Business Continuity Planning ver 3.0

Business Continuity Planning
© Copyright 2005 (ISC)²®. All Rights Reserved.
Business Continuity Planning v5.0
Introduction
The Business Continuity Planning (BCP) domain addresses the preservation and recovery of the business in the event of outages to normal business operations.
Objectives
• The CISSP should:
– Have an understanding of the preparation of specific actions required to preserve critical business operations from the perspective of creating, implementing, and updating a continuity plan.
Section Objectives
• Define business continuity plan
• Define disaster
• Describe the phases of business
continuity planning
• List restoration actions
Goals of Information Security
As They Relate to BCP
• The common thread among good information security objectives is that they address all three core security principles:
– Confidentiality: prevents unauthorized disclosure of systems and information.
– Integrity: prevents unauthorized modification of systems and information.
– Availability: prevents disruption of service and productivity.
What is a disaster?
• A disaster is something that interrupts normal business processes.
– A disaster is defined as a sudden, unplanned
calamitous event that brings about great
damage or loss.
– In the business environment, it is any event
that creates an inability on an organization’s
part to support critical business functions for
some predetermined period of time.
Potentially Disastrous Events
• Natural (e.g., earthquakes, storms)
• System/Technical (e.g., outages, malicious code)
• Supply Systems (e.g., electrical power problems)
• Human-Made/Political (e.g., disgruntled employees, riots, vandalism)
Defining a BCP
An approved set of advanced arrangements
and procedures that enable an organization to:
• Ensure the safety of people.
• Minimize the amount of loss.
• Facilitate the recovery of business operations to
reduce the overall impact of an event, while at
the same time resuming the critical business
functions within a predetermined period of time.
• Repair or replace the damaged facilities as soon
as possible.
Defining a BCP (cont.)
• Traditionally, recovery plans focused
on the recovery of critical computer
systems running at data centers.
• Today, recovery plans must also
focus on the critical computer
systems operating in a distributed
environment involving personal
computers, LANs,
telecommunications, etc.
• Essentially, continuity plans address
every critical function of an
enterprise.
Requirements of Business
Continuity Planning
• Provide an immediate, accurate, and measured
response to emergency situations, with the
overall goal of ensuring the safety of individuals.
• Mitigate the damage you are experiencing as a
result of the disaster.
• Ensure the survivability of the business.
• Provide procedures and a listing of resources to
assist in the recovery process.
• Identify vendors that may be needed in the
recovery process and put agreements in place
with selected vendors.
Requirements of Business
Continuity Planning (cont.)
• Avoid confusion experienced
during a crisis by documenting,
testing, and training plan
procedures.
• Clear guidance for declaring a
disaster.
• Provide the necessary direction
to ensure the timely resumption
of critical services.
Requirements of Business
Continuity Planning (cont.)
• Document storage, safeguarding, and retrieval
procedures for critical systems and supporting
functions.
• Describe the actions, resources, and materials
required to restore critical operations at an
alternate site in the event that the primary site(s)
has suffered a serious outage.
• Document recovery procedures so they can be
executed by knowledgeable people.
BCP Scope
• The BCP should cover all aspects of
an organization, including:
– Personnel
– Facilities
– Infrastructure
– Support systems
– Information systems
Subtopics
• Business Continuity
Management
• Phases of BCP
• Restoration Action
• Example of a
Recovery Process
Business Continuity Management
• A strategic and operational framework to
review the way an organization provides
its products and services while increasing
its resilience to disruption, interruption or
loss.
• Provides a framework for building
resilience and the capability for an
effective response which safeguards the
interests of a company’s key stakeholders,
reputation, brand and value creating
activities.
Stages of BCM
Phases of the BCP
• Project Management/Initiation
• Business Impact Assessment
• Recovery Strategy
• Plan Design & Development
• Implementation
• Maintenance
• Testing
Phases of the BCP
Subtopics
1. Project Management and Initiation
2. Business Impact Analysis
3. Recovery Strategy
4. Plan Design and Development
5. Testing, Maintenance, Awareness,
and Training
Phase I: Project Management and
Initiation
• Establish the need for a BCP.
– Perform a focused risk analysis to identify and
document potential outages to critical
systems.
• Obtain management support.
• Identify strategic internal and external
resources to ensure that BCP matches
overall business and technology plans.
Phase I: Project Management
and Initiation (cont.)
