2 1.1 Business Continuity Planning
plan should be very clearly stated. The plan should include a general
timeline or some other relevant schedule of activity information. There
should be a section describing key outcomes and benefits expected when the
plan is executed. Allocated budget information (often allocated by
activity) is important and should be included. A table of resource
requirements is a critical component of the plan. Since resource allocation
may be dependent on contracts, the specific details of all pertinent
contracts should be included in the plan. A section discussing the various
risks and issues should be a part of the plan. Finally, it is the
responsibility of the plan owner to provide details of distribution and
storage (showing how people will get a copy of the plan so that they can
take the appropriate action).
Business continuity (BC) refers to the ability of a business to maintain
continuous operations in the face of disaster [1]. How does one plan for that?
Why plan for a disaster when the chances are so remote? We live in an age
where environmental disasters are almost commonplace. They probably
always have been commonplace, but with the instantaneous news reporting
we have become accustomed to, it is not uncommon to hear of a typhoon
striking the Japanese coast, a forest fire raging out of control in the western
section of the United States, extreme flooding in Europe, and earthquakes
in Turkey—all in the same week! The devastating tsunami that hit
Southeast Asia in late December 2004 is one of the most recent examples of
why business continuity planning is so necessary. What is often not
mentioned in the news is the havoc that is wreaked on the businesses and
organizations that have to cope with the aftermath of such disasters.
1.1 Business Continuity Planning
Business continuity planning and disaster recovery planning are subsets of a
more wide-ranging discipline: business contingency. Business contingency
is the practice of formally preparing for variations in the business
environment. These variations can be of any kind, but the primary aim of
business contingency planning is to ensure the survival of an organization
by preparing for, reacting to, and adjusting to those variations.
Business continuity is a subset of business contingency targeted
specifically at measures required to ensure that business processes can be
maintained under adverse, sudden changes (crises). Disaster recovery
planning is a subset of business continuity—it focuses on extreme examples
of business interruption (disasters). Another subset of business
continuity, known as continuous availability, has emerged since
organizations have become dependent on technology. This discipline emerged
because if an organization's information technology (IT) resources suddenly
become unavailable, all supporting business processes of that organization
generally cannot continue, and this threatens the survival of an
organization.
Disasters can take many forms. We can survive and recover from
environmental disasters such as those mentioned above, of course. However,
the events of September 11, 2001 also showed us that disasters of an
organized and deliberate nature can cause severe disruption to business
operations. Disruptions can occur from a loss of utilities and services
such as water or gas, from failures in equipment, and from system failures.
Each of these types of disasters forces businesses and other organizations
to cope with them in order to preserve their unique continuity of
operations. Disaster can also occur from compromise of information,
creating a serious information security incident. Look what happened to
Enron when their sad story of stock manipulation, illegal trading, and
shell company money-laundering schemes emerged [2].
1.1.1 Building the Business Continuity Plan
When first initiating the business continuity planning (BCP) project, it is a
good idea to form a core team from all segments of the business or
organization. As part of the project initiation (kick-off) process, the
core team should gather up and review all of the existing BC plans (if
available). The core team should understand the benefits of developing a
BCP policy statement. This policy statement formalizes their purpose for
being! (We will discuss this in further detail later, in Section 1.3.4,
Establish Project Objectives and Deliverables.) The general process of
building a BCP is outlined in six steps below:
Step 1. Project Initiation
Identify customer and business requirements
Identify external dependencies (i.e., government, industry, and legal)
Perform a business risk assessment
Obtain management support
Implement project planning and control process
Step 2. Business Impact Analysis
Define criticality criteria
Identify vital business processes, applications, data, equipment, etc.
Determine impact on business processes
Identify interdependencies
Define recovery time objectives
Step 3. Recovery Strategies
Identify process and processing alternatives and offsite data backup alternatives
Identify communications backup alternatives
Identify recovery strategy alternatives (replace, outsource, manual, etc.)
Formulate strategy based on optimum cost-benefit and risk
Review strategy with recovery teams, management, and customers
Step 4. Plan Development
Define disaster recovery teams, authority, roles, and responsibilities
Develop notification and plan activation procedures
Create emergency response procedures
Create detailed recovery procedures
Develop plan distribution and control procedures
Step 5. Plan Validation/Testing
Develop test plans and objectives
Conduct simulations
Perform tests
Evaluate test results
Perform plan process improvements based on test results
Step 6. Maintenance and Training
Develop BCP maintenance process
Consolidate revision information
Develop revised BCP, as required
Create corporate awareness program
Develop BCP-specific training program
1.1.2 Types of Contingency Plans
In general, universally accepted definitions for IT contingency planning
and these related planning areas have not been available. Occasionally, this
unavailability has led to confusion regarding the actual scope and purpose
of various types of plans. To provide a common basis of understanding
regarding contingency planning, this section identifies several other types of
plans and describes their purpose and scope relative to contingency
planning. Because of the lack of standard definitions for these types of
plans, the scope of actual plans developed by organizations may vary
somewhat from the descriptions below. However, when these plans are
discussed in this book, the following descriptions apply.
1.1.2.1 Business Continuity Plan (BCP)
The BCP focuses on sustaining an organization's business functions during
and after a disruption. An example of a business function may be an
organization's payroll process or consumer information process. A BCP may
be written for a specific business process or may address all key business
processes. IT systems are considered in the BCP in terms of their support
to the business processes. In some cases, the BCP may not address long-term
recovery of processes and return to normal operations, solely covering
interim business continuity requirements. A Disaster Recovery Plan,
Business Resumption Plan, and Occupant Emergency Plan may be appended to
the BCP. Responsibilities and priorities set in the BCP should be
coordinated with responsibilities found in the Continuity of Operations
Plan (COOP) to eliminate possible conflicts. The National Institute of
Standards and Technology (NIST) has an excellent graphic illustrating the
interrelationships of these plans [3], shown in Figure 1.1.
1.1.2.2 Business Recovery Plan (BRP)
The BRP (also called a Business Resumption Plan) addresses the restoration
of business processes after an emergency has occurred. However, unlike the
BCP, the BRP generally lacks procedures to ensure the continued operation
of critical business processes during the course of an emergency or
disruption. Development of the BRP should be coordinated with the Disaster
Recovery Plan (DRP) and BCP. The BRP may be appended to the BCP.
1.1.2.3 Continuity of Operations Plan (COOP)
The COOP focuses on restoring essential functions at an alternate site and
performing those functions for an extended period of time before returning
to normal operations. A COOP addresses company-wide issues, so it is
usually developed and executed independently from the BCP. Because the
COOP emphasizes the recovery of an organization's operational capability
at an alternate site, the plan often does not include IT operations. However,
in today's business environment, it is unlikely that any organization could
return to normal operations without including IT operations as a part of
the COOP. Additionally, minor disruptions that do not require relocation
actions are typically not addressed in the COOP. However, the COOP may
include the BCP, BRP, and DRP as appendices.
1.1.2.4 Continuity of Support Plan/IT Contingency Plan
For federal systems, Office of Management and Budget (OMB) Circular A-130,
Appendix III, requires the development and maintenance of continuity
of support plans for general support systems and contingency plans for
major applications. Because an IT contingency plan should be developed for
Figure 1.1 Interrelationship of emergency preparedness plans.