Notesale: Turn your study into money

Document Preview

Extracts from the notes are below, to see the PDF you'll receive please use the links above

---

A Guide to Business Continuity Planning
This publication provides a summary and general guidelines for business continuity planning (BCP)
...
Although they differ
in goals and functions, BCP can be applied by all organizations
...
A Disaster Recovery Plan deals with
recovering Information Technology (IT) assets after a disastrous interruption
...

Recognizing that some services or products must be continuously delivered without interruption, there has been a shift
from Business Resumption Planning to Business Continuity Planning
...
Instead of focusing on
resuming a business after critical operations have ceased, or recovering after a disaster, a business continuity plan
endeavors to ensure that critical operations continue to be available
...

Even though buildings were destroyed and blocks of Manhattan were affected, businesses and institutions with good
continuity plans survived
...


all types of threats must be considered;
dependencies and interdependencies should be carefully analyzed;
key personnel may be unavailable;
telecommunications are essential;
alternate sites for IT backup should not be situated close to the primary site;
employee support (counselling) is important;
copies of plans should be stored at a secure off-site location;
sizable security perimeters may surround the scene of incidents involving national security or law enforcement, and
can impede personnel from returning to buildings;

Emerging issues
Continuous Service Delivery Assurance (CSDA) is a commitment to continuous delivery of critical services that avoids
immediate severe disruption to an organization
...

Continuous risk management lowers the risk of disruption and assesses the potential impacts of disruptions when they
occur
...


What is business continuity planning?
Critical services or products are those that must be delivered to ensure survival, avoid causing injury, and meet legal or
other obligations of an organization
...

A Business Continuity Plan includes:



Plans, measures and arrangements to ensure the continuous delivery of critical services and products, which
permits the organization to recover its facility, data and assets
...


Having a BCP enhances an organization's image with employees, shareholders and customers by demonstrating a
proactive attitude
...


Why is business continuity planning important
Every organization is at risk from potential disasters that include:









Natural disasters such as tornadoes, floods, blizzards, earthquakes and fire
Accidents
Sabotage
Power and energy disruptions
Communications, transportation, safety and service sector failure
Environmental disasters such as pollution and hazardous materials spills
Cyber attacks and hacker activity
...


Creating a business continuity plan
A BCP typically includes five sections:
1
...

3
...

5
...


The BCP senior management committee is responsible for the oversight, initiation, planning, approval, testing and audit of
the BCP
...

Senior managers or a BCP Committee would normally:





approve the governance structure;








provide strategic direction and communicate essential messages;

clarify their roles, and those of participants in the program;
oversee the creation of a list of appropriate committees, working groups and teams to develop and execute the
plan;
approve the results of the BIA;
review the critical services and products that have been identified;
approve the continuity plans and arrangement;
monitor quality assurance activities; and
resolve conflicting interests and priorities
...




BCP Coordinator secures senior management's support; estimates funding requirements; develops BCP policy;
coordinates and oversees the BIA process; ensures effective participant input; coordinates and oversees the
development of plans and arrangements for business continuity; establishes working groups and teams and defines
their responsibilities; coordinates appropriate training; and provides for regular review, testing and audit of the BCP
...




Chief Information Officer (CIO) cooperates closely with the BCP coordinator and IT specialists to plan for effective
and harmonized continuity
...


The BCP committee is commonly co-chaired by the executive sponsor and the coordinator
...


Identify the mandate and critical aspects of an organization
This step determines what goods or services it must be delivered
...


Prioritize critical services or products
Once the critical services or products are identified, they must be prioritized based on minimum acceptable delivery levels
and the maximum period of time the service can be down before severe damage to the organization results
...


Identify impacts of disruptions
The impact of a disruption to a critical service or business product determines how long the organization could function
without the service or product, and how long clients would accept its unavailability
...


Identify areas of potential revenue loss
To determine the loss of revenue, it is necessary to determine which processes and functions that support service or
product delivery are involved with the creation of revenue
...
Loss of image or
reputation is especially important for public institutions as they are often perceived as having higher standards
...

When considering insurance options, decide what threats to cover
...
Some aspects of an operation may be overinsured, or
underinsured
...

Document the level of coverage of your institutional policy, and examine the policy for uninsured areas and non specified
levels of coverage
...
Coverage for such eventualities is available as an extension in the
policy
...
Ensure that the
adjustor understands the expected full recovery time when documenting losses
...

Include an expert or an insurance team when developing the response plan
...
Ranking is based on the potential loss of revenue, time of recovery and severity of impact a disruption would
cause
...


