Understanding BCP, DRP, and COOP ◾  267
© 2011 by Taylor & Francis Group, LLC
Table4.1 Library of Plans That Collectively Reflect All Aspects of the
Business and the Different Perspectives Affected by an Event or Incident
Plan Purpose Scope
Business
Continuity Plan
(BCP)
To provide procedures to
sustain core business
operations while recovering
from significant disruption
Addresses business
functions,
accommodating
Information Technology
in the context of
supporting the impacted
business processes
Business
Recovery Plan
(BRP)
To provide procedures for
recovering business
operations immediately
following a disaster
Addresses the business
processes and is not
Information Technology
focused
Continuity of
Operations Plan
(COOP)
Identifies and establishes
procedures and capabilities to
sustain an organization’s
essential, strategic functions
for a limited period of time
while reparation takes place
(usually a time limit of 30 days)
Addresses the
organization’s mission-
critical functions and is
not usually Information
Technology focused
Continuity of
Support Plan
(COSP)
Establishes procedures and
capabilities to recover major
applications or general
support systems
This plan addresses the
Information Technology
system disruption and is
not business focused
Disaster
Recovery Plan
(DRP)
Provides details of procedures
to facilitate recovery
capabilities at the original or
another permanent site
Often Information
Technology focused;
implemented when
maximum tolerable
downtime has been
exceeded and in response
to long-term effects
Incident
Response Plan
Defines the strategies to
detect, respond to, and limit
the consequences of incidents
that can impact the business
Focuses on information
security responses to
incidents affecting
systems or networks
Occupant
Emergency Plan
Provides coordinated
procedures for minimizing
loss of life or injury and
protecting property damage in
response to a physical threat
Focuses on personnel and
property particular to the
specific facility and is not
business or IT focused
268 ◾ Official (ISC)² Guide to the ISSMP CBK
Business Drivers
The benefits of developing a comprehensive disaster recovery plan include the
following:
Minimizing potential economic loss
Decreasing potential exposures
Reducing the probability of occurrence
Reducing disruptions to operations
Ensuring organizational stability
Providing an orderly recovery
Minimizing insurance premiums
Reducing reliance on certain key individuals
Protecting the assets of the organization
Ensuring the safety of personnel and customers
Minimizing decision making during a disastrous event
Minimizing legal liability
Understanding BCP, DRP, and COOP
In Figure 4.3 we identify the different plans in our library. Each entry shows the
focus of the plan and the perspective, whether a business focus or a technical
focus.

[Figure 4.3: "Continuity and Recovery Trefoil" with three lobes labelled PROTECT, SUSTAIN, and RECOVER/RESUME. Plans positioned on the trefoil: Continuity of Operations Plan, Occupant Emergency Plan, Crisis Communication Plan, IT Continuity Plan, Cyber Incident Response Plan, Continuity of Support Plan, Disaster Recovery Plan, Business Recovery Plan.]

Figure 4.3 Positioning of the library of plans that collectively reflect all aspects
of the business and the different perspectives affected by an event or incident.

