Business Continuity Planning (BCP)
Business Continuity Plan - Emergency operations
Business Recovery Plan - Salvage, restoration, recovery
404
Business Continuity Planning (BCP)
- Business Continuity Planning (BCP) reduces risks related to onset of disasters or other disruptive events
- Primary objective - Improve changes organisation will survive a disaster without costly or fatal damage to critical activities
404
BCP - Disasters
DIsasters are unexpected or unplanned events that result in disruption of business operations. Types include;
- Natural Disasters
- Human-Caused Disasters
405
BCP - Risk Analysis
- During risk analysis, primary, secondary, upstream and downstream effects of a disaster scenario must be identified and considered
- The person performing the analysis needs a broad understanding of interdependencies of business processes and IT systems
- Personnel developing continguency and recovery plans need to be familiar with the effects of a disaster also to help plan adequately
410
BCP
BCP process is a life-cycle process. A set of activities that result in ongoing preparedness and need for review
- Assign ownership of program
- Develop BCP policy
- Conduct business impact analysis
- Perform criticality analysis
- Establish recovery targets
- Define KRIs and KPIs
- Develop Recovery and continuity strategies and plans
- Test recovery and continity plans and procedures
- Test intergration of business continuity and disaster recovery plans
- Train personnel
- Maintain strategies, plans, and procedures through periodic reviews and updates
BCP and COBIT
The COBIT objective lists 8 specific controls that constitute the BCP continuity life cycle;
- Define the business continuity policy, objectives, and scope
- Maintain business resilience
- Develop and implement a business continuity response
- Exercise, test, and review the BCP and DRP
- Review, maintain, and improve the continuity plans
- Conduct conttinuity plan training
- Manage backup arrangements
- Conduct post-resumption review
413
Developing Continuity Plans
An organisation must develop the following procedures to be prepared;
- Personnel safety procedures
- Disaster declaration procedures
- Responsibilities
- Contact information
- Recovery procedures
- Continuing operations
- Restoration procedures
413
Personnel safety procedures
Measures to ensure safety of personnel are first priority
Disaster declaration procedures
Initiated when a disaster is declared
Responsibilities
Assigning resposibilities for the execution and management of important tasks
Contact information
Recovery procedures
Processes and sequences (instructions) personnel use to recover critical systems
Continuing operations
Aligned more with business processes than IT operations. Procedures for continuing operations however may include IT systems and as such, both are related
Restoration procedures
Processes and procedures for transitioning back to normal business operations
Maintaining Recovery and Continuity Plans
BCPs are likely to be out of date within months, and obsolete within a year. A schedule should be implemented to review the plan as a minimum once a year, or when there is a major change
429
Maintaining Recovery and Continuity Plans
Periodic testing of a disaster recovery plan and validation of dcuments is a vital activity
429
Sources of Best Pracitce
THere are several sources of best practices and methodologies for BCP/DR planning;
- National Institute of Standards and Technology (NIST)
- National Incident Management Systems (NIMS)
- Business Continuity Institute (BCI)
- National Fire Protection Agency (NFPA)
- Federal Emergency Management Agency (FEMA)
- Disaster Recovery Institute Intenratioanl (DRI International)
- Business Continnuity Management Institute (BCM Institute)
430
