Business Continuity planning Flashcards

1
Q

Four steps of the BCP project scope and planning phase

A

1) structured analysis of the organisation from a crisis planning standpoint
2) stand up the BCP team, with senior management approval
3) assess the resources available to participate in business continuity activities
4) analyse the legal and regulatory factors that govern the response to a catastrophic event

2
Q

What does the business organisation analysis do?

A

Identifies every department and individual with a stake in the BCP process (whoever delivers core services, critical support services, physical security or senior leadership), so the planning team knows who must be involved and what must keep running

3
Q

What is MTD/MTO?

A

Maximum tolerable downtime / maximum tolerable outage: the longest time a business function can be unavailable before the organisation suffers irreparable harm. Each function gets its own MTD, and it sets the upper bound for that function's RTO

4
Q

What is the difference between business continuity plans and disaster recovery plans?

A

Disaster recovery plans pick up where business continuity plans leave off. Once a disaster strikes and business is interrupted, the disaster recovery plan guides response teams in their efforts to restore operations.

5
Q

Which team members should you include in the BCP team?

A
  • representatives from each department responsible for core services
  • IT SMEs and cyber security team members
  • physical security
  • attorneys / legal
  • HR team (impact on employees)
  • public relations
  • senior management

6
Q

What is one of the first jobs given to the BCP team once it is stood up?

A

A thorough review of the business organisation analysis, so the team validates it and catches anything the initial analysis missed

7
Q

What is the most important phase of the business impact assessment?

A

Impact assessment

8
Q

What are the stages of the business impact assessment phase?

A

Identify priorities
Risk identification
Likelihood assessment
Impact assessment
Resource prioritisation

9
Q

In the risk identification phase of the BIA - what method do you use?

A

Purely qualitative

10
Q

What does the resource prioritisation phase do?

A

Prioritises the allocation of business continuity resources to the risks identified and assessed in the earlier BIA phases, so the limited budget goes to the highest-ranked risks first

11
Q

What qualitative measures are used in the impact assessment phase?

A

Loss of goodwill among customers, loss of employees to other jobs after a prolonged outage, social and ethical responsibilities to the community, negative publicity

12
Q

Which areas does the organisation analysis consider?

A

Operational departments responsible for core services
Critical support services (IT, facilities, maintenance)
Corporate security teams responsible for physical security (often the first responders)
Senior executives and other key individuals essential to ongoing viability

13
Q

RTO

A

Recovery time objective, defined for each function: the amount of time in which you believe you can feasibly restore that function after a disruption. It must be shorter than the function's MTD

14
Q

Who should be responsible for the BCP? (Team selection)

A

Never the IT or security team alone: working in isolation misses the knowledge the other operational teams have and leaves the rest of the organisation out of the loop

15
Q

What part of the BCP documentation follows on from strategy development?

A

Risk acceptance/mitigation: records the outcome of strategy development, i.e. which of the identified risks the organisation chose to accept and which it decided to mitigate, and how

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Talk through the components of the BCP documentation. Why document the plan?

A
Continuity planning goals (decided at the first meeting)
Statement of importance
Statement of priorities
Statement of organisational responsibility
Statement of urgency and timing
Risk assessment
Risk acceptance/mitigation
Vital records programme
Emergency response guidelines
Maintenance
Testing and exercises

Documenting matters because it gives the response teams a written reference during an emergency, provides a historical record of the decisions made, and forces team members to commit their thinking to paper

17
Q

Name some organisations that have legal, regulatory or contractual BCP requirements

A
  • publicly traded firms
  • banking and financial organisations
  • any organisation with contractual obligations to clients that require continuity of service

18
Q

Name the parts of continuity planning?

A

Strategy development: bridges the BIA and continuity planning. Decide which risks the BCP will address and which resources will be committed, using each function's MTD to judge what must be mitigated
Provisions and processes: design the procedures and mechanisms that mitigate the chosen risks. Cover people, buildings/facilities and infrastructure (hardening provisions plus alternate sites and systems)

19
Q

Which resource requirements should you consider in your project plan?

A
  • BCP development
  • BCP test, maintenance and training
  • BCP implementation

Senior management will scrutinise this closely because of the cost and the impact of committing staff time

20
Q

Four phases of a BCP

A

1) project scope and planning
2) business impact assessment
3) continuity planning
4) approval and implementation

21
Q

What data does the ‘impact assessment ‘ phase utilise?

A

Data from the risk identification and likelihood assessment (ARO) stages. This stage tries to determine the impact on the organisation if each risk is realised

22
Q

Talk about the risk identification phase of the BIA

A

All members of the BCP team should have input. The risks listed are purely qualitative at this stage; likelihood is not considered yet (that comes in the likelihood assessment). This phase drives the rest of the BIA

23
Q

Where is ARO taken into account in the BIA?

A

Likelihood assessment (likelihood that each risk will occur)

24
Q

What measures are used to identify priorities in the business impact assessment phase?

A

Asset value (AV, in monetary terms), MTD and RTO (in time) for each function and asset

25
Q

What two types of analysis are used by business planners? (BIA - identify priorities)

A

Qualitative and quantitative

It can be tempting to go with the monetary value but you must consider both!

26
Q

Name the quantitive and qualitative methods used in the resource prioritisation phase of the BIA?

A
  • quantitative: sort by ALE (computed during the impact assessment phase) to get a ranked list of the risks you face, then select items down the list until the resources run out
  • qualitative: sit down and combine the qualitative concerns into a single list, then use it to raise or lower the priority of an item on the ALE list (a high-ALE item may be demoted, a low-ALE one promoted)

27
Q

What are the quantitative methods used in the impact assessment phase?

A

SLE, EF and ALE, using the AV from priority identification and the ARO from the likelihood assessment

SLE = AV x EF and ALE = SLE x ARO, calculated for each asset/risk combination

28
Q

In the risk identification phase of the BIA - what are the two forms of risk?

A

Natural risks and man-made risks

29
Q

Business impact assessment (BIA)

A

Identifies the resources critical to the organisation's ongoing viability and the threats to those resources, then assesses the likelihood of each threat and the impact if it is realised

(Critical Resources x threats x likelihood)

30
Q

Explain how MTD and RTO interact?

A

A function's RTO must never be longer than its MTD: if recovery takes longer than the organisation can tolerate, the plan fails to prevent the harm the MTD represents. Where RTO exceeds MTD, either commit more resources to shorten the RTO or explicitly accept the risk

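A worked example of the BIA arithmetic from the cards above, added here and not part of the original deck: it computes SLE = AV x EF and ALE = SLE x ARO for each asset/risk pair (card 27), checks each function's RTO against its MTD (cards 13 and 30), ranks the risks by ALE with the qualitative adjustment (card 26) and funds items down the list until the budget runs out. All asset names, figures, costs, the budget and the `qualitative_adjust` weighting are constructed assumptions for illustration.

```python
"""Added worked example, not part of the original flashcard deck.

Ties cards 13, 24-27 and 30 together: compute SLE and ALE for each
asset/risk pair, check that no function's RTO exceeds its MTD, rank the
risks by ALE, apply the qualitative adjustment, and fund items down the
ranked list until the continuity budget runs out.
Every figure below (asset values, exposure factors, AROs, hours, costs,
budget) is a constructed sample value, not data from the original page.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    av: float               # asset value, in currency units
    ef: float               # exposure factor: fraction of AV lost per occurrence
    aro: float              # annualised rate of occurrence (events per year)
    mitigation_cost: float  # constructed cost of the continuity provision
    qualitative_adjust: int = 0  # +1 promote / -1 demote, from the qualitative list

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.av * self.ef

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


# Constructed sample data: function -> (MTD hours, RTO hours)
FUNCTIONS = {
    "Order processing": (24, 8),
    "Payroll": (72, 96),   # RTO longer than MTD: a planning error to catch
    "Email": (48, 24),
}

# Constructed sample asset/risk combinations
RISKS = [
    Risk("Customer database", "Ransomware", av=500_000, ef=0.6, aro=0.5,
         mitigation_cost=80_000),
    Risk("Data centre", "Flood", av=2_000_000, ef=0.4, aro=0.05,
         mitigation_cost=150_000),
    Risk("Payment gateway", "DDoS", av=300_000, ef=0.3, aro=2.0,
         mitigation_cost=30_000),
    # Low ALE, but the qualitative list (staff safety, loss of employees)
    # promotes it one place.
    Risk("Office building", "Fire", av=1_000_000, ef=0.8, aro=0.02,
         mitigation_cost=20_000, qualitative_adjust=1),
]

BUDGET = 200_000  # constructed continuity budget


def check_rto_within_mtd(functions):
    """Return the functions whose RTO exceeds their MTD (RTO must never be > MTD)."""
    return [name for name, (mtd, rto) in functions.items() if rto > mtd]


def rank_by_ale(risks):
    """Quantitative sort by ALE, then the qualitative adjustment moves an item.

    A +1 adjustment places the item just ahead of the one above it; -1 places
    it just behind the one below it. Ties keep the higher ALE first.
    """
    by_ale = sorted(risks, key=lambda r: r.ale, reverse=True)
    adjusted = sorted(
        enumerate(by_ale),
        key=lambda pair: (pair[0] - 1.5 * pair[1].qualitative_adjust, -pair[1].ale),
    )
    return [risk for _, risk in adjusted]


def allocate_budget(ranked, budget):
    """Fund provisions down the ranked list until the next item no longer fits."""
    funded, remaining = [], budget
    for risk in ranked:
        if risk.mitigation_cost > remaining:
            break
        funded.append(risk)
        remaining -= risk.mitigation_cost
    return funded, remaining


if __name__ == "__main__":
    for name in check_rto_within_mtd(FUNCTIONS):
        print(f"RTO exceeds MTD for {name}: fix before plan approval")
    ranked = rank_by_ale(RISKS)
    for r in ranked:
        print(f"{r.asset:18} {r.threat:11} SLE={r.sle:>12,.0f} ALE={r.ale:>12,.0f}")
    funded, left = allocate_budget(ranked, BUDGET)
    print("Funded:", [r.threat for r in funded], "remaining budget:", left)
```

With the sample figures the ALE order is DDoS, Ransomware, Flood, Fire; the qualitative bump lifts Fire above Flood, and the budget funds DDoS, Ransomware and Fire before Flood's provision no longer fits. Note that the Payroll function is flagged because its RTO (96 h) is longer than its MTD (72 h), which card 30 says must never happen.
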
31
Q

How many backup people should be trained for each BCP task to ensure redundancy?

A

At least one

32
Q

Discuss plan approval and implementation elements

A

Plan approval and implementation: getting buy-in from top-level management for the plan

  • plan approval by a top executive (carries more weight across the organisation)
  • plan implementation (develop an implementation schedule that uses the committed resources and achieves the stated goals)
  • training and education for all personnel with a role in the plan
  • BCP documentation (for reference during an incident, a historical record, and commitment from staff)

33
Q

How to encourage management to buy in?

A
  • the responsibility sits with them if an incident happens and no plan exists
  • the cost to the business of going down, shown through the BIA figures

34
Q

Business continuity plan (BCP)

A

Assesses the risks to your organisational processes and creates the policies, plans and procedures that reduce the impact those risks would have if they occurred

Makes sure operations can continue, even in a reduced form, if a risk is realised

Also manages the incident and restores the environment

35
Q

What does your RTO guide?

A

Your plan, and the procedures necessary to accomplish the recovery tasks within the time allowed