Example business continuity plan


Example Business Continuity Plan Based upon DS4.2 from COBIT (Control Objectives for Information Technology)

Prepared by: Micheal Axelsen FCPA [1]

Director, Applied Insight Pty Ltd

Provided as is, without warranty, for businesses to consider as a very early starting point in the preparation of a business continuity plan. This work is based upon material delivered to University business students.

Question One: Research Issue – Personal Data Protection

Assume a fire has destroyed your bedroom. Identify the items in your room that would be irreplaceable if this scenario eventuated. Draw up a business continuity plan for your bedroom and yourself.

Identify what you would need to do to ensure that irreplaceable items are better protected in the future. Identify the steps you would need to take immediately after the fire to recover from this disaster.

Worked Solution

Note that in COBIT 4.1, regarding the IT aspects we would need to identify an IT continuity plan. Firstly, we need to understand our business requirements – what our key business functions and processes are (DS4.2).

So, the business continuity plan draws upon our risk management framework (for argument’s sake, AS/NZS 4360:2004):

Identify key business functions and processes.

[1] Micheal may be contacted on 0412 526 375 or [email protected].

Identify ‘major’ disruption by reference to risk appetite

Consider what the definitions of economic loss might be that are insignificant, minor, moderate, major, or catastrophic (e.g. catastrophic might be $1,000,000 whilst insignificant might be $500).

Identify potential business impacts

What actions can be taken to address requirements for:

- Resilience (reduce likelihood or consequence of the risk)
- Alternative processing (work-arounds in the event access is denied)
- Recovery capability of critical IT services (recovery of critical IT services)

Identify usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach


A rough approach might look like this:

Business Continuity Plan

Risk Appetite: The business has determined that it can withstand a $3,000 level of disruption.

Assumptions: Catastrophic events (e.g. fire, flood) would result in similar business impacts. Actions to reduce impact will work equally as well for low-impact events (e.g. localised flooding, loss of internet connection).

Note: Some things are deliberately missing – who can spot something?

Key business functions Business impact if unavailable

Resilience Actions Procedures & Responsibilities

Client Acquisition: Marketing website material (two websites, www.michealaxelsen.com and www.appliedinsight.com.au) and supporting collateral

Clients unable to discover business and identify services. Large business impact.

If content lost, would take months to re-create, if at all possible.

Host with reliable ISP with strong financial background (Yahoo)

Host on a common ISP platform.

Take XML download of posts/content monthly. Add to backup processes.

MSA

Current marketing plan

Marketing stages with clients lost. Moderate business impact.

Incorporate into Exchange Server with email – reduce points of failure.

Reputable provider with SLA (WebCentral)

Enables sync across devices and internet access.

None identified.

MSA

Service Delivery

Methodologies and client outputs

Affects ability to convince clients of capability.

Affects efficiency and effectiveness as these are all key to service delivery.

Store in a single place and protect that well (i.e. hard drive) and incorporate into backup processes.

Backup process:

1. Use SyncBack for each laptop daily – files are stored in three places (PMD, Dell, HP).

2. Daily backup from Dell to external USB using MS Backup & Sync (monthly resets to keep disk space low).

3. Monthly backup of entire system to a third 500 GB pocket media drive kept at separate office 5 km away.

MSA

Precedents and models

Affects ability to convince clients of capability.

Affects efficiency and effectiveness as these are all key to service delivery.

Store in a single place and protect that well (i.e. hard drive) and incorporate into backup processes.

See backup process

MSA

Templates

Affects ability to convince clients of capability.

Affects efficiency and effectiveness as these are all key to service delivery.

Store in a single place and protect that well (i.e. hard drive) and incorporate into backup processes.

See backup process

MSA

Research Notes

Affects ability to convince clients of capability.

Affects efficiency and effectiveness as these are all key to service delivery.

Store in a single place and protect that well (i.e. hard drive) and incorporate into backup processes.

Store research notes in Evernote software (paid subscription) – enables sync across devices and mobile access.

Maintained in three places (Dell, online, and HP Mini-Note).

None required – rely upon Evernote SLA.

MSA

Administrative Support


MYOB Accounting System

Unable to invoice and meet external compliance requirements.

Store in a single place and protect that well (i.e. hard drive) and incorporate into backup processes.

See backup process

MSA

Access to email

Unable to communicate with clients.

Incorporate into Exchange Server with email – reduce points of failure.

Reputable provider with SLA (WebCentral)

None.

MSA

Task list

Current workload would be lost.

Incorporate into Exchange Server with email – reduce points of failure.

Reputable provider with SLA (WebCentral)

Enables sync across devices and internet access with only an internet connection.

None.

MSA

Mobile telephone

Major contact point with clients lost; $1,200 phone to replace if purchased.

Insurance policy

None.

MSA

VOIP phone

Major contact point with clients lost; $100 phone to replace if needs to be repurchased.

None – wear this as an expense. Identify provider (Engin telephone).

Divert VOIP phone to mobile in emergency using password details noted in Evernote.

MSA

Accounting records (Paper)

Unable to invoice and meet external compliance requirements.

Monthly scan to electronic format. See backup process.

MSA

Bookmarks

Lose record of access to many required online services (e.g. online banking, blog,

Place bookmarks online in webspace (start.michealaxelsen.com) using Google start page.

None.

MSA

Critical passwords

Unable to access many websites crucial to operating business

Store passwords in Evernote (encrypted using common super-duper secret password).

Will be able to regain access with PC and internet connection.

None.

MSA

Suncorp Token Key

Without this, I lose access to online banking full stop.

In event of catastrophe, Suncorp provides a temporary security code until a new key is issued.

None.

MSA

IT Infrastructure

Dell Laptop (15”) (approximately $3K)

Unable to provide services

Insurance policy; backup processes

In event of loss, identify with insurance provider and order replacement.

Preferred Vendor: Dell

MSA

HP Laptop Mini-Note 2133 (approximately $1K)

Unable to provide services

Insurance policy; backup processes

In event of loss, identify with insurance provider and order replacement.

Preferred Vendor: HT

MSA

HP Scanjet bubblejet printer

Unable to provide services

Insurance policy; backup processes.

Order three year on-site warranty.

In event of loss, identify with insurance provider and order replacement.

Preferred Vendor: HT

MSA

Pocketmedia Drive

Unable to provide services

Insurance policy; backup processes

In event of loss, identify with insurance provider and order replacement.

Preferred Vendor: HT

MSA

External USB HDD (WD)

Unable to provide services

Insurance policy; backup processes

In event of loss, identify with insurance provider and order replacement.

Preferred Vendor: HT

MSA

Broadband connection

Unable to perform online banking, pay bills, and deliver services.

Identify a secondary alternative provider

Use alternative provider (suggested: $10 per GB wireless connection at UQ, available quickly from office).

Or just wifi surf someone else’s open wireless connection.

MSA

CD Media (to reinstall software)

If lost, would require re-purchase of $5,000 worth of Microsoft goodies without proof-of-purchase.

Backup CD media and store in a separate location (office) together with software keys.

Restore from separate DVDs.

MSA