• Establish the project management work
plan that includes the:
– Scope of the project
– Identification of objectives
– Determination of methods for organizing and
managing development of the BCP
– Identification of related tasks and
responsibilities
– Scheduling of formal meetings and task
completion dates
Phase I: Project Management
and Initiation (cont.)
• Determine the need for automated data
collection tools, including plans to provide
training on how to use the software.
• Establish members of the BCP team, both
technical and functional representatives.
• Prepare and present an initial report to
management on how the BCP will meet
the objectives.
Products That Can Help
“Automated” plan development can
help you:
– Speed the process
– Avoid missing critical elements
– Organize teams
– Maintain the plan
BCP Planner/Coordinator
• Ensures that all elements of the plan are
thoroughly addressed and an appropriate level of
planning, preparation, and training have been
accomplished.
• Serves as leader for the development team.
• Has direct access and authority to interact with all
employees necessary to complete the plans.
• Is in a position within the organization to balance
the needs of the organization with the needs of the
individual business units that may be affected.
BCP Planner/Coordinator (cont.)
• Has knowledge of the business to be able
to understand how a disaster can affect
the organization.
• Has easy access to management.
• Is able to review the charter, mission
statement, and executive viewpoint.
• Has the credibility and ability to influence
senior management when decisions need
to be made.
Team Members
Representatives also include, but are not limited
to:
• Senior Management, Chief Financial Officer, etc.
• Legal Staff
• Business Unit/Functions
• Support Systems
• Recovery Team Leaders
• Information Security Department
• Data Communications Department
• Communications Department
Team Members (cont.)
The same people who would be responsible for executing the plan in the event of an outage must also be involved in preparing the BCP.
Project Plan
• Identify and develop business continuity plan
phases similar to traditional project plan phases.
– Including problem investigation, problem definition,
feasibility study, systems description, implementation,
installation, and evaluation.
• Establish business continuity plan project
characteristics.
– Such as goals/objectives, tasks, resources (personnel,
financial), time schedules, budget estimates, and
critical success factors
Phase II: Business Impact
Analysis (BIA)
The BIA is a functional analysis that identifies
the impacts should an outage occur. Impact
is measured by the following:
• Allowable Business Interruption – the
Maximum Tolerable Downtime
• Financial and Operational Considerations
• Regulatory Requirements
• Organizational Reputation
Phase II: Business Impact Analysis
(BIA)
• The BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.
Eight Steps of the BIA
Step 1: Select Interviewees
Step 2: Determine information gathering
techniques
Step 3: Customize questionnaire to gather
economic and operational impact
information (quantitative and
qualitative questions)
Step 4: Analyze information
Eight Steps of the BIA (cont.)
Step 5: Determine time-critical business
systems
Step 6: Determine maximum tolerable
downtimes
Step 7: Prioritize critical business systems
based on maximum tolerable
downtimes
Step 8: Document findings and report
recommendations
Maximum Tolerable Downtime
Phase III: Recovery Strategies
• Recovery strategies are a set of predefined and management-approved actions that will be followed and implemented in response to a business interruption.
Recovery Strategies Focus
• Meeting the pre-determined recovery
time frames.
• Maintaining the operation of the
critical business functions.
• Compiling the resource requirements.
• Identifying alternatives that are
available for recovery.
Recovery Strategies Key Element
The key element of developing a
recovery strategy is to base it on the
recovery time for mission critical
business systems -- as outlined in the
Business Impact Analysis.
Recovery Strategies
Development Steps
1. Document all costs with each alternative.
2. Obtain cost estimates for any outside
services.
3. Develop written agreements for such
services.
4. Evaluate resumption strategies based on
a full loss of the facility.
5. Document recovery strategies and
present to management for comments
and approval.
Categories of Recovery Strategies
1. Business Recovery
2. Facility and Supply
3. User
4. Operational
5. Data
Business Recovery
• Focus is on the critical resources and the
maximum tolerable downtime for each
business/support unit system. This may
include the identification of:
– Critical IT system hardware, software, and
data
– Critical equipment, supplies, furniture, and
office space
– Key personnel for each business unit and
support unit, such as Operations, Facilities,
Security, etc.
Facility and Supply Recovery
• Focus is on restoration and recovery such as:
– Facility - main building, remote facilities
– Inventory - supplies, equipment, paper, forms
– Equipment - network environments, servers,
mainframe, microcomputers, etc.
– Telecommunications - voice and data
– Documentation - application, technical materials
– Transportation - movement of equipment, personnel
– Supporting equipment - HVAC, safety, security
User Recovery
• Focus is on personnel requirements such
as:
– Manual procedures
– Vital record storage (e.g., medical, personnel)
– Employee transportation
– Critical documentation and forms
– User workspace and equipment
– Alternate site access procedures
User Recovery (cont.)
