Computer Security - Discussion
Chapter 3
Business Continuity Planning
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1: Security and Risk Management
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.7.1 Develop and document scope and plan
1.7.2 Business Impact Analysis (BIA)
Domain 7: Security Operations
7.14 Participate in Business Continuity (BC) planning and exercises
Despite our best wishes, disasters of one form or another eventually strike every organization. Whether it’s a natural disaster such as a hurricane or earthquake or a man-made calamity such as a building fire or burst water pipes, every organization will encounter events that threaten their operations or even their very existence.
Resilient organizations have plans and procedures in place to help mitigate the effects a disaster has on their continuing operations and to speed the return to normal operations. Recognizing the importance of planning for business continuity (BC) and disaster recovery (DR), the International Information Systems Security Certification Consortium (ISC)² included these two processes in the Common Body of Knowledge (CBK) for the CISSP program. Knowledge of these fundamental topics will help you prepare for the exam and help you prepare your organization for the unexpected.
In this chapter, we’ll explore the concepts behind business continuity planning (BCP). Chapter 18, “Disaster Recovery Planning,” will continue the discussion and delve into the specifics of the technical controls that organizations can put in place to restore operations as quickly as possible after a disaster strikes.
Planning for Business Continuity
Business continuity planning (BCP) involves assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur. BCP is used to maintain the continuous operation of a business in the event of an emergency situation. The goal of BCP planners is to implement a combination of policies, procedures, and processes such that a potentially disruptive event has as little impact on the business as possible.
BCP focuses on maintaining business operations with reduced or restricted infrastructure capabilities or resources. As long as the continuity of the organization’s ability to perform its mission-critical work tasks is maintained, BCP can be used to manage and restore the environment.
Business Continuity Planning vs. Disaster Recovery Planning
CISSP candidates often become confused about the difference between business continuity planning (BCP) and disaster recovery planning (DRP). They might try to sequence them in a particular order or draw firm lines between the two activities. The reality of the situation is that these lines are blurry in real life and don’t lend themselves to neat and clean categorization.
The distinction between the two is one of perspective. Both activities are designed to help prepare an organization for a disaster. They intend to keep operations running continuously, when possible, and recover operations as quickly as possible if they are disrupted. The perspective difference is that business continuity activities are typically strategically focused at a high level and center themselves on business processes and operations. Disaster recovery plans tend to be more tactical in nature and describe technical activities such as recovery sites, backups, and fault tolerance.
In any event, don’t get hung up on the difference between the two. We’ve yet to see an exam question force anyone to draw a solid line between the two activities. It’s much more important that you understand the processes and technologies involved in these two related disciplines.
You’ll learn more about disaster recovery planning in Chapter 18.
The overall goal of BCP is to provide a quick, calm, and efficient response in the event of an emergency and to enhance a company’s ability to recover from a disruptive event promptly. The BCP process has four main steps.
Project scope and planning
Business impact assessment
Continuity planning
Approval and implementation
The next four sections of this chapter cover each of these phases in detail. The last portion of this chapter will introduce some of the critical elements you should consider when compiling documentation of your organization’s business continuity plan.
The top priority of BCP and DRP is always people. The primary concern is to get people out of harm’s way; then you can address IT recovery and restoration issues.
Project Scope and Planning
As with any formalized business process, the development of a strong business continuity plan requires the use of a proven methodology. This requires the following:
Structured analysis of the business’s organization from a crisis planning point of view
The creation of a BCP team with the approval of senior management
An assessment of the resources available to participate in business continuity activities
An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event
The exact process you use will depend on the size and nature of your organization and its business. There isn’t a “one-size-fits-all” guide to business continuity project planning. You should consult with project planning professionals within your organization and determine the approach that will work best within your organizational culture.
Business Organization Analysis
One of the first responsibilities of the individuals responsible for business continuity planning is to perform an analysis of the business organization to identify all departments and individuals who have a stake in the BCP process. Here are some areas to consider:
Operational departments that are responsible for the core services the business provides to its clients
Critical support services, such as the information technology (IT) department, facilities and maintenance personnel, and other groups responsible for the upkeep of systems that support the operational departments
Corporate security teams responsible for physical security, as they are many times the first responders to an incident and are also responsible for the physical safeguarding of the primary facility and alternate processing facility
Senior executives and other key individuals essential for the ongoing viability of the organization
This identification process is critical for two reasons. First, it provides the groundwork necessary to help identify potential members of the BCP team (see the next section). Second, it provides the foundation for the remainder of the BCP process.
Normally, the business organization analysis is performed by the individuals spearheading the BCP effort. This is acceptable, given that they normally use the output of the analysis to assist with the selection of the remaining BCP team members. However, a thorough review of this analysis should be one of the first tasks assigned to the full BCP team when it is convened. This step is critical because the individuals performing the original analysis may have overlooked critical business functions known to BCP team members that represent other parts of the organization. If the team were to continue without revising the organizational analysis, the entire BCP process might be negatively affected, resulting in the development of a plan that does not fully address the emergency-response needs of the organization as a whole.
When developing a business continuity plan, be sure to account for both your headquarters location and any branch offices. The plan should account for a disaster that occurs at any location where your organization conducts its business.
BCP Team Selection
In many organizations, the IT and/or security departments are given sole responsibility for BCP, and no arrangements are made for input from other operational and support departments. In fact, those departments may not even know of the plan’s existence until disaster strikes or is imminent. This is a critical flaw! The isolated development of a business continuity plan can spell disaster in two ways. First, the plan itself may not take into account knowledge possessed only by the individuals responsible for the day-to-day operation of the business. Second, it keeps operational elements “in the dark” about plan specifics until implementation becomes necessary. This reduces the possibility that operational elements will agree with the provisions of the plan and work effectively to implement it. It also denies organizations the benefits achieved by a structured training and testing program for the plan.
To prevent these situations from adversely impacting the BCP process, the individuals responsible for the effort should take special care when selecting the BCP team. The team should include, at a minimum, the following individuals:
Representatives from each of the organization’s departments responsible for the core services performed by the business
Business unit team members from the functional areas identified by the organizational analysis
IT subject-matter experts with technical expertise in areas covered by the BCP
Cybersecurity team members with knowledge of the BCP process
Physical security and facility management teams responsible for the physical plant
Attorneys familiar with corporate legal, regulatory, and contractual responsibilities
Human resources team members who can address staffing issues and the impact on individual employees
Public relations team members who need to conduct similar planning for how they will communicate with stakeholders and the public in the event of a disruption
Senior management representatives with the ability to set vision, define priorities, and allocate resources
Tips for Selecting an Effective BCP Team
Select your team carefully! You need to strike a balance between representing different points of view and creating a team with explosive personality differences. Your goal should be to create a group that is as diverse as possible and still operates in harmony.
Take some time to think about the BCP team membership and who would be appropriate for your organization’s technical, financial, and political environment. Who would you include?
Each one of the individuals mentioned in the preceding list brings a unique perspective to the BCP process and will have individual biases. For example, the representatives from each of the operational departments will often consider their department the most critical to the organization’s continued viability. Although these biases may at first seem divisive, the leader of the BCP effort should embrace them and harness them in a productive manner. If used effectively, the biases will help achieve a healthy balance in the final plan as each representative advocates the needs of their department. On the other hand, if proper leadership isn’t provided, these biases may devolve into destructive turf battles that derail the BCP effort and harm the organization as a whole.
Senior Management and BCP
The role of senior management in the BCP process varies widely from organization to organization and depends on the internal culture of the business, interest in the plan from above, and the legal and regulatory environment in which the business operates. Important roles played by senior management usually include setting priorities, providing staff and financial resources, and arbitrating disputes about the criticality (i.e., relative importance) of services.
One of the authors recently completed a BCP consulting engagement with a large nonprofit institution. At the beginning of the engagement, he had a chance to sit down with one of the organization’s senior executives to discuss his goals and objectives for their work together. During that meeting, the senior executive asked him, “Is there anything you need from me to complete this engagement?”
The senior executive must have expected a perfunctory response because his eyes widened when the response began with, “Well, as a matter of fact….” He then learned that his active participation in the process was critical to its success.
When you work on a business continuity plan, you, as the BCP team leader, must seek and obtain as active a role as possible from a senior executive. This conveys the importance of the BCP process to the entire organization and fosters the active participation of individuals who might otherwise write BCP off as a waste of time better spent on operational activities. Furthermore, laws and regulations might require the active participation of those senior leaders in the planning process. If you work for a publicly traded company, you may want to remind executives that the officers and directors of the firm might be found personally liable if a disaster cripples the business and they are found not to have exercised due diligence in their contingency planning.
You may also have to convince management that BCP and DRP spending should not be viewed as a discretionary expense. Management’s fiduciary responsibilities to the organization’s shareholders require them to at least ensure that adequate BCP measures are in place.
In the case of this BCP engagement, the executive acknowledged the importance of his support and agreed to participate. He sent an email to all employees introducing the effort and stating that it had his full backing. He also attended several of the high-level planning sessions and mentioned the effort in an organization-wide “town hall” meeting.
Resource Requirements
After the team validates the business organization analysis, it should turn to an assessment of the resources required by the BCP effort. This involves the resources required by three distinct BCP phases.
The BCP team will require some resources to perform the four elements of the BCP process (project scope and planning, business impact assessment, continuity planning, and approval and implementation). It’s more than likely that the major resource consumed by this BCP phase will be effort expended by members of the BCP team and the support staff they call on to assist in the development of the plan.
The testing, training, and maintenance phases of BCP will require some hardware and software commitments, but once again, the major commitment in this phase will be effort on the part of the employees involved in those activities.
When a disaster strikes and the BCP team deems it necessary to conduct a full-scale implementation of the business continuity plan, this implementation will require significant resources. This includes a large amount of effort (BCP will likely become the focus of a large part, if not all, of the organization) and the utilization of hard resources. For this reason, it’s important that the team uses its BCP implementation powers judiciously yet decisively.
An effective business continuity plan requires the expenditure of a large amount of resources, ranging all the way from the purchase and deployment of redundant computing facilities to the pencils and paper used by team members scratching out the first drafts of the plan. However, as you saw earlier, personnel are one of the most significant resources consumed by the BCP process. Many security professionals overlook the importance of accounting for labor, but you can rest assured that senior management will not. Business leaders are keenly aware of the effect that time-consuming side activities have on the operational productivity of their organizations and the real cost of personnel in terms of salary, benefits, and lost opportunities. These concerns become especially paramount when you are requesting the time of senior executives.
You should expect that leaders responsible for resource utilization management will put your BCP proposal under a microscope, and you should be prepared to defend the necessity of your plan with coherent, logical arguments that address the business case for BCP.
Explaining the Benefits of BCP
At a recent conference, one of the authors discussed business continuity planning with the chief information security officer (CISO) of a health system from a medium-sized United States (U.S.) city. The CISO’s attitude was shocking. His organization had not conducted a formal BCP process, and he was confident that a “seat-of-the-pants” approach would work fine in the unlikely event of a disaster.
This “seat-of-the-pants” attitude is one of the most common arguments against committing resources to BCP. In many organizations, the attitude that the business has always survived and the key leaders will figure something out in the event of a disaster pervades corporate thinking. If you encounter this objection, you might want to point out to management the costs that will be incurred by the business (both direct costs and the indirect cost of lost opportunities) for each day that the business is down. Then ask them to consider how long a “seat-of-the-pants” recovery might take when compared to an orderly, planned continuity of operations.
Legal and Regulatory Requirements
Many industries may find themselves bound by federal, state, and local laws or regulations that require them to implement various degrees of BCP. We’ve already discussed one example in this chapter—the officers and directors of publicly traded firms have a fiduciary responsibility to exercise due diligence in the execution of their business continuity duties. In other circumstances, the requirements (and consequences of failure) might be even more severe. Emergency services, such as police, fire, and emergency medical operations, have a responsibility to the community to continue operations in the event of a disaster. Indeed, their services become even more critical in an emergency when public safety is threatened. Failure on their part to implement a solid BCP could result in the loss of life and/or property and the decreased confidence of the population in their government.
In many countries, financial institutions, such as banks, brokerages, and the firms that process their data, are subject to strict government and international banking and securities regulations. These regulations are necessarily strict because they are intended to ensure the continued operation of the institution as a crucial part of the economy. When pharmaceutical manufacturers must produce products in less-than-optimal circumstances following a disaster, they are required to certify the purity of their products to government regulators. There are countless other examples of industries that are required to continue operating in the event of an emergency by various laws and regulations.
Even if you’re not bound by any of these considerations, you might have contractual obligations to your clients that require you to implement sound BCP practices. If your contracts include commitments to customers expressed as service-level agreements (SLAs), you might find yourself in breach of those contracts if a disaster interrupts your ability to service your clients. Many clients may feel sorry for you and want to continue using your products/services, but their own business requirements might force them to sever the relationship and find new suppliers.
On the flip side of the coin, developing a strong, documented business continuity plan can help your organization win new clients and additional business from existing clients. If you can show your customers the sound procedures you have in place to continue serving them in the event of a disaster, they’ll place greater confidence in your firm and might be more likely to choose you as their preferred vendor. That’s not a bad position to be in!
All of these concerns point to one conclusion—it’s essential to include your organization’s legal counsel in the BCP process. They are intimately familiar with the legal, regulatory, and contractual obligations that apply to your organization and can help your team implement a plan that meets those requirements while ensuring the continued viability of the organization to the benefit of all—employees, shareholders, suppliers, and customers alike.
Laws regarding computing systems, business practices, and disaster management change frequently and vary from jurisdiction to jurisdiction. Be sure to keep your attorneys involved throughout the lifetime of your BCP, including the testing and maintenance phases. If you restrict their involvement to a pre-implementation review of the plan, you may not become aware of the impact that changing laws and regulations have on your corporate responsibilities.
Business Impact Assessment
Once your BCP team completes the four stages of preparing to create a business continuity plan, it’s time to dive into the heart of the work—the business impact assessment (BIA). The BIA identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. The results of the BIA provide you with quantitative measures that can help you prioritize the commitment of business continuity resources to the various local, regional, and global risk exposures facing your organization.
It’s important to realize that there are two different types of analyses that business planners use when facing a decision.
Quantitative decision-making Quantitative decision-making involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business.
Qualitative decision-making Qualitative decision-making takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low).
Quantitative analysis and qualitative analysis both play an important role in the BCP process. However, most people tend to favor one type of analysis over the other. When selecting the individual members of the BCP team, try to achieve a balance between people who prefer each strategy. This will result in the development of a well-rounded BCP and benefit the organization in the long run.
The BIA process described in this chapter approaches the problem from both quantitative and qualitative points of view. However, it’s tempting for a BCP team to “go with the numbers” and perform a quantitative assessment while neglecting the somewhat more difficult qualitative assessment. It’s important that the BCP team performs a qualitative analysis of the factors affecting your BCP process. For example, if your business is highly dependent on a few important clients, your management team is probably willing to suffer significant short-term financial loss to retain those clients in the long term. The BCP team must sit down and discuss (preferably with the involvement of senior management) qualitative concerns to develop a comprehensive approach that satisfies all stakeholders.
Identify Priorities
The first BIA task facing the BCP team is identifying business priorities. Depending on your line of business, there will be certain activities that are most essential to your day-to-day operations when disaster strikes. The priority identification task, or criticality prioritization, involves creating a comprehensive list of business processes and ranking them in order of importance. Although this task may seem somewhat daunting, it’s not as hard as it seems.
A great way to divide the workload of this process among the team members is to assign each participant responsibility for drawing up a prioritized list that covers the business functions for which their department is responsible. When the entire BCP team convenes, team members can use those prioritized lists to create a master prioritized list for the entire organization. One caution with this approach—if your team is not truly representative of the organization, you may miss critical priorities. Be sure to gather input from all parts of the organization, even if some areas are not included on the team.
This process helps identify business priorities from a qualitative point of view. Recall that we’re describing an attempt to simultaneously develop both qualitative and quantitative BIAs. To begin the quantitative assessment, the BCP team should sit down and draw up a list of organization assets and then assign an asset value (AV) in monetary terms to each asset. These numbers will be used in the remaining BIA steps to develop a financially based BIA.
The second quantitative measure that the team must develop is the maximum tolerable downtime (MTD), sometimes also known as maximum tolerable outage (MTO). The MTD is the maximum length of time a business function can be inoperable without causing irreparable harm to the business. The MTD provides valuable information when you’re performing both BCP and DRP planning.
This leads to another metric, the recovery time objective (RTO), for each business function. This is the amount of time in which you think you can feasibly recover the function in the event of a disruption. Once you have defined your recovery objectives, you can design and plan the procedures necessary to accomplish the recovery tasks.
The goal of the BCP process is to ensure that your RTOs are less than your MTDs, resulting in a situation in which a function should never be unavailable beyond the maximum tolerable downtime.
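As an added worked example (not from the chapter), the following script applies the priority-identification step above to a constructed register of business functions: each entry carries the department's qualitative category, an asset value (AV), an MTD and an RTO, and the script flags every function whose RTO is not less than its MTD and builds a master prioritized list. The functions, departments, dollar values and hour figures are hypothetical, and ordering by qualitative category first and AV second is one reasonable way to merge the two assessments, not a rule the chapter states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    department: str
    asset_value: float   # AV in dollars, assigned by the BCP team
    mtd_hours: float     # maximum tolerable downtime (also called MTO)
    rto_hours: float     # recovery time objective the team believes is feasible
    qualitative: str     # "high", "medium" or "low" from the departmental lists


# Constructed sample register for a hypothetical organization; none of these
# values come from the chapter.
REGISTER = [
    BusinessFunction("Order processing", "Sales", 2_500_000, 24, 8, "high"),
    BusinessFunction("Payroll", "HR", 800_000, 72, 48, "high"),
    BusinessFunction("Email and calendaring", "IT", 400_000, 48, 72, "medium"),
    BusinessFunction("Marketing website", "Marketing", 150_000, 168, 24, "low"),
]

QUAL_RANK = {"high": 0, "medium": 1, "low": 2}


def rto_violations(register):
    """Names of functions whose RTO is not strictly less than their MTD.

    These are the functions the plan cannot currently protect: the team
    must either shorten the RTO (better recovery procedures) or revisit
    the MTD with the business owner.
    """
    return [f.name for f in register if f.rto_hours >= f.mtd_hours]


def slack_hours(register):
    """MTD minus RTO per function: the margin before the MTD is exceeded.

    A negative margin is the same condition rto_violations() reports,
    expressed as the number of hours the RTO must be reduced by.
    """
    return {f.name: f.mtd_hours - f.rto_hours for f in register}


def prioritized(register):
    """Master prioritized list: qualitative category first, then AV descending.

    Every function must carry a known category; an unknown label is an
    error in the departmental input rather than something to guess at.
    """
    for f in register:
        if f.qualitative not in QUAL_RANK:
            raise ValueError(f"{f.name}: unknown category {f.qualitative!r}")
    ordered = sorted(register, key=lambda f: (QUAL_RANK[f.qualitative], -f.asset_value))
    return [f.name for f in ordered]


if __name__ == "__main__":
    for name in prioritized(REGISTER):
        print(f"{name:24s} slack={slack_hours(REGISTER)[name]:+.0f}h")
    print("RTO >= MTD:", rto_violations(REGISTER))
```

Running it lists the four functions in priority order and reports the email service as the one function whose RTO (72 h) exceeds its MTD (48 h), which is exactly the condition the chapter says the BCP process exists to prevent.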
Risk Identification
The next phase of the BIA is the identification of risks posed to your organization. Some elements of this organization-specific list may come to mind immediately. The identification of other, more obscure risks might take a little creativity on the part of the BCP team.
Risks come in two forms: natural risks and man-made risks. The following list includes some events that pose natural threats:
Violent storms/hurricanes/tornadoes/blizzards
Lightning strikes
Earthquakes
Mudslides/avalanches
Volcanic eruptions
Man-made threats include the following events:
Terrorist acts/wars/civil unrest
Theft/vandalism
Fires/explosions
Prolonged power outages
Building collapses
Transportation failures
Internet disruptions
Service provider outages
Remember, these are by no means all-inclusive lists. They merely identify some common risks that many organizations face. You may want to use them as a starting point, but a full listing of risks facing your organization will require input from all members of the BCP team.
The risk identification portion of the process is purely qualitative in nature. At this point in the process, the BCP team should not be concerned about the likelihood that each type of risk will actually materialize or the amount of damage such an occurrence would inflict upon the continued operation of the business. The results of this analysis will drive both the qualitative and quantitative portions of the remaining BIA tasks.
Business Impact Assessment and the Cloud
As you conduct your business impact assessment, don’t forget to take any cloud vendors on which your organization relies into account. Depending on the nature of the cloud service, the vendor’s own business continuity arrangements may have a critical impact on your organization’s business operations as well.
Consider, for example, a firm that outsourced email and calendaring to a third-party Software as a Service (SaaS) provider. Does the contract with that provider include details about the provider’s SLA and commitments for restoring operations in the event of a disaster?
Also remember that a contract is not normally sufficient due diligence when choosing a cloud provider. You should also verify that they have the controls in place to deliver on their contractual commitments. Although it may not be possible for you to physically visit the vendor’s facilities to verify their control implementation, you can always do the next best thing—send someone else!
Now, before you go off identifying an emissary and booking flights, realize that many of your vendor’s customers are probably asking the same question. For this reason, the vendor may have already hired an independent auditing firm to conduct an assessment of their controls. They can make the results of this assessment available to you in the form of a Service Organization Control (SOC) report.
Keep in mind that there are three different versions of the SOC report. The simplest of these, an SOC-1 report, covers only internal controls over financial reporting. If you want to verify the security, privacy, and availability controls, you’ll want to review either an SOC-2 or SOC-3 report. The American Institute of Certified Public Accountants (AICPA) sets and maintains the standards surrounding these reports to maintain consistency between auditors from different accounting firms.
For more information on this topic, see the AICPA’s document comparing the SOC report types at https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/comparision-soc-1-3.pdf.
Likelihood Assessment
The preceding step consisted of the BCP team’s drawing up a comprehensive list of the events that can be a threat to an organization. You probably recognized that some events are much more likely to happen than others. For example, an earthquake is a much more likely risk than a tropical storm for a business located in Southern California. A business based in Florida might have the exact opposite likelihood that each risk would occur.
To account for these differences, the next phase of the business impact assessment identifies the likelihood that each risk will occur. To keep calculations consistent, this assessment is usually expressed in terms of an annualized rate of occurrence (ARO) that reflects the number of times a business expects to experience a given disaster each year.
The BCP team should sit down and determine an ARO for each risk identified in the previous section. These numbers should be based on corporate history, professional experience of team members, and advice from experts, such as meteorologists, seismologists, fire prevention professionals, and other consultants, as needed.
In addition to the government resources identified in this chapter, insurance companies develop large repositories of risk information as part of their actuarial processes. You may be able to obtain this information from them to assist in your BCP efforts. After all, you have a mutual interest in preventing damage to your business!
In many cases, you may be able to find likelihood assessments for some risks prepared by experts at no cost to you. For example, the U.S. Geological Survey (USGS) developed the earthquake hazard map shown in Figure 3.1. This map illustrates the ARO for earthquakes in various regions of the United States. Similarly, the Federal Emergency Management Agency (FEMA) coordinates the development of detailed flood maps of local communities throughout the United States. These resources are available online and offer a wealth of information to organizations performing a business impact assessment.
FIGURE 3.1 Earthquake hazard map of the United States
Impact Assessment
As you may have surmised based on its name, the impact assessment is one of the most critical portions of the business impact assessment. In this phase, you analyze the data gathered during risk identification and likelihood assessment and attempt to determine what impact each one of the identified risks would have on the business if it were to occur.
From a quantitative point of view, we will cover three specific metrics: the exposure factor, the single loss expectancy, and the annualized loss expectancy. Each one of these values is computed for each specific risk/asset combination evaluated during the previous phases.
The exposure factor (EF) is the amount of damage that the risk poses to the asset, expressed as a percentage of the asset’s value. For example, if the BCP team consults with fire experts and determines that a building fire would cause 70 percent of the building to be destroyed, the exposure factor of the building to fire is 70 percent.
The single loss expectancy (SLE) is the monetary loss that is expected each time the risk materializes. You can compute the SLE using the following formula:
Continuing with the preceding example, if the building is worth $500,000, the single loss expectancy would be 70 percent of $500,000, or $350,000. You can interpret this figure to mean that a single fire in the building would be expected to cause $350,000 worth of damage.
The annualized loss expectancy (ALE) is the monetary loss that the business expects to occur as a result of the risk harming the asset over the course of a year. You already have all the data necessary to perform this calculation. The SLE is the amount of damage you expect each time a disaster strikes, and the ARO (from the likelihood analysis) is the number of times you expect a disaster to occur each year. You compute the ALE by simply multiplying those two numbers:
Returning once again to our building example, if fire experts predict that a fire will occur in the building once every 30 years, the ARO is ~1/30, or 0.03. The ALE is then 3 percent of the $350,000 SLE, or $10,500. You can interpret this figure to mean that the business should expect to lose $10,500 each year due to a fire in the building.
Obviously, a fire will not occur each year—this figure represents the average cost over the 30 years between fires. It’s not especially useful for budgeting considerations but proves invaluable when attempting to prioritize the assignment of BCP resources to a given risk. These concepts were also covered in Chapter 2, “Personnel Security and Risk Management Concepts.”
Be certain you’re familiar with the quantitative formulas contained in this chapter and the concepts of asset value, exposure factor, annualized rate of occurrence, single loss expectancy, and annualized loss expectancy. Know the formulas and be able to work through a scenario.
From a qualitative point of view, you must consider the nonmonetary impact that interruptions might have on your business. For example, you might want to consider the following:
Loss of goodwill among your client base
Loss of employees to other jobs after prolonged downtime
Social/ethical responsibilities to the community
Negative publicity
It’s difficult to put dollar values on items like these in order to include them in the quantitative portion of the impact assessment, but they are equally important. After all, if you decimate your client base, you won’t have a business to return to when you’re ready to resume operations!
Resource Prioritization
The final step of the BIA is to prioritize the allocation of business continuity resources to the various risks that you identified and assessed in the preceding tasks of the BIA.
From a quantitative point of view, this process is relatively straightforward. You simply create a list of all the risks you analyzed during the BIA process and sort them in descending order according to the ALE computed during the impact assessment phase. This provides you with a prioritized list of the risks that you should address. Select as many items as you’re willing and able to address simultaneously from the top of the list and work your way down. Eventually, you’ll reach a point at which you’ve exhausted either the list of risks (unlikely!) or all your available resources (much more likely!).
Recall from the previous section that we also stressed the importance of addressing qualitatively important concerns. In previous sections about the BIA, we treated quantitative and qualitative analysis as mainly separate functions with some overlap in the analysis. Now it’s time to merge the two prioritized lists, which is more of an art than a science. You must sit down with the BCP team and representatives from the senior management team and combine the two lists into a single prioritized list.
Qualitative concerns may justify elevating or lowering the priority of risks that already exist on the ALE-sorted quantitative list. For example, if you run a fire suppression company, your number-one priority might be the prevention of a fire in your principal place of business despite the fact that an earthquake might cause more physical damage. The potential loss of reputation within the business community resulting from the destruction of a fire suppression company by fire might be too difficult to overcome and result in the eventual collapse of the business, justifying the increased priority.
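The impact assessment metrics (EF, SLE, ARO, ALE) and the ALE-sorted ranking from the resource prioritization step, carried through as an added Python example; this is not code from the textbook. The building/fire figures ($500,000 asset value, 70 percent EF, one fire every 30 years) are the chapter’s own; the flood and earthquake rows, the asset names, and the `promote` helper used to model the qualitative override are constructed assumptions.

```python
# Added worked example (not from the textbook): compute EF/SLE/ARO/ALE for
# several risk/asset pairs, rank them by ALE as the quantitative
# prioritization step describes, then apply a qualitative override.
# Only the building/fire row uses the chapter's figures; the rest is
# constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskAssetPair:
    asset: str
    risk: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, as a fraction of AV (0.70 == 70 percent)
    aro: float               # annualized rate of occurrence

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: dollar loss per occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (SLE x ARO)."""
        return self.sle * self.aro


def aro_from_interval(years_between_events: float, ndigits: int = 2) -> float:
    """Turn an expert's 'once every N years' estimate into an ARO.

    Rounded to two decimals by default so that 'once every 30 years'
    gives 0.03, the figure the chapter uses.
    """
    if years_between_events <= 0:
        raise ValueError("interval must be a positive number of years")
    return round(1.0 / years_between_events, ndigits)


def prioritize_by_ale(pairs):
    """Quantitative prioritization: highest ALE first."""
    return sorted(pairs, key=lambda p: p.ale, reverse=True)


def promote(ranked, asset, risk):
    """Qualitative override (constructed helper): move one pair to the top.

    Models the fire suppression company example, where reputational
    damage justifies ranking a lower-ALE risk first.
    """
    match = [p for p in ranked if p.asset == asset and p.risk == risk]
    if not match:
        raise KeyError(f"{risk} against {asset} is not in the list")
    return match[:1] + [p for p in ranked if p is not match[0]]


# Constructed sample data; only the fire row comes from the chapter.
SAMPLE_RISKS = [
    RiskAssetPair("building", "fire", 500_000, 0.70, aro_from_interval(30)),
    RiskAssetPair("data center", "flood", 2_000_000, 0.25, 0.10),
    RiskAssetPair("building", "earthquake", 500_000, 0.40, 0.05),
]


def report(pairs):
    """Render the AV/EF/ARO/SLE/ALE table the risk assessment should record."""
    header = f"{'asset':<12}{'risk':<12}{'AV':>12}{'EF':>6}{'ARO':>6}{'SLE':>12}{'ALE':>12}"
    lines = [header]
    for p in pairs:
        lines.append(
            f"{p.asset:<12}{p.risk:<12}{p.asset_value:>12,.0f}"
            f"{p.exposure_factor:>6.2f}{p.aro:>6.2f}{p.sle:>12,.0f}{p.ale:>12,.0f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    ranked = prioritize_by_ale(SAMPLE_RISKS)
    print(report(ranked))          # flood, fire, earthquake by ALE
    print()
    print(report(promote(ranked, "building", "fire")))  # after override
```

Running the script prints the ALE-sorted table first (flood at $50,000, fire at $10,500, earthquake at $10,000) and then the same table after the qualitative override moves fire to the top; the `report` output is the kind of table the risk assessment section of the BCP documentation should carry.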
Continuity Planning
The first two phases of the BCP process (project scope and planning and the business impact assessment) focus on determining how the BCP process will work and prioritizing the business assets that must be protected against interruption. The next phase of BCP development, continuity planning, focuses on developing and implementing a continuity strategy to minimize the impact realized risks might have on protected assets.
In this section, you’ll learn about the subtasks involved in continuity planning.
Strategy development
Provisions and processes
Plan approval
Plan implementation
Training and education
Strategy Development
The strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development. The BCP team must now take the prioritized list of concerns raised by the quantitative and qualitative resource prioritization exercises and determine which risks will be addressed by the business continuity plan. Fully addressing all the contingencies would require the implementation of provisions and processes that maintain a zero-downtime posture in the face of every possible risk. For obvious reasons, implementing a policy this comprehensive is simply impossible.
The BCP team should look back to the MTD estimates created during the early stages of the BIA and determine which risks are deemed acceptable and which must be mitigated by BCP continuity provisions. Some of these decisions are obvious—the risk of a blizzard striking an operations facility in Egypt is negligible and would be deemed an acceptable risk. The risk of a monsoon in New Delhi is serious enough that it must be mitigated by BCP provisions.
Once the BCP team determines which risks require mitigation and the level of resources that will be committed to each mitigation task, they are ready to move on to the provisions and processes phase of continuity planning.
Provisions and Processes
The provisions and processes phase of continuity planning is the meat of the entire business continuity plan. In this task, the BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage. Three categories of assets must be protected through BCP provisions and processes: people, buildings/facilities, and infrastructure. In the next three sections, we’ll explore some of the techniques you can use to safeguard these categories.
People
First, you must ensure that the people within your organization are safe before, during, and after an emergency. Once you’ve achieved that goal, you must make provisions to allow your employees to conduct both their BCP and operational tasks in as normal a manner as possible given the circumstances.
Don’t lose sight of the fact that people are your most valuable asset. The safety of people must always come before the organization’s business goals. Make sure that your business continuity plan makes adequate provisions for the security of your employees, customers, suppliers, and any other individuals who may be affected!
People should be provided with all the resources they need to complete their assigned tasks. At the same time, if circumstances dictate that people be present in the workplace for extended periods of time, arrangements must be made for shelter and food. Any continuity plan that requires these provisions should include detailed instructions for the BCP team in the event of a disaster. The organization should maintain stockpiles of provisions sufficient to feed the operational and support teams for an extended period of time in an accessible location. Plans should specify the periodic rotation of those stockpiles to prevent spoilage.
Buildings and Facilities
Many businesses require specialized facilities in order to carry out their critical operations. These might include standard office facilities, manufacturing plants, operations centers, warehouses, distribution/logistics centers, and repair/maintenance depots, among others. When you perform your BIA, you will identify those facilities that play a critical role in your organization’s continued viability. Your continuity plan should address two areas for each critical facility.
Hardening Provisions Your BCP should outline mechanisms and procedures that can be put in place to protect your existing facilities against the risks defined in the strategy development phase. This might include steps as simple as patching a leaky roof or as complex as installing reinforced hurricane shutters and fireproof walls.
Alternate Sites In the event that it’s not feasible to harden a facility against a risk, your BCP should identify alternate sites where business activities can resume immediately (or at least in a period of time that’s shorter than the maximum tolerable downtime for all affected critical business functions). Chapter 18 describes a few of the facility types that might be useful in this stage.
Infrastructure
Every business depends on some sort of infrastructure for its critical processes. For many businesses, a critical part of this infrastructure is an IT backbone of communications and computer systems that process orders, manage the supply chain, handle customer interaction, and perform other business functions. This backbone consists of a number of servers, workstations, and critical communications links between sites. The BCP must address how these systems will be protected against risks identified during the strategy development phase. As with buildings and facilities, there are two main methods of providing this protection.
Physically Hardening Systems You can protect systems against the risks by introducing protective measures such as computer-safe fire suppression systems and uninterruptible power supplies.
Alternative Systems You can also protect business functions by introducing redundancy (either redundant components or completely redundant systems/communications links that rely on different facilities).
These same principles apply to whatever infrastructure components serve your critical business processes—transportation systems, electrical power grids, banking and financial systems, water supplies, and so on.
Plan Approval and Implementation
Once the BCP team completes the design phase of the BCP document, it’s time to gain top-level management endorsement of the plan. If you were fortunate enough to have senior management involvement throughout the development phases of the plan, this should be a relatively straightforward process. On the other hand, if this is your first time approaching management with the BCP document, you should be prepared to provide a lengthy explanation of the plan’s purpose and specific provisions.
Senior management approval and buy-in is essential to the success of the overall BCP effort.
Plan Approval
If possible, you should attempt to have the plan endorsed by the top executive in your business—the chief executive officer, chairperson, president, or similar business leader. This move demonstrates the importance of the plan to the entire organization and showcases the business leader’s commitment to business continuity. The signature of such an individual on the plan also gives it much greater weight and credibility in the eyes of other senior managers, who might otherwise brush it off as a necessary but trivial IT initiative.
Plan Implementation
Once you’ve received approval from senior management, it’s time to dive in and start implementing your plan. The BCP team should get together and develop an implementation schedule that utilizes the resources dedicated to the program to achieve the stated process and provision goals in as prompt a manner as possible given the scope of the modifications and the organizational climate.
After all the resources are fully deployed, the BCP team should supervise the conduct of an appropriate BCP maintenance program to ensure that the plan remains responsive to evolving business needs.
Training and Education
Training and education are essential elements of the BCP implementation. All personnel who will be involved in the plan (either directly or indirectly) should receive some sort of training on the overall plan and their individual responsibilities.
Everyone in the organization should receive at least a plan overview briefing to provide them with the confidence that business leaders have considered the possible risks posed to continued operation of the business and have put a plan in place to mitigate the impact on the organization should business be disrupted.
People with direct BCP responsibilities should be trained and evaluated on their specific BCP tasks to ensure that they are able to complete them efficiently when disaster strikes. Furthermore, at least one backup person should be trained for every BCP task to ensure redundancy in the event personnel are injured or cannot reach the workplace during an emergency.
BCP Documentation
Documentation is a critical step in the business continuity planning process. Committing your BCP methodology to paper provides several important benefits.
It ensures that BCP personnel have a written continuity document to reference in the event of an emergency, even if senior BCP team members are not present to guide the effort.
It provides a historical record of the BCP process that will be useful to future personnel seeking to both understand the reasoning behind various procedures and implement necessary changes in the plan.
It forces the team members to commit their thoughts to paper—a process that often facilitates the identification of flaws in the plan. Having the plan on paper also allows draft documents to be distributed to individuals not on the BCP team for a “sanity check.”
In the following sections, we’ll explore some of the important components of the written business continuity plan.
Continuity Planning Goals
First, the plan should describe the goals of continuity planning as set forth by the BCP team and senior management. These goals should be decided on at or before the first BCP team meeting and will most likely remain unchanged throughout the life of the BCP.
The most common goal of the BCP is quite simple: to ensure the continuous operation of the business in the face of an emergency situation. Other goals may also be inserted in this section of the document to meet organizational needs. For example, you might have goals that your customer call center experience no more than 15 consecutive minutes of downtime or that your backup servers be able to handle 75 percent of your processing load within 1 hour of activation.
Statement of Importance
The statement of importance reflects the criticality of the BCP to the organization’s continued viability. This document commonly takes the form of a letter to the organization’s employees stating the reason that the organization devoted significant resources to the BCP development process and requesting the cooperation of all personnel in the BCP implementation phase.
Here’s where the importance of senior executive buy-in comes into play. If you can put out this letter under the signature of the chief executive officer (CEO) or an officer at a similar level, the plan will carry tremendous weight as you attempt to implement changes throughout the organization. If you have the signature of a lower-level manager, you may encounter resistance as you attempt to work with portions of the organization outside of that individual’s direct control.
Statement of Priorities
The statement of priorities flows directly from the identify priorities phase of the business impact assessment. It simply involves listing the functions considered critical to continued business operations in a prioritized order. When listing these priorities, you should also include a statement that they were developed as part of the BCP process and reflect the importance of the functions to continued business operations in the event of an emergency and nothing more. Otherwise, the list of priorities could be used for unintended purposes and result in a political turf battle between competing organizations to the detriment of the business continuity plan.
Statement of Organizational Responsibility
The statement of organizational responsibility also comes from a senior-level executive and can be incorporated into the same letter as the statement of importance. It basically echoes the sentiment that “business continuity is everyone’s responsibility!” The statement of organizational responsibility restates the organization’s commitment to business continuity planning and informs employees, vendors, and affiliates that they are individually expected to do everything they can to assist with the BCP process.
Statement of Urgency and Timing
The statement of urgency and timing expresses the criticality of implementing the BCP and outlines the implementation timetable decided on by the BCP team and agreed to by upper management. The wording of this statement will depend on the actual urgency assigned to the BCP process by the organization’s leadership. If the statement itself is included in the same letter as the statement of priorities and statement of organizational responsibility, the timetable should be included as a separate document. Otherwise, the timetable and this statement can be put into the same document.
Risk Assessment
The risk assessment portion of the BCP documentation essentially recaps the decision-making process undertaken during the business impact assessment. It should include a discussion of all the risks considered during the BIA as well as the quantitative and qualitative analyses performed to assess these risks. For the quantitative analysis, the actual AV, EF, ARO, SLE, and ALE figures should be included. For the qualitative analysis, the thought process behind the risk analysis should be provided to the reader. It’s important to note that the risk assessment must be updated on a regular basis because it reflects a point-in-time assessment.
Risk Acceptance/Mitigation
The risk acceptance/mitigation section of the BCP documentation contains the outcome of the strategy development portion of the BCP process. It should cover each risk identified in the risk analysis portion of the document and outline one of two thought processes.
For risks that were deemed acceptable, it should outline the reasons the risk was considered acceptable as well as potential future events that might warrant reconsideration of this determination.
For risks that were deemed unacceptable, it should outline the risk management provisions and processes put into place to reduce the risk to the organization’s continued viability.
It’s far too easy to look at a difficult risk mitigation challenge and say “we accept this risk” before moving on to easier things. Business continuity planners should resist these statements and ask business leaders to formally document their risk acceptance decisions. If auditors later scrutinize your business continuity plan, they will most certainly look for formal artifacts of any risk acceptance decisions made in the BCP process.
Vital Records Program
The BCP documentation should also outline a vital records program for the organization. This document states where critical business records will be stored and the procedures for making and storing backup copies of those records.
One of the biggest challenges in implementing a vital records program is often identifying the vital records in the first place! As many organizations transitioned from paper-based to digital workflows, they often lost the rigor that existed around creating and maintaining formal file structures. Vital records may now be distributed among a wide variety of IT systems and cloud services. Some may be stored on central servers accessible to groups, whereas others may be located in digital repositories assigned to an individual employee.
If that messy state of affairs sounds like your current reality, you may want to begin your vital records program by identifying the records that are truly critical to your business. Sit down with functional leaders and ask, “If we needed to rebuild the organization today in a completely new location without access to any of our computers or files, what records would you need?” Asking the question in this way forces the team to visualize the actual process of re-creating operations and, as they walk through the steps in their minds, will produce an inventory of the organization’s vital records. This inventory may evolve over time as people remember other important information sources, so you should consider using multiple conversations to finalize it.
Once you’ve identified the records that your organization considers vital, the next task is a formidable one: find them! You should be able to identify the storage locations for each record identified in your vital records inventory. Once you’ve completed this task, you can then use this vital records inventory to inform the rest of your business continuity planning efforts.
Emergency-Response Guidelines
The emergency-response guidelines outline the organizational and individual responsibilities for immediate response to an emergency situation. This document provides the first employees to detect an emergency with the steps they should take to activate provisions of the BCP that do not automatically activate. These guidelines should include the following:
Immediate response procedures (security and safety procedures, fire suppression procedures, notification of appropriate emergency-response agencies, etc.)
A list of the individuals who should be notified of the incident (executives, BCP team members, etc.)
Secondary response procedures that first responders should take while waiting for the BCP team to assemble
Your guidelines should be easily accessible to everyone in the organization who may be among the first responders to a crisis incident. Any time a disruption strikes, time is of the essence. Slowdowns in activating your business continuity procedures may result in undesirable downtime for your business operations.
Maintenance
The BCP documentation and the plan itself must be living documents. Every organization encounters nearly constant change, and this dynamic nature ensures that the business’s continuity requirements will also evolve. The BCP team should not be disbanded after the plan is developed but should still meet periodically to discuss the plan and review the results of plan tests to ensure that it continues to meet organizational needs.
Obviously, minor changes to the plan do not require conducting the full BCP development process from scratch; they can simply be made at an informal meeting of the BCP team by unanimous consent. However, keep in mind that drastic changes in an organization’s mission or resources may require going back to the BCP drawing board and beginning again.
Any time you make a change to the BCP, you must practice good version control. All older versions of the BCP should be physically destroyed and replaced by the most current version so that no confusion exists as to the correct implementation of the BCP.
It is also a good practice to include BCP components in job descriptions to ensure that the BCP remains fresh and is performed correctly. Including BCP responsibilities in an employee’s job description also makes them fair game for the performance review process.
Test ing and Ex er cises
The BCP doc u men ta tion should also out line a for mal ized ex er cise pro gram to en sure that the plan re mains cur rent and that all per son nel are ad e quately trained to per form their du ties in the event of a dis as ter. The test ing process is quite sim i lar to that used for the dis as ter re cov ery plan, so we’ll re serve the dis cus sion of the spe cific test types for Chap ter 18.
Sum mary Ev ery or ga ni za tion de pen dent on tech no log i cal re sources for its sur vival should have a com pre hen sive
busi ness con ti nu ity plan in place to en sure the sus tained vi a bil ity of the or ga ni za tion when un fore seen emer gen cies take place. There are a num ber of im por tant con cepts that un der lie solid busi ness con ti nu ity plan ning prac tices, in clud ing project scope and plan ning, busi ness im pact as sess ment, con ti nu ity plan ning, and ap proval and im ple men ta tion.
Ev ery or ga ni za tion must have plans and pro ce dures in place to help mit i gate the ef fects a dis as ter has on con tin u ing op er a tions and to speed the re turn to nor mal op er a tions. To de ter mine the risks that your busi ness faces and that re quire mit i ga tion, you must work with a cross-func tional team to con duct a busi ness im pact as sess ment from both quan ti ta tive and qual i ta tive points of view. You must take the ap pro pri ate steps in de vel op ing a con ti nu ity strat egy for your or ga ni za tion and know what to do to weather fu ture dis as ters.
Fi nally, you must cre ate the doc u men ta tion re quired to en sure that your plan is ef fec tively com mu ni cated to present and fu ture BCP team par tic i pants. Such doc u men ta tion should in clude con ti nu ity plan ning guide lines. The busi ness con ti nu ity plan must also con tain state ments of im por tance, pri or i ties, or ga ni za tional re spon si bil ity, and ur gency and tim ing. In ad di tion, the doc u men ta tion should in clude plans for risk as sess ment, ac cep tance, and mit i ga tion; a vi tal records pro gram; emer gency-re sponse guide lines; and plans for main te nance and test ing.
Chap ter 18 will take this plan ning to the next step—de vel op ing and im ple ment ing a dis as ter re cov ery plan that in cludes the tech ni cal con trols re quired to keep your busi ness run ning in the face of a dis as ter.
Exam Essentials
Understand the four steps of the business continuity planning process. Business continuity planning involves four distinct phases: project scope and planning, business impact assessment, continuity planning, and approval and implementation. Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency situation.
Describe how to perform the business organization analysis. In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis is used as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.
List the necessary members of the business continuity planning team. The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization.
Know the legal and regulatory requirements that face business continuity planners. Business leaders must exercise due diligence to ensure that shareholders’ interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that must be met before and after a disaster.
Explain the steps of the business impact assessment process. The five steps of the business impact assessment process are identification of priorities, risk identification, likelihood assessment, impact assessment, and resource prioritization.
Describe the process used to develop a continuity strategy. During the strategy development phase, the BCP team determines which risks will be mitigated. In the provisions and processes phase, mechanisms and procedures that will mitigate the risks are designed. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.
Explain the importance of fully documenting an organization’s business continuity plan. Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the “it’s in my head” syndrome and ensures the orderly progress of events in an emergency.