Business Continuity

https://store.theartofservice.com/the-business-continuity-toolkit.html

Information security - Business continuity

Business continuity is the mechanism by which an organization continues to operate its critical business units during planned or unplanned disruptions that affect normal business operations, by invoking planned and managed procedures.

Business continuity is not simply about the business; it is also an IT system and process. Today, disasters or disruptions to business are a reality. Whether the disaster is natural or man-made, it affects normal life and so business. Therefore, planning is important.

The planning is merely getting better prepared to face it, knowing full well that the best plans may fail. Planning helps to reduce the cost of recovery and operational overheads and, most importantly, to sail through some of the smaller disruptions effortlessly.

For businesses to create effective plans, they need to focus upon the following key questions. Most of these are common knowledge, and anyone can do a BCP.

Should a disaster strike, what are the first few things that I should do? Should I call people to find if they are OK or call up the bank to figure out my money is safe? This is Emergency Response. Emergency Response services help take the first hit when the disaster strikes, and if the disaster is serious enough the Emergency Response teams need to quickly get a Crisis Management team in place.

What parts of my business should I recover first? The one that brings me the most money, the one where I spend the most, or the one that will ensure I shall be able to get sustained future growth? The identified sections are the critical business units. There is no magic bullet here; no one answer satisfies all. Businesses need to find answers that meet business requirements.

How soon should I target to recover my critical business units? In BCP technical jargon, this is called the Recovery Time Objective, or RTO. This objective will define what costs the business will need to spend to recover from a disruption. For example, it is cheaper to recover a business in 1 day than in 1 hour.

What all do I need to recover the business? IT, machinery, records... food, water, people... So many aspects to dwell upon. The cost factor becomes clearer now... Business leaders need to drive business continuity. Hold on. My IT manager spent $200000 last month and created a DRP (Disaster Recovery Plan); whatever happened to that? A DRP is about continuing an IT system, and is one of the sections of a comprehensive Business Continuity Plan. Look below for more on this.

And where do I recover my business from... Will the business center give me space to work, or would it be flooded by many people queuing up for the same reasons that I am?

But once I do recover from the disaster and work in reduced production capacity since my main operational sites are unavailable, how long can this go on? How long can I do without my original sites, systems, people? This defines the amount of business resilience a business may have.

Now that I know how to recover my business, how do I make sure my plan works? Most BCP pundits would recommend testing the plan at least once a year, reviewing it for adequacy and rewriting or updating the plans either annually or when businesses change.

Cloud computing security - Business continuity and data recovery

Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered. These plans are shared with and reviewed by their customers.

Risk management - Risk management and business continuity

Risk management is simply a practice of systematically selecting cost-effective approaches for minimising the effect of threat realization to the organization. All risks can never be fully avoided or mitigated simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risks.

Whereas risk management tends to be preemptive, business continuity planning (BCP) was invented to deal with the consequences of realised residual risks.

Business continuity planning

A business continuity plan is a roadmap for continuing operations under adverse conditions such as a storm or a crime.

Any event that could impact operations is included, such as supply chain interruption, loss of or damage to critical infrastructure (major machinery or computing/network resource). As such, risk management must be incorporated as part of BCP.

In 2007, the BSI published BS 25999-2 "Specification for Business Continuity Management", which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).

BS 25999-2:2007 business continuity management is the British Standard for business continuity management across all organizations.

This document was superseded in November 2012 by the British standard BS ISO 22301:2012 (British Standards Institution, 2012).

In 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act 2004 (The Act). This provides the legislation for civil protection in the UK.

The Act was separated into two distinct parts. Part 1 focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders. Part 2 focuses on emergency powers, establishing a modern framework for the use of special legislative measures that might be necessary to deal with the effects of the most serious emergencies.

The Act is telling responders and planners that businesses need to have continuity planning measures in place in order to survive and continue to thrive whilst working towards keeping the incident as minimal as possible (Cabinet Office, 2004).

