Chapter 3: Business Continuity Planning

Planning for Business Continuity Assess risks to business processes Minimize impact from disruptions Maintain continuity of being able to perform mission-critical business tasks Main steps: – Project scope and planning – Business impact assessment – Continuity planning – Approval and implementation

Project Scope and Planning Business organization analysis BCP team selection Resource requirements Legal and regulatory requirements

Business Organization Analysis Identify all departments Identify critical services Identify senior executives and key individuals

BCP Team Selection Needs members from every department/division Include members from: – IT – Senior management – Legal – Security

Resource Requirements BCP development BCP testing, training, and maintenance BCP implementation Mostly personnel but may include IT and physical resource allocation

Legal and Regulatory Requirements Federal, state, and local laws or regulations Emergency services Industry regulations Country-specific laws Service-level agreements

Business Impact Assessment Quantitative decision making vs. qualitative decision making Identify priorities Identify risk Assess likelihood Assess impact Prioritize resources

Identify Priorities Critical prioritization of business processes Assess by department, then organization Assign an AV (asset value) to each process Determine MTD (maximum tolerable downtime) Choose an RTO (recovery time objective)

Risk Identification Inventory-specific risks Natural and man-made Logical and physical and social Don’t overlook the cloud Get input from all departments

Likelihood Assessment Determine frequency of occurrence Establish an ARO (annualized rate of occurrence) Based on history, experience, and experts

Impact Assessment Evaluate consequences of a breach EF (exposure factor) SLE (single loss expectancy) – SLE = AV x EF ALE (annualized loss expectancy) – ALE = SLE x ARO Consider nonmonetary impacts

Resource Prioritization Biggest ALE is biggest risk concern Combine qualitative priorities with quantitative priorities Work at addressing each item from largest ALE value first

Continuity Planning Strategy development Provisions and processes Plan approval Plan implementation Training and education

Strategy Development Bridge between BIA and BCP crafting Determine which risks to address in this BCP crafting time frame Determine acceptable risks vs. those that require mitigation Commit sufficient resources to resolve priorities

Provisions and Processes People Building and facilities – Hardening provisions – Alternate sites Infrastructure – Physically hardening systems – Alternative systems

Plan Approval Top-level management endorsement Educate top executives about plan concepts and details Senior executive approval establishes plan credibility throughout organization

Plan Implementation Define an implementation schedule Use allocated implementation resources Achieve process and provisioning goals Implement BCP maintenance program

Training and Education Assign responsibilities Plan overview briefing Dedicated training for those with assigned responsibilities A backup or replacement person for each position

BCP Documentation Continuity planning goals Statement of importance Statement of priorities Statement of organizational responsibility Statement of urgency and timing Risk assessment Risk acceptance/mitigation Vital records program Emergency-response guidelines Maintenance Testing and exercises

Continuity Planning Goals To set goals To ensure the continuous operation of the business in the face of an emergency situation To meet organizational needs

Statement of Importance Reflects criticality of BCP Disclosed in a memo to all employees Should be signed by CEO to avoid compliance resistance

Statement of Priorities Directly reflects designed BCP priorities Includes evaluation of priorities Focuses on importance to the continued operation of business functions in the event of an emergency

Statement of Organizational Responsibility Business continuity is everyone’s responsibility Reinforces organization’s commitment to BCP Informs individuals of the expectation to assist and support

Statement of Urgency and Timing Stresses priority of implementation Defines the roll-out timetable

Risk Assessment A recap of the BCP decision-making process Summary of BIA Discloses quantitative and qualitative analysis results

Risk Acceptance/Mitigation Identifies those risks deemed acceptable Identifies those risks deemed unacceptable – List risk management provisions – Define processes and responses – Define how the risk is reduced or managed

Vital Records Program Determine where critical records will be stored Set procedures for backing up critical records Identity critical records Digital and paper should be considered Includes records needed to reconstruct the organization in the event of a disaster

Emergency-Response Guidelines Define responsibilities in an emergency Detail activation of BCP elements Immediate response procedures Individuals to notify of the incident Secondary response procedures Goal: to minimize response time

Maintenance The BCP is a living document. The BCP should be periodically updated. Drastic changes may require a complete re-design and re-crafting. You should practice good version control. Include the BCP in job descriptions/responsibilities.

Testing and Exercises Establish a formalized testing program Train personnel on their tasks and responsibilities See disaster recovery testing in Chapter 18