John Bax BCP+ 10 presentationx

Nov 20, 2013

Business Continuity Planning

Interested in learning about experiences in disaster recovery and backup planning?





Presented by John M. Bax, CISSP, CBCP

Business Continuity Planning (BCP) is...


The advance planning and preparations which
are necessary to: identify the impact of potential
losses; formulate and implement viable continuity
strategies; develop continuity plan(s) which
ensure continuity of the organizational services in
the event of a disruption, emergency or disaster;
and to administer comprehensive training,
maintenance, testing and evaluation processes to
ensure the longevity of the plan.

AN EVENT OCCURS

Emergency Response

Relocate

Backups

Restore Operating System

Reload Systems Software

Reload Applications Software

Reload Data, Roll Forward and Synch

Establish Connectivity and Communications

BCP Practices...

1) Project Initiation and Management

2) Risk Evaluation and Control

3) Business Impact Analysis

4) Developing Business Continuity Strategies

5) Emergency Response and Operations

6) Developing and Implementing Business Continuity Plans

7) Awareness and Training Programs

8) Maintaining and Exercising Business Continuity Plans

9) Public Relations and Crisis Coordination

10) Coordination with Public Authorities

Project Initiation and Management


Establish the need for a Business Continuity Plan (BCP),
including obtaining management support and organizing and
managing the project to completion within agreed upon time
and budget limits.


Has a Business Continuity Manager been identified?


Has management support and sponsorship from senior management
been achieved?


Has a management structure been established?


NOTE: Business Continuity Management (BCM) is a process developed to
counteract systems failure. It is not just about the recovery of Information
Technology systems and services; it is an organization-wide discipline. Business
Continuity Management is a business issue, with real benefits for any organization.



Risk Evaluation and Control


Determine the events and environmental surroundings that can
adversely affect the organization and its facilities with
disruption as well as disaster, the damage such events can
cause, and the controls needed to prevent or minimize the
effects of potential loss. Provide cost-benefit analysis to justify
investment in controls to mitigate risks.





Has a risk assessment been undertaken?



Have risk reduction measures been identified to mitigate potential
losses?

Business Impact Analysis


Identify the impacts resulting from disruptions and disaster
scenarios that can affect the organization and techniques that
can be used to quantify and qualify such impacts. Establish
critical functions, their recovery priorities, and interdependencies
so that recovery time objectives can be set.


Have critical business processes been established?


Have the impacts of loss been identified?


Are interdependencies between departments known?


Can prioritization and time dependencies of business processes be
achieved?

Developing Business Continuity Strategies


Determine and guide the selection of alternative business
recovery operating strategies for recovery of business and
information technologies within the recovery time objective,
while maintaining the organization’s critical functions.


Have all critical processes been identified and recovery timeframes
agreed?


Has the strategy considered both recovery and risk reduction?


Is the strategy appropriate to the business and are critical operating
requirements supported?



Emergency Response and Operations


Develop and implement procedures for response and
stabilizing the situation following an incident or event,
including establishing and managing an Emergency Operations
Center to be used as a command center during the emergency.


Has a crisis management process been established to respond to
incidents?


Are all team members aware of their responsibilities?

Developing and Implementing Business Continuity Plans


Design, develop, and implement the Business Continuity Plan
that provides recovery within the recovery time objective.



Have business continuity plans been developed in support of the
strategy?



Are these plans owned and managed by the business?

Awareness and Training Programs


Prepare a program to create corporate awareness and enhance
the skills required to develop, implement, maintain, and
execute the Business Continuity Plan.



Have all staff been made aware of BCM and is this promoted as an
ongoing initiative?



Have recovery teams been trained in their roles and responsibilities?



Are IT and other specialist groups aware of their response to an
incident and can they effectively provide the support required?


Maintaining and Exercising Business Continuity Plans


Pre-plan and coordinate plan exercises, and evaluate and
document plan exercise results. Develop processes to maintain
the currency of continuity capabilities and the plan document
in accordance with the organization’s strategic direction and
verify that the Plan will prove effective by comparison with a
suitable standard, and report results in a clear and concise
manner.


Are all business continuity plans and supporting procedures owned
by a nominated business or support person?


Is plan maintenance undertaken on a regular basis?


Has a test strategy been developed with exercises and tests
undertaken on a regular basis?


Are plans updated to reflect changes in business strategy?



Public Relations and Crisis Coordination


Develop, coordinate, evaluate, and exercise plans to handle
media during crisis situations; communicate with and, as
appropriate, provide trauma counseling for employees and
their families, key customers, critical suppliers,
owners/stockholders, and corporate management during crisis
and ensure all stakeholders are kept informed on an as-needed
basis.



Does the crisis management process include internal and external
communications, the media and potentially trauma counseling?


Is a process in place to ensure that all stakeholders are kept
informed on an as-needed basis?


Coordination with Public Authorities


Establish applicable procedures and policies for coordinating
response, continuity, and restoration activities with local
authorities while ensuring compliance with applicable statutes
or regulations.



Does the crisis management process include internal and external
communications, the media and potentially trauma counseling?



Is a process in place to ensure that all stakeholders are kept
informed on an as-needed basis?


But what about...


Today things are cloudy,
there is…


Cloud Storage


PAAS


SAAS


VMs


Etc.












AN EVENT OCCURS

Emergency Response

Relocate

Backups

Restore Operating System

Reload Systems Software

Reload Applications Software

Reload Data, Roll Forward and Synch

Establish Connectivity and Communications

Cloud Storage

PAAS

VMs

SAAS

Same BCP Practices for different times

1) Project Initiation and Management

2) Risk Evaluation and Control

3) Business Impact Analysis

4) Developing Business Continuity Strategies

5) Emergency Response and Operations

6) Developing and Implementing Business Continuity Plans

7) Awareness and Training Programs

8) Maintaining and Exercising Business Continuity Plans

9) Public Relations and Crisis Coordination

10) Coordination with Public Authorities


Questions...












…Thank You