Business continuity planning - Business impact analysis (BIA)

A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:

• Recovery Time Objective (RTO) – the acceptable amount of time to restore the function

The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.

Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:

• The business requirements for recovery of the critical function, and/or
• The technical requirements for recovery of the critical function

Business continuity planning - Threat and risk analysis (TRA)

After defining recovery requirements, each potential threat may require unique recovery steps. Common threats include:

The impact of an epidemic can be regarded as purely human, and may be alleviated with technical and business solutions. However, if people behind these plans are affected by the disease, then the process can stumble.

During the 2002–2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organizations also banned face-to-face intergroup contact during business and non-business hours. The split increased resiliency against the threat of quarantine measures if one person in a team was exposed to the disease.

Business continuity planning - Impact scenarios

After defining threats, impact scenarios form the basis of the business recovery plan. In general, planning for the most wide-reaching impact is preferable. A typical impact scenario such as "building loss" encompasses most critical business functions. A BCP may document scenarios for each building. More localized impact scenarios – for example loss of a specific floor in a building – may also be documented.

Business continuity planning - Recovery requirement

After the analysis phase, business and technical recovery requirements precede the solutions phase. Asset inventories allow for quick identification of deployable resources. For an office-based, IT-intensive business, the plan requirements may cover desks, human resources, applications, data, manual workarounds, computers and peripherals.

Other business environments, such as production, distribution, warehousing etc. will need to cover these elements, but likely have additional issues.

Business continuity planning - Solution design

The solution design phase identifies the most cost-effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT purposes, this is commonly expressed as the minimum application and data requirements and the time in which the minimum application and application data must be available.

Outside the IT domain, preservation of hard copy information, such as contracts, skilled staff or restoration of embedded technology in a process plant must be considered. This phase overlaps with disaster recovery planning methodology. The solution phase determines:

• telecommunication architecture between primary and secondary work sites
• applications and data required at the secondary work site, and
• physical data requirements at the secondary work site.

Business continuity planning - Implementation

The implementation phase involves policy changes, material acquisitions, staffing and testing.

Business continuity planning - Testing and organizational acceptance

The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors. Testing may include:

• Crisis command team call-out testing

At minimum, testing is conducted on a biannual schedule.

The 2008 book Exercising for Excellence, published by The British Standards Institution, identified three types of exercises that can be employed when testing business continuity plans.

Business continuity planning - Tabletop exercises

Tabletop exercises typically involve a small number of people and concentrate on a specific aspect of a BCP. They can easily accommodate complete teams from a specific area of a business.

Another form involves a single representative from each of several teams. Typically, participants work through a simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered out of working hours.

The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.

Business continuity planning - Medium exercises

A medium exercise is conducted within a "Virtual World" and brings together several departments, teams or disciplines.

A medium exercise typically lasts a few hours, though it can extend over several days. Medium exercises typically involve a "Scenario Cell" that adds pre-scripted "surprises" throughout the exercise.

Business continuity planning - Complex exercises

A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.

While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.

Business continuity planning - Maintenance

The biannual or annual maintenance cycle of a BCP manual is broken down into three periodic activities:

• Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.
• Testing and verification of technical solutions established for recovery operations.
• Testing and verification of organization recovery procedures.

Issues found during the testing phase often must be reintroduced to the analysis phase.

Business continuity planning - Information/targets

The BCP manual must evolve with the organization. Activating the call tree verifies the notification plan's efficiency as well as contact data accuracy. Types of changes that should be identified and updated in the manual include:

• Organization structure changes
• Communication and transportation infrastructure such as roads and bridges

Business continuity planning - Technical

Specialized technical resources must be maintained. Checks include:

• Application security and service patch distribution

Business continuity planning - Testing and verification of recovery procedures

As work processes change, previous recovery procedures may no longer be suitable. Checks include:

• Are all work processes for critical functions documented?
• Have the systems used for critical functions changed?
• Are the documented work checklists meaningful and accurate?
• Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective?

