Business Continuity planning Flashcards
Four steps of business continuity project planning
1) analysis of organisation from crisis management POV
2) stand up BCP team
3) assess resources available to participate in business continuity activities
4) consider legal and regulatory factors when responding to catastrophic event
What does business organisation analysis do?
Considers all departments who have a stake in the BCP process
What is MTD/MTO?
Maximum tolerable downtime and maximum tolerable outage - how long can your business be down without causing harm?
What is the difference between business continuity plans and disaster recovery plans?
Disaster recovery plans pick up where business continuity plans leave off. Once a disaster strikes and business is interrupted, the disaster recovery plan guides response teams in their efforts to restore operations.
Which team members should you include in the BCP team?
- representatives from each department responsible for core services
- IT SMEs and cyber security team members
- physical security
- attorneys
- HR team (impact on employees)
- public relations
- Senior management
What is one of the first jobs given to the BCP team when it’s stood up?
Thorough review of the organisation analysis
What is the most important phase of the business impact assessment?
Impact assessment
What are the stages of the business impact assessment phase?
1) Identify priorities
2) Risk identification
3) Likelihood assessment
4) Impact assessment
5) Resource prioritisation
In the risk identification phase of the BIA - what method do you use?
Purely qualitative
What does resource prioritisation phase do?
Prioritises the allocation of business continuity resources to the risks you identified and assessed previously
What qualitative measures are used for the ‘impact assessment phase’?
Loss of goodwill, loss of employees, social responsibility, negative publicity
Which areas does the organisation analysis consider?
Core services
Critical support services
Security (physical) staff
Senior management
RTO
Recovery time objective - an RTO is set for each function. The amount of time within which you can feasibly recover the function in the event of a disruption
Who is responsible for the BCP? (Team selection)
Should never be the security team alone - it’s too isolated and doesn’t take the knowledge other operational teams have into account. It keeps people out of the loop
What part of the BCP documentation follows on from the strategy development?
Risk acceptance/mitigation - contains the outcome of the strategy development: the risks identified, and which were acceptable and which were not