Each of the plans should:
Be developed in consultation with the key stakeholders as appropriate
Be developed in alignment with core business objectives
Take account of the business risk appetite
Mitigate current threat vectors
This list of conditions is a reminder that each of the plans must be treated as a
living document. As core business objectives, key stakeholders, risk parameters,
and threat vectors change, the library of plans must be updated accordingly.
The next section examines the concepts of policy development and the content
and production of policies and plans from a generic perspective. The formal
approach to development provides a baseline for inclusion, and these may be adapted
to meet your organization's needs.
Policy Development and Planning the
Strategy for Business Continuity, Disaster
Recovery, and Continuity of Operations
Introduction
There are few "green sites" where organizations have no BC, DR, or COOP plans
at all. It is true to say that many plans have been created and placed on a shelf to
collect dust, only to see the light of day during an audit or when an incident occurs
(when it is too late to ensure that the plans reflect the current processes and systems
in place). However, in our dynamic climate, as organizations grow from local to
national to international and beyond, or merge with or take over other organizations,
downsize, outsource, or offshore, we need to reconsider our strategic plans to promote
secure business continuity, appropriate disaster recovery, and applicable restoration
of business processes.
Determining what measures we need to have in place can be a lengthy task. The
steps to conduct a thorough analysis of the core functions of the business against the
potential threats and vulnerabilities were discussed during your CISSP (refer to the
Official (ISC)² Guide to the CISSP CBK, Business Continuity and Disaster Recovery
Planning Domain). However, we need to go a step further now and consider these
issues from a strategic and holistic perspective, taking into account the supply chain
of end-to-end processes, both internal as we move toward federated organizations and
external as we extend our outsourcing and offshoring to rationalize the business.
Enterprise Recovery Strategy Development
Management involvement is not the only driving force behind repeatable organizational
performance. Short, concise policy statements also set expectations and
drive consistent performance. Regardless of the size or culture of an organization,
a policy statement can be a tool to drive business continuity program performance,
particularly in organizations where business professionals perform planning in a
decentralized manner.
A business continuity policy is a document written to convey management expectations
regarding long-term, life-cycle-oriented business continuity program performance.
In order to be effective, it should be signed, communicated, and enforced throughout
the organization by senior management. The contents of a policy statement should
rarely change and are such that they define particular actions from every employee in
the organization related to the business continuity program. A policy statement should
provide a high-level overview of the objectives and expectations. A growing number of
organizations supplement a high-level policy statement with a management-reviewed
and approved program charter and framework documentation. The charter and framework
provide the additional level of detail needed to explain how the business will
perform key program activities, short and long term. Many organizations remain
skeptical regarding the need for an organization-wide business continuity program
policy, so it is important to understand the benefits of authoring and approving one.
A well-written policy that describes the program's key role players and their
responsibilities provides clear expectations for business continuity personnel, senior
management, key program contributors, and all other employees. A policy prevents
the need for the program to waste valuable time reinventing itself year after year.
Instead, it allows the organization to align its culture and operations around a sin-
gle, simple, and repeatable vision for organizational resiliency and recoverability.
Because many business continuity programs fight for attention among all the
other priorities of an organization, a business continuity program's worst enemy
can be inconsistent execution. Consistent execution provides the basis for a program
to integrate with the organization's strategy, operations, and even other risk
management disciplines. In many cases, a program's effectiveness is only as strong
as its weakest link. For example, a program that consistently updates plan docu-
mentation but fails to perform exercises or train its personnel continues to take on
unnecessary business risk. Policy statements set organizational and management
objectives, which in turn provide the necessary motivation to complete needed
business continuity activities and remove such risk.
Business continuity program benchmarking can be challenging. When
comparing a variety of program capabilities and elements across the organiza-
tion, it can be difficult to evaluate progress or performance; however, the policy
can serve as that internal benchmark for management's review of the program.
Each year, a policy should be reviewed and re-evaluated in light of the strate-
gic vision management sets for the organization and the business continuity
program. This process of reviewing and updating the policy, when necessary,
provides an up-to-date and measurable benchmark for how the business continuity
program aligns with the organization's goals. When the cliché "what
gets measured gets done" holds favorably with senior management, the business
continuity program can leverage its policy to provide a measurable evaluation
of the program’s performance.
A business continuity policy can also play the important role of casting vision
for organizational continuity and recoverability when dedicated program personnel
are few to none. The policy, when communicated across the entire organization,
provides a common set of expectations.
Objections to developing a business continuity policy are often culturally driven.
In many cases, objections to policy statements occur because the organization has
few policies governing other business activities. These concerns are understandable
in organizations that do not have policies in the format described above or cultures
where policy alone does not have the power to create change. In these situations, less
formal methods of communicating expectations may suffice, even if the tool is not
a formal policy statement. A management-approved alignment to a standard may
be the answer or a less formal email or letter from a senior executive. Overall, it may
take some creativity, but a management-approved mandate is necessary to build a
repeatable program that consistently executes necessary program elements, enables
performance measurement, and clearly communicates program expectations.
Whether or not an organization historically creates policy statements, leadership
should consider developing formal business continuity program expectations.
When done right, all of an organization's stakeholders align behind a common set
of expectations. Competition in the marketplace and reliance on intrinsic informa-
tion systems are critical elements that are driving organizations to recognize the
need for business continuity and disaster recovery to support continuity of opera-
tions. Accordingly, many now employ teams of dedicated business continuity and
disaster recovery professionals. Establishing management expectations by focusing
on the core business functions is critically important to the successful development
and adoption of any business continuity and disaster recovery policy.
Aligning Your Business Continuity and Disaster Recovery
Policies with the Human Resource Policy
The importance of aligning the BC, DR, and COOP policies and plans with human
resource (HR) policies cannot be emphasized enough.
Part of the dilemma in planning for business continuity is the myriad of human
issues to be dealt with—the human resource policies and procedures that impact
employees involved in the response to a disaster. Human resources encompasses so many
factors that it is difficult to identify and plan for all the issues in a logical manner.
However, using the phases of the BC and DR plans, we can identify four key phases:
1. Pre-disaster (planning phase)
2. Emergency response (what do you do when the event occurs?)
3. Recovery (what do you do while you are in the process of using that part of
your plan which recovers your business?)
4. Post-recovery (what are the long-term recovery issues?)