Business Continuity Planning


Design and Development Step 9

Review and outline who (and how) the organization will interface with external groups:
- Customers
- Shareholders
- Civic officials
- Community, region, and state emergency services groups
- Utility providers
- Industry group coalitions
- Media

Design and Development Steps 1 - 4

- Determine management concerns and priorities.
- Determine planning scope such as geographical concerns, organizational issues, and the various recovery functions to be covered in the plan.
- Establish outage assumptions.
- Identify response procedures, such as ensuring evacuation and safety of personnel, notification of disaster, initial damage assessment, activating teams, relocating to alternate sites.

Phase II: Business Impact Analysis (BIA)

A functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:
- Allowable Business Interruption - the Maximum Tolerable Downtime
- Financial and Operational Considerations
- Regulatory Requirements
- Organizational Reputation
The BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.

The five main types of BCP testing strategies are:

- Checklist
- Structured Walk-Through
- Simulation
- Parallel
- Full Interruption

User Recovery

Focus is on personnel requirements such as:
- Manual procedures
- Vital record storage (i.e. Medical, Personnel)
- Employee transportation
- Critical documentation and forms
- User workspace and equipment
- Alternate site access procedures

Design and Development Step 8

Plan and implement the gathering of data required for plan completion:
- Personnel information
- Vendor services
- Equipment, software, forms, supplies
- Vital records
- Technical information
- Office space requirements

Salvage & Repair Example

- At the primary site, complete a detailed assessment of all damage at the primary site.
- Initiate cleanup of the primary site.
- If necessary, dispose of damaged equipment and procure new equipment.
- Recover water soaked documents.
- Review insurance policies and document information as needed.
- Coordinate activities to have repairs made to the damaged areas within the primary site including:
  - Facility structure - walls, floors, ceilings, etc.
  - Equipment
  - Support systems - HVAC, plumbing, etc.

Define Recovery Strategies Focus

- Meeting the pre-determined recovery time frames.
- Maintaining the operation of the critical business functions.
- Compiling the resource requirements.
- Identifying alternatives that are available for recovery.

Potentially Disastrous Events

- Natural (i.e., earthquakes, storms)
- System/Technical (i.e., outages, malicious code)
- Supply Systems (i.e., electrical power problems)
- Human-Made/Political (i.e., disgruntled employees, riots, vandalism)

Categories of Recovery Strategies

1) Business Recovery 2) Facility and Supply 3) User 4) Operational 5) Data

Phase V: Testing, Maintenance, Awareness and Training

In this phase, plans for testing and maintaining the BCP are implemented, and awareness and training procedures are executed.

Phase V: Plan Testing

Plan testing ensures that the business continuity capability remains effective, regardless of the disaster. It includes:
- Testing objectives
- Measurement criteria
- Test Schedules
- Post-test reviews
- Test results reported to management

What are the phases of business continuity planning?

The phases of BCP are: 1) Project Management and Initiation; 2) Business Impact Analysis; 3) Recovery Strategy; 4) Plan Design and Development; and 5) Testing, Maintenance, Awareness, and Training.

What does Business Continuity Planning address?

The preservation and recovery of the business in the event of outages to normal business operations.

Design and Development Steps 11 - 13

- Develop support service plans, including human resources, public relations, transportation, facilities, information processing, telecommunications, etc.
- Develop business function plans and procedures.
- Develop facility recovery (i.e. the building) plans.

Design and Development Step 10

Review and outline how the organization will cope with other complications beyond the actual disaster:
- Responsibility to families
- Coordination with human resource and legal departments
- Fraud opportunities
- Looting and vandalism
- Ensuring primary site is protected during disaster
- Safety and legal problems
- Expenses exceeding emergency manager authority

Define Business Continuity Management

- A strategic and operational framework to review the way an organization provides its products and services while increasing its resilience to disruption, interruption or loss.
- Provides a framework for building resilience and the capability for an effective response which safeguards the interests of a company's key stakeholders, reputation, brand and value creating activities.

Damage Assessment

- Determine the extent of damage to the facility.
- Estimate the time needed to resume normal operations.
- Notify management of the findings.
- If the time estimated to resume operations exceeds the Maximum Tolerable Downtime (MTD) for critical business functions, then management should consider declaring a disaster and implementing the BCP.

What does a BCP Planner/Coordinator do?

