Business Continuity (BC) and Business Impact Analysis (BIA) Flashcards

1
Q

What is Business Continuity Planning (BCP)?

A

process of developing prior arrangements and procedures that enable an organization to respond to an event so that critical business functions can continue within planned levels of disruption

2
Q

What is the primary goal of BCP?

A

enable organizations to maintain essential functions, minimize downtime, and recover critical operations as quickly as possible following a disruption

3
Q

What is the end result of the planning?

A

BC plan

4
Q

What is the Business Continuity Plan (BCP)?

A
  • overall organization plan for “how to” continue business
  • documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident
5
Q

What is a Disaster Recovery Plan (DRP)?

A
  • the plan of recovering from a disaster impacting IT and returning the IT infrastructure to operation
  • technical aspect of business continuity
6
Q

What is the difference between BCP and DRP?

A
  • BCP addresses the entire organization’s operations, including people, processes, technology, and facilities
  • DRP deals with the technical aspects of recovery, such as restoring IT systems, networks, databases, and applications
7
Q

What is a Business Continuity Management System (BCMS)?

A
  • BCMS provides a systematic approach to BCP, incorporating risk assessment, business impact analysis, planning, implementation, testing, and continual improvement
  • some organizations adopt formal BCMS based on standards such as ISO 22301
8
Q

What are three components of BCMS?

A
  • IRP (Incident Response Planning)
  • BCP (Business Continuity Planning)
  • DRP (Disaster Recovery Planning)
9
Q

Business Continuity Plan is in place for what occasions?

A

the times when the duration of an incident affects business operations for an unacceptable period of time

10
Q

What does BCP integrate with?

A
  • BCP integrates with risk assessment and management processes to identify potential threats and vulnerabilities that could disrupt business operations
  • by understanding and mitigating these risks, organizations can develop effective BCP strategies tailored to their specific needs
11
Q

What is Business Impact Analysis?

A
  • assessing impact over time of the potential disruptions or incidents on an organization’s critical business processes, systems, and resources
  • concerned with business impact analysis, not information systems impact analysis
12
Q

How is the impact measured in BIA?

A
  • quantitative measures
    • impact in money
  • qualitative
    • impact in reputation
13
Q

What is the purpose of BIA?

A
  • identify and prioritize critical business functions (CBFs) and the potential impacts that could arise from their disruption
  • help organizations to understand the financial, operational, reputational, and legal consequences of disruptions
14
Q

What are the key steps in BIA?

A
  • Identify Critical Functions
    • identify and prioritize the organization’s critical business functions, which are essential for its continued operation and achieving its objectives
  • Determine Impact Criteria
    • used to assess the consequences of disruptions
    • may include factors like financial loss, customer impact, regulatory compliance, reputation damage, and legal implications
  • Assess Impact and Dependencies
    • analyze the potential impact of disruptions on critical functions and identify the dependencies and interdependencies between processes, systems, and resources
  • Establish Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)
    • define the acceptable time frames for recovery of critical functions (RTO) and the acceptable level of data loss (RPO) that the organization can tolerate
  • Analyze Costs and Resources
    • evaluate the resources, personnel, equipment, and financial implications associated with recovering critical functions and maintaining business operations during a disruption
  • Document BIA Results
    • document the findings of the BIA, including the identified critical functions, impact assessments, dependencies, recovery objectives, and resource requirements
15
Q

What’s Maximum Tolerable Downtime (MTD)?

A
  • the longest period of time that the business can be unable to provide its core product before the business fails
  • represents the upper limit of acceptable downtime, beyond which the organization’s objectives and functions may be severely impacted
16
Q

What’s Recovery Time Objective (RTO)?

A
  • defines when the business should recover to an acceptable level from the impact
  • represents the targeted timeframe for recovering the affected services, systems, or processes to ensure that they can resume normal operations or provide a minimum level of service
17
Q

What’s Recovery Point Objective (RPO)?

A
  • represents the point in time to which data must be recovered in order to resume operations effectively
  • typically measured in terms of time and indicates the maximum acceptable time gap between the last data backup or synchronization and the point of failure or disruption
18
Q

What’s Service Delivery Objective (SDO)?

A
  • targeted level of service availability and performance that an organization aims to achieve for its services or systems
  • typically defined in the context of service level agreements (SLAs) and outlines the specific requirements and expectations for service availability, response time, throughput, and other performance indicators
  • SDO is often tied to key performance indicators (KPIs) and is regularly monitored and reported to ensure that service levels are being met
19
Q

What’s Maximum Tolerable Outage (MTO)?

A
  • maximum allowable duration of time that a system or service can be unavailable or inaccessible, before it significantly impacts the organization’s operations or goals, until the business is restored to normal
  • encompasses not only the recovery of the system or service but also the time required for any necessary repairs, testing, and verification of functionality
20
Q

What should emergency response guidelines include?

A
  • immediate steps organization should follow when responding to an emergency situation
  • immediate response procedures, list of individuals to contact, secondary response procedures for first responders
  • do not include long-term actions
21
Q

Does the CEO serve on the BCP team?

A

no, but it is best to obtain top-level management approval for the BCP plan

22
Q

What is included in the project scope and planning of the BCP?

A
  1. structured analysis of the organization
  2. creation of BCP team
  3. assessment of available resources
  4. analysis of legal and regulatory landscape
23
Q

Is implementing RAID part of business continuity plan or disaster recovery?

