44 terms

Business Continuity Planning

STUDY
PLAY
What does Business Continuity Planning address?
The preservation and recovery of the business in the event of outages to normal business operations.
What is a disaster?
1) Something that interrupts normal business process.
-A sudden, unplanned calamitous event that brings about great damage or loss.
-In the business environment, it is any event that creates an inability on an organization's part to support critical business functions for some predetermined period of time.
Potentially Disastrous Events
-Natural (i.e,. earthquakes, storms)
-System/Technical (i.e., outages, malicious code)
-Supply Systems (i.e., electrical power problems)
-Human-Made/Political (i.e., disgruntled employees, riots, vandalism)
Defining a BCP
An approved set of advanced arrangements
and procedures that enable an organization to:
-Ensure the safety of people.
-Minimize the amount of loss.
-Facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.
-Repair or replace the damaged facilities as soon as possible.
-Traditionally, recovery plans focused on the recovery of critical computer systems running at data centers.
-Today, recovery plans must also focus on the critical computer systems operating in a distributed environment involving personal computers, LANs, telecommunications, etc.
-Essentially, continuity plans address every critical function of an enterprise.
Requirements of Business Continuity Planning
-Provide an immediate, accurate, and measured response to emergency situations, with the overall goal of ensuring the safety of individuals.
-Mitigate the damage you are experiencing as a result of the disaster.
-Ensure the survivability of the business.
-Provide procedures and a listing of resources to assist in the recovery process.
-Identify vendors that may be needed in the recovery process and put agreements in place with selected vendors.
-Avoid confusion experienced during a crisis by documenting, testing, and training plan procedures.
-Clear guidance for declaring a disaster.
-Provide the necessary direction to ensure the timely resumption of critical services.
-Document storage, safeguarding, and retrieval procedures for critical systems and supporting functions.
-Describe the actions, resources, and materials required to restore critical operations at an alternate site in the event that the primary site(s) has suffered a serious outage.
-Document recovery procedures so they can be executed by knowledgeable people.
Define BCP Scope
Should cover all aspects of an organization, including:
-Personnel
-Facilities
-Infrastructure
-Support systems
-Information systems
Define Business Continuity Management
-A strategic and operational framework to review the way an organization provides its products and services while increasing its resilience to disruption, interruption or loss.
-Provides a framework for building resilience and the capability for an effective response which safeguards the interests of a company's key stakeholders, reputation, brand and value creating activities.
Phase I: Project Management and Initiation
1) Establish the need for a BCP.
-Perform a focused risk analysis to identify and document potential outages to critical systems.
2)Obtain management support.
3)Identify strategic internal and external resources to ensure that BCP matches overall business and technology plans.
4)Establish the project management work plan that includes the:
-Scope of the project
-Identification of objectives
-Determination of methods for organizing and managing development of the BCP
-Identification of related tasks and responsibilities
-Scheduling of formal meetings and task completion dates
5)Determine the need for automated data collection tools, including plans to provide training on how to use the software.
6)Establish members of the BCP team, both technical and functional representatives.
7)Prepare and present an initial report to management on how the BCP will meet the objectives.
What does a BCP Planner/Coordinator do?
-Ensures that all elements of the plan are thoroughly addressed and an appropriate level of planning, preparation, and training have been accomplished.
-Serves as leader for the development team.
-Has direct access and authority to interact with all employees necessary to complete the plans.
-Is in a position within the organization to balance the needs of the organization with the needs of the individual business units that may be affected.
-Has knowledge of the business to be able to understand how a disaster can affect the organization.
-Has easy access to management.
-Is able to review the charter, mission statement, and executive viewpoint.
-Has the credibility and ability to influence senior management when decisions need to be made.
Define Team Members
Representatives also include, but are not limited
to:
-Senior Management, Chief Financial Officer, etc.
-Legal Staff
-Business Unit/Functions
-Support Systems
-Recovery Team Leaders
-Information Security Department
-Data Communications Department
-Communications Department

The same people who would be responsible for executing the plan in the event of an outage, must also be involved in preparing the BCP.
Define Project Plan
1)Identify and develop business continuity plan phases similar to traditional project plan phases.
-Including problem investigation, problem definition, feasibility study, systems description, implementation, installation, and evaluation.
2)Establish business continuity plan project characteristics.
-Such as goals/objectives, tasks, resources (personnel, financial), time schedules, budget estimates, and critical success factors
Phase II: Business Impact Analysis (BIA)
A functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:
-Allowable Business Interruption - the Maximum Tolerable Downtime
-Financial and Operational Considerations
-Regulatory Requirements
-Organizational Reputation
-The BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.