- Ensures that all elements of the plan are thoroughly addressed and an appropriate level of planning, preparation, and training have been accomplished.
- Serves as leader for the development team.
- Has direct access and authority to interact with all employees necessary to complete the plans.
- Is in a position within the organization to balance the needs of the organization with the needs of the individual business units that may be affected.
- Has knowledge of the business to be able to understand how a disaster can affect the organization.
- Has easy access to management.
- Is able to review the charter, mission statement, and executive viewpoint.
- Has the credibility and ability to influence senior management when decisions need to be made.

Return to Primary Site Example

- Plan for the return.
- Reactivate fire protection and other alarm systems.
- Planning is different from recovery plan - least critical work should be initiated first.
- Implement and test the network system.
- Certify and accredit the system ready for operations.
- When notified that normal operations have resumed at the primary site, shut down operations at the alternate site and return backup materials to storage.

Requirements of Business Continuity Planning

- Provide an immediate, accurate, and measured response to emergency situations, with the overall goal of ensuring the safety of individuals.
- Mitigate the damage you are experiencing as a result of the disaster.
- Ensure the survivability of the business.
- Provide procedures and a listing of resources to assist in the recovery process.
- Identify vendors that may be needed in the recovery process and put agreements in place with selected vendors.
- Avoid confusion experienced during a crisis by documenting, testing, and training plan procedures.
- Clear guidance for declaring a disaster.
- Provide the necessary direction to ensure the timely resumption of critical services.
- Document storage, safeguarding, and retrieval procedures for critical systems and supporting functions.
- Describe the actions, resources, and materials required to restore critical operations at an alternate site in the event that the primary site(s) has suffered a serious outage.
- Document recovery procedures so they can be executed by knowledgeable people.

Disaster Activity Example

1) Assemble emergency operations team.
2) Contact recovery team members to participate in the initial damage assessment.
3) Determine the extent of damage to the primary site facility, including:
  - Building structure
  - Damage to utilities
  - Access to different areas within the building, including capability to secure the building.
4) Calculate the time required to resume critical and non-critical business operations.
5) Notify management of the results.
6) Declare a disaster and begin implementation of continuity/recovery plans.
7) Maintain a log of all steps taken after a disaster. Be sure to note time, location, what has been done, who did it, and any expenses incurred.
8) Establish the command center to provide management control, administrative, logistic, and communications support.
9) Move backup resources to the appropriate recovery site.
10) Allocate the required office space and recovery resources to the recovery teams.
11) Resume critical business functions at recovery site.
12) Resume critical business functions at recovery site.
13) Resume critical business at recovery site.
14) Resume non-critical business at recovery site.

Operational Recovery

1) Determine the necessary equipment configurations such as:
  - Mainframes, LANs, microcomputers, peripherals
  - Explore opportunities for integration/consolidation
  - Usage parameters
2) Data communications configurations include:
  - Switching equipment, Routers, Bridges, Gateways
3) Outline alternative strategies for technical capabilities, such as network infrastructure components.
4) Options include:
  - Hot Site, Warm Site, Cold Site, Mobile Site
  - Reciprocal or Mutual Aid Agreements
  - Multiple Processing Centers
  - Service Bureaus

Phase I: Project Management and Initiation

1) Establish the need for a BCP.
  - Perform a focused risk analysis to identify and document potential outages to critical systems.
2) Obtain management support.
3) Identify strategic internal and external resources to ensure that BCP matches overall business and technology plans.
4) Establish the project management work plan that includes the:
  - Scope of the project
  - Identification of objectives
  - Determination of methods for organizing and managing development of the BCP
  - Identification of related tasks and responsibilities
  - Scheduling of formal meetings and task completion dates
5) Determine the need for automated data collection tools, including plans to provide training on how to use the software.
6) Establish members of the BCP team, both technical and functional representatives.
7) Prepare and present an initial report to management on how the BCP will meet the objectives.

Example of a Recovery Process

1) Respond to the Disaster 2) Recover Critical Functions 3) Recover Non-critical Functions 4) Salvage and Repair 5) Return to Primary Site

What is a disaster?

1) Something that interrupts normal business process.
  - A sudden, unplanned calamitous event that brings about great damage or loss.
  - In the business environment, it is any event that creates an inability on an organization's part to support critical business functions for some predetermined period of time.

Define Project Plan

1) Identify and develop business continuity plan phases similar to traditional project plan phases.
  - Including problem investigation, problem definition, feasibility study, systems description, implementation, installation, and evaluation.
2) Establish business continuity plan project characteristics.
  - Such as goals/objectives, tasks, resources (personnel, financial), time schedules, budget estimates, and critical success factors.

Recovery Strategies Development Steps (5)

1. Document all costs with each alternative.
2. Obtain cost estimates for any outside services.
3. Develop written agreements for such services.
4. Evaluate resumption strategies based on a full loss of the facility.
5. Document recovery strategies and present to management for comments and approval.