A

business continuity

24
Q

Who should receive initial business continuity plan training in organizations?

A

everyone in the organization

25
Q

Is documentation of the plan part of the project scope and planning phase?

A

no

26
Q

Is a statement of accounts normally included in business continuity plan documentation?

A

no

27
Q

What are the steps of BIA?

A
  1. Identification of priorities
  2. Risk identification
  3. Likelihood assessment
  4. Resource prioritization
28
Q

What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?

A

on at least an annual basis

29
Q

What is the goal of the BCP process?

A

RTO < MTD

30
Q

What’s the first step when conducting BIA?

A

identify the business’s priorities

31
Q

What’s the major resource consumed by the BCP process during the project scope and planning phase?

A
  • the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process (personnel)
  • represents a significant use of business resources and is another reason that buy-in from senior management is essential
32
Q

Business continuity planning process is conducted for an organization. What’s the first step that should be taken?

A

business organization analysis helps guide the remainder of the work

33
Q

In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A

In the provisions and processes phase, the BCP team designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase

34
Q

What are the benefits for addressing BC/DR offered by cloud operations?

A
  • distributed, remote processing and storage of data
  • fast replication
  • regular backups offered by cloud providers
35
Q

What are dependencies that must be considered when reviewing the BIA after cloud migration?

A
  • cloud provider’s suppliers
  • cloud provider’s vendors
  • cloud provider’s utilities
36
Q

What serves as a reliable guide for BC/DR activity?

A

checklists

37
Q

What kind of items should be included in BC/DR kit?

A

flashlight, documentation equipment, annotated asset inventory; BC/DR kit is intended to be compact

38
Q

After a cloud migration, the BIA should be updated to include a review of the new risks and impacts associated with cloud operations; this review should include an analysis of the possibility of vendor lock-in/lock-out. Analysis of this risk may not have to be performed as a new effort because a lot of the material that would be included is already available from which analysis?

A

cost-benefit analysis

39
Q

What are the possible notification avenues and who should be notified during a disaster?

A

telephone call tree rosters, website postings, SMS blasts; notifications should include the organization’s personnel, the public, and regulatory and response agencies, depending on who might be affected by the circumstance

40
Q

After human safety is addressed, what should be the next concern of the business?

A

continuity of critical operations

41
Q

What items should BC/DR plan include?

A
  1. critical asset inventory; includes necessary hardware, software, media …
  2. disaster criteria; balance the risk of overreaction and underreaction
  3. disaster declaration process; authority needs to be named for the purpose of formal declaration of an event or disaster (also declares cessation of BC/DR activity)
  4. essential points of contact; internal and external entities
  5. detailed actions, tasks and activities; checklists are helpful - constitute a record after the activity is complete
42
Q

How does BC/DR define an event?

A

any unscheduled adverse impact to the operating environment; distinguished from disaster by the duration of impact (lasts 3 days or less, disaster lasts longer)

43
Q

What is BC/DR toolkit?

A

a container that holds all the necessary documentation and tools to conduct a proper BC/DR action

44
Q

What should be the properties of the DR/BC toolkit?

A

secure, durable, compact

45
Q

Why should there be also a physical copy of the DR/BC toolkit?

A

the systems/internet connection might be unavailable during the disaster

46
Q

What should the BC/DR toolkit include?

A
  1. a current copy of the plan with all appendices and addenda
  2. emergency and backup communication equipment
  3. copies of all appropriate network and infrastructure diagrams and architecture
  4. copies of all requisite software for creating a clean build of the critical systems, if necessary, with media containing appropriate updates and patches for current versioning
  5. emergency contact information
  6. documentation tools and equipment (pens, paper, laptop …)
  7. small number of emergency essentials (flashlights, water, rations …)
  8. fresh batteries sufficient for operating all powered equipment in the kit for at least 24 hours
47
Q

How to ensure DR/BC kit is always available?

A

ensure there is a duplicate at least at one other location; if the plan calls for relocation, the plan should be in the alternate location as well

48
Q

What is Recovery Service Level (RSL)?

A

proportion of service, expressed as a percentage, that is necessary for continued operation during a disaster; e.g. if manufacturing creates 10K pills an hour, business leaders may decide that only 6K (60%) is necessary for the duration of the disaster

49
Q

What is the difference between Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)?

A
  • BCP: the overall organization plan for “how to” continue business
  • DRP: plan for recovering from a disaster impacting IT and returning the IT infrastructure to operation
50
Q

What are the two important items that BIA consists of?

A
  1. cost-benefit analysis (CBA)
  2. calculation of the return on investment (ROI)
51
Q

What is the purpose of cost-benefit analysis (CBA)?

A

list the benefits of the decision alongside their corresponding costs; can be strictly quantitative

52
Q

What does a thorough cost-benefit analysis consider?

A

intangible benefits - those that cannot be calculated directly

53
Q

What are the standards related to continuity management?

A
  • NIST Risk Management Framework and ISO 27000
    • both deal with business continuity and disaster recovery
  • HIPAA
    • mandates adequate data backups, disaster recovery planning and emergency access to healthcare data in the event of a system interruption
  • ISO 22301:2019
    • specifies the requirements needed for an organization to plan, implement, operate and continually improve the continuity capability