Business Continuity Planning (BCP)
- How an organization can stay in business even in a crippled state
- Plan contains steps for continuing critical business functions using alternative mechanisms until normal operations can be resumed at the primary site or elsewhere.
- Reduce overall impact of business interruption
Disaster Recovery Planning (DRP)
- How to survive a disaster and how to handle the recovery process
- Emergency response responsibilities and procedures
- Plan lists and describes the efforts to resume normal operations at the primary site of business.
- BCP and DRP may sound like the same thing, BUT they are not the same.
Business Continuity Planning (BCP)
- Business Continuity (BC): represents the final response of the organization when faced with an interruption of its critical operations
- More than 50% of all organizations that close their doors for more than a week never reopen, due to lack of planning.
- BC is designed to get the organization’s most critical services up and running as quickly as possible.
- DR rather focuses on resuming operations at the primary site; BCP concentrates on resuming critical functions at an alternate site.
Where Do We Start From:
Project Initiation
- Management Support sought
- Make a business case
- Cost vs. benefit
- Regulatory requirement
- Current inherent vulnerabilities of organization
- Ramifications of similar organizations not having such plans
- Business issues of partners, insurance, and obtaining capital
Senior Executive Management’s Role
- Due diligence and Due care
- Drive all phases of the plan
- Consistent support and final approval
- Ensure that testing takes place
- Create a budget for this work
Why Is BCP/DRP a Hard Sell to Mgmt.
- Resource intensive and takes years to complete
- Direct return on investment (ROI) not perceived
- Rather a drain on organization’s bottom line
Importance of Plan
- Organization could vanish if not prepared
- Capability of staying “up and running”, avoiding any significant down time
- Lack of plan could affect insurance, liability, and business opportunities
- Part of business decisions today (Partners need to know, Shareholders/Board of trustees demand it, A Regulatory MUST)
- 9/11 Has Fueled Change of Attitudes About BCP
Who Does It?
BCP/DRP Teams
- Group that will perform risk assessment and analysis
- Representatives from different organization’s departments
- Analysis must be performed before developing plan
- A BCP coordinator must be appointed to oversee and execute:
- A Business Impact Analysis
- Plan development and implementation
- Testing and plan maintenance
BC Team Organization
- Emphasis should be on generalized business and technology skills
- BC team should have representatives from:
- Senior management
- Corporate functional units, including HR, Legal, and Accounting
- IT managers and a few technical specialists with broad technical skill sets
- InfoSec managers and a few technical specialists
- BC team members cannot also be on the DR team
- BC team may be divided into sub-teams:
- BC management team
- Operations team
- Computer setup (hardware) team
- Systems recovery (OS) team
- Network recovery team
- Applications recovery team
- Data management team
- Logistics team
- BC Management team:
- Command and control group responsible for all planning and coordination
- Facilitates the transfer to the alternate site
- Handles communications, business interface, and vendor contact functions
- Operations team:
- Works to establish core business functions needed to sustain critical business operations
- Computer setup (hardware) team:
- Sets up hardware in the alternate location
- Systems recovery (OS) team:
- Installs operating systems on hardware, sets up user accounts and remote connectivity with network team
- Network recovery team:
- Establishes short- and long-term networks, including hardware, wiring, and Internet and intranet connectivity
- Applications recovery team:
- Responsible to get internal and external services up and running
- Data management team:
- Responsible for data restoration and recovery
- Logistics team:
- Provides any needed supplies, materials, food, services, or facilities needed at the alternate site
BC Planning process
- Develop the BC planning policy statement
- Review the BIA
- Identify preventive controls
- Develop relocation strategies
- Develop the continuity plan
- Testing, training, and exercises
- Plan maintenance
- Purpose:
- Executive vision
- Primary purpose of the BC program
- Scope:
- Organizational groups and units to which the policy applies
- Roles and responsibilities:
- Identifies key players and their responsibilities
- Resource requirements:
- Allocates specific resources to be dedicated to the development of the BC
- Training requirements:
- Training for various employee groups
- Exercise and testing schedule:
- Stipulation for the frequency and type of testing for the BC plan
- Plan maintenance schedule:
- Frequency of review and who is involved
- Special considerations:
- Overview of information storage and retrieval plans and who is responsible
To Become Certified For CISSP Please Visit This Link;