Design and Development Steps 5 - 7

5. Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites.
6. Identify the location for the emergency operations center/command center.
7. Identify restoration procedures for salvage, repair, and return to the primary site. Also, the procedures to deactivate the recovery site.

Phase III: Recovery Strategies

A set of pre-defined and management approved actions that will be followed and implemented in response to a business interruption.

Defining a BCP

An approved set of advanced arrangements and procedures that enable an organization to:
- Ensure the safety of people.
- Minimize the amount of loss.
- Facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.
- Repair or replace the damaged facilities as soon as possible.
Traditionally, recovery plans focused on the recovery of critical computer systems running at data centers. Today, recovery plans must also focus on the critical computer systems operating in a distributed environment involving personal computers, LANs, telecommunications, etc. Essentially, continuity plans address every critical function of an enterprise.

What is a business continuity plan?

An approved set of advanced arrangements and procedures that enable an organization to facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.

Phase V: Plan Maintenance Goal

Develop processes that maintain the currency of continuity capabilities and the BCP document in accordance with the organization's strategic direction. This includes:
- Changing management procedures
- Resolving problems found during testing
- Building maintenance procedures into the process
- Centralizing responsibility for updates
- Reporting results regularly to team members

Facility and Supply Recovery

Focus is on restoration and recovery such as:
1) Facility - main building, remote facilities
2) Inventory - supplies, equipment, paper, forms
3) Equipment - network environments, servers, mainframe, microcomputers, etc.
4) Telecommunications - voice and data
5) Documentation - application, technical materials
6) Transportation - movement of equipment, personnel
7) Supporting equipment - HVAC, safety, security

Business Recovery

Focus is on the critical resources and the maximum tolerable downtime for each business/support unit system. This may include the identification of:
- Critical IT system hardware, software, and data
- Critical equipment, supplies, furniture, and office space
- Key personnel for each business unit and support unit, such as Operations, Facilities, Security, etc.

Software and Data Recovery

Focus is on the recovery of information (the data). Options include:
- Backing up and Off-site storage
- Electronic vaulting
- On-line tape vaulting
- Remote journaling
- Database Shadowing
- Standby Services
- Software Escrow

Phase V: Plan Maintenance Functions

Functions are:
- Receive and monitor input on needed revisions - maintain revision history
- Plan maintenance reviews as needed
- Monitor changes within business units, such as upgrades to systems
- Control plan maintenance distribution (who receives a copy of plan updates)
- Ensuring version control - obsolete editions of the plan are collected and destroyed.

Phase IV: BCP Design and Development

In this phase the team prepares and documents a detailed plan for recovery of critical business systems. End products include:
- Business and Service Recovery Plans
- Plan Maintenance Programs
- Employee Awareness and Training Programs
- Test Method Descriptions
- Restoration Plans

Restoration Actions

Involve restoring the primary site to normal operation conditions.
- Complete an assessment of all damage.
- Initiate cleanup of the primary site.
- Implement necessary replacement procedures.
- Move unused backup materials (i.e., supplies, magnetic media, backup documentation) from the alternate site to the primary site.
- Do least critical work first.
- Perform installations and updates of programs and data.
- Certify and accredit the system at the primary site.
- Initiate normal processing.

Define Team Members

Representatives also include, but are not limited to:
- Senior Management, Chief Financial Officer, etc.
- Legal Staff
- Business Unit/Functions
- Support Systems
- Recovery Team Leaders
- Information Security Department
- Data Communications Department
- Communications Department
The same people who would be responsible for executing the plan in the event of an outage must also be involved in preparing the BCP.

Define BCP Scope

Should cover all aspects of an organization, including:
- Personnel
- Facilities
- Infrastructure
- Support systems
- Information systems

Eight Steps of the BIA

Step 1: Select Interviewees
Step 2: Determine information gathering techniques
Step 3: Customize questionnaire to gather economic and operational impact information (quantitative and qualitative questions)
Step 4: Analyze information
Step 5: Determine time-critical business systems
Step 6: Determine maximum tolerable downtimes
Step 7: Prioritize critical business systems based on maximum tolerable downtimes
Step 8: Document findings and report recommendations

BCP Document

The final aspect of this phase is to combine all of the various steps into the organization's BCP. This plan should then be interfaced with the organization's other emergency plans.

Recovery Strategies Key Element

The key element of developing a recovery strategy is to base it on the recovery time for mission critical business systems -- as outlined in the Business Impact Analysis.

