Business Continuity Planning (BCP)

From the operations security perspective, BCP ensures that IT operations continue from the primary or alternate locations during an incident or disastrous event, based on the business continuity requirements. An important consideration is that security levels are maintained during such operations.

Before we plunge deeper into the myriad concepts of the BCP domain, let's recap some of the important concepts in the risk assessment and risk management areas:

  • Risk is the probability that a threat agent could exploit a vulnerability, together with the resulting impact. The impact may be related to the loss of money, resources, customer confidence, reputation, or legal and regulatory noncompliance and related issues.
  • Threat is an event that could affect business operations.
  • Vulnerability is a weakness in the system that a threat could exploit.

In the BCP domain, our focus will be on specific threat events that could cause devastating impacts on the functioning of the organization as a whole, and the IT infrastructure in particular. Examples of such events are fire, flood, earthquake, tornado, or terrorist attacks. Generally, an organization may not have controls to prevent such events. Such events are termed disruptive events. In other words, an event that could impact regular operations for a prolonged period of time can be termed a disruptive event.

Business Continuity Planning (BCP) is a process that proactively addresses the continuation of business operations during and in the aftermath of such disruptive events. The aim is to prevent interruptions to operations.

BCP goals and objectives

BCP requires coordinated efforts by a team of personnel drawn from different business functions of an organization. Let's quickly review the goal and objectives pertaining to the BCP process.

The goal of BCP is to ensure the continuity of business operations without affecting the organization as a whole.

While designing the BCP, availability should be considered as the most important factor.

People are the most important assets in business operations. Hence, life safety or preventing human loss is one of the primary objectives of BCP. Another important objective of BCP is to avoid any serious damage to the business.

BCP process

BCP involves the following steps. These simplified steps form a life cycle model for the BCP process:

  1. Scoping should be thought of in terms of assets, operations, and business processes.

    Scoping is a very important activity in a BCP process. The scope of a BCP primarily focuses on a business process. For example, if the scope of BCP is Customer Relationship Management (CRM) processes, then we're looking at the CRM-related information systems: data, people associated with customer management, and facilities such as the servers, data center, backup media, and so on. By focusing on a business process and defining the scope, we will be able to see an end-to-end link of all the associated assets, operations, and processes. Therefore, the primary criterion of BCP scoping is to ensure that it is appropriate, which means ensuring that the scoping process covers all the essential resources.

  2. Initiating the planning process.

    The Business Continuity Planning process is initiated by establishing the roles and responsibilities of the personnel involved. Generally, a BCP committee is formed with personnel drawn from critical business units. The function of a BCP committee is to create, test, and implement the plans. The critical component in planning this process is the support and involvement of senior management throughout the process life cycle.

  3. Performing Business Impact Analysis (BIA).

    BIA is a type of risk assessment exercise that tries to assess qualitative and quantitative impacts on the business due to a disruptive event. Qualitative impacts are generally operational impacts such as inability to deliver, whereas quantitative impacts are related to financial losses. In general, BIA uses What-If scenarios to assess the risks. For example, take a look at the following:

    • What will be the financial loss if the CRM server is down for 4 hours?
    • What will be the operational issues if the system administrator is not available during an emergency update of the system?
    • What will be the legal ramifications if the customer data is corrupted or stolen?

    A matrix of What-If scenarios is created and analyzed to develop suitable mitigation strategies for the risks. In BCP terminology, such a risk mitigation strategy is called a continuity plan.

  4. Developing the BCP.

    Business Continuity Plans are proactive measures that identify the critical business processes required for the continuity and sustainability of the business based on BIA. For example, let's assume that the organization has a Service Level Agreement (SLA) with its customers specifying a maximum of 2 hours of continuous downtime of its CRM services; the continuity plans then need to proactively address the systems that are needed to ensure adherence to the SLA. The organization needs a strategy or plan, and it should be consistent across all business units. Defining the continuity strategy and documenting it are two important functions that constitute the development of BC plans.

  5. BC plan implementation, testing the plans, and creating awareness among the personnel.

    The senior management must approve the properly documented business continuity plans and, upon approval, the plans are implemented. Personnel associated with business continuity strategy and operations must be made aware of the continuity processes; the plans have to be periodically tested and updated based on the lessons learned from such tests.

  6. The BC plan maintenance.

    The BCP life cycle also includes the maintenance of the plans. Plan updates are primarily driven by incidents, periodic risk assessments, and changes to the business environment. The plans need to be periodically reviewed and updated based on business changes, technology changes, and/or policy changes.

BCP best practices

The following best practices are gleaned from many BCP-related standards and guidelines. They form the base for a successful BC Planning process.

BCP should be as follows:

  • Appropriate: The scoping process should cover the essential resources
  • Adequate: Based on Business Impact Analysis, the adequacy of available resources pertaining to continuity and recovery should be established
  • Complete: The plan should include all the resources required based on the analysis

BCP resources should include the following:

  • Availability of processes
  • Availability of people to implement the processes

BCP processes should include the following:

  • Testing the plans
  • Day-to-day functions/activities to be performed to make the plan effective and ready at all times

BCP measures should include the following:

  • Preventative measures to control known issues
  • Facilitating measures to act in a timely manner on issues that are reasonably not under the control of the organization

BCP should identify the following:

  • Mission-critical systems
  • Business impact due to nonavailability of critical systems (loss of revenue, loss of profits, inability to comply with laws, damage to reputation, and so on)
  • Preventive controls
  • Recovery controls

BCP objectives include the following:

  • Recovery Time Objective (RTO): This is a timeframe within which the systems should be recovered (indicated in terms of hours or days)
  • Recovery Point Objective (RPO): This is the maximum period of time (or amount of transaction data) that the business can afford to lose during a successful recovery
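
The two objectives above can be checked against backup and recovery-drill records. The following is an added example, not part of the original text: the backup log, the drill times, and the 1-hour RPO are constructed for illustration, and the 2-hour RTO assumes that the CRM SLA figure used earlier on this page is taken as the recovery time objective.

```python
from datetime import datetime, timedelta

# Constructed sample data: backup job results for a hypothetical CRM database.
BACKUPS = [
    ("2024-03-01T00:00", "ok"),
    ("2024-03-01T01:00", "ok"),
    ("2024-03-01T02:00", "failed"),
    ("2024-03-01T03:00", "failed"),
    ("2024-03-01T04:00", "ok"),
]
# Constructed recovery drill: (outage start, service restored).
DRILL = ("2024-03-01T03:30", "2024-03-01T06:10")

RTO = timedelta(hours=2)  # assumption: the page's 2-hour CRM SLA used as RTO
RPO = timedelta(hours=1)  # assumed value for illustration

def _ts(text):
    return datetime.fromisoformat(text)

def data_loss_window(backups, event_time):
    """Time between the last successful backup and the disruptive event."""
    good = [_ts(t) for t, status in backups
            if status == "ok" and _ts(t) <= event_time]
    if not good:
        return None  # no usable restore point at all
    return event_time - max(good)

def worst_case_exposure(backups):
    """Largest gap between consecutive successful backups in the log."""
    good = sorted(_ts(t) for t, status in backups if status == "ok")
    return max((b - a for a, b in zip(good, good[1:])), default=None)

def assess(backups, drill, rto, rpo):
    """Compare measured data loss and downtime with the RPO and RTO."""
    start, restored = map(_ts, drill)
    loss = data_loss_window(backups, start)
    downtime = restored - start
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
        "worst_case_exposure": worst_case_exposure(backups),
    }

if __name__ == "__main__":
    for key, value in assess(BACKUPS, DRILL, RTO, RPO).items():
        print(f"{key}: {value}")
```

Failed backup jobs are what stretch the data-loss window here: the schedule is hourly, but two consecutive failures leave the last restore point well outside the assumed RPO.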

BCP procedures include the following:

  • Procedure for testing the plans
  • Procedure for updating the plans

BCP plans should contain the following:

  • Notification: To whom and, in case the concerned personnel is not available, who holds the secondary responsibility.
  • Call trees: The list of personnel associated with continuity operations and their contact details.
  • Response teams: Who should respond during a disruptive event? For example, an event such as fire requires trained teams to handle evacuation and other specific procedures.
  • Updating mechanism for contacts.
  • A step-by-step procedure for recovery.
  • Appropriate testing.
  • Restoring a primary site to normalcy or a stable state.
  • Required records and the format of the same.
  • The awareness of people.