Key Concepts:
  • Purpose and critical success factors (CSFs) of BCP
  • Major elements of BCP
  • Seven domains of information technology (IT) infrastructure and their relation with BCP
  • BCP design within small to mid-sized organization

Managing Risk in Information Systems

Business Continuity Planning

Introduction to BCPs
How often have IT organizations run into trouble because a supplier stopped delivering or because a piece of technology failed? A BCP combined with a disaster recovery plan (DRP) does not prevent such events, but it lets the organization keep its critical functions running and restore the rest in a planned, tested way instead of improvising under pressure.

The following table summarizes the elements of a BCP and a DRP.

BCP

  • Covers all functional areas of a business
  • Ensures the entire business can continue to operate in the event of a disruption
  • Involves a business impact analysis (BIA)
  • Addresses other nontechnical elements of the disruption
  • Focuses on getting the overall business functions back to normal

DRP

  • Covers functions of only the IT department
  • Includes the elements necessary to recover from a disaster
  • Involves backing up critical data to removable media or to an online location and, if required, moving IT operations to an off-site recovery facility
  • Focuses on restoring and recovering IT functions
Steps in Implementing a BCP
Implementing a BCP is an ongoing task because an organization changes and updates its systems and resources all the time.

A critical eye and outside-the-box thinking must be applied to every step of BCP implementation. The steps, in order, are:
  • Charter a BCP and create a BCP scope statement
  • Complete a BIA
  • Identify countermeasures and controls
  • Develop individual DRPs
  • Provide training
  • Test and exercise plans
  • Maintain and update the BCP

Charter and scope. Define a BCP scope statement: determine which business components and functions must be recovered after a disruption. When defining the scope, use consistent terminology so that the BCP team shares a common vision, where everyone understands the overall goal and the major steps required to achieve it. Without a common understanding of the scope, it is difficult to agree on what success looks like.

Business impact analysis. The key to any BCP is an impact analysis that separates critical from noncritical functions. A function is critical if the consequences for stakeholders and the damage to the organization would be unacceptable, or if law requires it. The BIA also records the recovery requirements for each critical function: the time frame within which the function must be resumed after a disaster (its recovery time objective) and the business and technical resources needed to recover it. Because most functions rely on other systems, a dependency inherits the recovery requirement of whatever relies on it.

Countermeasures and controls. Once threats are recognized, identify and implement controls and countermeasures that reduce the organization's risk to an acceptable level at a justifiable cost. Establish the cost of implementing and maintaining each countermeasure so that it can be weighed against the impact it prevents.

Disaster recovery plans. Determine the business value of the organization's applications and define recovery objectives from each one's data risk and recovery time profile. Select technologies for safeguarding data, including backup and disaster recovery, on the basis of that business value rather than on what is cheapest or most familiar.

Training. Implement the chosen technologies and train the personnel who will execute the plan, so that they know which business processes are affected and what their own role is during a disruption.

Testing and exercising. Test the documented plan regularly. Measure and validate test results against the plan's overall objectives, and implement the enhancements that testing and evaluation have shown to be necessary, in priority order.

Maintenance. Continuously review and enhance the BCP to reflect organizational changes, changing business conditions, and new technologies. Then repeat the entire cycle.
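The "test and exercise plans" step, and the backup plan that the Challenge later in this lesson asks for, both come down to one question: can the critical data actually be restored, intact and recent enough? The following Python script is an added example, not course material. It archives a constructed sample data set, records SHA-256 digests in a sidecar manifest, restores into a clean directory, verifies every file against the manifest, and checks the backup's age against an assumed 24-hour recovery point objective (RPO). All paths, file contents and the RPO value are assumptions made for the illustration.

```python
"""Added example (not course material): a scripted backup-and-restore drill.
All paths, file contents and the recovery point objective are constructed
for illustration."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so multi-gigabyte backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src into a .tar.gz and write a sidecar manifest of per-file digests,
    so a restore can be verified against something other than the archive itself."""
    archive.parent.mkdir(parents=True, exist_ok=True)
    files = sorted(p for p in src.rglob("*") if p.is_file())
    manifest = {
        "created": time.time(),
        "files": {p.relative_to(src).as_posix(): sha256_of(p) for p in files},
    }
    with tarfile.open(archive, "w:gz") as tar:
        for p in files:
            tar.add(str(p), arcname=p.relative_to(src).as_posix())
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_archive(archive: Path, dest: Path) -> None:
    """Extract into dest, refusing members that would escape it (absolute paths or '..')."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # Python 3.12+ and security backports
        except TypeError:  # interpreter without the filter argument: check members by hand
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe member in archive: {member.name}")
            tar.extractall(dest)


def verify_against_manifest(restored: Path, manifest: dict) -> dict:
    """Compare every file the manifest promises with what is actually on disk after restore."""
    missing, mismatched = [], []
    for rel, expected in manifest["files"].items():
        path = restored / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_of(path) != expected:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched, "checked": len(manifest["files"]),
            "missing": missing, "mismatched": mismatched}


def backup_within_rpo(manifest: dict, rpo_hours: float, now: Optional[float] = None) -> bool:
    """A backup older than the RPO means more data loss than the BIA accepted."""
    now = time.time() if now is None else now
    return (now - manifest["created"]) <= rpo_hours * 3600


def run_restore_drill(rpo_hours: float = 24.0) -> dict:
    """End-to-end drill on a constructed data set: back up, restore, verify, then prove the
    verification can actually fail by corrupting one restored file and checking again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "critical_data"
        (src / "db").mkdir(parents=True)
        (src / "docs").mkdir()
        # Constructed sample content standing in for the real critical data.
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget', 12.50);\n")
        (src / "docs" / "runbook.md").write_text("# Restore runbook (constructed sample)\n")

        archive = root / "backups" / "critical.tar.gz"
        manifest = create_backup(src, archive)
        restored = root / "restore_test"
        restore_archive(archive, restored)
        clean = verify_against_manifest(restored, manifest)

        # A drill that cannot fail proves nothing: damage one restored file and re-check.
        (restored / "db" / "orders.sql").write_text("-- silently truncated\n")
        tampered = verify_against_manifest(restored, manifest)

        return {
            "clean": clean,
            "tampered": tampered,
            "within_rpo_now": backup_within_rpo(manifest, rpo_hours),
            "within_rpo_after_48h": backup_within_rpo(
                manifest, rpo_hours, now=manifest["created"] + 48 * 3600),
        }


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

The manifest is deliberately kept outside the archive: if the archive is silently corrupted or tampered with, a digest stored inside it proves nothing. The `filter="data"` argument refuses archive members with absolute or parent-directory paths, so a malicious or damaged backup cannot write outside the restore directory; on interpreters that predate it the script performs the same check by hand.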

Key Roles Involved in BCP Implementation
The board of directors and senior management are responsible for establishing and reviewing an enterprise-wide testing program. The BCP program manager works with the director of security to manage, develop, implement, train for, exercise, and maintain the firm-wide continuity of operations, life safety, and disaster recovery planning program, and is closely involved in the program's deliverables.

The roles and their respective duties and responsibilities:
  • BCP program manager: Responsible for the development, customization, maintenance, and planning of the organization's BCP, BIA, risk assessments, and DRP. Works with stakeholders and business units to develop, customize, train on, and exercise the BCP. During a crisis, disaster, or other emergency, takes a leadership role in response and recovery activities.
  • BCP coordinator: Responsible for the day-to-day coordination of BCP implementation. The coordinator has two roles, depending on the stage of the BCP: developing and completing the plan, and declaring the emergency and activating the plan. After declaring an emergency, the coordinator contacts the appropriate teams or team leads.
  • BCP team leads: Separate teams, each headed by a team lead, are formed to carry out the BCP. Larger organizations have multiple teams and team leads with different goals and responsibilities.
  • Critical vendors: The BCP identifies each vendor's or supplier's responsibility to keep providing goods or services to the organization during an emergency.
  • Critical contractors: Many companies hire contract staff in addition to full-time employees to fill specific needs. If contractors are expected to have specific roles in the BCP, identify them; some contractor positions may be mission critical and require on-site work through any type of disruption.
  • Telecommuters: Staff who usually work from home. The organization may need them to access resources from a different location, or they may have skills that help the organization get through the disruption.
  • Emergency management team: Senior managers who consider all potential hazard scenarios. They hold overall authority for the recovery effort and work closely with the BCP coordinator, ensuring that the BCP is coordinated with the organization's other emergency plans.
  • Damage assessment team: Assesses the damage and declares the severity of the incident. Team members collect and report data rather than take action; the data comes from critical areas such as facility and utilities engineering, process maintenance, purchasing, logistics, and security.
  • Technical recovery team: Responsible for recovering critical IT resources. Its members are skilled personnel with complete knowledge of the resources they are recovering.
Purpose of BCPs
How will your organization continue to function if something happens that you cannot control, such as a loss of power or the loss of the file server that holds your organization's database? For each critical business function (CBF), a plan covering people, processes, and equipment must be in place to get the function operating again as soon as possible.

The BCP should inventory the critical resources that must be protected and recovered, in the following categories:
  • Equipment: Identify all equipment, such as servers, switches, and routers. Servers may need to be rebuilt from scratch, so the BCP should list the operating system and any applications needed to support each system; if a standard image is used to rebuild servers, record the image version.
  • Databases and dependencies: Include the databases hosted on each system, and record what each service depends on. For example, an application server may need a database server to remain operational, and a wide area network (WAN) link may connect a database server at headquarters to a remote location. If the WAN link fails, a backup link (such as a modem) can be used to meet the need during the disruption, but only if that fallback has been identified in advance.
  • Files and documentation: Include the files, documents, and spreadsheets the function uses, and keep descriptions and documentation of the organization's systems and resources. This documentation should be detailed enough to identify each critical system and its supporting architecture. If it is missing or out of date, maintaining and recovering the CBFs becomes much more difficult; documentation also reveals elements that must be addressed in the recovery plan.
  • Supplies: Include the necessary supplies, whether simple office supplies such as printer paper and toner or technical supplies such as special oils for machinery or tools needed for maintenance.
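The BIA step earlier in this lesson and the dependency discussion above hinge on the same three facts about every function: whether it is critical, how fast it must be back, and what it depends on. The following Python example is added here and is not course material. It models those facts and derives a recovery sequence in which every dependency is restored before the functions that need it and inherits their recovery time objective (RTO). The function names, RTO values and dependency graph are constructed for illustration and loosely follow the application server, database server and WAN link example above.

```python
"""Added example (not course material): a small business impact analysis
worksheet that turns criticality, RTOs and dependencies into a recovery
sequence. Function names, RTO values and the dependency graph are constructed
for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from graphlib import CycleError, TopologicalSorter
from typing import Optional


@dataclass
class BusinessFunction:
    name: str
    impact_if_lost: str            # "unacceptable" or "tolerable", as rated in the BIA
    rto_hours: Optional[float]     # time frame in which it must resume; None if none was stated
    required_by_law: bool = False  # legally mandated functions are critical regardless of impact
    depends_on: list[str] = field(default_factory=list)  # resources it cannot run without


def is_critical(fn: BusinessFunction) -> bool:
    """A function is critical if losing it is unacceptable or if law requires it."""
    return fn.impact_if_lost == "unacceptable" or fn.required_by_law


def build_recovery_plan(functions: list[BusinessFunction]) -> list[tuple[str, Optional[float]]]:
    """Return (name, effective RTO) for every critical function in the order it must be
    recovered. A dependency inherits criticality from, and must be back no later than,
    whatever depends on it."""
    by_name = {f.name: f for f in functions}
    for f in functions:
        for dep in f.depends_on:
            if dep not in by_name:
                raise ValueError(f"{f.name} depends on undocumented resource {dep!r}")
    try:
        # static_order yields each resource after everything it depends on: exactly the
        # sequence in which a technical recovery team has to bring things back.
        order = list(TopologicalSorter({f.name: set(f.depends_on) for f in functions}).static_order())
    except CycleError as exc:
        raise ValueError(f"circular dependency in BIA: {exc.args[1]}") from exc

    critical = {f.name: is_critical(f) for f in functions}
    rto = {f.name: f.rto_hours for f in functions}
    # Walk dependents before their dependencies so inherited requirements flow down chains.
    for name in reversed(order):
        if not critical[name]:
            continue
        for dep in by_name[name].depends_on:
            critical[dep] = True
            if rto[name] is not None and (rto[dep] is None or rto[name] < rto[dep]):
                rto[dep] = rto[name]
    return [(name, rto[name]) for name in order if critical[name]]


# Constructed sample inventory (not real data): nobody rated the WAN link critical,
# and nobody gave it an RTO.
SAMPLE_BIA = [
    BusinessFunction("wan_link_hq", "tolerable", None),
    BusinessFunction("db_server", "unacceptable", 8, depends_on=["wan_link_hq"]),
    BusinessFunction("order_web_app", "unacceptable", 4, depends_on=["db_server"]),
    BusinessFunction("payroll_eft", "tolerable", 24, required_by_law=True, depends_on=["db_server"]),
    BusinessFunction("intranet_wiki", "tolerable", 72, depends_on=["db_server"]),
]

if __name__ == "__main__":
    for name, hours in build_recovery_plan(SAMPLE_BIA):
        print(f"{name:15s} recover within {hours} h")
```

Two things the worksheet makes visible that a flat list of functions does not: the WAN link, which nobody rated critical, ends up critical with a four-hour requirement because the order web application cannot run without the database server behind it; and a circular dependency (two functions that each need the other restored first) is rejected rather than silently ordered. The intranet wiki is left out of the plan entirely, since nothing critical depends on it.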
Best Practices for BCPs
A BCP helps an organization plan and train for disasters. No one wants a disaster, but if one does occur, an organization with a BCP in place is far better prepared to deal with it directly. The following scenario shows how a BCP helps an organization recover from a disaster.

John Motorcycle Parts Scenario

You have recently bought John Motorcycle Parts, a company that sells widgets to large motorcycle manufacturers. The company operates on a coast threatened by hurricanes. You want the company's Web site, which is used for online sales of widgets, to keep operating if a hurricane strikes, so you need a continuity and security plan in place. As the owner, you have to perform the following tasks:

  • Identify the risks and problems that need to be fixed before your audit team finds loopholes in your overall security plan.
  • List five things that could go wrong without a BCP and a DRP.
  • List five risks that need to be addressed first.

A detailed BCP will enable you to perform these tasks, and published best practices for developing a BCP can guide the work.

Hands-On Lab
In this section, you will practice the concepts and processes explored in this lesson. Following the instructions in the Lab Manual, you will carry out the steps IT security specialists perform day to day and develop the skills required for effective execution and management of IT security operations.

Challenge
In this section, you will apply what you have learned in this lesson to a business situation. Although simplified, the problem scenario depicts challenges that professionals often face in the workplace.

In this case study, you will explore a business situation, review the critical information related to the problem, decide on a course of action, and receive a decision analysis summary that discusses the implications of your decision. Once you have analyzed the impact of your decision, explore the alternative solutions to learn about other ways to address the issue. Complete your work on the case by submitting the graded assignment, which should reflect your process of analyzing the business situation and defining an appropriate course of action.

After reviewing your Project Part 1 on risk management, senior management at Health Network has decided that you must also develop a BCP, and has allocated funds for it.

You need to develop the BCP taking into account additional information on the Health Network IT infrastructure, which the chief network manager provides below.

Congratulations on your good work! Before you develop a BCP for DLIS, I have something to share with you.

DLIS has a global reach and at least 50 file servers and 12 databases running everything from an enterprise resource planning (ERP) system to the organization's payroll system, which has electronic funds transfer (EFT) capability. Another thing worth noting is a warm site within 50 miles of the headquarters' data center; no plans exist for it, and you will want to use it in planning your BCP. Currently, backups are done by an outside vendor. However, you will want to recommend a new process and a new vendor, and develop a new backup plan for approximately 5 terabytes of critical classified data. Do not forget to develop a testing plan for your BCP.

You can always come to me in case of any doubts or queries. All the best.

Contributing Factors
Various factors will guide you in completing this assignment.

You may refer to additional resources that you find in your own research to help you and your team develop a BCP. You may also use a BCP template if you find one during your research.

Course of Action
Use the following checklist as a guide to complete this assignment.

Tasks

  • Read the case scenario of Health Network.
  • Understand your task for this assignment from the chief network manager in the server room.
  • Consider all the factors that contribute to the challenge.
  • Write the purpose of drafting a BCP.
  • Explain the scope and boundaries of the BCP.
  • Explain the key roles involved in the BCP and their respective responsibilities.
  • Analyze and write a proposed schedule for the BCP.
  • Research and summarize your backup approaches and justify your final recommendations.
  • Collate all information in a Microsoft Word (or compatible) document and do a self-review.
  • Submit Project Part 2 Task 2 to your instructor.
At the end of this lesson, you should be able to:
  • Explain the purpose of a business continuity plan (BCP).
  • Identify the standard elements of a BCP.
  • Describe the various steps to implement a BCP.
  • Describe the best practices for implementing a BCP.
In this lesson, you will learn how BCPs are an important element of risk management. You will look at the steps in implementing a BCP in order to ensure continuation of business operations. In addition, you will learn about risk mitigation best practices and the importance of using a BCP.