Business continuity planning - Notes

Elliot, D.; Swartz, E.; Herbane, B. (1999). Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No, pp. 43–60. Here: p. 48.

Intrieri, Charles (10 September 2013). "Business Continuity Planning". Flevy. Retrieved 29 September 2013.

British Standards Institution (2006). Business continuity management - Part 1: Code of practice. London.

British Standards Institution (2012). Societal security – Business continuity management systems – Requirements. London.

Cabinet Office (2004). Overview of the Act. In: Civil Contingencies Secretariat, Civil Contingencies Act 2004: a short. London: Civil Contingencies Secretariat.

Business continuity planning - Bibliography

Business Continuity Planning, FEMA. Retrieved June 16, 2012.

Continuity of Operations Planning (no date). U.S. Department of Homeland Security. Retrieved July 26, 2006.

Purpose of Standard Checklist Criteria For Business Recovery (no date). Federal Emergency Management Agency. Retrieved July 26, 2006.

NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (2010). National Fire Protection Association.

United States General Accounting Office Y2k BCP Guide (August 1998). United States Government Accountability Office.

Business continuity planning - International Organization for Standardization

• ISO/IEC 27001:2005 (formerly BS 7799-2:2002) Information Security Management System
• ISO/IEC 27002:2005 (renumbered ISO17999:2005) Information Security Management – Code of Practice
• ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity
• ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management
• ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services
• ISO 22301:2012 Societal security - Business continuity management systems - Requirements
• ISO 22313:2012 Societal security - Business continuity management systems - Guidance

Business continuity planning - British Standards Institution

• BS 25999-1:2006 Business Continuity Management Part 1: Code of practice

Business continuity planning - Others

• "A Guide to Business Continuity Planning" by James C. Barnes
• "Business Continuity Planning", A Step-by-Step Guide with Planning Forms on CDROM by Kenneth L Fulmer
• "Business Continuity Plan Design, 8 Steps for Getting Started Designing a Plan" by Richard Kepenach
• "Disaster Survival Planning: A Practical Guide for Businesses" by Judy Bell
• Harney, J. (2004). Business continuity and disaster recovery: Back up or shut down.
• Dimattia, S. (November 15, 2001). Planning for Continuity. Library Journal, 32–34.
• Exercising for Excellence (Delivering successful business continuity management exercises) by Crisis Solutions

Business continuity

If there is no Business Continuity plan implemented and the organization in question is facing a rather severe threat or disruption that may lead to bankruptcy, the implementation and outcome, if not too late, may strengthen the organization's survival and its continuity of business activities (Gittleman, 2013).

It is also sometimes confused with Work Area Recovery (due to loss of the physical building which the business is conducted within), which is but a part of business continuity.

The term Business Continuity describes a mentality or methodology of conducting day-to-day business, whereas business continuity planning is an activity of determining what that methodology should be. The business continuity plan may be thought of as the incarnation of a methodology that is followed by everyone in an organization on a daily basis to ensure normal operations.

Business continuity - Standards

This section provides references to a number of worldwide BC/BCM standards (content pulled from SDO’s website):

ISO - On 15 May 2012, ISO published the International Standard ISO 22301:2012, "Societal security - Business continuity management systems - Requirements". A second International Standard ISO 22313, "Societal security - Business continuity management systems – Guidance", is in the Draft International Standard (DIS) phase and is expected to be published in late 2012 or early 2013.

In 2011, ISO published the International Standard ISO/IEC 27031:2011, "Information security - Security techniques - Guidelines for information and communication technology [ICT] readiness for business continuity." This provides guidance for organizations implementing the ICT component of business continuity management. It also provides guidance in support of the business continuity elements of the information security standards, ISO/IEC 27001 and ISO/IEC 27002.

