Posted filed under CISSP.

    • Project Initiation and Management
    • Develop and Document Project Scope and Plan

  • Conduct the Business Impact Analysis (BIA)
  • Identify and Prioritize
  • Assess exposure to Outages
  • Recovery Point Objectives (RPO)


BC –   Proper Planning

  • An organization is more vulnerable after a disaster hits
  • Organization still has responsibilities even after a disaster (protection of confidential and sensitive assets)
  • Recovery is more than just having an offsite location
    • People must be trained to know what to do
    • Various recovery procedures need to be developed and documented
    • Understand organization’s vulnerabilities, true threats, and business impact of different types of disasters
  • Being proactive
    • Implementing redundant power supplies
    • Backing up communication mechanisms
    • Identifying single points of failures
    • Recognizing necessary fault tolerant solutions
    • ETC., etc…….



Business Continuity Planning (BCP)

  • How an organization can stay in business even in a crippled state
  • Plan contains steps for continuing critical business functions using alternative mechanisms until normal operations can be resumed at the primary site or elsewhere.
  • Reduce overall impact of business interruption


Disaster Recovery Planning (DRP)

  • How to survive a disaster and how to handle the recovery process
  • Emergency response responsibilities and procedures
  • Plan lists and describes the efforts to resume normal operations at the primary site of business.
  • BCP and DRP may sound like the same thing, BUT they are not the same.


Business Continuity Planning (BCP)

  • Business Continuity (BC): represents the final response of the organization when faced with an interruption of its critical operations
  • More than 50% of all organizations that close their doors for more than a week never reopen, due to lack of planning.
  • BC is designed to get the organization’s most critical services up and running as quickly as possible.
  • DR rather focuses on resuming operations at the primary site; BCP concentrates on resuming critical functions at an alternate site.


Where Do We Start From:

Project Initiation

  • Management Support sought
  • Make a business case
  • Cost vs. benefit
  • Regulatory requirement
  • Current inherent vulnerabilities of organization
  • Ramifications of similar organizations not having such plans
  • Business issues of partners, insurance, and obtaining capital


Senior Executive Management’s Role

  • Due diligence and Due care
  • Drive all phases of the plan
  • Consistent support and final approval
  • Ensure that testing takes place
  • Create a budget for this work



Why Is BCP/DRP a Hard Sell to Mgmt.

  • Resource intensive and takes years to complete
  • Direct return on investment (ROI) not perceived
  • Rather a drain on organization’s bottom line



Importance of Plan

  • Organization could vanish if not prepared
  • Capability of staying “up and running”, avoiding any significant down time
  • Lack of plan could affect insurance, liability, and business opportunities
  • Part of business decisions today (Partners need to know, Shareholders/Board of trustees demand it, A Regulatory MUST)
  • 9/11 Has Fueled Change of Attitudes About BCP



Who Does It?


  • Group that will perform risk assessment and analysis
  • Representatives from different organization’s departments
  • Analysis must be performed before developing plan
  • A BCP coordinator must be appointed to oversee and execute:
    • A Business Impact Analysis
    • Plan development and implementation
    • Testing and plan maintenance


BC Team Organization

  • Emphasis should be on generalized business and technology skills
  • BC team should have representatives from:
    • Senior management
    • Corporate functional units, including HR, Legal, and Accounting
    • IT managers and a few technical specialists with broad technical skill sets
    • InfoSec managers and a few technical specialists
  • BC team members cannot also be on the DR team
  • BC team may be divided into sub-teams:
    • BC management team
    • Operations team
    • Computer setup (hardware) team
    • Systems recovery (OS) team
    • Network recovery team
    • Applications recovery team
    • Data management team
    • Logistics team
  • BC Management team:
    • Command and control group responsible for all planning and coordination
    • Facilitates the transfer to the alternate site
    • Handles communications, business interface, and vendor contact functions
  • Operations team:
    • Works to establish core business functions needed to sustain critical business operations
  • Computer setup (hardware) team:
    • Sets up hardware in the alternate location
  • Systems recovery (OS) team:
  • Installs operating systems on hardware, sets up user accounts and remote connectivity with network team
  • Network recovery team:
    • Establishes short- and long-term networks, including hardware, wiring, and Internet and intranet connectivity
  • Applications recovery team:
    • Responsible to get internal and external services up and running
  • Data management team:
  • Responsible for data restoration and recovery
  • Logistics team:
  • Provides any needed supplies, materials, food, services, or facilities needed at the alternate site



BC Planning process

  • Develop the BC planning policy statement
  • Review the BIA
  • Identify preventive controls
  • Develop relocation strategies
  • Develop the continuity plan
  • Testing, training, and exercises
  • Plan maintenance


  • Purpose:
    • Executive vision
    • Primary purpose of the BC program
  • Scope:
    • Organizational groups and units to which the policy applies
  • Roles and responsibilities:
    • Identifies key players and their responsibilities
  • Resource requirements:
    • Allocates specific resources to be dedicated to the development of the BC


  • Training requirements:
    • Training for various employee groups
  • Exercise and testing schedule:
    • Stipulation for the frequency and type of testing for the BC plan
  • Plan maintenance schedule:
    • Frequency of review and who is involved
  • Special considerations:
    • Overview of information storage and retrieval plans and who is responsible








To Become Certified For CISSP Please Visit This Link;

Comments are closed.