PP4 Design Flashcards

1
Q

Solution design process should include the following steps:

A
  1. Identify and document the organization’s existing
    continuity capability (if this has not yet been done).
  2. Identify suitable solutions that enable each RTO, RPO
    and MBCO to be achieved.
  3. Adjust solutions to accommodate a phased level of
    recovery, as required. This may be driven by the MBCO
    requirements.
  4. Analyse solutions for effectiveness and cost. High-level approximate costs may be used at this point to
    support decision making.
  5. Provide top management with an evaluation of the range of solutions and obtain management approval
    on those selected.
  6. Consolidate the selected solutions by resource type.
  7. Provide top management with an evaluation of the
    consolidated requirements and budgetary
    requirements for procurement.
  8. Obtain agreement from top management
    to provide the financial and resource provisions
    for the implementation of the agreed
    solutions.
  9. Establish projects required to implement agreed
    solutions.
2
Q

BC solutions that can be used within an organization

A
  1. Diversification: Separating activities & resources & running live activities at two or more locations so that in the event of disruption at one location, the activities can continue at the alternate location.
  2. Replication: Duplicating resources to enable activities to be recovered quickly is a variation on diversification.
  3. Standby: Where the RTO allows for a longer response time, measured in days rather than hours, an appropriate solution may be to have a standby facility available that can be made operational within the RTO.
  4. Post-incident acquisition: When prioritised activities have RTOs that are measured in days or weeks, organizations can consider a BC solution where the required resources are acquired after the disruption occurs.
  5. Do nothing: This solution involves waiting until after the incident to decide what to do.
3
Q

Diversification

A

Office location: Separate premises where same activity occurs in parallel.

Remote working location: Operations are entirely remote or combination of personnel working remotely and at office.

People: People in separate locations that are concurrently undertaking the same activity.

IT: Two copies of system and its data in separate locations that are kept synchronised and live.

Equipment: Duplicated operational equipment held in separate location, with automatic transfer from one to
the other.

Consumables: Duplicated items held in separate locations with stock being supplied from both locations.

Suppliers: Separate suppliers that are currently providing the same product or service.

4
Q

Replication

A

Office location: Separate premises that have facilities required to undertake activity, but not currently being used.

Remote working location: Remote working is available and ready at any time with office equipment and ICT available, though not currently being used.

People: People in another location are experienced and able to undertake the same activity, but not yet doing so.

IT: Operational copy of system and its data held in a separate location that is periodically synchronised
with live version and needs switching to be made live.

Equipment: An exact non-operational copy of equipment held in separate location that can be rapidly made live.

Consumables: Duplicated items held in a separate location that is not currently being used.

Suppliers: An alternate supplier that has already been contracted to provide same product or service as an
existing supplier, but is not currently doing so.

5
Q

Standby

A

Office location: Separate premises that have some facilities required to undertake an activity, but additional
facilities will be required before the activity can be
undertaken.

Remote working location: Remote working can be made ready following simple setup or partial acquisition.

People: Individuals in another location have been trained to do same activity, but are not yet experienced
and will require guidance.

IT: Operational copy of system held in a separate location and a backup of its data that needs to be
loaded and tested with manual switching to be live.

Equipment: Replacement equipment held in a separate location that needs to be made operational.

Consumables: Replacement items held in a separate location that could be used with modification.

Suppliers: A pre-agreed supplier that can provide the same product or service as an existing supplier and has
agreed to do so when required, but there is currently no contract in place.

6
Q

Post-incident acquisition

A

Office location: Suitable premises can be acquired which may or may not already have facilities required to
undertake an activity.

Remote working location: Remote working generally not ready but can be made ready through acquisition of office equipment and ICT.

People: External people skilled in undertaking activity can be hired, or internal personnel that can be
trained to undertake an activity.

IT: Backup copies of system and its data that need to be installed on equipment acquired after incident.

Equipment: Equipment that can be acquired from a supplier.

Consumables: Items that can be acquired from a supplier.

Suppliers: Suppliers that can be asked to supply a product or service.

7
Q

Safe separation distance

A

Many incidents, for example earthquakes, wildfires, major floods and other natural disasters, can result in loss of access to a wide geographic area, so the organization should consider the need for adequate separation distance between original and duplicate resources.

8
Q

Selection of safe separation distance should consider:

A
  1. Organization’s strategy, objectives, and culture.
  2. Organization’s target market.
  3. How far personnel are able or willing to travel to a relocation site.
  4. RTOs and RPOs.
  5. Organization’s geographic environment and its susceptibility to natural disasters.
  6. How spread of a natural disaster is likely to affect the
    organization.
  7. Any existing legal or regulatory requirements relating to safe separation distance.
9
Q

Main outcomes from designing BC solutions are:

A
  1. Set of BC solutions which are agreed by top
    management.
  2. BC capability, based on agreed solutions that should be used when developing and implementing plans.
  3. Sufficient information and clarity of solutions to establish projects with appropriate funding and resources for implementing the agreed solutions.
  4. Consolidated set of resource requirements to be used when purchasing resources.
10
Q

The key steps when evaluating risk and threat mitigation measures are:

A
  1. Review output from BIA and risk and threat assessment to identify unacceptable levels of risk, single points of failure and threats to the organization’s prioritised activities.
  2. Identify any measures that can be taken to reduce the
    likelihood or impact of a disruption to the organization’s prioritised activities.
  3. Determine which risks and threats can be mitigated
    by having a business continuity plan in place.
  4. Analyse the mitigation measures for effectiveness
    and cost.
  5. Obtain agreement and sign-off from top management for the recommended mitigation measures, including acceptance of any identified risks and confirmation that financial and resource provisions will be available.
  6. Establish and implement projects for each of the
    agreed mitigation measures.
11
Q

Ensure suppliers have effective and adequate business continuity arrangements in place by:

A
  1. Including BC requirements in supply contracts.
  2. Seeking evidence of compliance with recognised BC standard.
  3. Reviewing each supplier’s BC programme to
    ensure it is effective and adequate.
  4. Undertaking joint exercises with suppliers.
  5. Agreeing realistic service levels for supply disruption.