The second, “BS 25999-2:2007 Specification for Business Continuity Management”, specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS), describing only requirements that can be objectively and independently audited.

North America – Published by the National Fire Protection Association: NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.

North America - ASIS/BSI BCM.01:2010, published Dec 2010.

ANSI/ASIS SPC.1-2009 Organizational Resilience: The ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use American National Standard is under consideration for inclusion in the DHS PS-Prep, a voluntary program designed to enhance national resilience in an all hazards environment by improving private sector preparedness.

Australia – Published by Standards Australia: HB 292-2006: A practitioners guide to business continuity management; HB 293-2006: Executive guide to business continuity management. In 2010, Standards Australia introduced their Standard AS/NZS 5050 that connects far more closely with traditional risk management practices. This interpretation is designed to be used in conjunction with AS/NZS 31000 covering risk management.

Business continuity - Program

Ongoing management-level process to ensure that necessary steps are regularly taken to identify probable accidents, disasters, emergencies, and/or threats. It also involves (1) assessment of the probable effect of such events, (2) development of recovery strategies and plans, and (3) maintenance of their readiness through personnel training and plan testing. See also business impact analysis.

Business continuity - Policies

Policies are those things mandated by the management of an organization that will always be performed according to a preset design plan, and that support all business functions within an organization.

Business continuity - BC/BCM plan

The components of the business continuity methodology required for manifestation into a documented plan include:

Set of documents, instructions, and procedures which enable a business to respond to accidents, disasters, emergencies, and/or threats without any stoppage or hindrance in its key operations. Also called business resumption plan, disaster recovery plan, or recovery plan.

Business continuity - BC/BCM planning

Task of identifying, developing, acquiring, documenting, and testing procedures and resources that will ensure continuity of a firm's key operations in the event of an accident, disaster, emergency, and/or threat. It involves (1) risk mitigation planning (reducing possibility of the occurrence of adverse events), and (2) business recovery planning (ensuring continued operation in the aftermath of a disaster).

Business continuity - Guidelines

Guidelines are those things which are recommended to be performed according to a preset design plan. However, depending upon the needs and requirements of the target business function, these items may or may not be performed, or may be altered during implementation.

Business continuity - Procedures

British Standard 25999-2 and other standards identified above provide a specification for implementing a business continuity management system within an organization.

Business continuity - Business impact analysis (BIA)

The entire concept of business continuity is based on the identification of all business functions within an organization, and then assigning a level of importance to each business function. A business impact analysis is the primary tool for gathering this information and assigning criticality, recovery point objectives, and recovery time objectives, and is therefore part of the basic foundation of business continuity.

The BIA can be used to identify the extent and timescale of the impact on different levels of an organization. For instance, it can examine the effect of disruption on operational, functional and strategic activities of an organization. The BIA can determine the effect of disruption not only on current activities but also on major business changes, such as introducing new products or services.

Most standards require that a business impact analysis should be reviewed at defined intervals appropriate for each organization and whenever any of the following occur:

* Significant changes in the internal business process, location or technology
* Significant changes in the external business environment – such as market or regulatory change

Business continuity - Security management

In today's global business environment, security must be the top priority in managing Information Technology. For most organizations, security is mandated by law, and conformance to those mandates is investigated regularly in the form of audits. Failure to pass security audits can have financial and management changing impacts upon an organization.

Business continuity - Document management

In large information technology environments, personnel turnover is inevitable and must be planned as part of business continuity.

Business continuity - Change management

Regulations require that changes to business functions be documented and tracked for auditing purposes; this is designated as "change control". This brings a level of stability to the business functions by requiring the support personnel to document and coordinate proposed changes to the underlying systems. As this process becomes more and more automated, the emphasis will be less upon personnel control, and more upon regulatory compliance.

Business continuity - Audit management

One of the goals of business continuity is data center automation, which includes audit management.

