From the operations security perspective, BCP ensures that IT operations continue from the primary or an alternate location during an incident or disaster, in line with the business continuity requirements. An important consideration is that the same security levels are maintained while operating in that mode.
Before we plunge deeper into the myriad concepts of the BCP domain, let's recap some of the important concepts from the risk assessment and risk management areas:
In the BCP domain, our focus will be on specific threat events that could have a devastating impact on the functioning of the organization as a whole, and on the IT infrastructure in particular. Examples of such events are fire, flood, earthquake, tornado, or terrorist attacks. Generally, an organization does not have controls that can prevent such events. Such events are termed disruptive events. In other words, an event that could impact regular operations for a prolonged period of time can be termed a disruptive event.
Business Continuity Planning (BCP) is a process that proactively addresses the continuation of business operations during and in the aftermath of such disruptive events. The aim is to prevent interruptions to operations.
BCP requires coordinated efforts by a team of personnel drawn from different business functions of an organization. Let's quickly review the goal and objectives pertaining to the BCP process.
The goal of BCP is to ensure the continuity of business operations without affecting the organization as a whole.
While designing the BCP, availability should be considered as the most important factor.
People are the most important assets in business operations. Hence, life safety or preventing human loss is one of the primary objectives of BCP. Another important objective of BCP is to avoid any serious damage to the business.
BCP involves the following steps. These simplified steps form a life cycle model for the BCP process:
Scoping is a very important activity in a BCP process. The scope of a BCP primarily focuses on a business process. For example, if the scope of BCP is Customer Relationship Management (CRM) processes, then we're looking at the CRM-related information systems: data, people associated with customer management, and facilities such as the servers, data center, backup media, and so on. By focusing on a business process and defining the scope, we will be able to see an end-to-end link of all the associated assets, operations, and processes. Therefore, the primary criterion of BCP scoping is to ensure that it is appropriate, which means ensuring that the scoping process covers all the essential resources.
The Business Continuity Planning process is initiated by establishing the roles and responsibilities of the personnel involved. Generally, a BCP committee is formed with personnel drawn from the critical business units. The function of the BCP committee is to create, test, and implement the plans. The critical component in planning this process is the support and involvement of senior management throughout the process life cycle.
Business Impact Analysis (BIA) is a type of risk assessment exercise that tries to assess the qualitative and quantitative impacts on the business due to a disruptive event. Qualitative impacts are generally operational impacts, such as the inability to deliver, whereas quantitative impacts are related to financial losses. In general, BIA uses What-If scenarios to assess the risks. For example, take a look at the following:
Business Continuity Plans are proactive measures that, based on the BIA, identify the critical business processes required for the continuity and sustainability of the business. For example, let's assume the organization has a Service Level Agreement (SLA) with its customers that permits a maximum of 2 hours of continuous downtime of its CRM services; the continuity plans then need to proactively address the systems that are needed to ensure adherence to that SLA. The organization needs a strategy or plan, and it should be consistent across all business units. Defining the continuity strategy and documenting it are the two important functions that constitute the development of BC plans.
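To make the scoping and BIA ideas above concrete, here is an added Python illustration (not code from the book or from any BCP standard). It assumes a constructed asset inventory for a CRM business process: starting from the process, it derives the end-to-end set of dependent assets (the scope), computes the worst-case recovery chain, compares it with the 2-hour SLA, estimates the quantitative impact from an assumed hourly loss figure, and evaluates a What-If scenario in which one asset's recovery time is changed. All asset names, recovery times, and the loss figure are constructed sample values.

```python
"""BCP scoping and a quantitative BIA check (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass, field, replace


@dataclass
class Asset:
    name: str
    recovery_hours: float                     # estimated time to restore this asset
    depends_on: list[str] = field(default_factory=list)


# Constructed inventory: the CRM process and the assets it depends on, plus one
# unrelated asset (hr-portal) that should fall outside the CRM scope.
INVENTORY: dict[str, Asset] = {
    "crm-app": Asset("crm-app", 0.5, ["crm-db", "auth"]),
    "crm-db": Asset("crm-db", 1.0, ["backup-media", "datacenter-power"]),
    "auth": Asset("auth", 0.5, ["datacenter-power"]),
    "backup-media": Asset("backup-media", 0.75),
    "datacenter-power": Asset("datacenter-power", 0.25),
    "hr-portal": Asset("hr-portal", 2.0, ["auth"]),
}


def scope(process_root: str, inventory: dict[str, Asset]) -> set[str]:
    """End-to-end scope: every asset the process transitively depends on."""
    seen: set[str] = set()
    stack = [process_root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(inventory[name].depends_on)
    return seen


def recovery_time(name: str, inventory: dict[str, Asset], memo=None) -> float:
    """Worst-case time to bring `name` back: restore it after its slowest dependency."""
    memo = {} if memo is None else memo
    if name not in memo:
        asset = inventory[name]
        slowest_dep = max((recovery_time(d, inventory, memo) for d in asset.depends_on),
                          default=0.0)
        memo[name] = asset.recovery_hours + slowest_dep
    return memo[name]


def critical_path(name: str, inventory: dict[str, Asset]) -> list[str]:
    """The chain of assets that determines the recovery time; these are the
    systems the continuity plan must address first."""
    path = [name]
    while inventory[name].depends_on:
        name = max(inventory[name].depends_on, key=lambda d: recovery_time(d, inventory))
        path.append(name)
    return path


def bia_check(process_root: str, inventory: dict[str, Asset],
              sla_hours: float, loss_per_hour: float) -> dict:
    """Qualitative (SLA met or not, critical path) and quantitative (estimated
    loss for the outage) impact of losing the process."""
    hours = recovery_time(process_root, inventory)
    return {
        "in_scope": scope(process_root, inventory),
        "recovery_hours": hours,
        "meets_sla": hours <= sla_hours,
        "critical_path": critical_path(process_root, inventory),
        "quantitative_impact": hours * loss_per_hour,   # assumed hourly loss
    }


def what_if(inventory: dict[str, Asset], overrides: dict[str, float]) -> dict[str, Asset]:
    """What-If scenario: same inventory with selected recovery times changed."""
    return {n: (replace(a, recovery_hours=overrides[n]) if n in overrides else a)
            for n, a in inventory.items()}


if __name__ == "__main__":
    baseline = bia_check("crm-app", INVENTORY, sla_hours=2.0, loss_per_hour=5000.0)
    print("baseline:", baseline)
    # Scenario: backup media restored from a replicated copy in 15 minutes.
    scenario = bia_check("crm-app", what_if(INVENTORY, {"backup-media": 0.25}),
                         sla_hours=2.0, loss_per_hour=5000.0)
    print("what-if:", scenario)
```

In the baseline, the CRM recovery chain (crm-app, crm-db, backup-media) totals 2.25 hours and misses the 2-hour SLA, which is exactly the gap the continuity plan has to close; the What-If scenario shows that shortening backup media recovery alone brings the chain to 1.75 hours. The scope deliberately excludes hr-portal even though it shares the auth dependency, matching the process-centred scoping described above.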
Senior management must approve the properly documented business continuity plans and, upon approval, the plans are implemented. Personnel associated with the business continuity strategy and operations must be made aware of the continuity processes, and the plans have to be periodically tested and updated based on the lessons learned from such tests.
The BCP life cycle also includes the maintenance of the plans. Plan updates are primarily driven by incidents, periodic risk assessments, and changes to the business environment. The plans need to be periodically reviewed and updated based on business changes, technology changes, and/or policy changes.
The following best practices are gleaned from many BCP-related standards and guidelines. They form the basis of a successful BC Planning process.
BCP should be as follows:
BCP resources should include the following:
BCP processes should include the following:
BCP measures should include the following:
BCP should identify the following:
BCP objectives include the following:
BCP procedures include the following:
BCP plans should contain the following: