Published by Lana Binns. Modified over 10 years ago.
Business Continuity
Information security - Business continuity
Business continuity is the mechanism by which an organization continues to operate its critical business units, during planned or unplanned disruptions that affect normal business operations, by invoking planned and managed procedures.
Business continuity is not simply about the business; it is also an IT system and process. Today, disasters and disruptions to business are a reality. Whether a disaster is natural or man-made, it affects normal life and therefore business, so planning is important.
Planning is merely getting better prepared to face a disruption, knowing full well that the best plans may fail. Planning helps to reduce the cost of recovery and operational overheads and, most importantly, lets the organization sail through the smaller disruptions effortlessly.
To create effective plans, businesses need to focus on the following key questions. Most of these are common knowledge, and anyone can do a BCP.
Should a disaster strike, what are the first few things that I should do? Should I call people to find out if they are OK, or call the bank to check that my money is safe? This is Emergency Response. Emergency Response services take the first hit when the disaster strikes, and if the disaster is serious enough the Emergency Response teams need to quickly get a Crisis Management team in place.
What parts of my business should I recover first? The one that brings in the most money, the one where I spend the most, or the one that will ensure sustained future growth? The sections identified are the critical business units. There is no magic bullet here; no one answer satisfies all. Businesses need to find answers that meet their business requirements.
How soon should I target to recover my critical business units? In BCP jargon this is called the Recovery Time Objective, or RTO. This objective defines what the business will need to spend to recover from a disruption. For example, it is cheaper to recover a business in 1 day than in 1 hour.
What do I need to recover the business? IT, machinery, records... food, water, people... So many aspects to dwell upon. The cost factor becomes clearer now... Business leaders need to drive business continuity. Hold on: my IT manager spent $ last month and created a DRP (Disaster Recovery Plan); whatever happened to that? A DRP is about continuing an IT system, and is one section of a comprehensive Business Continuity Plan. See below for more on this.
And where do I recover my business from? Will the business center give me space to work, or will it be flooded by many people queuing up for the same reasons as me?
But once I do recover from the disaster and work at reduced production capacity because my main operational sites are unavailable, how long can this go on? How long can I do without my original sites, systems and people? This defines the amount of business resilience a business has.
Now that I know how to recover my business, how do I make sure my plan works? Most BCP pundits recommend testing the plan at least once a year, reviewing it for adequacy, and rewriting or updating the plans either annually or when the business changes.
Cloud computing security - Business continuity and data recovery
Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered. These plans are shared with and reviewed by their customers.
Risk management - Risk management and business continuity
Risk management is simply the practice of systematically selecting cost-effective approaches for minimising the effect of threat realization on the organization. Risks can never all be fully avoided or mitigated, simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risk.
Whereas risk management tends to be preemptive, business continuity planning (BCP) was invented to deal with the consequences of realised residual risks.
Business continuity planning
A business continuity plan is a roadmap for continuing operations under adverse conditions such as a storm or a crime.
Any event that could impact operations is included, such as supply chain interruption or loss of or damage to critical infrastructure (major machinery or computing/network resources). As such, risk management must be incorporated as part of BCP.
In 2007, the BSI published BS "Specification for Business Continuity Management", which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).
BS :2007 business continuity management is the British Standard for business continuity management across all organizations.
This document was superseded in November 2012 by the British standard BS ISO 22301:2012 (British Standards Institution, 2012).
In 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act 2004 (the Act). This provides the legislation for civil protection in the UK.
The Act is separated into two distinct parts. Part 1 focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders. Part 2 focuses on emergency powers, establishing a modern framework for the use of special legislative measures that might be necessary to deal with the effects of the most serious emergencies.
The Act tells responders and planners that businesses need to have continuity planning measures in place in order to survive and continue to thrive whilst working towards keeping the incident as minimal as possible (Cabinet Office, 2004).
Business continuity planning - Business impact analysis (BIA)
A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in-scope) function, two values are then assigned:
Recovery Time Objective (RTO) – the acceptable amount of time to restore the function
The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.
Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:
The business requirements for recovery of the critical function, and/or
The technical requirements for recovery of the critical function
Business continuity planning - Threat and risk analysis (TRA)
After defining recovery requirements, each potential threat may require unique recovery steps. Common threats include:
The impact of an epidemic can be regarded as purely human, and may be alleviated with technical and business solutions. However, if the people behind these plans are affected by the disease, the process can stumble.
During the 2002–2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organizations also banned face-to-face intergroup contact during business and non-business hours. The split increased resiliency against the threat of quarantine measures if one person in a team was exposed to the disease.
Business continuity planning - Impact scenarios
After defining threats, impact scenarios form the basis of the business recovery plan. In general, planning for the most wide-reaching impact is preferable. A typical impact scenario such as "building loss" encompasses most critical business functions. A BCP may document scenarios for each building. More localized impact scenarios – for example loss of a specific floor in a building – may also be documented.
Business continuity planning - Recovery requirement
After the analysis phase, business and technical recovery requirements precede the solutions phase. Asset inventories allow for quick identification of deployable resources. For an office-based, IT-intensive business, the plan requirements may cover desks, human resources, applications, data, manual workarounds, computers and peripherals.
Other business environments, such as production, distribution and warehousing, will need to cover these elements but are likely to have additional issues.
Business continuity planning - Solution design
The solution design phase identifies the most cost-effective disaster recovery solution that meets the two main requirements from the impact analysis stage. For IT purposes, this is commonly expressed as the minimum application and data requirements and the time within which the minimum applications and application data must be available.
Outside the IT domain, preservation of hard-copy information such as contracts, of skilled staff, and restoration of embedded technology in a process plant must be considered. This phase overlaps with disaster recovery planning methodology. The solution phase determines:
telecommunication architecture between primary and secondary work sites
applications and data required at the secondary work site, and
physical data requirements at the secondary work site.
Business continuity planning - Implementation
The implementation phase involves policy changes, material acquisitions, staffing and testing.
Business continuity planning - Testing and organizational acceptance
The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors. Testing may include:
Crisis command team call-out testing
At minimum, testing is conducted on a biannual schedule.
The 2008 book Exercising for Excellence, published by The British Standards Institution, identified three types of exercises that can be employed when testing business continuity plans.
Business continuity planning - Tabletop exercises
Tabletop exercises typically involve a small number of people and concentrate on a specific aspect of a BCP. They can easily accommodate complete teams from a specific area of a business.
Another form involves a single representative from each of several teams. Typically, participants work through a simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered out of working hours.
The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.
Business continuity planning - Medium exercises
A medium exercise is conducted within a "Virtual World" and brings together several departments, teams or disciplines.
A medium exercise typically lasts a few hours, though it can extend over several days. It typically involves a "Scenario Cell" that adds pre-scripted "surprises" throughout the exercise.
Business continuity planning - Complex exercises
A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.
While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.
Business continuity planning - Maintenance
Biannual or annual maintenance of a BCP manual is broken down into three periodic activities:
Confirmation of information in the manual, roll-out to staff for awareness and specific training for critical individuals.
Testing and verification of technical solutions established for recovery operations.
Testing and verification of organization recovery procedures.
Issues found during the testing phase often must be reintroduced to the analysis phase.
Business continuity planning - Information/targets
The BCP manual must evolve with the organization. Activating the call tree verifies the notification plan's efficiency as well as contact data accuracy. Types of changes that should be identified and updated in the manual include:
Organization structure changes
Communication and transportation infrastructure such as roads and bridges
Business continuity planning - Technical
Specialized technical resources must be maintained. Checks include:
Application security and service patch distribution
Business continuity planning - Testing and verification of recovery procedures
As work processes change, previous recovery procedures may no longer be suitable. Checks include:
Are all work processes for critical functions documented?
Have the systems used for critical functions changed?
Are the documented work checklists meaningful and accurate?
Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective?
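The second check above, whether the systems used for critical functions have changed, is the one most easily automated: compare what the BCP manual documents against what the live host reports. The following Python is an added example, not code from the slides or from any standard named on this page. It parses /etc/group-style and /etc/fstab-style text (two of the "other components" this page lists later, group names/GIDs and disk partitions) and reports what is missing, undocumented or changed relative to the manual's inventory. The documented baselines and the live file contents are constructed sample data.

```python
# Drift check between what the BCP manual documents and what the live system
# shows. All baselines and file contents below are constructed sample data
# for this example, not taken from the slides or from any real system.


def parse_group_file(text: str) -> dict[str, int]:
    """Parse /etc/group-style lines (name:password:GID:members) into
    {group name: GID}. Blank lines and '#' comments are ignored."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip it rather than guess a GID
        groups[fields[0]] = int(fields[2])
    return groups


def parse_fstab(text: str) -> dict[str, str]:
    """Parse /etc/fstab-style lines (device mountpoint type options dump pass)
    into {mount point: device}. Blank lines and '#' comments are ignored."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        mounts[fields[1]] = fields[0]
    return mounts


def drift(documented: dict, live: dict) -> dict:
    """Compare the manual's inventory with the live inventory.
    missing:      documented but no longer present (a procedure may still reference it)
    undocumented: present but absent from the manual (a procedure may overlook it)
    changed:      present in both with a different value, e.g. a renumbered GID"""
    return {
        "missing": sorted(k for k in documented if k not in live),
        "undocumented": sorted(k for k in live if k not in documented),
        "changed": {k: (documented[k], live[k])
                    for k in sorted(documented)
                    if k in live and documented[k] != live[k]},
    }


# Constructed inventory as recorded in the BCP manual.
DOCUMENTED_GROUPS = {"root": 0, "wheel": 10, "dbadmin": 1001, "backup": 34}
DOCUMENTED_MOUNTS = {"/": "LABEL=rootfs", "/var/lib/db": "/dev/mapper/vg0-db",
                     "/srv/backup": "/dev/mapper/vg0-backup"}

# Constructed live file contents (what would be read from the host today).
LIVE_GROUP_FILE = """\
# sample /etc/group content
root:x:0:
wheel:x:10:alice
dbadmin:x:2001:bob
payroll:x:1500:carol
"""
LIVE_FSTAB = """\
# <device>            <mount point>  <type>  <options>  <dump>  <pass>
LABEL=rootfs          /              ext4    defaults   0       1
/dev/mapper/vg0-db    /var/lib/db    xfs     defaults   0       2
"""


def group_drift() -> dict:
    return drift(DOCUMENTED_GROUPS, parse_group_file(LIVE_GROUP_FILE))


def mount_drift() -> dict:
    return drift(DOCUMENTED_MOUNTS, parse_fstab(LIVE_FSTAB))


if __name__ == "__main__":
    print("groups:", group_drift())
    print("mounts:", mount_drift())
```

On the constructed data the group check reports the "backup" group as missing, "payroll" as undocumented and "dbadmin" renumbered from 1001 to 2001; the mount check reports the documented "/srv/backup" volume as no longer present. Each of those is exactly the kind of finding that sends a recovery procedure back to the analysis phase, because a restore script written against the old GID or the old backup volume would fail during an exercise.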
Business continuity planning - Notes
Elliot, D.; Swartz, E.; Herbane, B. (1999). Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No., pp. 43–60. Here: p. 48.
Intrieri, Charles (10 September 2013). "Business Continuity Planning". Flevy. Retrieved 29 September 2013.
British Standards Institution (2006). Business continuity management - Part 1: Code of practice. London.
British Standards Institution (2012). Societal security – Business continuity management systems – Requirements. London.
Cabinet Office (2004). Civil Contingencies Act 2004: a short overview of the Act. London: Civil Contingencies Secretariat.
Business continuity planning - Bibliography
Business Continuity Planning. FEMA. Retrieved June 16, 2012.
Continuity of Operations Planning (no date). U.S. Department of Homeland Security. Retrieved July 26, 2006.
Purpose of Standard Checklist Criteria For Business Recovery (no date). Federal Emergency Management Agency. Retrieved July 26, 2006.
NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (PDF) (2010). National Fire Protection Association.
United States General Accounting Office Y2K BCP Guide (August 1998). United States Government Accountability Office.
Business continuity planning - International Organization for Standardization
ISO/IEC 27001:2005 (formerly BS :2002) Information Security Management System
ISO/IEC 27002:2005 (renumbered ISO17999:2005) Information Security Management – Code of Practice
ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity
ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management
ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services
ISO 22301:2012 Societal security - Business continuity management systems - Requirements
ISO 22313:2012 Societal security - Business continuity management systems - Guidance
Business continuity planning - British Standards Institution
BS :2006 Business Continuity Management Part 1: Code of practice
Business continuity planning - Others
"A Guide to Business Continuity Planning" by James C. Barnes
"Business Continuity Planning: A Step-by-Step Guide with Planning Forms on CD-ROM" by Kenneth L. Fulmer
"Business Continuity Plan Design: 8 Steps for Getting Started Designing a Plan" by Richard Kepenach
"Disaster Survival Planning: A Practical Guide for Businesses" by Judy Bell
Harney, J. (2004). Business continuity and disaster recovery: Back up or shut down.
Dimattia, S. (November 15, 2001). Planning for Continuity. Library Journal, 32–34.
Exercising for Excellence (Delivering successful business continuity management exercises) by Crisis Solutions
Business continuity
If there is no business continuity plan implemented and the organization in question is facing a rather severe threat or disruption that may lead to bankruptcy, the implementation and outcome of such a plan, if not too late, may strengthen the organization's survival and the continuity of its business activities (Gittleman, 2013).
It is also sometimes confused with Work Area Recovery (recovery from the loss of the physical building within which the business is conducted), which is but a part of business continuity.
The term Business Continuity describes a mentality or methodology of conducting day-to-day business, whereas business continuity planning is the activity of determining what that methodology should be. The business continuity plan may be thought of as the incarnation of a methodology that is followed by everyone in an organization on a daily basis to ensure normal operations.
Business continuity - Standards
This section provides references to a number of worldwide BC/BCM standards (content pulled from the SDOs' websites):
ISO – On 15 May 2012, ISO published the International Standard ISO 22301:2012, "Societal security -- Business continuity management systems -- Requirements". A second International Standard, ISO 22313, "Societal security -- Business continuity management systems -- Guidance", is in the Draft International Standard (DIS) phase and is expected to be published in late 2012 or early 2013.
In 2011, ISO published the International Standard ISO/IEC 27031:2011, "Information security - Security techniques - Guidelines for information and communication technology [ICT] readiness for business continuity". This provides guidance for organizations implementing the ICT component of business continuity management. It also provides guidance in support of the business continuity elements of the information security standards ISO/IEC and ISO/IEC 2002.
The second, "BS :2007 Specification for Business Continuity Management", specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS), describing only requirements that can be objectively and independently audited.
North America – Published by the National Fire Protection Association: NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs.
North America – ASIS/BSI BCM.01:2010, published December 2010.
ANSI/ASIS SPC Organizational Resilience: The ANSI/ASIS SPC Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use American National Standard is under consideration for inclusion in the DHS PS-Prep, a voluntary program designed to enhance national resilience in an all-hazards environment by improving private sector preparedness.
Australia – Published by Standards Australia: HB : A practitioner's guide to business continuity management; HB : Executive guide to business continuity management. In 2010, Standards Australia introduced their Standard AS/NZS 5050, which connects far more closely with traditional risk management practices. This interpretation is designed to be used in conjunction with AS/NZS covering risk management.
Business continuity - Program
An ongoing management-level process to ensure that the necessary steps are regularly taken to identify probable accidents, disasters, emergencies, and/or threats. It also involves (1) assessment of the probable effect of such events, (2) development of recovery strategies and plans, and (3) maintenance of their readiness through personnel training and plan testing. See also business impact analysis.
Business continuity - Policies
Policies are those things mandated by the management of an organization that will always be performed according to a preset design plan and that support all business functions within the organization.
Business continuity - BC/BCM plan
The components of the business continuity methodology required for manifestation into a documented plan include:
A set of documents, instructions, and procedures which enable a business to respond to accidents, disasters, emergencies, and/or threats without any stoppage or hindrance in its key operations. Also called a business resumption plan, disaster recovery plan, or recovery plan.
Business continuity - BC/BCM planning
The task of identifying, developing, acquiring, documenting, and testing procedures and resources that will ensure continuity of a firm's key operations in the event of an accident, disaster, emergency, and/or threat. It involves (1) risk mitigation planning (reducing the possibility of the occurrence of adverse events) and (2) business recovery planning (ensuring continued operation in the aftermath of a disaster).
Business continuity - Guidelines
Guidelines are those things which are recommended to be performed according to a preset design plan. However, depending upon the needs and requirements of the target business function, these items may or may not be performed, or may be altered during implementation.
Business continuity - Procedures
The British Standard and the other standards identified above provide a specification for implementing a business continuity management system within an organization.
Business continuity - Business impact analysis (BIA)
The entire concept of business continuity is based on the identification of all business functions within an organization, and then assigning a level of importance to each business function. A business impact analysis is the primary tool for gathering this information and assigning criticality, recovery point objectives, and recovery time objectives, and is therefore part of the basic foundation of business continuity.
The BIA can be used to identify the extent and timescale of the impact on different levels of an organization. For instance, it can examine the effect of disruption on the operational, functional and strategic activities of an organization. Not only the current activities but also the effect of disruption on major business changes, such as introducing a new product or service, can be determined by the BIA.
Most standards require that a business impact analysis be reviewed at defined intervals appropriate for each organization and whenever any of the following occur:
Significant changes in the internal business process, location or technology
Significant changes in the external business environment – such as market or regulatory change
Business continuity - Security management
In today's global business environment, security must be the top priority in managing Information Technology. For most organizations, security is mandated by law, and conformance to those mandates is investigated regularly in the form of audits. Failure to pass security audits can have financial and management-changing impacts upon an organization.
Business continuity - Document management
In large information technology environments, personnel turnover is inevitable and must be planned for as part of business continuity.
Business continuity - Change management
Regulations require that changes to business functions be documented and tracked for auditing purposes; this is designated "change control". It brings a level of stability to the business functions by requiring the support personnel to document and coordinate proposed changes to the underlying systems. As this process becomes more and more automated, the emphasis will be less upon personnel control and more upon regulatory compliance.
Business continuity - Audit management
One of the goals of business continuity is data center automation, which includes audit management.
Automation is often associated with the idea of centralized management, in the area of data storage and data management. Solutions based on storage consolidation can ensure data safety, efficiency, high availability, reliability and convenience.
Business continuity - Service level agreements (SLA)
The interface between management and information technology is the Service Level Agreement (SLA). This provides a written contract stipulating the expectations of management with regard to the availability of a necessary business function, and the deliverables that information technology provides in support of that business function.
Business continuity - Communications systems
In order to avoid some of the potential problems associated with disrupted communication channels, the business continuity plan should include a lead manager who will be in charge of all communications in that area, the cooperation of executives and public relations people, and scheduled exercises to put the plan into practice.
Business continuity - Other components
Disaster recovery planning occurs as a subset of defining the business continuity procedures.
The following is a list of physical and logical entities within an information technology environment which require the application of a business continuity methodology. Applying the methodology should include the definition of things such as policies, guidelines, standards, procedures, etc., for each item in the list:
Logical volumes / disk partitions
Journaling filesystem log
Group names and GID numbers
Business continuity - Planning
Planning, prevention, and preparation are a key part of any business continuity management system and have direct read across from civil contingencies planning. The activity begins with understanding the business to identify potential risks and threats to critical business activities both internally and from the external environment. It is also advisable to examine the resilience of suppliers.
EC-Council - Disaster Recovery and Business Continuity
EC-Council Disaster Recovery Professional (EDRP)
Disaster recovery and business continuity auditing
Disaster recovery (DR) and business continuity refer to an organization's ability to recover from a disaster and/or unexpected event and resume operations. Organizations often have a plan in place (usually referred to as a "Disaster Recovery Plan" or "Business Continuity Plan") that outlines how a recovery will be accomplished. The key to successful disaster recovery is to have a plan (emergency plan, disaster recovery plan, continuity plan) in place well before disaster ever strikes.
Given ever-changing business objectives, one common need in disaster recovery is to perform an audit of the disaster recovery capacity of an organization.
Disaster recovery and business continuity auditing - Metrics
Some of the key metrics to be measured in a disaster recovery environment are the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). RTO measures the time it takes for a system to be completely up and running again in the event of a disaster. RPO measures the ability to recover files by specifying a point-in-time restore from the backup copy.
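The RTO and RPO figures above, together with the MTPoD and maximum tolerable data loss bounds they must stay within (see the BIA section earlier on this page), are easiest to audit when the values measured in a recovery exercise are placed next to the targets. The following Python is an added example, not code from the slides or from any standard listed on this page: it checks a set of BIA targets for internal consistency (RTO within MTPoD, RPO within maximum tolerable data loss), measures a DR exercise record against them, and computes the worst-case data loss a periodic backup schedule can guarantee. The business functions, targets, timestamps and backup schedules are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Everything below is constructed sample data for this example; none of the
# business functions, timings or targets come from the slides or a real BIA.


@dataclass(frozen=True)
class BiaTargets:
    """Values assigned to one critical function during the BIA."""
    function: str
    rto: timedelta            # Recovery Time Objective
    rpo: timedelta            # Recovery Point Objective
    mtpod: timedelta          # Maximum Tolerable Period of Disruption
    max_data_loss: timedelta  # maximum tolerable data loss


@dataclass(frozen=True)
class RecoveryTest:
    """Timestamps recorded while exercising the recovery of one function."""
    function: str
    incident: datetime
    last_good_backup: datetime
    service_restored: datetime


def check_bia_consistency(t: BiaTargets) -> list[str]:
    """A BIA target set is only achievable if the RTO fits inside the MTPoD
    and the RPO fits inside the maximum tolerable data loss."""
    findings = []
    if t.rto > t.mtpod:
        findings.append(f"{t.function}: RTO {t.rto} exceeds MTPoD {t.mtpod}")
    if t.rpo > t.max_data_loss:
        findings.append(f"{t.function}: RPO {t.rpo} exceeds maximum tolerable "
                        f"data loss {t.max_data_loss}")
    return findings


def worst_case_data_loss(interval: timedelta, duration: timedelta) -> timedelta:
    """Worst case for periodic backups: the incident hits just before the
    in-flight backup completes, so the last usable copy is the one started a
    full interval earlier, and the time that copy took to run is lost as well."""
    return interval + duration


def backup_schedule_meets_rpo(t: BiaTargets, interval: timedelta,
                              duration: timedelta) -> bool:
    """Does the backup schedule bound data loss to the RPO even in the worst case?"""
    return worst_case_data_loss(interval, duration) <= t.rpo


def audit_recovery_test(t: BiaTargets, r: RecoveryTest) -> dict:
    """Measure a recovery exercise against the BIA targets.
    Actual RTO: incident -> service restored.
    Actual RPO: last good backup -> incident (the data that was lost)."""
    actual_rto = r.service_restored - r.incident
    actual_rpo = r.incident - r.last_good_backup
    return {
        "function": t.function,
        "actual_rto": actual_rto,
        "actual_rpo": actual_rpo,
        "rto_met": actual_rto <= t.rto,
        "rpo_met": actual_rpo <= t.rpo,
        "within_mtpod": actual_rto <= t.mtpod,
        "within_max_data_loss": actual_rpo <= t.max_data_loss,
    }


# Constructed BIA targets: one consistent set, one that can never be met.
PAYMENTS = BiaTargets("payments", rto=timedelta(hours=4), rpo=timedelta(hours=1),
                      mtpod=timedelta(hours=8), max_data_loss=timedelta(hours=2))
PAYROLL = BiaTargets("payroll", rto=timedelta(hours=1), rpo=timedelta(hours=24),
                     mtpod=timedelta(minutes=30), max_data_loss=timedelta(hours=24))

# Constructed exercise record for the payments function.
PAYMENTS_TEST = RecoveryTest("payments",
                             incident=datetime(2020, 1, 1, 14, 5),
                             last_good_backup=datetime(2020, 1, 1, 12, 0),
                             service_restored=datetime(2020, 1, 1, 17, 30))

# Constructed backup schedules as (interval, run time) pairs.
NIGHTLY_BACKUP = (timedelta(hours=24), timedelta(hours=2))
FREQUENT_BACKUP = (timedelta(minutes=30), timedelta(minutes=10))

if __name__ == "__main__":
    for target in (PAYMENTS, PAYROLL):
        for finding in check_bia_consistency(target):
            print("BIA inconsistency:", finding)
    print(audit_recovery_test(PAYMENTS, PAYMENTS_TEST))
    print("nightly backup meets payments RPO:",
          backup_schedule_meets_rpo(PAYMENTS, *NIGHTLY_BACKUP))
```

On the constructed data the payments exercise meets its 4-hour RTO (restored in 3 h 25 min) but misses its 1-hour RPO, because the last good backup was 2 h 5 min before the incident; that also exceeds the 2-hour maximum tolerable data loss, which is the finding an auditor would escalate. The payroll targets are flagged before any exercise runs, since an RTO of 1 hour cannot fit inside a 30-minute MTPoD. The schedule check makes the same point from the other direction: a nightly backup that takes two hours can lose up to 26 hours of data, so no amount of fast restoration will satisfy a 1-hour RPO.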
Disaster recovery and business continuity auditing - Mission statement
A disaster recovery mission statement is used to identify the purpose and goals of the disaster recovery plan. The mission statement can also help an auditor obtain a better understanding of the organization’s environment. An auditor examines the mission statement to determine the objectives, priorities, and goals of the disaster recovery plan.
Disaster recovery and business continuity auditing - The DR committee and auditor
The organization appoints individuals responsible for designing and implementing the disaster recovery plan when needed.
An auditor is assigned to examine and assess the project manager's and deputy project manager’s training, experience, and abilities, to analyze the capabilities of the team members to complete assigned tasks, and to confirm that more than one individual is trained and capable of performing a particular function. Tests and inquiries of personnel can help achieve this objective.
Organizations, particularly large organizations, ordinarily assign to a specific individual within the organization the task of determining, on an ongoing basis, whether the procedures stated in the disaster recovery plan are actually consistent with real practice.
Disaster recovery and business continuity auditing - Documentation
To maximize their effectiveness, disaster recovery plans are documented in written form and in a manner that is easily understood by those who will need to use them.
Disaster recovery and business continuity auditing - Site designation
A hot/cold site is a location that an organization can move to after a disaster if the current facility is unusable.
The auditor can verify this through paper and paperless documentation and actual physical observation. Testing of the backups and procedures is also performed to confirm data integrity and effective processes. The security of the storage site is also confirmed.
Disaster recovery and business continuity auditing - Data backup
Data backups are central to any disaster recovery plan. An audit of backup processes determines if (a) they are effective, and (b) if they are actually being implemented by the involved personnel. Some techniques that are used to accomplish this include direct observation of the processes in question, analyzing and researching the backup equipment used, conducting computer-assisted audit techniques and tests, examining of paper and paperless records.
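The metrics slide above defines RTO and RPO, and this slide says a backup audit should test whether backups are actually happening using computer-assisted techniques. The block below is an added example written for this page (it is not code from the presentation or from any product it names) that ties the two together: it reads a constructed backup job log, finds gaps between successful copies that exceed the stated RPO (a failed run protects nothing, so only successes count), and sums a constructed recovery runbook to compare against the stated RTO. The log format, job name, timestamps, runbook steps and the `hours` helper are all assumptions made for the illustration.

```python
# Added example for this page (not from the original presentation or any
# product it mentions): a small computer-assisted audit check that reads
# backup job records and tests them against an RPO, and sums a recovery
# runbook's step durations to compare against an RTO. The log format, the
# timestamps, the runbook and the objectives are constructed assumptions.
from datetime import datetime, timedelta

# Constructed sample of backup job records: "<ISO timestamp> <job> <status>".
BACKUP_LOG = """\
2024-03-01T02:00:00 nightly-db SUCCESS
2024-03-02T02:00:00 nightly-db SUCCESS
2024-03-03T02:05:00 nightly-db FAILED
2024-03-04T02:00:00 nightly-db SUCCESS
2024-03-05T02:00:00 nightly-db SUCCESS
"""


def hours(n):
    """Convenience wrapper so objectives read as hours(24) rather than timedelta(...)."""
    return timedelta(hours=n)


# Constructed recovery runbook: (step, estimated duration).
RUNBOOK = [
    ("declare disaster and assemble team", hours(0.5)),
    ("provision standby database host", hours(1)),
    ("restore latest successful backup", hours(2)),
    ("validate data and redirect clients", hours(1)),
]


def parse_backup_log(text):
    """Parse the constructed log into (timestamp, job, status) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, job, status = line.split()
        records.append((datetime.fromisoformat(ts), job, status))
    return records


def success_times(records, job):
    """Sorted completion times of successful runs of one job.
    Only SUCCESS counts: a FAILED run protects no data, so it does not reset the clock."""
    return sorted(ts for ts, j, st in records if j == job and st == "SUCCESS")


def rpo_violations(records, job, rpo):
    """Intervals between consecutive successful backups that exceed the RPO.
    Each item is (start, end, gap): data written inside that window could be lost."""
    times = success_times(records, job)
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > rpo]


def worst_case_data_loss(records, job):
    """Largest gap between successful backups, i.e. the RPO actually achieved."""
    times = success_times(records, job)
    if len(times) < 2:
        return None
    return max(b - a for a, b in zip(times, times[1:]))


def estimated_recovery_time(runbook):
    """Sum of the runbook's step durations: a paper estimate of the RTO,
    which the page's drills slide says must be confirmed by exercising the plan."""
    return sum((d for _, d in runbook), timedelta())


def audit(records, job, rpo, runbook, rto):
    """Summarise whether the evidence supports the stated objectives."""
    return {
        "rpo_met": not rpo_violations(records, job, rpo),
        "achieved_rpo": worst_case_data_loss(records, job),
        "rto_met": estimated_recovery_time(runbook) <= rto,
        "estimated_rto": estimated_recovery_time(runbook),
    }


if __name__ == "__main__":
    recs = parse_backup_log(BACKUP_LOG)
    for key, value in audit(recs, "nightly-db", hours(24), RUNBOOK, hours(4)).items():
        print(f"{key}: {value}")
    for start, end, gap in rpo_violations(recs, "nightly-db", hours(24)):
        print(f"RPO violated between {start} and {end}: {gap}")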
The continual backing up of data and systems can help minimize the impact of threats. Even so, the disaster recovery plan also includes information on how best to recover any data that has not been copied. Controls and protections are put in place to ensure that data is not damaged, altered, or destroyed during this process. Information technology experts and procedures need to be identified that can accomplish this endeavor. Vendor manuals can also assist in determining how best to proceed.
Disaster recovery and business continuity auditing - Drills
Practice drills are conducted periodically to determine how effective the plan is and what changes may be necessary. The auditor’s primary concern here is verifying that these drills are being conducted properly, that problems uncovered during them are addressed, and that procedures designed to deal with the potential deficiencies are implemented and tested to determine their effectiveness.
Disaster recovery and business continuity auditing - Backup of key personnel
A disaster recovery plan includes clearly written policies and specific communication with employees to ensure that both regular and replacement personnel are selected, documented, and informed should a disaster occur.
Disaster recovery and business continuity auditing - Insurance issues
The auditor determines the adequacy of the company's insurance coverage (particularly property and casualty insurance) through a review of the company's insurance policies and other research.
Effective DR plans take into account the extent of a company's responsibilities to other entities and its ability to fulfill those commitments despite a major disaster.
Disaster recovery and business continuity auditing - Communication issues
Good disaster recovery planning ensures that both management and the recovery team have disaster recovery procedures which allow for effective communication.
Disaster recovery and business continuity auditing - Emergency procedures
Procedures to sustain staff during a round-the-clock disaster recovery effort are included in any good disaster recovery plan.
Disaster recovery and business continuity auditing - Environmental issues
Disaster recovery plans may also involve procedures that take into account the possibility of power failures or other situations that are of a non-IT nature.
TRAC (ISMS) - Business Continuity Program
The Business Continuity Program module provides a framework for conducting a Business Impact Analysis as well as creating a full Business Continuity Plan.
Resilience (organizational) - Business Continuity and Competitiveness
Many corporations are adopting resilience and business continuity initiatives and sharing best practices (Building A Resilient Nation: Enhancing Security, Ensuring a Strong Economy).
Many experts and leaders see resilience as a vital component to a comprehensive homeland security strategy (Katherine McIntire Peters).
Crisis management - Business continuity planning
Business Management: Top tips for effective, real-world Business Continuity Management
Each critical function and/or process must have its own contingency plan. In the event that one of the functions/processes ceases or fails, the business/organisation is then more resilient, which in itself provides a mechanism to lessen the possibility of having to invoke recovery plans (Osborne, 2007).
A note of caution when planning training scenarios: all too often simulations lack ingenuity and an appropriate level of realism and, as a consequence, potentially lose their training value.
Following a simulation exercise, a thorough and systematic debriefing must be conducted as a key component of any crisis simulation. The purpose of this is to create a link between, and draw lessons from, the reality of the simulated representation and the reality of the real world (Borodzicz, 2005).
The whole process relating to business continuity planning should be periodically reviewed to identify any changes that may invalidate the current plan (Osborne, 2007).
Facility management - Business continuity planning
All organisations should have in place a continuity plan so that in the event of a fire or major failure the business can recover quickly. In large organisations it may be that the staff move to another site that has been set up to model the existing operation. The facilities management department would be one of the key players should it be necessary to move the business to a recovery site.
Information risk management - Risk management and business continuity
Whereas risk management tends to be preemptive, business continuity planning (BCP) was invented to deal with the consequences of realised residual risks.
Business continuity management
A business continuity plan is a roadmap for continuing operations under adverse conditions such as a storm or a crime.
In 2007, the BSI published BS Specification for Business Continuity Management, which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).
Business continuity management - Business impact analysis (BIA)
* Recovery Time Objective (RTO) – the acceptable amount of time to restore the function
* The business requirements for recovery of the critical function, and/or
* The technical requirements for recovery of the critical function
Information security policies - Business continuity
1. Should a disaster strike, what are the first few things that I should do? Should I call people to find if they are OK or call up the bank to figure out my money is safe? This is Emergency Response. Emergency Response services help take the first hit when the disaster strikes and if the disaster is serious enough the Emergency Response teams need to quickly get a Crisis Management team in place.
2. What parts of my business should I recover first? The one that brings me most money or the one where I spend the most, or the one that will ensure I shall be able to get sustained future growth? The identified sections are the critical business units. There is no magic bullet here, no one answer satisfies all. Businesses need to find answers that meet business requirements.
3. How soon should I target to recover my critical business units? In BCP technical jargon, this is called the Recovery Time Objective, or RTO. This objective will define what costs the business will need to spend to recover from a disruption. For example, it is cheaper to recover a business in 1 day than in 1 hour.
4. What all do I need to recover the business? IT, machinery, records... food, water, people... So many aspects to dwell upon. The cost factor becomes clearer now... Business leaders need to drive business continuity. Hold on. My IT manager spent $ last month and created a DRP (Disaster Recovery Plan); whatever happened to that? A DRP is about continuing an IT system, and is one of the sections of a comprehensive Business Continuity Plan. Look below for more on this.
5. And where do I recover my business from? Will the business center give me space to work, or would it be flooded by many people queuing up for the same reasons that I am?
6. But once I do recover from the disaster and work at reduced production capacity, since my main operational sites are unavailable, how long can this go on? How long can I do without my original sites, systems, people? This defines the amount of business resilience a business may have.
7. Now that I know how to recover my business, how do I make sure my plan works? Most BCP pundits would recommend testing the plan at least once a year, reviewing it for adequacy and rewriting or updating the plans either annually or when businesses change.
Disaster recovery plan - Relationship to the Business Continuity Plan
The Institute further states that a Business Continuity Plan (BCP) consists of the five component plans (The Disaster Recovery Plan, Chad Bahan):
* Business Resumption Plan
* Continuity of Operations Plan
The Institute states that the first three plans (Business Resumption, Occupant Emergency, and Continuity of Operations Plans) do not deal with the IT infrastructure.
The Disaster Recovery Institute International states that disaster recovery is the area of business continuity that deals with technology recovery as opposed to the recovery of business operations (Disaster Recovery Institute International, Course BCLE Participant Guide: Professional Practice 6, Page).
Certified Business Continuity Professional
Certified Business Continuity Professional (CBCP) is an internationally recognized professional certification issued by the Disaster Recovery Institute for business continuity management (Disaster Recovery Institute International, Certification CBCP, accessed June 3, 2011). A certified expert must pass a detailed exam consisting of ten domains and prove his/her experience in at least five domains for a minimum of two years.
Coordinated Incident Management System - Business Continuity / Crisis Management
In recent years, CIMS has also been recognised as best practice for implementing management structures for response and recovery.
Emergency procedure - Business Continuity Planning
Business continuity planning may also feed off the emergency procedures, enabling an organization to identify points of vulnerability and minimise the risk to the business by preparing backup plans and improving resilience. The act of producing the procedures may also highlight failings in current arrangements that, if corrected, could reduce the risk levels.
For More Information, Visit:
The Art of Service