Automation is often associated with the idea of centralized management in the area of data storage and data management. Solutions based on storage consolidation can ensure data safety, efficiency, high availability, reliability and convenience.

Business continuity - Service level agreements (SLA)

The interface between management and information technology is the Service level agreement (SLA). This provides a written contract stipulating the expectations of management with regard to the availability of a necessary business function, and the deliverables that information technology provides in support of that business function.

Business continuity - Communications systems

In order to avoid some of the potential problems associated with disrupted communication channels, the business continuity plan should include a lead manager who will be in charge of all communications in that area, the cooperation of executives and public relations people, and scheduled exercises to put the plan into practice.

Business continuity - Other components

Disaster recovery planning occurs as a subset of defining the business continuity procedures.

The following is a list of physical and logical entities within an information technology environment which require the application of a business continuity methodology. Applying the methodology should include the definition of things such as policies, guidelines, standards, procedures, etc., for each item in the list:

* Logical Volumes / Disk Partitions
* Journaling Filesystems Log
* Group names and GID numbers

Business continuity - Planning

Planning, prevention, and preparation are a key part of any business continuity management system and have direct read across from civil contingencies planning. The activity begins with understanding the business to identify potential risks and threats to critical business activities both internally and from the external environment. It is also advisable to examine the resilience of suppliers.

EC-Council - Disaster Recovery and Business Continuity

EC-Council Disaster Recovery Professional (EDRP)

Disaster recovery and business continuity auditing

Disaster recovery (DR) and business continuity refer to an organization’s ability to recover from a disaster and/or unexpected event and resume operations. Organizations often have a plan in place (usually referred to as a "Disaster Recovery Plan", or "Business Continuity Plan") that outlines how a recovery will be accomplished. The key to successful disaster recovery is to have a plan (emergency plan, disaster recovery plan, continuity plan) well before disaster ever strikes.

Given ever-changing business objectives, one common need in disaster recovery is to perform an audit of the disaster recovery capacity of an organization.

Disaster recovery and business continuity auditing - Metrics

Some of the key metrics to be measured in a disaster recovery environment are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is a metric that measures the time that it takes for a system to be completely up and running in the event of a disaster. RPO measures the ability to recover files by specifying a point in time restore of the backup copy.

Disaster recovery and business continuity auditing - Mission statement

A disaster recovery mission statement is used to identify the purpose and goals of the disaster recovery plan. The mission statement can also help an auditor obtain a better understanding of the organization’s environment. An auditor examines the mission statement to determine the objectives, priorities, and goals of the disaster recovery plan.

Disaster recovery and business continuity auditing - The DR committee and auditor

The organization appoints individuals responsible for designing and implementing the disaster recovery plan when needed.

An auditor is assigned to examine and assess the project manager and deputy project manager’s training, experience, and abilities, as well as to analyze the capabilities of the team members to complete assigned tasks and to confirm that more than one individual is trained and capable of doing a particular function. Tests and inquiries of personnel can help achieve this objective.

Organizations, particularly large organizations, ordinarily assign to a specific individual within the organization the task of determining, on an ongoing basis, whether the procedures stated in the disaster recovery plan are actually consistent with real practice.

Disaster recovery and business continuity auditing - Documentation

To maximize their effectiveness, disaster recovery plans are documented in written form and in a manner that is easily understood by those who will need to use them.

Disaster recovery and business continuity auditing - Site designation

A hot/cold site is a location that an organization can move to after a disaster if the current facility is unusable.

The auditor can verify this through paper and paperless documentation and actual physical observation. Testing of the backups and procedures is also performed to confirm data integrity and effective processes. The security of the storage site is also confirmed.

Disaster recovery and business continuity auditing - Data backup

Data backups are central to any disaster recovery plan. An audit of backup processes determines whether (a) they are effective, and (b) they are actually being implemented by the involved personnel. Some techniques that are used to accomplish this include direct observation of the processes in question, analyzing and researching the backup equipment used, conducting computer-assisted audit techniques and tests, and examining paper and paperless records.

