Understanding BCP, DRP, and COOP ◾  277
© 2011 by Taylor & Francis Group, LLC
Project Reporting Structure
Business continuity and disaster recovery impact business processes across the organization. Accordingly, it is appropriate that the project team should comprise representatives from each business process area defined in Figure 4.6. To demonstrate sponsorship and support, the BC and DR project team will report to a steering committee. The BC and DR project team may be led by a nontechnical project manager as the team itself will comprise business and technical experts from each of the business divisions. Representatives will differ according to the structure of your organization.
[Figure 4.5: Business Continuity, Disaster Recovery, and Continuity of Operations Planning Life Cycle. Stages shown in the cycle: conduct a business impact analysis; review existing documentation; develop recovery strategies; develop business continuity, disaster recovery, and continuity of operations plans; maintain and update business continuity, disaster recovery, and continuity of operations plans; develop a testing strategy and policy; develop training, education, and awareness plans; participate in formal and informal audit reviews. Cross-cutting activities: Monitor, Control, Communicate.]
Figure 4.5 Detailed life cycle for continuous development and communication of strategic policies to mitigate business risks and address vulnerabilities in a dynamic environment where threats are constantly changing.
[Figure 4.6: reporting structure diagram. Elements shown: Governance (Steering Committee); Project Team; Workstreams; Business Unit Leads; Business Units; Documentation.]
Figure 4.6 Business continuity and disaster recovery project reporting structure.
Steering Committee
The purpose of the steering committee is to provide a strategic, holistic view of business continuity, disaster recovery, and continuity of operations across the enterprise. The scope and mandate of the steering committee should be clearly defined in the Terms of Reference. These should be developed in full consultation with representatives from the business, the technical, and the security domains across all elements of the organization.
Business Managers
Business managers are key to any business continuity, disaster recovery, and continuity of operations. They understand the prioritization of the impact to the business of the loss of any operational component at whichever layer of the security onion the component may reside. Their role is to advise on the impact of a “systems” failure to the business on fiscal, human, reputation, and operating activities. Accordingly, they should determine strategic priorities where conflicts of priorities arise.
Stakeholders
Other stakeholders may include customer-facing managers, business development
managers, and third-party managers.
The Business Continuity and Disaster Recovery Project Steering Committee
In order for business continuity and disaster recovery to receive support within your organization it should have champions and sponsors at the highest level. The steering committee should comprise senior managers from the business and technical areas of the business to ensure that all areas of the business are protected.
The Project Team Identification of Roles, Responsibilities, and Accountability
Disaster recovery planning involves more than off-site storage or backup processing. Organizations should also develop written, comprehensive disaster recovery plans that address all the critical operations and functions of the business. The plan should include documented and tested procedures, which, if followed, will ensure the ongoing availability of critical resources and continuity of operations.
Developing the Project Plan and Governance
Table4.2 is an example of the stages and activities you might consider for inclusion.
Understanding BCP, DRP, and COOP ◾  279
© 2011 by Taylor & Francis Group, LLC
Table4.2 Stages and Activities in Developing the Project Plan and Governance
Project BC and DR Plans Owner
Planned
Start
Actual
Start
Planned
Finish
Actual
Finish
Key Milestones
Project Structure and
Governance Defined
Project roles and
responsibilities agreed
Project structure
agreed
Governance model
agreed
Governance model—
socialize with
leadership team
Governance model—
socialize and sign off
with Steering Group
Risk management
plan—review with
Project Team
Risk management plan
sign-off at Leadership
Team
Risk management plan
sign-off at Steering
Group
Communications and
Engagement plan
sign-off at Leadership
Team
Communications and
Engagement plan
sign-off at Steering
Group
Table4.2 (continued) Stages and Activities in Developing the Project Plan
and Governance
Project BC and DR Plans Owner
Planned
Start
Actual
Start
Planned
Finish
Actual
Finish
Risk Analysis
Scope risk appetite
Business impact
analysis
E2E process risk
assessment
Data Gathering
Due diligence planning
workshop
Review evaluation
criteria
HR input to evaluation
criteria
Commercial input
Financial input
Operations input
Legal input
E2E service input
Systems input
Development of Plans
Develop Business
Continuity Plan
Develop Disaster
Recovery Plan
Develop Continuity of
Operations Plan
Develop Business
Recovery Plan
Business Continuity Plan and Disaster Recovery Plan: Project Planning
Introduction
Developing the plan is a seven-stage process. However, you should remember from
your CISSP that this is not a linear process but an iterative one, and that there
should be continuous feedback between the stages.
Develop Contingency Planning Policy
While some may be tempted to miss this stage, it is probably the most important of the seven steps. According to the National Institute of Standards and Technology (NIST) description, the “policy provides the authority and guidance necessary to develop an effective contingency plan.” Gaining the “authority and guidance necessary” is vital to the success of the planning venture, for without these, you do not have a sponsor.
The policy statement is about effective communication between management and those responsible for developing the plan. Using the business goals as drivers
Table4.2 (continued) Stages and Activities in Developing the Project Plan
and Governance
Project BC and DR Plans Owner
Planned
Start
Actual
Start
Planned
Finish
Actual
Finish
Test Plans
Desktop—Operational
Processes
Desktop—Tactical
End-to-End Processes
Desktop—Strategic
Live Exercise
Training, Education,
and Awareness
Plan and build
workshops
Deliver workshops
Review evaluation
criteria