Business Continuity Plan

  1. Business Continuity Plan. Plash Chowdhary, Information Security Consultant
  2. Declaration: This presentation is made in Plash's personal capacity and does not represent the views of my employer.
  3. Business Continuity Planning
     • It is a logistics process for keeping mission-critical processes running for survival and for restoring operations after a disaster.
     • It is enforced by the law of the land.
  4. What is at RISK?
     • Reputation loss
     • Financial loss
     • Regulatory concerns
     • Data loss
     • Loss of life
     • Jobs
  5. Where is it Applicable? It is applicable wherever a mission-critical service is disrupted.
     • Supply Chain: your vendor and you are caught in the same disaster; a transportation strike leaves you with no inventory
     • Human Resources: critical resources quit; worker union strikes
     • Physical Premises: acts of God; targeted terrorist attacks
     • Information Technology: data leakage by intrusion/hacking; virus outbreak
     • Marketing: your only market is hit by a crisis; your product developed a snag and needs to be recalled
  6. BCP & Regulations: Several laws/orders mandate BCP as part of organization strategy. Significant laws and regulations by industry sector:
     • Healthcare: Health Insurance Portability and Accountability Act (HIPAA) of 1996; Food and Drug Administration (FDA) Code of Federal Regulations (CFR), Title XXI, 1999
     • Government: Federal Information Security Act (FISMA) of 2002, Title III of the E-Government Act of 2002 (PL 107-347, 17 December 2002); Executive Order on Critical Infrastructure Protection in the Information Age, 16 October 2001; COOP and Continuity of Government (COG), Federal Preparedness Circular 69, 26 July 1999; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Contingency Planning Guide for Information Technology Systems, June 2002; NIST 800-53, Recommended Security Controls for Federal Information Systems, February 2005
     • Finance: Federal Financial Institutions Examination Council (FFIEC) Handbook, 2003-2004 (Chapter 10); Basel II, Basel Committee on Banking Supervision, Sound Practices for Management and Supervision, 2003; Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, 2003; Expedited Funds Availability (EFA) Act, 1989
     • Utilities: Governmental Accounting Standards Board (GASB) Statement No. 34, June 1999; North American Electric Reliability Council (NERC) 1200 (1216.1), 2003; Federal Energy Regulatory Commission (FERC) RM01-12-00 (Appendix G), 2003; RUS 7 CFR Part 1730, 2005; Telecommunications Act of 1996, Section 256, Coordination for Interconnectivity; NERC Security Guidelines for the Electricity Sector, June 2001
     Source: Gartner
  7. BCP Hierarchy (diagram; labels recovered from the slide): Policy; BCP Strategy; Training Employees; Implementation & Monitoring (Implementing BCP, Testing BCP, Monitoring); Business Impact Analysis; Risk Assessment; Recovery Requirements; Alternatives; Planning
  8. BCP Management Team: Legal, Finance, Management, Internal Auditors, Operations
  9. BCP Initiation and Recovery Steps (diagram; labels recovered from the slide)
     • BCP Cycle: Identification, Prevention, Implementation, Declaration, Containment, Escalation, Business Recovery, Operations Recovery
     • Business Recovery Steps: Facility Recovery, Process Recovery, Human Resources Recovery, IT Recovery, Telecommunication Recovery, Data Recovery, Business Unit Recovery
  10. Need External Auditor?
     • Planning: strategy definition; policy definition; risk assessment; identifying critical services and alternatives; business impact analysis; applicable laws
     • Implementation: employee awareness; selecting and optimizing vendors; vendor assessments
     • Auditing: reviewing BCP policy; auditing SLA; BCP simulation