Procedures for the organization’s employees to follow during the outage include items such as:
• Team responsibilities
• Distribution of information
• Manual processing techniques
• Disaster policies
• Notification procedures
• High priority tasks
• Emergency accounting
• Checklists
Operational Recovery
• Determine the necessary equipment
configurations such as:
– Mainframes, LANs, microcomputers,
peripherals
– Explore opportunities for
integration/consolidation
– Usage parameters
• Data communications configurations include:
– Switching equipment, Routers, Bridges,
Gateways
Operational Recovery (cont.)
• Outline alternative strategies for technical
capabilities, such as network infrastructure
components.
• Options include:
– Hot Site, Warm Site, Cold Site, Mobile Site
– Reciprocal or Mutual Aid Agreements
– Multiple Processing Centers
– Service Bureaus
Operational Recovery (cont.)
Alternate Site Choices
(Chart: COST plotted against Maximum Tolerable Downtime)
• MIRROR SITE: Actively running identical processes in parallel (Instant)
• HOT SITE: Fully operational except data/staff (Minutes-Hours)
• WARM SITE: Partially prepared for operations (Days-Week)
• COLD SITE: Basic HVAC and connections (Weeks/Months)
Software and Data Recovery
• Focus is on the recovery of information (the data). Options include:
– Backing up and Off-site storage
– Electronic vaulting
– On-line tape vaulting
– Remote journaling
– Database Shadowing
– Standby Services
– Software Escrow
Phase IV: BCP Design and
Development
In this phase the team prepares and documents a detailed plan for recovery of critical business systems. End products include:
– Business and Service Recovery Plans
– Plan Maintenance Programs
– Employee Awareness and Training Programs
– Test Method Descriptions
– Restoration Plans
Design and Development Steps 1 - 4
1. Determine management concerns and
priorities.
2. Determine planning scope such as
geographical concerns, organizational issues,
and the various recovery functions to be
covered in the plan.
3. Establish outage assumptions.
4. Identify response procedures, such as
ensuring evacuation and safety of personnel,
notification of disaster, initial damage
assessment, activating teams, relocating to
alternate sites.
Design and Development Steps 5 - 7
5. Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites.
6. Identify the location for the emergency
operations center/command center.
7. Identify restoration procedures for
salvage, repair, and return to the primary
site. Also, the procedures to deactivate
the recovery site.
Design and Development Step 8
8. Plan and implement the gathering of
data required for plan completion.
– Personnel information
– Vendor services
– Equipment, software, forms, supplies
– Vital records
– Technical information
– Office space requirements
Design and Development Step 9
9. Review and outline with whom (and how) the organization will interface among external groups.
• Customers
• Shareholders
• Civic officials
• Community, region, and state emergency services groups
• Utility providers
• Industry group coalitions
• Media
Design and Development Step 10
10. Review and outline how the organization will cope with
other complications beyond the actual disaster.
– Responsibility to families
– Coordination with human resource and legal
departments
– Fraud opportunities
– Looting and vandalism
– Ensuring primary site is protected during disaster
– Safety and legal problems
– Expenses exceeding emergency manager
authority
Design and Development Steps 11 - 13
11. Develop support service plans, including
human resources, public relations,
transportation, facilities, information
processing, telecommunications, etc.
12. Develop business function plans and
procedures.
13. Develop facility recovery (i.e. the building)
plans.
BCP Document
The final aspect of this phase is to combine
all of the various steps into the
organization’s BCP. This plan should then
be interfaced with the organization’s other
emergency plans.
Phase V: Testing, Maintenance,
Awareness and Training
In this phase, plans for testing and maintaining the BCP are implemented, and awareness and training procedures are executed.
Phase V: Plan Testing
• Plan testing ensures that the business
continuity capability remains effective,
regardless of the disaster. It includes:
– Testing objectives
– Measurement criteria
– Test Schedules
– Post-test reviews
– Test results reported to management
Phase V: Plan Testing
The five main types of BCP testing
strategies are:
1. Checklist
2. Structured Walk-Through
3. Simulation
4. Parallel
5. Full Interruption
Phase V: Plan Maintenance Goal
• Develop processes that maintain the currency of
continuity capabilities and the BCP document in
accordance with the organization's strategic
direction. This includes:
– Changing management procedures
– Resolving problems found during testing
– Building maintenance procedures into the
process
– Centralizing responsibility for updates
– Reporting results regularly to team members
Phase V: Plan Maintenance
Functions
• Plan maintenance functions are:
– Receive and monitor input on needed revisions
- maintain revision history
– Plan maintenance reviews as needed
– Monitor changes within business units, such as
upgrades to systems
– Control plan maintenance distribution - who
receives a copy of plan updates
– Ensuring version control - obsolete editions of
the plan are collected and destroyed.
