BUSINESS CONTINUITY PLAN AND DISASTER RECOVERY PLAN

Abdulrahim Al-Abri

OUTLINE

• Definitions
• BCP Phases
  • Project Management and Initiation
  • Conduct Business Impact Analysis
  • Recovery Strategies
  • Plan Design and Development
  • Testing, maintenance, awareness and training

DEFINITIONS

Business Continuity: a managed strategy comprising the plans, procedures and technical controls that make recovery of IT systems, business operations, and data possible after a disruption.

Recovery for:
• IT operations in an alternative site.
• IT operations using alternative hardware/software.

BC standards: ISO 27002, ITIL, (ISC)², BS 25999, ISO/PAS 22399

BCP PHASES

• Project Management and Initiation
• Conduct Business Impact Analysis
• Recovery Strategies
• Plan Design and Development
• Testing, maintenance, awareness and training

PROJECT MANAGEMENT AND INITIATION

• Develop and approve the BCP policy.
• Define the BCP committee: operational unit representatives, senior management, IT security, specialized IT experts, and optionally support units (such as technical affairs).
• Define the BCP project scope and objectives.
• Provide the necessary project funds and resources.

BUSINESS IMPACT ANALYSIS

• Collect data through interviews, surveys, and documentation of business functions, activities, and transactions.
• Develop a hierarchy of business functions and apply a classification scheme to indicate each individual function's criticality level.
• Identify the resources that these functions depend upon.
• Calculate the Maximum Tolerable Downtime (MTD) for these functions.
• Identify vulnerabilities and threats to these functions.

BUSINESS IMPACT ANALYSIS CONT.

• Calculate the risk for each business function.
• Document the findings and report them to management.

RECOVERY STRATEGIES

• Business process recovery
• Facility recovery

| Site          | Cost        | Hardware Equipment | Telecommunications | Setup Time | Location  |
|---------------|-------------|--------------------|--------------------|------------|-----------|
| Cold Site     | Low         | None               | None               | Long       | Fixed     |
| Warm Site     | Medium      | Partial            | Partial/Full       | Medium     | Fixed     |
| Hot Site      | Medium/High | Full               | Full               | Short      | Fixed     |
| Mobile Site   | High        | Dependent          | Dependent          | Dependent  | Not Fixed |
| Mirrored Site | High        | Full               | Full               | None       | Fixed     |

RECOVERY STRATEGIES CONT.

• Supply and technology recovery
  • Network and computer equipment
  • Voice and data communications resources
  • Human resources
  • Transportation of equipment and personnel
  • Environment issues (HVAC)
  • Data and personnel security issues
  • Supplies (paper, forms, cabling, and so on)
  • Documentation
• Data recovery
  • Restoring backed-up data

PLAN DESIGN AND DEVELOPMENT

• All findings and decisions should be developed and documented.
• The document is submitted for approval.
• This phase also defines the execution procedure for the plan.

TESTING, MAINTENANCE, AWARENESS AND TRAINING

This step tests whether your decisions are suitable and correct.

Types of tests:
• Checklist Test
• Structured Walk-Through Test
• Simulation Test
• Parallel Test
• Full-Interruption Test

TESTING, MAINTENANCE, AWARENESS AND TRAINING CONT.

Maintaining the plan:
• Make business continuity a part of every business decision.
• Insert the maintenance responsibilities into job descriptions.
• Perform internal audits that include disaster recovery and continuity documentation and procedures to update the plan.
• Integrate the BCP into the change management process.

A training and awareness program should be included in the BCP planning process.

QUESTIONS