Eight Steps of the BIA
Step 1: Select Interviewees
Step 2: Determine information gathering techniques
Step 3: Customize questionnaire to gather economic and operational impact information (quantitative and qualitative questions)
Step 4: Analyze information
Step 5: Determine time-critical business systems
Step 6: Determine maximum tolerable downtimes
Step 7: Prioritize critical business systems based on maximum tolerable downtimes
Step 8: Document findings and report recommendations
Phase III: Recovery Strategies
A set of pre-defined and management approved actions that will be followed and implemented in response to a business interruption.
Define Recovery Strategies Focus
-Meeting the pre-determined recovery time frames.
-Maintaining the operation of the critical business functions.
-Compiling the resource requirements.
-Identifying alternatives that are available for recovery.
Recovery Strategies Key Element
The key element of developing a recovery strategy is to base it on the recovery time for mission critical business systems -- as outlined in the Business Impact Analysis.
Recovery Strategies Development Steps(5)
1. Document all costs with each alternative.
2. Obtain cost estimates for any outside services.
3. Develop written agreements for such services.
4. Evaluate resumption strategies based on a full loss of the facility.
5. Document recovery strategies and present to management for comments and approval.
Categories of Recovery Strategies
1) Business Recovery
2) Facility and Supply
3) User
4) Operational
5) Data
Business Recovery
Focus is on the critical resources and the maximum tolerable downtime for each business/support unit system. This may include the identification of:
-Critical IT system hardware, software, and data
-Critical equipment, supplies, furniture, and office space
-Key personnel for each business unit and support unit, such as Operations, Facilities, Security, etc.
Facility and Supply Recovery
Focus is on restoration and recovery such as:
1) Facility - main building, remote facilities
2) Inventory - supplies, equipment, paper, forms
3) Equipment - network environments, servers, mainframe, microcomputers, etc.
4) Telecommunications - voice and data
5) Documentation - application, technical materials
6) Transportation - movement of equipment, personnel
7) Supporting equipment - HVAC, safety, security
User Recovery
Focus is on personnel requirements such as:
-Manual procedures
-Vital record storage (i.e. Medical, Personnel)
-Employee transportation
-Critical documentation and forms
-User workspace and equipment
-Alternate site access procedures
Operational Recovery
1) Determine the necessary equipment configurations such as:
-Mainframes, LANs, microcomputers, peripherals
-Explore opportunities for integration/consolidation
-Usage parameters
2) Data communications configurations include:
-Switching equipment, Routers, Bridges, Gateways
3) Outline alternative strategies for technical capabilities, such as network infrastructure components.
4) Options include:
-Hot Site, Warm Site, Cold Site, Mobile Site
-Reciprocal or Mutual Aid Agreements
-Multiple Processing Centers
Service Bureaus
Software and Data Recovery
Focus is on the recovery of information (the data).
Options include:
-Backing up and Off-site storage
-Electronic vaulting
-On-line tape vaulting
-Remote journaling
-Database Shadowing
-Standby Services
-Software Escrow
Phase IV: BCP Design and Development
In this phase the team prepares and documents a detailed plan for recovery of critical business systems. End products include:
-Business and Service Recovery Plans
-Plan Maintenance Programs
-Employee Awareness and Training Programs
-Test Method Descriptions
-Restoration Plans
Design and Development Steps 1 - 4
-Determine management concerns and priorities.
-Determine planning scope such as geographical concerns, organizational issues, and the various recovery functions to be covered in the plan.
-Establish outage assumptions.
-Identify response procedures, such as ensuring evacuation and safety of personnel, notification of disaster, initial damage assessment, activating teams, relocating to alternate sites.
Design and Development Steps 5 - 7
5. Identify resumption strategies for mission critical- and non-mission critical-systems at alternate sites.
6. Identify the location for the emergency operations center/command center.
7. Identify restoration procedures for salvage, repair, and return to the primary site. Also, the procedures to deactivate the recovery site.
Design and Development Step 8
--Plan and implement the gathering of data required for plan completion.
-Personnel information
-Vendor services
-Equipment, software, forms, supplies
-Vital records
-Technical information
-Office space requirements
Design and Development Step 9
--Review and outline who (and how) the organization will interface with external groups
-Customers
-Shareholders
-Civic officials
-Community, region, and state emergency services groups
-Utility providers
-Industry group coalitions
-Media
Design and Development Step 10
--Review and outline how the organization will cope with other complications beyond the actual disaster.
