Chapter 3: Business Continuity Planning

Planning for Business Continuity
• Assess risks to business processes
• Minimize impact from disruptions
• Maintain continuity of being able to perform mission-critical business tasks
• Main steps:
  – Project scope and planning
  – Business impact assessment
  – Continuity planning
  – Approval and implementation

Project Scope and Planning
• Business organization analysis
• BCP team selection
• Resource requirements
• Legal and regulatory requirements

Business Organization Analysis
• Identify all departments
• Identify critical services
• Identify senior executives and key individuals

BCP Team Selection
• Needs members from every department/division
• Include members from:
  – IT
  – Senior management
  – Legal
  – Security

Resource Requirements
• BCP development
• BCP testing, training, and maintenance
• BCP implementation
• Mostly personnel but may include IT and physical resource allocation

Legal and Regulatory Requirements
• Federal, state, and local laws or regulations
• Emergency services
• Industry regulations
• Country-specific laws
• Service-level agreements

Business Impact Assessment
• Quantitative decision making vs. qualitative decision making
• Identify priorities
• Identify risk
• Assess likelihood
• Assess impact
• Prioritize resources

Identify Priorities
• Critical prioritization of business processes
• Assess by department, then organization
• Assign an AV (asset value) to each process
• Determine MTD (maximum tolerable downtime)
• Choose an RTO (recovery time objective)

Risk Identification
• Inventory-specific risks
• Natural and man-made
• Logical and physical and social
• Don’t overlook the cloud
• Get input from all departments

Likelihood Assessment
• Determine frequency of occurrence
• Establish an ARO (annualized rate of occurrence)
• Based on history, experience, and experts

Impact Assessment
• Evaluate consequences of a breach
• EF (exposure factor)
• SLE (single loss expectancy)
  – SLE = AV x EF
• ALE (annualized loss expectancy)
  – ALE = SLE x ARO
• Consider nonmonetary impacts

Resource Prioritization
• Biggest ALE is biggest risk concern
• Combine qualitative priorities with quantitative priorities
• Work at addressing each item from largest ALE value first

Continuity Planning
• Strategy development
• Provisions and processes
• Plan approval
• Plan implementation
• Training and education

Strategy Development
• Bridge between BIA and BCP crafting
• Determine which risks to address in this BCP crafting time frame
• Determine acceptable risks vs. those that require mitigation
• Commit sufficient resources to resolve priorities

Provisions and Processes
• People
• Building and facilities
  – Hardening provisions
  – Alternate sites
• Infrastructure
  – Physically hardening systems
  – Alternative systems

Plan Approval
• Top-level management endorsement
• Educate top executives about plan concepts and details
• Senior executive approval establishes plan credibility throughout organization

Plan Implementation
• Define an implementation schedule
• Use allocated implementation resources
• Achieve process and provisioning goals
• Implement BCP maintenance program

Training and Education
• Assign responsibilities
• Plan overview briefing
• Dedicated training for those with assigned responsibilities
• A backup or replacement person for each position

BCP Documentation
• Continuity planning goals
• Statement of importance
• Statement of priorities
• Statement of organizational responsibility
• Statement of urgency and timing
• Risk assessment
• Risk acceptance/mitigation
• Vital records program
• Emergency-response guidelines
• Maintenance
• Testing and exercises

Continuity Planning Goals
• To set goals
• To ensure the continuous operation of the business in the face of an emergency situation
• To meet organizational needs

Statement of Importance
• Reflects criticality of BCP
• Disclosed in a memo to all employees
• Should be signed by CEO to avoid compliance resistance

Statement of Priorities
• Directly reflects designed BCP priorities
• Includes evaluation of priorities
• Focuses on importance to the continued operation of business functions in the event of an emergency

Statement of Organizational Responsibility
• Business continuity is everyone’s responsibility
• Reinforces organization’s commitment to BCP
• Informs individuals of the expectation to assist and support

Statement of Urgency and Timing
• Stresses priority of implementation
• Defines the roll-out timetable

Risk Assessment
• A recap of the BCP decision-making process
• Summary of BIA
• Discloses quantitative and qualitative analysis results

Risk Acceptance/Mitigation
• Identifies those risks deemed acceptable
• Identifies those risks deemed unacceptable
  – List risk management provisions
  – Define processes and responses
  – Define how the risk is reduced or managed

Vital Records Program
• Determine where critical records will be stored
• Set procedures for backing up critical records
• Identify critical records
• Digital and paper should be considered
• Includes records needed to reconstruct the organization in the event of a disaster

Emergency-Response Guidelines
• Define responsibilities in an emergency
• Detail activation of BCP elements
• Immediate response procedures
• Individuals to notify of the incident
• Secondary response procedures
• Goal: to minimize response time

Maintenance
• The BCP is a living document.
• The BCP should be periodically updated.
• Drastic changes may require a complete re-design and re-crafting.
• You should practice good version control.
• Include the BCP in job descriptions/responsibilities.

Testing and Exercises
• Establish a formalized testing program
• Train personnel on their tasks and responsibilities
• See disaster recovery testing in Chapter 18
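The SLE and ALE formulas from Impact Assessment and the largest-ALE-first ranking from Resource Prioritization, worked through as an added Python example (not part of the chapter's slides); the sample processes and figures, and the RTO-within-MTD sanity check, are assumptions.

```python
"""Quantitative BIA worked example (added here; not from the chapter).

Chapter formulas:  SLE = AV x EF   and   ALE = SLE x ARO
Risks are then ranked from largest ALE down, as Resource Prioritization
directs. The RTO <= MTD check and all sample figures are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    process: str      # business process the risk applies to
    threat: str       # identified risk (natural, man-made, logical, ...)
    av: float         # asset value of the process, in currency units
    ef: float         # exposure factor: fraction of AV lost per event (0..1)
    aro: float        # annualized rate of occurrence (events per year)
    mtd_hours: float  # maximum tolerable downtime determined for the process
    rto_hours: float  # recovery time objective chosen for the process

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence (AV x EF)."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss (SLE x ARO)."""
        return self.sle() * self.aro

    def rto_within_mtd(self) -> bool:
        """Assumed check: an RTO longer than the MTD cannot meet the goal."""
        return self.rto_hours <= self.mtd_hours


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order risks so the largest ALE is addressed first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample BIA inputs (illustrative figures, not real data).
SAMPLE_RISKS = [
    Risk("Order processing", "Data centre flood", av=2_000_000, ef=0.50, aro=0.05, mtd_hours=24, rto_hours=12),
    Risk("Payroll", "Ransomware", av=500_000, ef=0.80, aro=0.50, mtd_hours=72, rto_hours=96),
    Risk("Public website", "DDoS", av=300_000, ef=0.20, aro=2.0, mtd_hours=4, rto_hours=2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        flag = "" if r.rto_within_mtd() else "  <-- RTO exceeds MTD"
        print(f"{r.process:16} {r.threat:18} SLE={r.sle():>12,.0f} ALE={r.ale():>12,.0f}{flag}")
```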