3 - Business Continuity Planning Flashcards
What is Business Continuity Planning?
Assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on an organization if they were to occur. Used to maintain the continuous operation of a business in the event of an emergency situation.
What are the steps of the BCP process?
- Project Scope and Planning
- Business Impact Assessment
- Continuity Planning
- Approval and Implementation
What components are involved in the Project Scope and Planning phase?
- Structured analysis of the business organization
- Creation of BCP team with approval of senior management
- Assessment of resources available to participate in BCP activities.
- Analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event.
What is a Business Impact Assessment?
It identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business.
What are the types of analysis available for business planners?
- Quantitative: The use of numbers and formulas to reach a decision. Expresses options in terms of the dollar value to the business.
- Qualitative: Takes non-numerical factors, such as reputation, workforce stability, and other concerns, into account. Results in categories or prioritization (high, medium, low).
What is Maximum Tolerable Downtime (Maximum Tolerable Outage)?
The maximum length of time a business function can be inoperable without causing irreparable harm to the business.
What is a Recovery Time Objective (RTO)?
The amount of time in which you think you can feasibly recover the function in the event of a disruption.
What is Annualized Rate of Occurrence (ARO)?
The number of times a business expects to experience a given disaster each year.
What are the stages of Continuity Planning?
- Strategy Development: Determine which risks require mitigation and the level of resources that will be committed to each mitigation task.
- Provisions and Processes: Design the specific procedures and mechanisms that will mitigate the risks deemed unacceptable. Three categories of assets must be protected:
  - People
  - Buildings/Facilities (Hardening Provisions, Alternate Sites)
  - Infrastructure (Physically Hardening Systems, Alternative Systems)
- Plan Approval: Approved by top executive
- Plan Implementation
- Training and Education: All personnel who will be involved in the plan should receive some sort of training on the overall plan and their individual responsibilities.
What are some important components of the written BCP?
- Continuity Planning Goals: Goals of continuity planning as set forth by the BCP team and senior management.
- Statement of Importance: States the reason that the organization devoted significant resources to the BCP development process.
- Statement of Priorities: Involves listing the functions considered critical to continued business operations in a prioritized order.
- Statement of Organizational Responsibility: Restates the organization’s commitment to business continuity planning and informs employees, vendors, and affiliates that they are individually expected to do everything they can to assist with the BCP process.
- Statement of Urgency and Timing: Expresses the criticality of implementing the BCP and outlines the implementation timetable decided on by the BCP team and agreed to by upper management.
- Risk Assessment: Recaps the decision-making process undertaken during the business impact assessment.
- Risk Acceptance/Mitigation: Covers each risk identified in the risk analysis portion of the document and outlines why risks were deemed acceptable or unacceptable.
- Vital Records Program: States where critical business records will be stored and the procedures for making and storing backup copies of those records.
- Emergency-Response Guidelines: Outlines the organizational and individual responsibilities for immediate response to an emergency.
- Maintenance: Maintenance of BCP plan, team, and documents
- Testing and Exercises: A formalized exercise program to ensure that the plan remains current and that all personnel are adequately trained to perform their duties in the event of a disaster.
What is the formula for ALE (Annualized Loss Expectancy)?
- Calculate Single Loss Expectancy (SLE):
  - SLE = Asset Value (AV) * Exposure Factor (EF)
- Calculate Annualized Loss Expectancy (ALE):
  - ALE = SLE * ARO
  - ARO (Annualized Rate of Occurrence): the number of occurrences expected per year