-Responsibility to families
-Coordination with human resource and legal departments
-Fraud opportunities
-Looting and vandalism
-Ensuring primary site is protected during disaster
-Safety and legal problems
-Expenses exceeding emergency manager authority
Design and Development Steps 11 - 13
- Develop support service plans, including human resources, public relations, transportation, facilities, information processing, telecommunications, etc.
- Develop business function plans and procedures.
- Develop facility recovery (i.e. the building) plans.
BCP Document
The final aspect of this phase is to combine all of the various steps into the organization's BCP. This plan should then be interfaced with the organization's other emergency plans.
Phase V: Testing, Maintenance, Awareness and Training
In this phase, plans for testing and maintaining the BCP are implemented and also awareness and training procedures are executed.
Phase V: Plan Testing
Plan testing ensures that the business continuity capability remains effective, regardless of the disaster. It includes:
-Testing objectives
-Measurement criteria
-Test Schedules
-Post-test reviews
-Test results reported to management
The five main types of BCP testing
strategies are:
Checklist
Structured Walk-Through
Simulation
Parallel
Full Interruption
Phase V: Plan Maintenance Goal
Develop processes that maintain the currency of continuity capabilities and the BCP document in accordance with the organization's strategic direction. This includes:
-Changing management procedures
-Resolving problems found during testing
-Building maintenance procedures into the process
-Centralizing responsibility for updates
-Reporting results regularly to team members
Phase V: Plan Maintenance Functions
Functions are:
-Receive and monitor input on needed revisions - maintain revision history
-Plan maintenance reviews as needed
-Monitor changes within business units, such as upgrades to systems
-Control plan maintenance distribution (who receives a copy of plan updates)
-Ensuring version control - obsolete editions of the plan are collected and destroyed.
Damage Assessment
-Determine the extent of damage to the facility.
-Estimate the time needed to resume normal operations.
-Notify management of the findings

-If the time estimated to resume operations exceeds the Maximum Tolerable Downtime (MTD) for critical business functions, then management should consider declaring a disaster and implementing the BCP.
Restoration Actions
Involve restoring the primary site to normal operation conditions.
-Complete an assessment of all damage.
-Initiate cleanup of the primary site.
-Implement necessary replacement procedures.
-Move unused backup materials (i.e., supplies, magnetic media, backup documentation) from the alternate site to the primary site.
-Do least critical work first.
-Perform installations and updates of programs and data.
-Certify and accredit the system at the primary site.
-Initiate normal processing.
Example of a Recovery Process
1) Respond to the Disaster
2) Recover Critical Functions
3) Recover Non-critical Functions
4) Salvage and Repair
5)Return to Primary Site
Disaster Activity Example
1) Assemble emergency operations team.
2) Contact recovery team members to participate in the initial damage assessment.
3) Determine the extent of damage to the primary site facility, including:
-Building structure
-Damage to utilities
-Access to different areas within the building, including capability to secure the building.
4) Calculate the time required to resume critical and non-critical business operations.
5) Notify management of the results.
6) Declare a disaster and begin implementation of continuity/recovery plans.
7) Maintain a log of all steps taken after a disaster. Be sure to note time, location, what has been done, who did it, and any expenses incurred.
8) Establish the command center to provide management control, administrative, logistic, and communications support.
9) Move backup resources to the appropriate recovery site.
10) Allocate the required office space and recovery resources to the recovery teams
11) Resume critical business functions at recovery site.
12) Resume critical business functions at recovery site.
13) Resume critical business at recovery site
14) Resume non-critical business at recovery site.
Salvage & Repair Example
-At the primary site, complete a detailed assessment of all damage at the primary site.
-Initiate cleanup of the primary site.
-If necessary, dispose of damaged equipment and procure new equipment.
-Recover water soaked documents.
-Review insurance policies and document information as needed
-Coordinate activities to have repairs made to the damaged areas within the primary site including:
-Facility structure - walls, floors, ceilings, etc.
-Equipment
-Support systems - HVAC, plumbing, etc.
Return to Primary Site Example
-Plan for the return.
-Reactivate fire protection and other alarm systems.
-Planning is different from recovery plan - least critical work should be initiated first.
-Implement and test the network system.
-Certify and accredit the system ready for operations.
-When notified that normal operations have resumed at the primary site, shutdown operations at the alternate site and return backup materials to storage.
What is a business continuity plan?
An approved set of advanced arrangements and procedures that enable an organization to facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.
What are the phases of business continuity planning?
The phases of BCP are: 1)Project Management and Initiation; 2) Business Impact Analysis; 3) Recovery Strategy; 4) Plan Design; and 5) Development, and Testing, Maintenance, Awareness, and Training.
YOU MIGHT ALSO LIKE...