Identify dependencies
It is important to identify the internal and external dependencies of critical services or products, since service delivery
relies on those dependencies
...

External dependencies include suppliers, any external corporate assets such as equipment, facilities, computer
applications, data, tools, vehicles, and any external support services such as facility management, utilities,
communications, transportation, finance institutions, insurance providers, government services, legal services, and health
and safety service
...
These
plans and arrangements detail the ways and means to ensure critical services and products are delivered at a minimum
service levels within tolerable down times
...


Mitigating threats and risks
Threats and risks are identified in the BIA or in a full-threat-and-risk assessment
...
For example, if an organization requires electricity for
production, the risk of a short term power outage can be mitigated by installing stand-by generators
...

Communications failures can be minimized by using alternate communications networks, or installing redundant systems
...
Include them in
the BCP if they are relevant
...
Ensure that plans are made for
increasing levels of severity of impact from a disruption
...
If water rises to the first floor, work could be moved to another company
building or higher in the same building
...

Another example would be a company that uses paper forms to keep track of inventory until computers or servers are
repaired, or electrical service is restored
...

The risks and benefits of each possible option for the plan should be considered, keeping cost, flexibility and probable
disruption scenarios in mind
...


Response preparation
Proper response to a crisis for the organization requires teams to lead and support recovery and response operations
...

The number and scope of teams will vary depending on organization's size, function and structure, and can include:



Command and Control Teams that include a Crisis Management Team, and a Response, Continuation or Recovery
Management Team
...

For the teams to function in spite of personnel loss or availability, it may be necessary to multitask teams and provide
cross-team training
...
There are three types of alternate facility:

1
...

3
...
Proper equipment and furnishings
must be installed before operations can begin, and a substantial time and effort is required to make a cold site fully
operational
...

Warm site is an alternate facility that is electronically prepared and almost completely equipped and furnished for
operation
...
Warm sites are more expensive than cold sites
...
Hot sites can be activated within minutes or
seconds
...


When considering the type of alternate facility, consider all factors, including threats and risks, maximum allowable
downtime and cost
...
Hardened sites contain security features that
minimize disruptions
...


Readiness procedures
Training
Business continuity plans can be smoothly and effectively implemented by:




Having all employees and staff briefed on the contents of the BCP and aware of their individual responsibilities
Having employees with direct responsibilities trained for tasks they will be required to perform, and be aware of
other teams' functions

Exercises
After training, exercises should be developed and scheduled in order to achieve and maintain high levels of competence
and readiness
...
The
following items should be incorporated when planning an exercise:
Goal
The part of the BCP to be tested
...
Objectives should be challenging, specific, measurable, achievable, realistic and timely
...

Artificial aspects and assumptions
Defines which exercise aspects are artificial or assumed, such as background information, procedures to be
followed, and equipment availability
...

Exercise Narrative
Gives participants the necessary background information, sets the environment and prepares participants for
action
...

Communications for Participants
Enhanced realism can be achieved by giving participants access to emergency contact personnel who share in
the exercise
...

Testing and Post-Exercise Evaluation
The exercise should be monitored impartially to determine whether objectives were achieved
...
Debriefing should be short, yet comprehensive, explaining what did and did not work, emphasizing
successes and opportunities for improvement
...

Exercise complexity level can also be enhanced by focusing the exercise on one part of the BCP instead of involving the
entire organization
...
It should also uncover which aspects of
a BCP need improvement
...
The appraisal can
be performed by an internal review, or by an external audit
...


External audit
When auditing the BCP, consultants nominally verify:




Procedures used to determine critical services and processes
Methodology, accuracy, and comprehensiveness of continuity plans

What to do when a disruption occurs
Disruptions are handled in three steps:
1
...

3
...
The following tasks are
accomplished during the response phase:





Incident management
Communications management
Operations management

Incident management
Incident management includes the following measures:








notifying management, employees, and other stakeholders;
assuming control of the situation;
identifying the range and scope of damage;
implementing plans;
identifying infrastructure outages; and
coordinating support from internal and external sources
...
Communications management requirements
may necessitate building redundancies into communications systems and creating a communications plan to adequately
address all requirements
...
Having a
centralized EOC where information and resources can be coordinated, managed and documented helps ensure effective
and efficient response
...


Recovery and restoration
The goal of recovery and restoration operations is to, recover the facility or operation and maintain critical service or
product delivery
...
All organizations are at risk and face
potential disaster if unprepared
...




---