Chapter 3 - Business Continuity Planning Flashcards
Strategy Development
The strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development. The BCP team must now take the prioritized list of concerns raised by the quantitative and qualitative resource prioritization exercises and determine which risks will be addressed by the business continuity plan. Fully addressing all the contingencies would require the implementation of provisions and processes that maintain a zero-downtime posture in the face of every possible risk. For obvious reasons, implementing a policy this comprehensive is simply impossible.
Differences between Business Continuity Plan and Disaster Recovery Planning
BCP comes first, and if the BCP efforts fail, DRP steps in to fill the gap. For example, a data center is located downstream from a dam. BCP efforts might involve verifying that municipal authorities perform appropriate preventive maintenance on the dam and reinforcing the data center to protect it from floodwaters. If a flood happens, your business continuity efforts have failed, and it’s time to invoke your disaster recovery plan.
Business Organization Analysis
One of the first responsibilities of the individuals responsible for business continuity planning is to perform an analysis of the business organization to identify all departments and individuals who have a stake in the BCP process.
What’s the first step performed in a Business Impact Analysis (BIA)?
One of the first steps of a BIA is to identify and prioritize critical organization functions.
During this phase, the following activities will occur:
■ Obtain senior management support to go forward with the project
■ Define a project scope, the objectives to be achieved, and the planning assumptions
■ Estimate the project resources needed to be successful, both human resources and financial resources
■ Define a timeline and major deliverables of the project
In this phase, the program will be managed like a project, and a project manager should be assigned to the BC and DR domain.
The next step in the planning process is to have the planning team perform a BIA. The BIA will help the company decide what needs to be recovered, and how quickly. Mission functions are typically designated with terms such as critical, essential, supporting and nonessential to help determine the appropriate prioritization.
Business continuity plan
A business continuity plan (BCP) focuses on sustaining an organization’s business functions during and after a disruption. Information systems are considered in the BCP only in terms of their support to the larger business processes. The business recovery plan (BRP) addresses the restoration of business processes after an emergency. The BRP is similar to the BCP, but it typically lacks procedures to ensure continuity of critical processes throughout an emergency or disruption. The continuity of operations plan (COOP) focuses on restoring an organization’s essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. The disaster recovery plan (DRP) applies to major, usually catastrophic events that deny access to the normal facility for an extended period. A DRP is narrower in scope than an IT contingency plan in that it does not address minor disruptions that do not require relocation.
Occupant Emergency Plan
The Occupant Emergency Plan (OEP) provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property.
Such events would include a fire, hurricane, criminal attack, or a medical emergency. OEPs are developed at the facility level, specific to the geographic location and structural design of the building.
What assesses potential loss that could be caused by a disaster?
The Business Impact Analysis (BIA)
The Business Assessment is divided into two components: Risk Assessment (RA) and Business Impact Analysis (BIA). Risk Assessment is designed to evaluate existing exposures from the organization’s environment, whereas the BIA assesses potential loss that could be caused by a disaster. The Business Continuity Plan’s goal is to reduce the risk of financial loss by improving the ability to recover and restore operations efficiently and effectively.
When preparing a business continuity plan, who of the following is responsible for identifying and prioritizing time-critical systems?
Many elements of a BCP will address senior management, such as the statement of importance and priorities, the statement of organizational responsibility, and the statement of urgency and timing. Executive management staff initiates the project, gives final approval, and provides ongoing support. The BCP committee directs the planning, implementation, and testing processes, whereas functional business units participate in implementation and testing.
Key BCP concepts for exam
Business Continuity Plan (BCP) provides procedures for sustaining mission/business operations while recovering from a significant disruption.
The BCP focuses on sustaining an organization’s mission/business processes during and after a disruption. An example of a mission/business process may be an organization’s payroll process or customer service process. A BCP may be written for mission/business processes within a single business unit or may address the entire organization’s processes. The BCP may also be scoped to address only the functions deemed to be priorities. A BCP may be used for long-term recovery in conjunction with the COOP plan, allowing for additional functions to come online as resources or time allow. Because mission/business processes use information systems (ISs), the business continuity planner must coordinate with information system owners to ensure that the BCP expectations and IS capabilities are matched.
For your exam you should know the information below:
Each plan is listed with its purpose, its scope, and its relationship to the other plans.

Business Continuity Plan (BCP)
■ Purpose: Provides procedures for sustaining mission/business operations while recovering from a significant disruption.
■ Scope: Addresses mission/business processes at a lower or expanded level from COOP MEFs.
■ Plan Relationship: Mission/business process focused plan that may be activated in coordination with a COOP plan to sustain non-MEFs.

Continuity of Operations Plan (COOP)
■ Purpose: Provides procedures and guidance to sustain an organization’s MEFs at an alternate site for up to 30 days; mandated by federal directives.
■ Scope: Addresses MEFs at a facility; information systems are addressed based only on their support of the mission essential functions.
■ Plan Relationship: MEF focused plan that may also activate several business unit-level BCPs, ISCPs, or DRPs, as appropriate.

Crisis Communications Plan
■ Purpose: Provides procedures for disseminating internal and external communications; means to provide critical status information and control rumors.
■ Scope: Addresses communications with personnel and the public; not information system-focused.
■ Plan Relationship: Incident-based plan often activated with a COOP or BCP, but may be used alone during a public exposure event.

Critical Infrastructure Protection (CIP) Plan
■ Purpose: Provides policies and procedures for protection of national critical infrastructure components, as defined in the National Infrastructure Protection Plan.
■ Scope: Addresses critical infrastructure components that are supported or operated by an agency or organization.
■ Plan Relationship: Risk management plan that supports COOP plans for organizations with critical infrastructure and key resource assets.

Cyber Incident Response Plan
■ Purpose: Provides procedures for mitigating and correcting a cyber attack, such as a virus, worm, or Trojan horse.
■ Scope: Addresses mitigation and isolation of affected systems, cleanup, and minimizing loss of information.
■ Plan Relationship: Information system-focused plan that may activate an ISCP or DRP, depending on the extent of the attack.

Disaster Recovery Plan (DRP)
■ Purpose: Provides procedures for relocating information systems operations to an alternate location.
■ Scope: Activated after major system disruptions with long-term effects.
■ Plan Relationship: Information system-focused plan that activates one or more ISCPs for recovery of individual systems.

Information System Contingency Plan (ISCP)
■ Purpose: Provides procedures and capabilities for recovering an information system.
■ Scope: Addresses single information system recovery at the current or, if appropriate, alternate location.
■ Plan Relationship: Information system-focused plan that may be activated independently from other plans or as part of a larger recovery effort coordinated with a DRP, COOP, and/or BCP.

Occupant Emergency Plan (OEP)
■ Purpose: Provides coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat.
■ Scope: Focuses on personnel and property particular to the specific facility; not mission/business process or information system-based.
■ Plan Relationship: Incident-based plan that is initiated immediately after an event, preceding a COOP or DRP activation.

Business Recovery Plan (BRP)
■ Purpose: Provides procedures for recovering business operations immediately following a disaster.
■ Scope: Addresses business processes; not IT-focused; IT is addressed based only on its support for business.
Change Management step order
Request → Approve → Document → Test → Implement → Report
A BCP does not address the protection of cold sites at remote locations.
N/A
Which team is responsible for getting the alternative site into a working and functioning environment?
The restoration team
Continuity of Operations Plan
The continuity of operations plan establishes senior management and a headquarters after a disaster. It outlines roles and authorities, orders of succession, and individual role tasks.