Business Continuity planning

Question 1

Four steps of business continuity project planning

Answer 1

1) analysis of organisation from crisis management POV
2) stand up BCP team
3) assess resources available to participate in business continuity activities
4) consider legal and regulatory factors when responding to catastrophic event

Question 2

What does business organisation analysis do?

Answer 2

Considers all departments who have a stake in the BCP process

Question 3

What is MTD/MTO?

Answer 3

Maximum tolerable downtime and maximum tolerable outage - how long can your business be down without causing harm?

Question 4

What is the difference between business continuity plans and disaster recovery plans?

Answer 4

Disaster recovery plans pick up where business continuity plans leave off. Once a disaster strikes and business is interrupted, the disaster recovery plan guides response teams in their efforts to restore operations.

Question 5

Which teams members should you include in BCP team?

Answer 5

• representatives from each department responsible for core services
• IT smes and cyber security teams members
• physical security
• attorneys
• HR team (impact on employees)
• public realisations
• Senior management

Question 6

What is one of the first jobs given to the BCP team when it’s stood up?

Answer 6

Thorough review of the organisation analysis

Question 7

What is the most important phase of the business impact assessment?

Answer 7

Impact assessment

Question 8

What are the stages of the business impact assessment phase?

Answer 8

Identify prioritise 
Risk identification 
Likelihood 
Impact assessment 
Resource prioritisation

Question 9

In the risk identification phase of the BIA - what method do you use?

Answer 9

Purely qualitative

Question 10

What does resource prioritisation phase do?

Answer 10

Prioritise the allocation of business continuity resources to the risk you identified and assessed previously

Question 11

What qualitative measures are used for ‘impact assessment phase’

Answer 11

Loss of goodwill, loss of employees, social responsibility, negative publicity

Question 12

Which areas does the organisation analysis consider?

Answer 12

Core services
Critical support services
Security (physical) staff
Senior management

Question 13

RTO

Answer 13

Recovery time objective - RTO for each function. Amount of time that you can feasibly recover the function in the event of a distribution

Question 14

Who is responsible for the BCP? (Team selection)

Answer 14

Should never be the security team alone - it’s too isolated and doesn’t take the knowledge other operational teams have into account. Keeps people out the loop

Question 15

What part of the BCP documentation follows on from the strategy development?

Answer 15

Risk acceptance/mitigation - contains outcome of the strategy development. Risks identified and which were acceptable and not acceptable

Question 16

Talk through components of the BCP documentation - what’s the importance of documenting the plan?

Answer 16

Continuity planning goals (decided on first meeting)
Statement of importance 
Statement of priorities 
Statement of organisational responsibility 
Statement of urgency and timing 
Risk assessment 
Risk acceptance/mitigation 
Vital records programme 
Emergency response guideline 
Maintenance
Testing and exercises

Question 17

Name some industries that have legal and regulation requirements for BCP?

Answer 17

• publicly traded firms
• banking organisations
• Contractual obligations to clients

Question 18

Name the parts of continuity planning?

Answer 18

Strategy development - decide which risk will be prioritised by the BCP and which resources will be committed (look at MTD)
Provisions and processes - design procedures to mitigate risks. Keep people, buildings/facilities and infrastructure in mind (hardening and alternates)

Question 19

Which resource requirements should you consider in your project plan?

Answer 19

• BCP development
• BCP test, maintenance and training
• BCP implementation

Senior management will look at this intensely due to the cost and impact of using resource

Question 20

Four phases of a BCP

Answer 20

1) planning and scoping
2) business impact assessment
3) continuity planning
4) approval and implementation

Question 21

What data does the ‘impact assessment ‘ phase utilise?

Answer 21

Data from the risk identification and the likelihood assessment (ARO) sections. This sections tries to determine the impact of the risk being realised

Question 22

Talk about the risk identification phase of the BIA

Answer 22

All member of the BCP team should have input and the risk are pure qualitative. You do not need to consider likelihood at this point - this phase of the BIA will drive the rest

Question 23

Where is ARO taken into account in the BIA?

Answer 23

Likelihood assessment (likelihood that each risk will occur)

Question 24

What qualitative measures can be used to identify priorities in the Business impact assessment phase?

Answer 24

Asset value, MTD, RTO

Question 25

What’s two types of of analyses are used by business planners? (BIA - identify priorities)

Answer 25

Qualitative and quantitative

It can be tempting to go with the monetary value but you must consider both!

Question 26

Name the quantitive and qualitative methods used in the resource prioritisation phase of the BIA?

Answer 26

• sort by ALE (computed during impact assessment phase) to get a list of risks you phase. Select items until resources run out
• sit down and combine qual list into one - use it to evaluate or drop the prioritise of a high ALE item.

Question 27

What are the quantitative methods used in the impact assessment phase?

Answer 27

SLE, EF, ALE

calculated for each asset/risk combination

Question 28

In the risk identification phase of the BIA - what are the two forms of risk?

Answer 28

Natural risks and man made

Question 29

Business impact assessment (BIA)

Answer 29

Identify the resources that are critical to an organisations ongoing viability and the threats to those resources. Also looks at likelihood

(Critical Resources x threats x likelihood)

Question 30

Explain how MTD and RTO interact?

Answer 30

Your RTO should never be more then your MTDS - causes less harm

Question 31

How many backup people should be trained for each BCP task to ensure redundancy?

Answer 31

Atleast one

Question 32

Discuss plan approval and implementation elements

Answer 32

Plan approval and implementation - getting top manager level buy in to the plan

• plan approval by top exec (more weight)
• plan implementation (develop implementation schedule that utilised resources and achieves stated goals)
• training and education for all personnel
• BCP documentation (for reference, records and commitment from staff)

Question 33

How to encourage management to buy in?

Answer 33

• the responsibility sits with them if an incident happens

- the cost of the business going down

Question 34

Business continuity plan (BCP)

Answer 34

Assesses the risks to your organisational processes and creates policies, plans, procedures to reduce the impact those risks might have if they were to occur

Making sure your operations can continue even if a risk is realised

Also manage and restores the environment

Question 35

What does your RTO guide?

Answer 35

Your plan and the procedures neccessary to accomplish recovery tasks