Published by Marsha Holt. Modified over 8 years ago.
Chapter 3: Business Continuity Planning
Planning for Business Continuity
- Assess risks to business processes
- Minimize impact from disruptions
- Maintain the ability to perform mission-critical business tasks
- Main steps:
  – Project scope and planning
  – Business impact assessment
  – Continuity planning
  – Approval and implementation
Project Scope and Planning
- Business organization analysis
- BCP team selection
- Resource requirements
- Legal and regulatory requirements
Business Organization Analysis
- Identify all departments
- Identify critical services
- Identify senior executives and key individuals
BCP Team Selection
- Needs members from every department/division
- Include members from:
  – IT
  – Senior management
  – Legal
  – Security
Resource Requirements
- BCP development
- BCP testing, training, and maintenance
- BCP implementation
- Mostly personnel, but may include IT and physical resource allocation
Legal and Regulatory Requirements
- Federal, state, and local laws or regulations
- Emergency services
- Industry regulations
- Country-specific laws
- Service-level agreements
Business Impact Assessment
- Quantitative decision making vs. qualitative decision making
- Identify priorities
- Identify risk
- Assess likelihood
- Assess impact
- Prioritize resources
Identify Priorities
- Critical prioritization of business processes
- Assess by department, then organization
- Assign an AV (asset value) to each process
- Determine MTD (maximum tolerable downtime)
- Choose an RTO (recovery time objective)
Risk Identification
- Inventory specific risks
- Natural and man-made
- Logical, physical, and social
- Don’t overlook the cloud
- Get input from all departments
Likelihood Assessment
- Determine frequency of occurrence
- Establish an ARO (annualized rate of occurrence)
- Based on history, experience, and experts
Impact Assessment
- Evaluate consequences of a breach
- EF (exposure factor)
- SLE (single loss expectancy)
  – SLE = AV x EF
- ALE (annualized loss expectancy)
  – ALE = SLE x ARO
- Consider nonmonetary impacts
Resource Prioritization
- Biggest ALE is biggest risk concern
- Combine qualitative priorities with quantitative priorities
- Work at addressing each item from largest ALE value first
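The BIA steps above (assign AV, MTD and RTO to each process; inventory threats; estimate ARO; compute SLE = AV x EF and ALE = SLE x ARO; then work the list from the largest ALE down) carried through on a small risk register. This is an added example, not part of the original slides: every asset value, exposure factor, ARO, MTD and RTO figure is constructed for illustration, and the use of a qualitative weight only as a tie-breaker between equal ALE values is an assumption about how to combine the two kinds of priority.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the BIA risk register (all figures constructed for this example)."""
    process: str          # business process at risk
    threat: str           # threat scenario against that process
    av: float             # AV, asset value of the process, in dollars
    ef: float             # EF, exposure factor: fraction of AV lost in one occurrence (0..1)
    aro: float            # ARO, annualized rate of occurrence (events per year)
    mtd_hours: float      # MTD, maximum tolerable downtime
    rto_hours: float      # RTO, chosen recovery time objective; must not exceed MTD
    qualitative: int = 0  # non-monetary weight (0 = none, 1 = moderate, 2 = severe), assumed scale

    @property
    def sle(self) -> float:
        """SLE = AV x EF: loss expected from a single occurrence."""
        return self.av * self.ef

    @property
    def ale(self) -> float:
        """ALE = SLE x ARO: loss expected per year."""
        return self.sle * self.aro


def validate(risk: Risk) -> list[str]:
    """Return the consistency problems found in one register row (empty list if none)."""
    problems = []
    if not 0.0 <= risk.ef <= 1.0:
        problems.append(f"{risk.threat}: EF must lie in [0, 1], got {risk.ef}")
    if risk.av < 0 or risk.aro < 0:
        problems.append(f"{risk.threat}: AV and ARO must be non-negative")
    if risk.rto_hours > risk.mtd_hours:
        # An RTO longer than the MTD means the plan cannot meet the business need.
        problems.append(
            f"{risk.process}: RTO {risk.rto_hours}h exceeds MTD {risk.mtd_hours}h"
        )
    return problems


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register for resource allocation: largest ALE first.

    The qualitative weight breaks ties between equal ALE values (an assumed
    way of combining qualitative and quantitative priorities)."""
    problems = [p for r in register for p in validate(r)]
    if problems:
        raise ValueError("; ".join(problems))
    return sorted(register, key=lambda r: (r.ale, r.qualitative), reverse=True)


def sample_register() -> list[Risk]:
    """Constructed register with made-up figures (not data from any real organization)."""
    return [
        Risk("Order processing", "Data center flood", 2_000_000, 0.25, 0.1, 24, 8, 1),
        Risk("Order processing", "Ransomware on order database", 2_000_000, 0.5, 0.2, 24, 4, 2),
        Risk("Payroll", "Cloud provider outage", 400_000, 0.1, 2.0, 72, 24, 1),
        Risk("Customer support", "Social engineering of help desk", 300_000, 0.2, 0.5, 48, 12, 0),
    ]


if __name__ == "__main__":
    print(f"{'Threat':<34}{'SLE':>12}{'ALE':>12}")
    for r in prioritize(sample_register()):
        print(f"{r.threat:<34}{r.sle:>12,.0f}{r.ale:>12,.0f}")
```

Note that the flood and the ransomware scenario share the same AV because they threaten the same process; what separates them in the ranking is EF and ARO, which is why the slides treat likelihood and impact as distinct assessment steps. The validation step also catches a register row whose RTO is longer than its MTD, a plan that could never satisfy the business requirement it was written for.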
Continuity Planning
- Strategy development
- Provisions and processes
- Plan approval
- Plan implementation
- Training and education
Strategy Development
- Bridge between BIA and BCP crafting
- Determine which risks to address in this BCP crafting time frame
- Determine acceptable risks vs. those that require mitigation
- Commit sufficient resources to resolve priorities
Provisions and Processes
- People
- Buildings and facilities
  – Hardening provisions
  – Alternate sites
- Infrastructure
  – Physically hardening systems
  – Alternative systems
Plan Approval
- Top-level management endorsement
- Educate top executives about plan concepts and details
- Senior executive approval establishes plan credibility throughout the organization
Plan Implementation
- Define an implementation schedule
- Use allocated implementation resources
- Achieve process and provisioning goals
- Implement a BCP maintenance program
Training and Education
- Assign responsibilities
- Plan overview briefing
- Dedicated training for those with assigned responsibilities
- A backup or replacement person for each position
BCP Documentation
- Continuity planning goals
- Statement of importance
- Statement of priorities
- Statement of organizational responsibility
- Statement of urgency and timing
- Risk assessment
- Risk acceptance/mitigation
- Vital records program
- Emergency-response guidelines
- Maintenance
- Testing and exercises
Continuity Planning Goals
- To set goals
- To ensure the continuous operation of the business in the face of an emergency situation
- To meet organizational needs
Statement of Importance
- Reflects the criticality of the BCP
- Disclosed in a memo to all employees
- Should be signed by the CEO to avoid compliance resistance
Statement of Priorities
- Directly reflects the designed BCP priorities
- Includes an evaluation of priorities
- Focuses on importance to the continued operation of business functions in the event of an emergency
Statement of Organizational Responsibility
- Business continuity is everyone’s responsibility
- Reinforces the organization’s commitment to the BCP
- Informs individuals of the expectation to assist and support
Statement of Urgency and Timing
- Stresses the priority of implementation
- Defines the roll-out timetable
Risk Assessment
- A recap of the BCP decision-making process
- Summary of the BIA
- Discloses quantitative and qualitative analysis results
Risk Acceptance/Mitigation
- Identifies those risks deemed acceptable
- Identifies those risks deemed unacceptable
  – List risk management provisions
  – Define processes and responses
  – Define how the risk is reduced or managed
Vital Records Program
- Determine where critical records will be stored
- Set procedures for backing up critical records
- Identify critical records
- Digital and paper records should both be considered
- Includes records needed to reconstruct the organization in the event of a disaster
Emergency-Response Guidelines
- Define responsibilities in an emergency
- Detail activation of BCP elements
- Immediate response procedures
- Individuals to notify of the incident
- Secondary response procedures
- Goal: to minimize response time
Maintenance
- The BCP is a living document.
- The BCP should be periodically updated.
- Drastic changes may require a complete re-design and re-crafting.
- You should practice good version control.
- Include the BCP in job descriptions/responsibilities.
Testing and Exercises
- Establish a formalized testing program
- Train personnel on their tasks and responsibilities
- See disaster recovery testing in Chapter 18