Chapter 15: Business Continuity Planning Flashcards
What is Business Continuity Planning?
Assessing the risks to organizational processes and creating the policies, plans, and procedures that minimize the impact those risks would have on the organization if they were to occur.
What happens if business continuity is broken?
Business processes have stopped and the organization is in disaster mode; at that point disaster recovery planning (DRP) takes over.
What are the four main steps of BCP as defined by ISC2?
Project scope and planning
Business impact assessment
Continuity planning
Approval and implementation
What does project scope and planning require?
Structured analysis of the business's organization from a crisis planning point of view
Creation of a BCP team with senior management approval
Assessment of the resources available to participate in BC activities
Analysis of the legal and regulatory landscape that governs the response to a catastrophic event
What areas should be considered in the business organization analysis?
Operational departments that are responsible for the core services the business provides to clients
Critical support services such as IT, plant maintenance, and other groups responsible for the upkeep of the operational departments
Senior executives and other key individuals essential to the ongoing viability of the organization
Who should be on the BCP team?
Representatives from each of the organization's departments responsible for the core services
Representatives from the key support departments identified by org. analysis
IT representatives with technical experience in areas covered by the BCP
Security representatives with knowledge of the BCP process
Representatives from senior management
What is a risk in selecting the BCP team?
Depending on the event, members of the BCP team may themselves be unavailable when the disaster strikes.
What do you have to consider in selecting an effective BCP team?
Balance the need to represent different points of view against the risk of explosive personality differences.
What is one important reason to include senior management representatives in the BCP process?
It can be required by laws or regulations.
What is the major resource likely to be consumed by the BCP effort during plan creation?
Time of the BCP team members.
Why is it essential to include legal counsel in the BCP process?
Laws and regulations can place requirements on BCP.
What is the difference between quantitative and qualitative decision making?
Quantitative decision making uses numbers and formulas; qualitative decision making uses nonnumerical factors such as emotions, investor/customer confidence, workforce stability, and other concerns.
How do you set priorities in BCP?
Assign each asset an asset value (AV), a maximum tolerable downtime (MTD), also called maximum tolerable outage (MTO), and a recovery time objective (RTO). The goal of BCP is to ensure that the RTO is less than the MTD.
What are natural threats?
Violent storms/hurricanes/tornadoes/blizzards
Earthquakes
mudslides/avalanches
volcanoes
What are man-made threats?
Terrorist acts/wars/civil unrest
Theft/vandalism
Fires/explosions
Prolonged power outages
Building collapse
Transportation failures
What is ARO?
Annualized Rate of Occurrence. The number of times a business expects a particular disaster to occur per year.
What is Exposure Factor (EF)?
The percentage of an asset's value that is lost when a given loss event occurs.
What is SLE?
Single Loss Expectancy. The monetary loss expected each time a loss event occurs for an asset.
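The priority-setting cards above (AV, MTD/MTO, RTO) and the ARO/EF/SLE cards describe the quantitative side of the business impact assessment without showing the arithmetic put together. The following is an added worked example, not part of the original flashcards: it computes SLE = AV x EF for each asset/threat pair, extends it with the standard annualized loss expectancy ALE = SLE x ARO (a formula the cards do not state but that follows directly from ARO and SLE), and applies the card's RTO-less-than-MTD check. The asset names, dollar values, exposure factors, rates, and hour figures are constructed sample data, not real organizational figures.

```python
"""Worked BCP prioritization: SLE = AV * EF, ALE = SLE * ARO, and an RTO < MTD check."""
from dataclasses import dataclass


@dataclass
class Scenario:
    asset: str
    threat: str
    av: float         # asset value (AV), in dollars
    ef: float         # exposure factor (EF): fraction of AV lost per event, 0.0..1.0
    aro: float        # annualized rate of occurrence (ARO): expected events per year
    mtd_hours: float  # maximum tolerable downtime (MTD / MTO)
    rto_hours: float  # recovery time objective (RTO) the plan commits to

    def __post_init__(self):
        # Reject inputs that would make the formulas meaningless.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.asset}/{self.threat}: EF must be between 0 and 1")
        if self.av < 0 or self.aro < 0 or self.mtd_hours <= 0 or self.rto_hours <= 0:
            raise ValueError(f"{self.asset}/{self.threat}: AV/ARO must be >= 0, MTD/RTO > 0")

    def sle(self) -> float:
        """Single loss expectancy: money lost each time this threat materializes."""
        return round(self.av * self.ef, 2)

    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by expected events per year (assumed extension)."""
        return round(self.sle() * self.aro, 2)

    def rto_within_mtd(self) -> bool:
        """The BCP goal from the cards: the recovery objective must beat the tolerable downtime."""
        return self.rto_hours < self.mtd_hours


def prioritize(scenarios):
    """Order scenarios for attention: RTO violations first, then by descending ALE."""
    return sorted(scenarios, key=lambda s: (s.rto_within_mtd(), -s.ale()))


def rto_violations(scenarios):
    """Names of asset/threat pairs whose plan cannot meet the business's tolerable downtime."""
    return [f"{s.asset}/{s.threat}" for s in scenarios if not s.rto_within_mtd()]


# Constructed sample figures (hypothetical, not real organizational data).
SAMPLE = [
    Scenario("data center", "hurricane", av=2_000_000, ef=0.25, aro=0.10, mtd_hours=72, rto_hours=48),
    Scenario("web storefront", "prolonged power outage", av=500_000, ef=0.10, aro=2.0, mtd_hours=8, rto_hours=24),
    Scenario("warehouse", "earthquake", av=1_000_000, ef=0.50, aro=0.02, mtd_hours=168, rto_hours=120),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE):
        flag = "" if s.rto_within_mtd() else "  <-- RTO exceeds MTD: plan cannot meet the business need"
        print(f"{s.asset:15} {s.threat:24} SLE=${s.sle():>12,.2f} ALE=${s.ale():>12,.2f}{flag}")
```

Note how the ranking differs from a pure "biggest single loss" view: the hurricane and earthquake scenarios share the largest SLE, but the frequent, cheaper power outage carries the highest annualized loss and is the only scenario whose RTO fails the MTD test, so it sorts to the top regardless of ALE.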
What nonmonetary impacts can interruptions have on a business?
Loss of goodwill among clients
Loss of employees to other jobs after a prolonged downtime
Social/ethical responsibilities to the community
Negative publicity
What are the subtasks in continuity development?
Strategy development
Provisions and processes
Plan approval
Plan implementation
Training and education
What are the four possible responses to a risk?
Reduce (mitigate), assign (transfer), accept, reject
What is the most important activity in BCP?
Ensuring that the people within the organization are safe before, during, and after an emergency.
What are the two areas that a BCP should address for each critical facility?
Hardening provisions and alternate sites.
What are the two main methods of providing infrastructure protetion?
Physically hardening systems and providing alternative systems.
What is essential to the success of the overall BCP effort?
Senior management approval and buy-in.
Who should receive training on the plan?
Everyone who will be directly or indirectly involved in the plan should receive training on the overall plan and their specific responsibilities.
What should the Risk Acceptance/Mitigation portion of a BCP cover?
For risks deemed acceptable, it should outline why they are acceptable and list potential future events that should trigger reconsideration.
For risks deemed unacceptable, it should outline the risk management provisions and processes that reduce the risk.
What should emergency response guidelines include?
Immediate response procedures (security and safety, fire suppression, notification of emergency response agencies)
Who to notify (executives, BCP team members, etc.)
Secondary response procedures to carry out while waiting for the BCP team to assemble
How should a BCP be maintained?
As a living document. Older versions should be physically destroyed and replaced so there can be no confusion as to which version to use.