Chapter 3 Business Continuity Planning Flashcards
What is the process of maintaining business operations with reduced or restricted infrastructure capabilities or resources?
Business Continuity Planning
What is the difference between BCP and DRP?
Business Continuity Planning - strategically focused on continuing business operations/processes.
Disaster Recovery Plan - tactical plan covering the transition to a recovery site, backups, and implementation of fault-tolerant systems.
What are the four steps of the BCP process?
Business Continuity Plan:
Project Scope and Planning
Business Impact Analysis
Continuity Planning
Approval and Implementation
What is entailed by the organizational review?
Business analysis of the organization to identify all departments and individuals who have a stake in the BCP process.
- Senior executives/key individuals
- Critical support services
- Critical security teams
- Operational departments that are responsible for the core services the business provides to its clients
What is the limitation of giving the IT/security department sole responsibility over the BCP?
No other operational or support departments provide input, so they will not know how to implement the continuity processes when disaster strikes.
Name examples of people you would want on the BCP team.
- Core services department/organizational representatives
- Functional area representation
- Physical security and facility management
- Attorneys
- Human resources
- Public relations
- Senior management representatives
What are the three BCP phases after the organizational review is complete?
- Development
- Testing, Training, and Maintenance
- Implementation
What is one metric that you can point to in order to demonstrate the cost of a loss?
ALE - Annualized Loss Expectancy
Involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business.
Quantitative Impact Assessment
Takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low).
Qualitative Impact Assessment
What is the first step in the BIA from a quantitative perspective? Qualitative perspective?
Quantitative - Asset Valuation
Qualitative - Identify business priorities
After you have conducted an asset valuation in the Business Impact Analysis (BIA), what is the next step in determining how much time the business function can tolerate a disruption before suffering irreparable harm?
Develop the maximum tolerable downtime (MTD)
Amount of time in which you can feasibly recover the function in the event of a disruption.
Recovery Time Objective (RTO)
What is the point in time before an incident where the org should be able to recover data from a critical business process?
Recovery Point Objective (RPO)
What is the RPO of a function that is backed up every 20 minutes?
Recovery point objective - 20 minutes
After the BCP team identifies all of the potential risks, they estimate the likelihood of the risks materializing using which metric?
Annualized Rate of Occurrence (ARO)
The amount of damage that the risk poses to the asset, expressed as a percentage of the asset's value.
The Exposure Factor
The monetary loss expected each individual time the risk materializes. You can compute this using the following formula:
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
The monetary loss that the business expects to suffer as a result of the risk harming the asset during a typical year. The formula:
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
What are the two subtasks of continuity planning?
Strategy development
Provisions and processes
Describe Strategy development within continuity planning of the BCP
Determines which risks will be addressed by the business continuity plan.
Describe the provisions and processes phase within continuity planning of the BCP. What are the three categories of assets that must be protected through BCP provisions and processes?
The BCP team designs specific procedures and mechanisms that will mitigate risks deemed unacceptable during the strategy development stage. The three asset categories are people, buildings/facilities, and infrastructure.
Who ideally approves the BCP?
The highest-ranking executive possible - the CEO if you can - in order to demonstrate the importance of the plan to the entire organization.
What document can the CEO sign to relay the importance of the BCP to the workforce?
Statement of Importance
What document outlines the most important to the least important business functions from the business impact analysis?
Statement of priorities
Risk acceptance/mitigation section of BCP contains the outcome of the strategy development portion of the BCP process. For risks that were deemed acceptable what would it describe?
Reason risk was acceptable
Future events that would warrant reconsideration of this determination
Risk acceptance/mitigation section of BCP contains the outcome of the strategy development portion of the BCP process. For risks that were deemed unacceptable what would it describe?
Risk management provisions and processes put in place to reduce the risk to the organization's continued viability.
What does the vital records program list out?
Identifies essential records that would be critical to rebuilding the organization.
What are the emergency response guidelines?
Outlines the organizational and individual responsibilities for immediate response to an emergency.
List of individuals to notify.
How often should BCP team meet once the BCP is complete? What should be discussed?
Periodically, to update the BCP in response to organizational changes and to review the results of plan testing to ensure it still meets the organization's needs.