Business Continuity Planning
Disaster Recovery Planning
A Business Continuity Plan (BCP) is an approved set
of advanced arrangements and procedures that
enable an organization to:
- Facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.
- Minimize the amount of loss.
- Repair or replace the damaged facilities as soon as possible.
Traditionally, recovery plans focused on the recovery of
critical computer systems running at data centers (aka
“disaster recovery”).
Today, recovery plans must also focus on the critical
computer systems operating in a distributed environment
involving PCs, LANs, telecommunications, etc.
Essentially, continuity plans address every critical function of
an enterprise.
A disaster is something that interrupts normal
business processing.
A disaster is defined as a sudden, unplanned calamitous
event that brings about great damage or loss.
In the business environment, it is any event that creates
an inability to support critical business functions for
some predetermined period of time.
Reasons for BCP

- It is better to plan activities ahead of time rather than to react when the time comes
- “Proactive” rather than “Reactive”
- Take the correct actions when needed
- Allow for experienced personnel to be absent
- Maintain business operations
- Saves time, mistakes, stress and $$
- Keep the money coming in
- Short and long term loss of business
- Have necessary materials, equipment, information on hand
- Planning can take up to 3 years
- Effect on customers
- Public image
- Loss of life
BCP Requirements
- Provide an immediate, accurate and measured response to emergency situations.
- Provide procedures and a listing of resources to assist in the recovery process.
- Identify vendors that may be needed in the recovery process and put agreements in place with selected vendors.
- Avoid confusion experienced during a crisis by documenting, testing and training plan procedures.
- Clear guidance for declaring a disaster.
- Provide the necessary direction to ensure the timely resumption of critical services.
- Document storage, safeguarding and retrieval procedures for critical systems and supporting functions.
- Describe the actions, resources and materials required to restore critical operations at an alternate site in the event that the primary site(s) has suffered a serious outage.
- Document recovery procedures so they can be executed by knowledgeable people.
Developing the BCP
Project Management and Initiation
- Determine the need for automated data collection tools, including plans to provide training on how to use the software.
- Establish members of the BCP team, both technical and functional representatives.
- Prepare and present an initial report to management on how the BCP will meet the objectives.

“Automated” plan development can help you:
- Speed the process
- Avoid missing critical elements
- Organize teams
- Maintain the plan

Team Members
- BCP Planner/Coordinator
- Senior management, CFO, etc.
- Legal, HR
- Business unit/functions
- Recovery team leaders
- InfoSec, Telecomm, etc.
The same people who would be responsible for executing the plan in the event of an outage must also be involved in preparing the BCP.
Business Impact Analysis (BIA)
The BIA is a functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:
- Allowable business interruption - the maximum tolerable downtime (MTD)
- Financial and operational considerations
- Regulatory requirements
- Organizational reputation
The BIA sets the stage for determining a business-oriented
judgment concerning the appropriation of resources for
recovery planning efforts.
Developing the BCP - BIA
Impact Assessment
Purpose
- Identify risks
- Identify business requirements for continuity
- Quantify impact of potential threats
- Balance impact and countermeasure cost
- Establish recovery priorities
Benefits
- Relates security objectives to organization mission
- Quantifies how much to spend on security measures
- Provides long term planning guidance
- Site selection
- Building design
- HW configuration
- SW
- Internal controls
- Criteria for contingency plans
- Security policy
- Protection requirements
- Significant threats
- Responsibilities
Risk Assessment
- Potential failure scenarios
- Likelihood of failure
- Cost of failure (loss impact analysis)
- Dollar losses
- Additional operational expenses
- Violation of contracts, regulatory requirements
- Loss of competitive advantage, public confidence
- Assumed maximum downtime (recovery time frames)
- Rate of losses
- Periodic criticality
- Time-loss curve charts
Risk Assessment/Analysis
Key
- Potential failure scenarios (risks)
- Likelihood of failure
- Cost of failure, quantify impact of threat
- Assumed maximum downtime
- Annual Loss Expectancy
- Worst case assumptions
- Based on business process model? Or IT model?
- Identify critical functions and supporting resources
- Balance impact and countermeasure cost
- Potential damage
- Likelihood
Definitions
Quantitative Risk Analysis
- Quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
- Powerful aid to decision making
- Difficult to do in time and cost
Qualitative Risk Analysis
- Minimally quantified estimates
- Exposure scale ranking estimates
- Easier in time and money
- Less compelling
Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative.
Goals
- Understand economic & operational impact
- Determine recovery time frame (business/DP/Network)
- Identify most appropriate strategy
- Cost/justify recovery planning
- Include BCP in normal decision making process

Risk Analysis Steps
1 - Identify essential business functions
  - Dollar losses or added expense
  - Contract/legal/regulatory requirements
  - Competitive advantage/market share
  - Interviews, questionnaires, workshops
2 - Establish recovery plan parameters
  - Prioritize business functions
3 - Gather impact data/Threat analysis
  - Probability of occurrence, source of help
  - Document business functions
  - Define support requirements
  - Document effects of disruption
  - Determine maximum acceptable outage period
  - Create outage scenarios
4 - Analyze and summarize
  - Estimate potential losses
  - Destruction/theft of assets
  - Loss of data
  - Theft of information
  - Indirect theft of assets
  - Delayed processing
  - Consider frequency
  - Combine potential loss & probability
  - Magnitude of risk is the ALE (Annual Loss Expectancy)
  - Guide to security measures and how much to spend
Maximum tolerable downtime (MTD)

Item                  Required recovery time following a disaster
Non-essential         30 days
Normal                7 days
Important             72 hours
Urgent                24 hours
Critical/essential    minutes to hours
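
The risk analysis steps and the MTD table above can be carried through as a small BIA worksheet. This is an added Python example, not part of the original slides: it takes ALE in its usual form (loss per event times events per year), and the business functions, dollar figures, frequencies and the rule for mapping an MTD onto a recovery class are constructed assumptions.

```python
from dataclasses import dataclass

# Recovery classes from the MTD table: (class, required recovery time in hours).
# "minutes to hours" has no single figure, so 0 makes it the tightest class (assumption).
MTD_CLASSES = [("Non-essential", 30 * 24), ("Normal", 7 * 24), ("Important", 72),
               ("Urgent", 24), ("Critical/essential", 0)]

@dataclass
class Scenario:
    function: str            # business function hit by the outage
    loss_per_event: float    # estimated loss for one occurrence, in dollars
    events_per_year: float   # expected frequency (0.25 = once in four years)
    mtd_hours: float         # maximum tolerable downtime gathered in step 3

def ale(s):
    """Annual Loss Expectancy: potential loss combined with its frequency."""
    return s.loss_per_event * s.events_per_year

def recovery_class(mtd_hours):
    """Most lenient class whose required recovery time still fits inside the MTD."""
    for name, hours in MTD_CLASSES:
        if hours <= mtd_hours:
            return name
    return MTD_CLASSES[-1][0]

def rank(scenarios):
    """Recovery priorities: tightest MTD first, ties broken by largest ALE."""
    ordered = sorted(scenarios, key=lambda s: (s.mtd_hours, -ale(s)))
    return [(s.function, recovery_class(s.mtd_hours), ale(s)) for s in ordered]

def countermeasure_justified(annual_cost, ale_before, ale_after):
    """Balance impact and countermeasure cost: spend only if it removes more ALE than it costs."""
    return annual_cost < ale_before - ale_after

# Constructed sample data, not taken from the slides.
SCENARIOS = [
    Scenario("Order processing", 400_000, 0.25, 4),
    Scenario("Payroll", 120_000, 0.5, 96),
    Scenario("Marketing site", 15_000, 1.0, 30 * 24),
    Scenario("Customer support", 90_000, 0.5, 24),
]

if __name__ == "__main__":
    for function, cls, loss in rank(SCENARIOS):
        print(f"{function:18} {cls:20} ALE ${loss:>10,.0f}")
```

Ranking by MTD before ALE reflects that the table sets the recovery deadline, while ALE indicates how much to spend meeting it.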
Recovery Strategies
Business Recovery
Focus is on the critical resources and the maximum tolerable downtime for each business/support unit system. This may include identification of:
- Critical IT system hardware, software and data
- Critical equipment, supplies, furniture and office space
- Key personnel for each business unit and support unit, such as Operations, Facilities, InfoSec, etc.
Facility and Supply Recovery
Focus is on restoration and recovery, such as:
- Facility - main building, remote facilities
- Inventory - supplies, equipment, paper, forms
- Equipment - network environments, servers, mainframe, PCs, etc.
- Telecomm - voice and data
- Documentation - application, technical materials
- Transportation - movement of equipment, personnel
- Supporting equipment - HVAC, safety, security
User Recovery
Focus is on personnel requirements, such as:
- Manual procedures
- Vital record storage (i.e., medical, personnel)
- Employee transportation
- Critical documentation and forms
- User workspace and equipment
- Alternate site access procedures
Procedures for the organization’s employees to follow during the outage include items such as:
- Team responsibilities
- Distribution of information
- Manual processing techniques
- Disaster policies
- Notification procedures
- High priority tasks
- Emergency accounting
- Checklists
Operational Recovery
Determine the necessary equipment configurations such as:
- Mainframes, LANs, PCs, peripherals
- Explore opportunities for integration/consolidation
- Usage parameters
Data communications configurations include:
- Switching equipment, routers, bridges, gateways
Outline alternative strategies for technical capabilities, such as network infrastructure components. Options include:
- Hot site, warm site, cold site, mobile site
- Reciprocal or mutual aid agreements
- Multiple processing centers
- Service bureaus
Software and Data Recovery
Focus is on the recovery of information - the data. Options include:
- Backing up and off-site storage
- Electronic vaulting
- Online tape vaulting
- Remote journaling
- Database shadowing
- Standby services
- Software escrow
- Manuals and documentation
- Backup frequency - criticality and rate of change

$ < P*V
$ = expense of backup
P = probability of loss
V = cost of recreating lost data
Software and Data Recovery (continued)
- Security and controls of backup data and materials
- While being transported to the offsite facility
- While stored at the offsite facility
- Backup site may need even better protection than primary site
- Data at backup facility is not accessed very often
- Problems could go undetected for a long time
- Consider encryption of backup data
- Too much processing overhead?
- Bank of America lost backup tapes
Plan Design and Development
In this phase the team prepares and documents a detailed plan for recovery of critical business systems.
End products include:
- Business and service recovery plans
- Test method descriptions
- Restoration plans
- Plan maintenance programs
- Employee awareness and training programs
1. Determine management concerns and priorities.
2. Determine planning scope such as geographical concerns, organizational issues, and the various recovery functions to be covered in the plan.
3. Establish outage assumptions.
4. Identify response procedures, such as ensuring evacuation and safety of personnel, notification of disaster, initial damage assessment, activating teams and relocating to alternate sites.
5. Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites.
6. Identify the location for the emergency operations center/command center.
7. Identify restoration procedures for salvage, repair and return to the primary site. Also, the procedures to deactivate the recovery site.
8. Plan and implement the gathering of data required for plan completion.
   - Personnel information
   - Vendor services
   - Equipment, software, forms, supplies
   - Vital records
   - Technical information
   - Office space requirements
9. Review and outline who (and how) the organization will interface with external groups.
   - Customers
   - Shareholders
   - Civic officials
   - Community, region, and state emergency services groups
   - Utility providers
   - Industry group coalitions
   - Media
10. Review and outline how the organization will cope with other complications beyond the actual disaster.
   - Responsibility to families
   - Coordination with human resource and legal departments
   - Fraud opportunities
   - Exposure of sensitive data
   - Looting and vandalism
   - Ensuring primary site is protected during disaster
   - Safety and legal problems
   - Expenses exceeding emergency manager authority
   - Insurance coverage and timing of claim payment
11. Develop support service plans, including human resources, public relations, transportation, facilities, IT, telecomm, etc.
12. Develop business function plans and procedures.
13. Develop facility recovery (i.e., the building) plans.
Plan Testing
- Proves feasibility of recovery process
- Verifies compatibility of backup facilities
- Ensures adequacy of team procedures
- Identifies deficiencies in procedures
- Trains team members
- Provides mechanism for maintaining/updating the plan
- Upper management comfort
Plan Testing
- Desk checks/checklist
- Structured walkthroughs
- Simulations
- Parallel tests
- Full interruption tests
Plan Maintenance
Develop processes that maintain the currency of continuity capabilities and the BCP document in accordance with the organization’s strategic direction. This includes:
- Changing management procedures
- Resolving problems found during testing
- Building maintenance procedures into the process
- Centralizing responsibility for updates
- Reporting results regularly to team members
Plan maintenance functions are:
- Receive and monitor input on needed revisions - maintain revision history
- Plan maintenance reviews as needed
- Monitor changes within business units, such as upgrades to systems
- Control plan maintenance distribution - who receives a copy of plan updates
- Ensuring version control - obsolete editions of the plan are collected and destroyed.
Awareness and Training
- The goal is to design and develop a program to create corporate awareness and enhance the skills required to develop, implement, maintain and execute the plans.
- The objectives should cover a range of outcomes from simple awareness of the major provisions to the ability to carry out specific procedures.
- Train the teams used for recovery strategies.
- Train those employees who will have specific roles in the recovery process, such as systems staff, team leaders, etc.