Ch. 3.3
Business Continuity Plan
A plan for recovering critical functions after a catastrophic disaster or extended disruption.
Disaster Recovery Plan (DRP)
A plan for resumption of applications, data access, hardware, communications, and other IT infrastructure in case of disaster.
What is the primary goal of business continuity planning?
Maintaining business operations with reduced or restricted infrastructure capabilities or resources
Business Continuity ensures that critical business functions are available to customers, suppliers, regulators, and other entities that must have access to those functions. Business continuity:
Refers to activities performed daily to maintain service, consistency, and recover-ability. It is not something implemented at the time of a disaster.
You are a database administrator and the first responder for database attacks. You have decided to test one part of your current Business Continuity Plan (BCP) with two other database professionals. Which type of BCP test is this considered?
Tabletop exercise
Business Impact Analysis (BIA)
The identification and prioritization of BCF's, a calculation of a timeframe for recovering them, and estimation of the tangible and intangible act on the organization.
Keep in mind the following when creating the disaster recovery and business continuity plans:
*A good plan documents all important decisions before the disaster strikes. When a disaster occurs, staff members simply need to follow the documented procedures. Disaster response is typically divided into phases: 1.) Identify the disaster, ensure safety of personnel, and begin to implement recovery procedures. 2.) Implement short-term recovery mechanisms to bring mission-critical systems online. 3.) Stabilize operations by restoring supporting departments and functions. 4.)Implement measures to restore all functions to normal. Switch back from temporary measures to normal operating procedures. The order of restoration is defined in the BCP and then carried out in the last phase. A typical restoration order begins with the systems, databases. and applications that are most critical to the continued operation of business. The order of restoration will often vary significantly from one company to another. * Define processes for implementing, testing, and training team members. Team members should be representatives from all major parts of the corporation. *After this plan has been created, conduct regular practices and training exercises to test portions of the plan. Revise the plan or training as necessary. *As a BCP or DRP plan evolves over time, it is essential to collect and destroy all outdated copies of the plan as a new version of a plan is rolled out. *Assign responsibility for ongoing maintenance of the BCP and DRP plans.
A BCP:
*Identifies and prioritizes critical functions. *Calculates recovery timeframes. *Identifies plans, including resource dependencies and response options, to bring critical functions online within an established timeframe. These plans spell out a clear order of restoration based on company needs and priorities, as well as legal responsibilities to customers and shareholders. *Specifies procedures for security of unharmed assets. *Identifies procedures for salvage of damaged assets. *Identifies BCP team members who are responsible for plan implementation. *Should be tested on a regular basis to verify that the plan still meets recovery objectives. Three different types of tests are commonly used: *In a tabletop exercise, a small number of individuals get together and test just one part of the BCP. They typically work through a simple scenario and then analyze the plan to identify any changes that may be necessary. In a medium exercise, a larger number of individuals get together and work though a larger-scale simulation that incorporates many parts of the BCP. Medium exercises incorporate a higher degree of realism than a tabletop exercise. Once complete, the participants analyze the plan to identify any changes that may be necessary. A complex exercise involves a very large number of individuals and a very realistic scenario that may involve full-scale practice exercises.
Business Impact Analysis (BIA) focuses on the impact losses will have on the organization. A BIA:
*Identifies threats and can affect processes/assets *Identifies mission-essential functions *Identifies critical systems *Establishes the maximum downtime (MDT) the corporation can survive without the process/asset *Establishes other recovery benchmark values *Recovery Point Objective (RPO) *Recovery Time Objective (RTO) *Meantime between failures (MTBF) *Meantime to repair (MTTR) *Estimates tangible (financial loss) and intangible (loss of customer trust)impact on the organization. *Life *Property *Safety *Finance *Reputation
Succession planning:
*Increases the availability of experienced and capable employees that are prepared to assume specific roles as they become available. *Ensures that the right competencies are recruited into the organization, nurtured, and developed over time to guarantee smooth transitions for future vacancies. *Contrasts replacement planning, which focuses on identifying specific backup candidates for given positions.
The Disaster Recovery Plan (DRP) identifies short term actions necessary to stop the incident and restore critical functions so the organization can continue to operate. The DRP is a subset of the BCP, and is the plan for IT-related recovery and continuity. A disaster recovery plan should include:
*Plans for resumption of applications, data, hardware, communications, and other IT infrastructure in case of disaster. *Attempts to take into consideration every failure possible. *Plans for converting operations to alternate processing sites in case of disaster. *Plans for converting back to the original site after the disaster has concluded. *Disaster recovery exercises (such as fire drills) that simulate a possible disaster. Decisions about alternate site locations need to be guided by the following requirements: *Maintain adequate Geographic distance between primary and secondary sites. Such geographic diversity can minimize the possibility of a disaster bringing down both sites. *Site locations can have legal implications, especially when data is stored in multiple countries. Data sovereignty refers to the fact that every country has its own laws and regulations regarding digital data storage. Data safety and privacy concerns may need to be reassessed for each location. *Decide whether the backup site will be hot or cold. A hot site is set up with servers and workstations that have almost immediate access to data that is continuously replicated from the main site.If this it too expensive, a cold site, such as an empty warehouse, can be used. The disadvantage of a cold site is that it will take much longer to install the necessary hardware and software necessary to resume business operations. *Whether a hot or cold site is chosen as a backup, alternate business practices and processes need to be defined and stored in each location. Critical tasks should be described in sufficient detail to allow business staff to carry them out with minimal training.
A business continuity plan identifies actions required to restore the business to normal operation. It is designed to ensure that critical business functions (CBF) can be performed when operations are disrupted. Development of a BCP would include the following steps:
1.)Analysis 2,)Solution design 3.)Implementation 4.)Testing and organization acceptance 5.)Maintenance
Succession Planning
A process for identifying and developing internal people with the potential to fill key positions within the organization at some point in the future.
Critical Business Functions (CBF)
Activities that are vital to your organization's survival and the resumption of business operation's.
In business continuity planning, what is the primary focus of the Scope?
Business processes
A BCP or DRP plan evolves over time, what is the most important task to perform when rolling out a new version of the plan?
Collect and destroy all old plan copies.
When recovery is being performed due to a disaster, which services are to be stabilized first?
Mission critical
When is a BCP or DRP design and development actually completed?
Never complete, as they need constant improvement and updates.