Business Continuity Disaster Recovery Risk Management How do these fit into a Framework?
Which Project to Work On?
1. Define and assemble a Steering Committee to determine how to give each employee a 50% salary increase.
2. Create and implement a company-wide Business Continuity and Disaster Recovery plan.
Wendi Finn, CPA Randy Mueller
Goals for Today
– Group Discussion
– Leave with New Ideas
– Share Your Stories
– Use What Fits for You, Discard the Rest
Agenda
– Definitions
– Statistics and Examples
– Relationship with Risk Management
– Motivations for Managing Continuity
– Model a basic Framework
– Starting with an “Interim” plan
– Questions, Ideas, Bucks vs. Ducks
– Predictions
Business Continuity Management (BCM) A series of management processes and integrated plans that maintain the critical processes of an organization should a disruption take place that impacts its ability to continue providing key services. Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Disaster Recovery Disaster Recovery (DR) is the area of security planning that deals with protecting an organization from the effects of significant negative events. It is planning concerned with preparation for, and response when, a disaster hits. The objective is the survival of the organization.
Risk Management Risk is defined as the potential for an adverse event to occur and cause harm. Risk Management is the identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks. Through an organization’s Risk Management process it is likely that continuity risks will be identified.
Risk/Continuity/Recovery The potential of a disaster occurring is known as its risk, often measured by how likely it is to happen and how badly it will hurt. A business interruption is something that disrupts the normal flow of business operations. A disaster is any event that disrupts a critical business function. This can be just about anything. Whether an event is a business interruption or a disaster sometimes depends on your point of view (ex. Sony Data Breach).
What is the Relationship? Business Continuity Management (BCM) is concerned with managing risks to ensure that at all times an organization can continue operating at least to a pre-determined minimum level. The BCM process involves reducing the risk to an acceptable level and planning for the recovery of business processes should a risk materialize and a disruption to the business occur. Disaster Recovery Planning is concerned with the actual technical recovery of the IT components and details the procedures to be used to restore the IT components following a failure.
Relationship of the Disciplines
Why Bother with BCM?
Every week 140,000 hard drives crash in the United States. 31% of PC users have lost all of their files due to events beyond their control. 34% of companies fail to test their tape backups, and of those that do, 77% have found tape backup failures.
The dependence of today’s enterprises on IT is significant. For an organization that uses IT extensively for its operations, not just recording of transactions, the non-availability of its information systems could mean the end of its existence. -ISACA
Other Reasons for BCP…
– Improved Business Processes
– Competitive Advantage
– Requirements
  – PCI Compliance
  – SOC Compliance
  – HIPAA Compliance
…Leads to #1 Reason: “Write something to make the auditors go away!”
Using a Framework ENISA
Define BCM Framework
Main Components
1. Define BCM Framework
2. Complete Business Impact Analysis
3. Design BCM Approach/Method
4. Deliver BC Plan
5. Test Plan
6. Maintain Plan
Business Continuity Management Step 4: Deliver Plan
4.1 Incident Response Plan
4.2 Incident Management Plan
4.3 Business Recovery Plan
4.4 Communications Plan
4.5 IT Continuity Plan
4.6 Business Resumption Plan
But We Don’t Have the Resources
Time Required for Complete Plan
– Small Business (<100) approx. 3 months
– Large Business (>1000) approx. 1 – 2 years
Most Respond with an “Interim” Plan
– Addresses the current risk
– Limited scope
– Gets something in writing
– Is NOT a substitute for a real plan