The continual backing up of data and systems can help minimize the impact of threats. Even so, the disaster recovery plan also includes information on how best to recover any data that has not been copied. Controls and protections are put in place to ensure that data is not damaged, altered, or destroyed during this process. Information technology experts and procedures that can accomplish this endeavor need to be identified. Vendor manuals can also assist in determining how best to proceed.

Disaster recovery and business continuity auditing - Drills

Practice drills are conducted periodically to determine how effective the plan is and to determine what changes may be necessary. The auditor’s primary concern here is verifying that these drills are being conducted properly, that problems uncovered during these drills are addressed, and that procedures designed to deal with these potential deficiencies are implemented and tested to determine their effectiveness.

Disaster recovery and business continuity auditing - Backup of key personnel

A disaster recovery plan includes clearly written policies and specific communication with employees to ensure that both regular and replacement personnel are selected, documented, and informed should a disaster occur.

Disaster recovery and business continuity auditing - Insurance issues

The auditor determines the adequacy of the company's insurance coverage (particularly property and casualty insurance) through a review of the company's insurance policies and other research.

Effective DR plans take into account the extent of a company's responsibilities to other entities and its ability to fulfill those commitments despite a major disaster.

Disaster recovery and business continuity auditing - Communication issues

Good disaster recovery planning ensures that both management and the recovery team have disaster recovery procedures which allow for effective communication.

Disaster recovery and business continuity auditing - Emergency procedures

Procedures to sustain staff during a round-the-clock disaster recovery effort are included in any good disaster recovery plan.

Disaster recovery and business continuity auditing - Environmental issues

Disaster recovery plans may also involve procedures that take into account the possibility of power failures or other situations that are of a non-IT nature.

TRAC (ISMS) - Business Continuity Program

The Business Continuity Program module provides a framework for conducting a Business Impact Analysis as well as creating a full Business Continuity Plan.

Resilience (organizational) - Business Continuity and Competitiveness

Many corporations are adopting resilience and business continuity initiatives and sharing best practices. (Building A Resilient Nation: Enhancing Security, Ensuring a Strong Economy, https://www.policyarchive.org/bitstream/handle/10207/9662/Building_Resilience_OCT6.pdf?sequence=1)

Many experts and leaders see resilience as a vital component to a comprehensive homeland security strategy. (Katherine McIntire Peters)

Crisis management - Business continuity planning

Business Management: Top tips for effective, real-world Business Continuity Management)

Each critical function and/or process must have its own contingency plan in the event that one of the functions/processes ceases or fails; the business/organisation is then more resilient, which in itself provides a mechanism to lessen the possibility of having to invoke recovery plans (Osborne, 2007).

A note of caution when planning training scenarios: all too often simulations can lack ingenuity and an appropriate level of realism, and as a consequence potentially lose their training value.

Following a simulation exercise, a thorough and systematic debriefing must be conducted as a key component of any crisis simulation. The purpose of this is to create a link and draw lessons from the reality of the simulated representation and the reality of the real world (Borodzicz, 2005).

The whole process relating to business continuity planning should be periodically reviewed to identify any number of changes that may invalidate the current plan (Osborne, 2007).

Facility management - Business continuity planning

All organisations should have in place a continuity plan so that in the event of a fire or major failure the business can recover quickly. In large organisations it may be that the staff move to another site that has been set up to model the existing operation. The facilities management department would be one of the key players should it be necessary to move the business to a recovery site.

Information risk management - Risk management and business continuity

Whereas risk management tends to be preemptive, business continuity planning (BCP) was invented to deal with the consequences of realised residual risks.

Business continuity management

A business continuity plan is a roadmap for continuing operations under adverse conditions such as a storm or a crime.

In 2007, the BSI published BS 25999-2 Specification for Business Continuity Management, which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).

