Chapter 11 Business Continuity Management

Upload: marvin-bruce

Post on 23-Dec-2015

Slide 2: Objectives

- Define disaster
- Understand the process for developing a business continuity plan
- Describe the four components of a business continuity plan
- Delineate the roles and responsibilities of leadership, the business continuity team, users and business partners
- Be familiar with testing, maintenance and auditing techniques

Slide 3: What Is a Disaster?

- A disaster is a disruption of normal business functions where the expected time for returning to normalcy would seriously impact the organization's ability to maintain operations, including customer commitments and regulatory compliance
- It may result from a malicious act, a natural event, or a human mistake

Slide 4: What Is a Disaster? (cont.)

Risk Analysis
- A Risk Analysis will determine the threats that can disrupt operations, the likelihood of occurrence and the mitigating controls that can be deployed
- Once threats have been identified, their impact on the company must be determined

Slide 5: What Is a Disaster? (cont.)

Business Impact Analysis
- A BIA provides metrics such as:
  - The impact disruptions would have on the business
  - The tolerance of downtime on a per-system basis
  - The prioritization of critical business processes in case of such interruptions
  - Resource requirements needed to restore time-critical business processes

Slide 6: What Is a Disaster? (cont.)

Result of a Business Impact Analysis (BIA)
- To provide direction and guidance to those who plan the response, recovery and continuity efforts
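The four BIA metrics on the previous slides (impact, per-system downtime tolerance, process prioritization, restore resources) as a small worked script. This is an added example, not part of the slide deck; the systems, hours, staff counts and the recovery_hours field are constructed for illustration.

```python
# Added example (not from the slides): turning the four BIA metrics into a
# recovery priority list, a resource estimate and a tolerance check.
# Sample systems and numbers are constructed for illustration.
from dataclasses import dataclass

IMPACT_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class SystemBIA:
    name: str
    impact: str             # impact a disruption would have on the business
    tolerance_hours: float  # tolerated downtime for this system
    recovery_hours: float   # assumed: estimated restore time with the chosen strategy
    restore_staff: int      # resource requirement: people needed to restore it

def prioritize(systems):
    """Critical processes first: highest impact, then shortest tolerated downtime."""
    ordered = sorted(systems, key=lambda s: (-IMPACT_RANK[s.impact], s.tolerance_hours, s.name))
    return [s.name for s in ordered]

def tolerance_gaps(systems):
    """Systems whose recovery strategy cannot meet the tolerated downtime;
    these need a faster strategy (for example a warmer site) before the plan is approved."""
    return [s.name for s in systems if s.recovery_hours > s.tolerance_hours]

def staff_needed_within(systems, hours):
    """Resource requirement for everything that must be back within `hours`."""
    return sum(s.restore_staff for s in systems if s.tolerance_hours <= hours)

# Constructed BIA results for a small bank (illustrative only)
SAMPLE_BIA = [
    SystemBIA("core banking", "critical", 2, 1, 6),
    SystemBIA("public website", "high", 8, 4, 3),
    SystemBIA("payroll", "high", 72, 96, 4),
    SystemBIA("email", "medium", 24, 8, 2),
]

if __name__ == "__main__":
    print("recovery order:", prioritize(SAMPLE_BIA))
    print("strategy gaps:", tolerance_gaps(SAMPLE_BIA))
    print("staff needed in first 8h:", staff_needed_within(SAMPLE_BIA, 8))
```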

Slide 7: Disaster Strikes Without Warning

- Disasters are by default unexpected, but should not be unanticipated
- Knowing what to do prior to a disaster occurring is the key to successfully weathering the storm
- This is only possible if:
  - A plan is drafted prior to the disaster occurring
  - Employees are trained and understand their role

Slide 8: Business Continuity Plan (BCP) Components

- Must be a written document
- Must be approved by upper management
- Must be made available and communicated to all employees
- Must be tested
- Must be reviewed on a scheduled basis

Slide 9: Business Continuity Plan (BCP) Components (cont.)

- Disaster preparation
- Disaster response
- Business contingency
- Business recovery

Slide 10: Business Continuity Plan (BCP) Components (cont.)

According to PricewaterhouseCoopers, a BCP should be built according to these assumptions:
- Events occur at the worst possible time
- Worst-case scenario: loss of building and systems
- Key personnel may not be available
- Training of new personnel may be required
- Critical third parties may be affected
- Other locations and/or business partners are similarly affected

Slide 11: Business Continuity Plan (BCP) Components (cont.)

Disaster preparation
- Addresses what needs to be done in anticipation of a disaster
- The preparation plans are an outcome of the RA (risk analysis)
- Identifying threats and their likelihood leads to identifying and deploying controls

Slide 12: Business Continuity Plan (BCP) Components (cont.)

Disaster response
- Addresses what should be done immediately following a significant incident
- Defines who has the authority to declare a disaster
- Defines who has the authority to contact external entities
- Defines evacuation procedures
- Defines emergency communication and notification procedures

Slide 13: Business Continuity Plan (BCP) Components (cont.)

Business continuity
- Addresses alternate business processes used throughout the company prior to full recovery
- It may include:
  - Activating a designated hot site
  - Redirecting requests to alternate locations
  - Using manual procedures
- Focuses on how the company goes on providing the same functions, products and/or services absent normal operating conditions

Slide 14: Business Continuity Plan (BCP) Components (cont.)

Business recovery
- Addresses the process of recovering information systems to their original state (or a facsimile of it) using a prioritized and systematic methodology
- May include:
  - The use of backup tapes to restore data
  - Rebuilding a couple of servers
  - Rebuilding an entire Network Operating Center

Slide 15: Business Continuity Plan (BCP) Components (cont.)

NIST's DR and BCP development methodology
- Obtaining commitment from leadership to dedicate appropriate resources to ensure the plan's success
- Conducting a risk assessment and BIA
- Identifying preventive controls
- Developing recovery strategies and procedures
- Developing operational contingency plans and procedures
- Plan testing, training and exercises
- Plan maintenance

Slide 16: Preparing for Disaster

- Disaster preparation requires the following to be predefined:
  - Establishing an organizational structure to respond to an emergency
  - Designating an emergency command center
  - Preparing notification procedures
  - Designating alternate operations sites
  - Investing in redundant infrastructure or alternate sites for data processing
  - Developing and implementing procedures to support response, recovery and continuity activities

Slide 17: Preparing for Disaster (cont.)

Organizational structure
- The chain of command may change during a disaster
- A process must exist for a seamless transition of power
- The succession of executive leadership should be codified by the board of directors
- The BC Team assumes the authority for the response, continuity and recovery efforts
- Employees may be asked to assume duties normally outside of their job description

Slide 18: Preparing for Disaster (cont.)

Command center location
- Purpose: to have a predefined location where the BC Team members report in case of a disaster
- Used to direct operations, but also as a meeting center
- There should be primary and alternate command centers

Slide 19: Preparing for Disaster (cont.)

Command center location (cont.)
- The primary and alternate command centers should be stocked with all the required equipment, including:
  - Copies of the BCP
  - Tables and chairs
  - Whiteboards
  - Phones
- All BC Team members should have keys and/or codes to enter the command centers

Slide 20: Preparing for Disaster (cont.)

Notification of personnel
- Notification procedures should be documented in the DR plan for both types of disasters:
  - Those that can be predicted
  - Those that cannot be predicted
- Notification procedures must include contact information for both business hours and outside of business hours

Slide 21: Preparing for Disaster (cont.)

Notification of personnel (cont.)
- A call tree is a common notification method where specific individuals are given the role of contacting others to alert them of the situation
- The call tree should account for primary and alternate contact methods
- Procedures to deal with an individual not being reachable should be included in the plan
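A call tree walk that tries primary and alternate contact methods and applies one possible rule for an unreachable individual (the caller takes over that person's branch). This is an added example, not from the slides; the names, contact methods, the escalation rule and the outage scenario are all constructed assumptions.

```python
# Added example (not from the slides): call tree with primary/alternate contact
# methods and an escalation rule for unreachable people. All names constructed.
from dataclasses import dataclass, field

@dataclass
class Member:
    contacts: list                             # methods to try, primary first
    calls: list = field(default_factory=list)  # people this member notifies

def notify_tree(tree, root, reachable):
    """Walk the tree from `root`; reachable(name, method) says if one attempt worked.
    Returns (reached, unreached): reached maps name -> (method, notified_by).
    Assumed escalation rule: if someone is unreachable, the person who tried to
    call them takes over their branch so nobody below is silently skipped."""
    reached, unreached = {}, []

    def visit(caller, name):
        member = tree[name]
        for method in member.contacts:
            if reachable(name, method):
                reached[name] = (method, caller)
                for callee in member.calls:
                    visit(name, callee)
                return
        unreached.append(name)
        for callee in member.calls:            # escalation: caller covers branch
            visit(caller, callee)

    visit(None, root)
    return reached, unreached

# Constructed tree: the BCT leader calls two managers, who call their staff
SAMPLE_TREE = {
    "bct_leader": Member(["office phone", "mobile"], ["ops_mgr", "it_mgr"]),
    "ops_mgr": Member(["office phone", "mobile"], ["ops_a", "ops_b"]),
    "it_mgr": Member(["office phone", "mobile"], ["it_a"]),
    "ops_a": Member(["office phone", "mobile"]),
    "ops_b": Member(["office phone", "mobile"]),
    "it_a": Member(["office phone", "mobile"]),
}

def outage_scenario(name, method):
    """Constructed after-hours scenario: ops manager answers nothing, IT manager
    only the mobile, everyone else the first method tried."""
    if name == "ops_mgr":
        return False
    if name == "it_mgr":
        return method == "mobile"
    return True

def run_demo():
    return notify_tree(SAMPLE_TREE, "bct_leader", outage_scenario)
```

The unreached list is what a plan review should look at: every name on it is a gap that the escalation rule had to cover.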

Slide 22: Preparing for Disaster (cont.)

Relocation of operations
- Operations may need to be relocated because of:
  - Natural or environmental disaster: flood, tornado, ice storm
  - Physical disaster: loss of power, loss of communication lines
- Relocation strategies must be in place before the need to relocate occurs

Slide 23: Preparing for Disaster (cont.)

Relocation of operations (cont.)
- Relocation strategies include:
  - Delivery functions, which provide services or products to the customer
  - Operational business functions, which provide the core infrastructure of the company, like accounting and HR
- Not all staff may be required to relocate, just enough to handle critical functions and an acceptable level of operations

Slide 24: Preparing for Disaster (cont.)

Relocation of operations (cont.)
- The relocation plan must address:
  - Staffing levels
  - Space considerations
  - Utility and environmental needs
  - Transportation
  - Logistics

Slide 25: Preparing for Disaster (cont.)

Alternate data center sites
- Provide facilities for continued information processing activity
- Five different types of sites are available:
  - Hot site: fully operational location with redundant equipment. The data has been streamed to the site on a real-time basis, or close to real time

Slide 26: Preparing for Disaster (cont.)

Alternate data center sites (cont.)
  - Warm site: configured to support operations, including communications capabilities, peripheral devices, power and HVAC
    - Spare computers may be located there, which would then need to be configured in the event of a disaster
    - Data must be restored

Slide 27: Preparing for Disaster (cont.)

Alternate data center sites (cont.)
  - Cold site: available alternate location, equipped with power, HVAC and secure access

Slide 28: Preparing for Disaster (cont.)

Alternate data center sites (cont.)
  - Mobile site: self-contained unit, equipped with the required hardware, software and peripherals
    - Data needs to be restored

Slide 29: Preparing for Disaster (cont.)

Alternate data center sites (cont.)
  - Mirrored site: two backup sites, geographically separated
    - Mirrored backup datacenters with redundant bandwidth and power
    - Any information sent to one backup site is automatically mirrored to the other one
    - Data is replicated to backup sites in real time

Slide 30: Responding to a Disaster

- Disaster response can be either chaotic or orderly
- If chaotic, this bad start will have repercussions throughout the disaster and after
- A proven, tested plan, which has been successfully communicated to all employees, is what separates order from chaos

Slide 31: Responding to a Disaster (cont.)

Four stages of disaster response
- Detection
- Notification
- Declaration
- Activation

Slide 32: Responding to a Disaster (cont.)

Detection
- All employees share the responsibility of remaining aware of potential disasters. Early detection is, as always, important

Notification
- It is the responsibility of the first person who discovers a disaster to report it to a member of the BCT
- Notification can be made in person, on the phone or via email, as long as reception is confirmed

Slide 33: Responding to a Disaster (cont.)

Declaration
- The situation is evaluated by the BC Team
- If warranted, the BC plan is activated
- The BC Team notifies management
- Managers are then responsible for alerting their own staff
- Managers are responsible for keeping an updated employee list

Slide 34: Responding to a Disaster (cont.)

Activation
- The BCT Leader is the one with the responsibility to activate the plan
- If the BCT Leader is not available, the alternate team leader takes the responsibility to activate the plan
- If both are unavailable, responsibility falls to the first available team member

Slide 35: Responding to a Disaster (cont.)

Activation (cont.)
- At this point, decisions need to be made about:
  - The command center
  - Relocation of personnel and operations
  - The recovery site
- The BCT is the authoritative body to:
  - Activate the plan
  - Set policy
  - Establish procedures during disaster and recovery periods

Slide 36: Responding to a Disaster (cont.)

Non-operational business concerns
- Public safety
- Employee relations
- Media relations
- Customer relations
- Crime

Slide 37: Responding to a Disaster (cont.)

Public safety
- The first order of priority is the safety of all employees, visitors, vendors, business partners and consultants
- Communications must be established with the police, fire department and other emergency organizations
- If required, communications must be established with federal organizations such as the Federal Emergency Management Agency (FEMA)

Slide 38: Responding to a Disaster (cont.)

Employee relations
- Employees must be kept abreast of the situation
- Employees should be clearly told to either report at an alternate location or go home and remain on stand-by
- Managers need to use their leadership skills and make all communications with the employees straightforward
- Safety and security of personnel and their families may need to be arranged

Slide 39: Responding to a Disaster (cont.)

Media relations
- It is important not to allow miscommunication and misinformation
- Only one employee is officially authorized to interact with the media
- Employees should be instructed to:
  - Make no comment
  - Forward all media information requests to the dedicated person in charge of media relations

Slide 40: Responding to a Disaster (cont.)

Customer relations
- Customers must be kept informed
- They are concerned: "Is the bank still able to service my needs?"

Crime
- Disaster situations tend to spawn crime
- Property and personnel should receive enhanced security as outlined in the DR/BC plan

Slide 41: Planning for Contingencies

Business contingency procedures
- Should be task-based
- Should be step-by-step
- Different from SOPs: SOPs assume normal operating conditions

Slide 42: Planning for Contingencies (cont.)

Business contingency documentation
- Should follow the same form as SOP documentation:
  - Simple step
  - Hierarchical
  - Graphic flowchart
- BCOPs:
  - Are written to be easily understood
  - Should include short and direct sentences

Slide 43: Recovering from Disaster

Recovery strategies
- The path to bringing the company back to a normal business environment
- A plan should be in place that breaks down each category of the overall recovery effort, to simplify the daunting recovery process:
  - Mainframe
  - Network
  - Communications
  - Infrastructure
  - Facilities

Slide 44: Recovering from Disaster (cont.)

Recovery procedures
- All procedures should be designed, tested, documented and approved before the disaster strikes
- Procedures should be written as if the person who will be following them is not intimately familiar with the information system or component
- Procedures should explain what needs to be done, when, where and how
- The key is to respond fast using predefined steps

Slide 45: Recovering from Disaster (cont.)

Recovery manual
- Comprehensive document that incorporates recovery procedures on a system- or device-specific basis
- Should include a table of contents and an index

Slide 46: Testing and Maintaining the Plan

- Proactive testing of the plan is essential
- Until tested, the plan is theoretical at best
- The tests should prove that the procedures and the plan are:
  - Relevant
  - Operable under adverse conditions
  - Accurate
- Tests are used to discover errors and inadequacies

Slide 47: Testing and Maintaining the Plan (cont.)

Five testing methods
- Preliminary review
- Structured walkthrough
- Tabletop simulation
- Parallel (functional) testing
- Full-scale testing

Slide 48: Testing and Maintaining the Plan (cont.)

Preliminary review
- Plan and procedures distributed to all functional areas for review
- All critical processes should be validated
- All personnel and responsibilities should have been identified

Slide 49: Testing and Maintaining the Plan (cont.)

Structured walkthrough
- Representatives from each functional area meet to walk through the plan and procedures to verify accuracy and completeness
- Can also be used as a training exercise to clarify and highlight critical elements

Slide 50: Testing and Maintaining the Plan (cont.)

Tabletop simulation
- Focus is on testing a specific scenario
- Participants practice the appropriate steps to deal with the fictitious disaster chosen in the scenario
- Only the materials and data available in a real disaster are used
- Outcome: identify the strengths and weaknesses of the plan in a non-threatening environment

Slide 51: Testing and Maintaining the Plan (cont.)

Parallel (functional) testing
- Operational test of a specific system or activity
- Redundant backup systems are brought online and their processing capabilities compared to real operational output
- Continuity procedures: manual or alternate processes are initiated
- Goal: to validate the plan and procedures and provide experience in case a real disaster were to occur

Slide 52: Maintaining the Plan

- Business environments are dynamic: the plan should be reviewed and edited regularly to match the changes that occur in the company and/or the industry in which the company is involved
- The plan cannot be reviewed without the risk assessment being reviewed as well
- Responsibility for maintaining the plan should be assigned to a specific role such as the ISO

Slide 53: Agreements with Vendors

- BC may depend on vendors providing services, equipment, facilities and personnel
- There must be corresponding service level agreements (SLAs) to identify:
  - How quickly the vendor would respond
  - The type and quantity of replacement equipment that would be guaranteed to be available
  - Personnel and facilities availability
  - Status of the organization in the event of a major disaster involving multiple vendor clients
- SLAs should be reviewed annually

Slide 54: Auditing the Plan

- Some industries regulated by federal mandates are required to have a BCP
- Regulators/auditors review the BCP for:
  - Relevancy
  - Management approval
  - Completeness
  - Accuracy
  - Organization

Slide 55: Auditing the Plan (cont.)

Regulators/auditors will look for answers to the following questions:
- Is the plan written?
- Has management approved the plan?
- How often are the risk assessment and business impact analysis reviewed? By whom?
- How often is the plan reviewed? By whom?
- Are all policies and procedures documented?

Slide 56: Auditing the Plan (cont.)

Regulators/auditors will look for answers to the following questions (cont.):
- Where is the documentation stored?
- Who is on the BCP Team? What training have they received?
- What training has the user community received?
- How has the plan been tested?

Slide 57: Auditing the Plan (cont.)

Regulators/auditors will look for answers to the following questions (cont.):
- Is there a written testing plan?
- How often is the plan tested?
- Are the results documented?
- If third parties are involved, what is the process for testing/verifying their procedures?
- Who is responsible for maintaining the plan?

Slide 58: Summary

- A disaster can strike at any time. The organization must be prepared to respond in order to continue to provide services/products to its clients.
- It is the responsibility of executive management to ensure that threats are evaluated, impact to business processes recognized, and resources allocated.
- This requires the creation and maintenance of an audited business continuity plan and of a set of ancillary procedures.