CHAPTER 8: Business Continuity and Disaster Recovery Flashcards
Explanation Bullets: The organization can take the following steps to better ensure the continuity of its outsourcing:
- Make the ability of such companies to reliably assure continuity of products and services part of any work proposals.
- Make sure that BCP is included in contracts with such companies, and that their responsibilities and levels of service are clearly spelled out.
- Draw up realistic and reasonable service levels that the outsourced firm will meet during an incident.
- If possible, have the outsourcing companies take part in BCP awareness programs, training, and testing.
Explanation Bullets: 2. Performed the BIA
- Identified critical business functions, their resources, and MTD values
- Identified threats and calculated the impact of these threats
- Identified solutions
- Presented findings to management
Explanation Bullets:
- Management Practices:
- Technical Practices:
Emphasis: executive succession planning
Organizations should already have executive succession planning in place. This means that if someone in a senior executive position retires, leaves the company, or is killed, the organization has predetermined steps to carry out to protect the company. The loss of a senior executive could tear a hole in the company’s fabric, creating a leadership vacuum that must be filled quickly with the right individual. The line-of-succession plan defines who would step in and assume responsibility for this role. Many organizations have “deputy” roles. For example, an organization may have a deputy CIO, deputy CFO, and deputy CEO ready to take over the necessary tasks if the CIO, CFO, or CEO becomes unavailable.
Emphasis: Identify preventive controls
- Identify preventive controls. Once threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner.
Explanations: Tertiary Sites
During the BIA phase, the team may recognize the danger of the primary backup facility not being available when needed, which could require a tertiary site. This is a secondary backup site, just in case the primary backup site is unavailable. The secondary backup site is sometimes referred to as a “backup to the backup.” This is basically plan B if plan A does not work out.
Emphasis: Standards and Best Practices
Although no specific scientific equation must be followed to create continuity plans, certain best practices have proven themselves over time. The National Institute of Standards and Technology (NIST) is responsible for developing best practices and standards as they pertain to U.S. government and military environments. It is common for NIST to document the requirements for these types of environments, and then everyone else in the industry uses their documents as guidelines. So these are “musts” for U.S. government organizations and “good to have” for other nongovernment entities.
Explanation Bullets: Business Continuity Planning
Preplanned procedures allow an organization to
- Provide an immediate and appropriate response to emergency situations
- Protect lives and ensure safety
- Reduce business impact
- Resume critical business functions
- Work with outside vendors and partners during the recovery period
- Reduce confusion during a crisis
- Ensure survivability of the business
- Get “up and running” quickly after a disaster
Emphasis: Develop the continuity planning policy statement
- Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP, and that assigns authority to the necessary roles to carry out these tasks.
Emphasis: ISO 22301
- ISO 22301 Pending International Standard for business continuity management systems. The specification document against which organizations will seek certification.
Emphasis: recovery strategy stage
In the recovery strategy stage, the team approaches the information gathered during the BIA stage from a practical perspective. It has to figure out what the company needs to do to actually recover the items it has identified as being so important to the organization overall. In its business continuity and recovery strategy, the team closely examines the critical, agreed-upon business functions, and then evaluates the numerous recovery and backup alternatives that might be used to recover critical business operations.
Explanations: Human Resources
We have everything up and running now—where are all the people to run these systems?
Bullets: Strengths
Characteristics of the project team that give it an advantage over others
Explanation Bullets: The main parts of a risk assessment are:
- Review the existing strategies for risk management
- Construct a numerical scoring system for probabilities and impacts
- Make use of a numerical score to gauge the effect of the threat
- Estimate the probability of each threat
- Weigh each threat through the scoring system
- Calculate the risk by combining the scores of likelihood and impact of each threat
- Get the organization’s sponsor to sign off on these risk priorities
- Weigh appropriate measures
- Make sure that planned measures that alleviate risk do not heighten other risks
- Present the assessment’s findings to executive management
Emphasis: Enterprise-Wide BCP
The agreed-upon scope of the BCP will indicate if one or more facilities will be included in the plan. Most BCPs are developed to cover the enterprise as a whole, instead of dealing with only portions of the organization. In larger organizations, it can be helpful for each department to have its own specific contingency plan that will address its specific needs during recovery. These individual plans need to be compatible with the enterprise-wide BCP.
Emphasis: BS 25999
- BS 25999 The British Standards Institute’s (BSI) standard for business continuity management (BCM). This BS standard has two parts:
Explanations: BCP Project Components
Before everyone runs off in 2,000 different directions at one time, let’s understand what needs to be done in the project initiation phase. This is the phase in which the company really needs to figure out what it is doing and why. So, after someone gets the donuts and coffee, let’s get down to business.
Explanations: Recovery Strategies
Up to this point, the BCP team has carried out the project initiation phase. In this phase, the team obtained management support and the necessary resources, laid out the scope of the project, and identified the BCP team. It also completed the BIA phase. This means that the committee carried out a risk assessment and analysis, which resulted in a report of the real risk level the company faces.
Explanations: Supply and Technology Recovery
At this point, the BCP team has mapped out the necessary business functions that need to be up and running and the specific backup facility option that is best for its organization. Now the team needs to dig down into the more granular items, such as backup solutions for the following:
Emphasis: Facility Recovery
Disruptions, in BCP terms, are of three main types: nondisasters, disasters, and catastrophes. A nondisaster is a disruption in service due to a device malfunction or failure. The solution could include hardware, software, or file restoration. A disaster is an event that causes the entire facility to be unusable for a day or longer. This usually requires the use of an alternate processing facility and restoration of software and data from offsite copies. The alternate site must be available to the company until its main facility is repaired and usable. A catastrophe is a major disruption that destroys the facility altogether. This requires both a short-term solution, which would be an offsite facility, and a long-term solution, which may require rebuilding the original facility.
Explanation Bullets: Warm and Cold Site Disadvantages
- Operational testing not usually available
- Resources for operations not immediately available
Explanation Bullets: Hot Site Disadvantages
- Very expensive
- Limited on hardware and software choices
Explanation Bullets: The initiation process for BCP might include the following:
- Setting up a budget and staff for the program before the BCP process begins. Dedicated personnel and dedicated hours are essential for executing something as labor-intensive as a BCP.
- Setting up the program would include assigning duties and responsibilities to the BCP coordinator and to representatives from all of the functional units of the organization.
- Senior management should kick off the BCP with a formal announcement or, better still, an organization-wide meeting to demonstrate high-level support.
- Awareness-raising activities to let employees know about the BCP program and to build internal support for it.
- Establishment of skills training for the support of the BCP effort.
- The start of data collection from throughout the organization to aid in crafting various continuity options.
- Putting “quick wins” into effect and gathering “low-hanging fruit” to show tangible evidence of improvement in the organization’s readiness, as well as actually improving that readiness.
Emphasis: business interruption insurance
A company could also choose to purchase a business interruption insurance policy. With this type of policy, if the company is out of business for a certain length of time, the insurance company will pay for specified expenses and lost earnings. Another policy that can be bought insures accounts receivable. If a company cannot collect on its accounts receivable for one reason or another, this type of coverage covers part or all of the losses and costs.