Business Continuity planning Flashcards
Four steps of business continuity project planning
1) analysis of organisation from crisis management POV
2) stand up BCP team
3) assess resources available to participate in business continuity activities
4) consider legal and regulatory factors when responding to catastrophic event
What does business organisation analysis do?
Considers all departments that have a stake in the BCP process
What is MTD/MTO?
Maximum tolerable downtime and maximum tolerable outage - how long can your business be down without causing harm?
What is the difference between business continuity plans and disaster recovery plans?
Disaster recovery plans pick up where business continuity plans leave off. Once a disaster strikes and business is interrupted, the disaster recovery plan guides response teams in their efforts to restore operations.
Which team members should you include in the BCP team?
- representatives from each department responsible for core services
- IT SMEs and cyber security team members
- physical security
- attorneys
- HR team (impact on employees)
- public relations
- Senior management
What is one of the first jobs given to the BCP team when it’s stood up?
Thorough review of the organisation analysis
What is the most important phase of the business impact assessment?
Impact assessment
What are the stages of the business impact assessment phase?
- Identify priorities
- Risk identification
- Likelihood assessment
- Impact assessment
- Resource prioritisation
In the risk identification phase of the BIA - what method do you use?
Purely qualitative
What does resource prioritisation phase do?
Prioritise the allocation of business continuity resources to the risks you identified and assessed previously
What qualitative measures are used for the ‘impact assessment’ phase?
Loss of goodwill, loss of employees, social responsibility, negative publicity
Which areas does the organisation analysis consider?
Core services
Critical support services
Security (physical) staff
Senior management
RTO
Recovery time objective - an RTO is set for each function. The amount of time in which you can feasibly recover the function in the event of a disruption
Who is responsible for the BCP? (Team selection)
Should never be the security team alone - it’s too isolated and doesn’t take the knowledge other operational teams have into account. It keeps people out of the loop
What part of the BCP documentation follows on from the strategy development?
Risk acceptance/mitigation - contains the outcome of the strategy development: the risks identified, and which were acceptable and not acceptable
Talk through components of the BCP documentation - what’s the importance of documenting the plan?
- Continuity planning goals (decided on first meeting)
- Statement of importance
- Statement of priorities
- Statement of organisational responsibility
- Statement of urgency and timing
- Risk assessment
- Risk acceptance/mitigation
- Vital records programme
- Emergency response guideline
- Maintenance
- Testing and exercises
Name some industries that have legal and regulatory requirements for BCP?
- publicly traded firms
- banking organisations
- Contractual obligations to clients
Name the parts of continuity planning?
Strategy development - decide which risks will be prioritised by the BCP and which resources will be committed (look at MTD)
Provisions and processes - design procedures to mitigate risks. Keep people, buildings/facilities and infrastructure in mind (hardening and alternates)
Which resource requirements should you consider in your project plan?
- BCP development
- BCP test, maintenance and training
- BCP implementation
Senior management will look at this intensely due to the cost and impact of using resources
Four phases of a BCP
1) planning and scoping
2) business impact assessment
3) continuity planning
4) approval and implementation
What data does the ‘impact assessment’ phase utilise?
Data from the risk identification and the likelihood assessment (ARO) sections. This section tries to determine the impact of the risk being realised
Talk about the risk identification phase of the BIA
All members of the BCP team should have input, and the risks are purely qualitative. You do not need to consider likelihood at this point - this phase of the BIA will drive the rest
Where is ARO taken into account in the BIA?
Likelihood assessment (likelihood that each risk will occur)
What qualitative measures can be used to identify priorities in the Business impact assessment phase?
Asset value, MTD, RTO
What two types of analyses are used by business planners? (BIA - identify priorities)
Qualitative and quantitative
It can be tempting to go with the monetary value but you must consider both!
Name the quantitative and qualitative methods used in the resource prioritisation phase of the BIA?
- sort by ALE (computed during the impact assessment phase) to get a list of the risks you face. Select items until resources run out
- sit down and combine the qualitative list into one - use it to evaluate or drop the priority of a high ALE item.
What are the quantitative methods used in the impact assessment phase?
SLE, EF, ALE
calculated for each asset/risk combination
In the risk identification phase of the BIA - what are the two forms of risk?
Natural risks and man-made risks
Business impact assessment (BIA)
Identify the resources that are critical to an organisation’s ongoing viability and the threats to those resources. Also looks at likelihood
(Critical Resources x threats x likelihood)
Explain how MTD and RTO interact?
Your RTO should never be more than your MTD - this causes less harm
How many backup people should be trained for each BCP task to ensure redundancy?
At least one
Discuss plan approval and implementation elements
Plan approval and implementation - getting top manager level buy in to the plan
- plan approval by top exec (more weight)
- plan implementation (develop an implementation schedule that utilises resources and achieves stated goals)
- training and education for all personnel
- BCP documentation (for reference, records and commitment from staff)
How to encourage management to buy in?
- the responsibility sits with them if an incident happens
- the cost of the business going down
Business continuity plan (BCP)
Assesses the risks to your organisational processes and creates policies, plans and procedures to reduce the impact those risks might have if they were to occur
Making sure your operations can continue even if a risk is realised
Also manages and restores the environment
What does your RTO guide?
Your plan and the procedures necessary to accomplish recovery tasks