Business continuity management - Business impact analysis (BIA)

* Recovery Time Objective (RTO) – the acceptable amount of time to restore the function
* The business requirements for recovery of the critical function, and/or
* The technical requirements for recovery of the critical function

Information security policies - Business continuity

1. Should a disaster strike, what are the first few things that I should do? Should I call people to find out if they are OK, or call up the bank to figure out whether my money is safe? This is Emergency Response. Emergency Response services help take the first hit when the disaster strikes, and if the disaster is serious enough the Emergency Response teams need to quickly get a Crisis Management team in place.

2. What parts of my business should I recover first? The one that brings me the most money, the one where I spend the most, or the one that will ensure I shall be able to get sustained future growth? The identified sections are the critical business units. There is no magic bullet here; no one answer satisfies all. Businesses need to find answers that meet business requirements.

3. How soon should I target to recover my critical business units? In BCP technical jargon, this is called the Recovery Time Objective, or RTO. This objective will define what costs the business will need to spend to recover from a disruption. For example, it is cheaper to recover a business in 1 day than in 1 hour.

4. What all do I need to recover the business? IT, machinery, records... food, water, people... So many aspects to dwell upon. The cost factor becomes clearer now... Business leaders need to drive business continuity. Hold on. My IT manager spent $200000 last month and created a DRP (Disaster Recovery Plan); whatever happened to that? A DRP is about continuing an IT system, and is one of the sections of a comprehensive Business Continuity Plan. Look below for more on this.

5. And where do I recover my business from... Will the business center give me space to work, or would it be flooded by many people queuing up for the same reasons that I am?

6. But once I do recover from the disaster and work in reduced production capacity since my main operational sites are unavailable, how long can this go on? How long can I do without my original sites, systems, people? This defines the amount of business resilience a business may have.

7. Now that I know how to recover my business, how do I make sure my plan works? Most BCP pundits would recommend testing the plan at least once a year, reviewing it for adequacy and rewriting or updating the plans either annually or when businesses change.

Disaster recovery plan - Relationship to the Business Continuity Plan

The Institute further states that a Business Continuity Plan (BCP) consists of the five component plans (Chad Bahan, The Disaster Recovery Plan, http://www.sans.org/reading_room/whitepapers/recovery/disaster-recovery-plan_1164):

* Business Resumption Plan
* Continuity of Operations Plan

The Institute states that the first three plans (Business Resumption, Occupant Emergency, and Continuity of Operations Plans) do not deal with the IT infrastructure.

The Disaster Recovery Institute International states that disaster recovery is the area of business continuity that deals with technology recovery as opposed to the recovery of business operations. (Disaster Recovery Institute International. Course BCLE 2000. Participant Guide: Professional Practice 6. Page 17. 2012.)

Certified Business Continuity Professional

Certified Business Continuity Professional (CBCP) is an internationally recognized professional certification issued by the Disaster Recovery Institute for business continuity management. (Disaster Recovery Institute International. Certification CBCP. https://www.drii.org/certification/cbcp.php, accessed June 3, 2011.) A certified expert must pass a detailed exam consisting of ten domains and prove his/her experience in at least five domains for a minimum of two years.

Coordinated Incident Management System - Business Continuity / Crisis Management

In recent years, CIMS has also been recognised as best practice for implementing management structures for response and recovery.

Facilities management - Business continuity planning

All organizations should have in place a continuity plan so that in the event of a fire or major failure the business can recover quickly. In large organizations it may be that the staff move to another site that has been set up to model the existing operation. The facilities management department would be one of the key players should it be necessary to move the business to a recovery site.

Emergency procedure - Business Continuity Planning

Business continuity planning may also feed off of the emergency procedures, enabling an organization to identify points of vulnerability and minimise the risk to the business by preparing backup plans and improving resilience. The act of producing the procedures may also highlight failings in current arrangements that, if corrected, could reduce the risk levels.