Damage Assessment
• Determine the extent of damage to the
facility.
• Estimate the time needed to resume
normal operations.
• Notify management of the findings.
Damage Assessment (cont.)
If the time estimated to resume operations exceeds the Maximum Tolerable Downtime (MTD) for critical business functions, then management should consider declaring a disaster and implementing the BCP.
Restoration Actions
• Restoration operations involve
restoring the primary site to normal
operation conditions.
– Complete an assessment of all
damage.
– Initiate cleanup of the primary site.
– Implement necessary replacement
procedures.
Restoration Actions (cont.)
– Move unused backup materials (e.g., supplies, magnetic media, backup documentation) from the alternate site to the primary site.
– Do least critical work first.
– Perform installations and updates of programs
and data.
– Certify and accredit the system at the primary
site.
– Initiate normal processing.
Example of a Recovery Process
1. Respond to the Disaster
2. Recover Critical Functions
3. Recover Non-critical Functions
4. Salvage and Repair
5. Return to Primary Site
Disaster Activity Example
• Assemble emergency operations team.
• Contact recovery team members to
participate in the initial damage
assessment.
• Determine the extent of damage to the
primary site facility, including:
– Building structure
– Damage to utilities
– Access to different areas within the building,
including capability to secure the building.
Disaster Activity Example (cont.)
• Calculate the time required to resume critical
and non-critical business operations.
• Notify management of the results.
• Declare a disaster and begin implementation
of continuity/recovery plans.
• Maintain a log of all steps taken after a
disaster. Be sure to note time, location, what
has been done, who did it, and any expenses
incurred.
Disaster Activity Example (cont.)
• Establish the command center to provide
management control, administrative,
logistic, and communications support.
• Move backup resources to the appropriate
recovery site.
• Allocate the required office space and
recovery resources to the recovery teams.
Disaster Activity Example (cont.)
• Resume critical business functions at
recovery site.
– Go to recovery site to confirm the
following:
• Space needs
• Security needs
• Fire protection
• Infrastructure requirements
Disaster Activity Example (cont.)
• Resume critical business functions at
recovery site.
– Install, activate and test all equipment.
– Install & activate necessary software and data
from backup.
– Test the system and certify it is ready for
operation.
– Begin critical application processing in
accordance with established priorities.
– Configure and test voice communications
systems.
Disaster Activity Example (cont.)
• Resume critical business at recovery site.
– Verify that media, forms, supplies, documentation, and equipment at an off-site storage site have been transferred to the recovery site.
– Notify users of schedule and site.
• Resume non-critical business at recovery site.
– Follow procedures similar to those for critical business function recovery.
Salvage & Repair Example
• Complete a detailed assessment of all damage at the primary site.
• Initiate cleanup of the primary site.
• If necessary, dispose of damaged
equipment and procure new equipment.
• Recover water-soaked documents.
• Review insurance policies and document
information as needed.
Salvage & Repair Example (cont.)
• Coordinate activities to have repairs
made to the damaged areas within
the primary site including:
– Facility structure - walls, floors, ceilings,
etc.
– Equipment
– Support systems - HVAC, plumbing, etc.
Return to Primary Site Example
• Plan for the return.
• Reactivate fire protection and other alarm systems.
• Planning differs from the recovery plan: the least critical work should be initiated first.
• Implement and test the network system.
• Certify and accredit the system ready for
operations.
• When notified that normal operations have resumed at the primary site, shut down operations at the alternate site and return backup materials to storage.
Quick Quiz
• What is a business continuity plan?
• What are the phases of business
continuity planning?
Section Summary
• A business continuity plan (BCP) is an approved
set of advanced arrangements and procedures
that enable an organization to facilitate the
recovery of business operations to reduce the
overall impact of an event, while at the same
time resuming the critical business functions
within a predetermined period of time.
• The phases of BCP are: 1) Project Management and Initiation; 2) Business Impact Analysis; 3) Recovery Strategy; 4) Plan Design and Development; and 5) Testing, Maintenance, Awareness, and Training.