bcpdr

1
BUSINESS SURVIVAL
A Guide to Business Continuity
Planning and Disaster Recovery

of 116
CONTENTS
1 WHAT IS BUSINESS CONTINUITY PLANNING?.........................................4
1.1 Business Continuity Planning Defined............................................................................................ 4
1.2 Disaster Recovery Defined............................................................................................................... 5
1.3 Overall Steps..................................................................................................................................... 5
1) Get Board approval......................................................................................................................... 5
2) Determine scope ............................................................................................................................. 5
3) Carry out risk analysis / management (Business Impact Analysis) ................................................ 5
4) Create a project plan and budget .................................................................................................... 5
5) Create the plan (overall document)................................................................................................. 5
6) Gather / Create supporting documentation ..................................................................................... 5
7) Test / review /audit the plan and the process .................................................................................. 5
8) Change Manage any changes made to the plan / process / documentation..................................... 5
9) Formally approve the plan.............................................................................................................. 5
10) Return to 6 ...................................................................................................................................... 5
2 CONVINCING THE BOARD...........................................................................6
2.1 The Importance of Support from the Top...................................................................................... 6
2.2 Explaining Why it’s so Important................................................................................................... 7
3 DEFINING SCOPE .......................................................................................10
3.1 Which Sites?.....................................................................................................................................10
3.2 Which Systems?...............................................................................................................................10
3.3 Which Departments/Business Functions? .....................................................................................11
3.4 Which Personnel?............................................................................................................................13
3.5 Business Partner Relationships ......................................................................................................13
3.6 Which Types of Disasters and Risks? ............................................................................................15
3.7 Which Legislation/Standards need to be considered?..................................................................15
3.8 Interaction with Other Organizations ...........................................................................................15
3.9 Gap Analysis ....................................................................................................................................15
3.10 Questionnaires .................................................................................................................................16
4 RISK MANAGEMENT ..................................................................................21
1) Identify Risks.................................................................................................................................22
2) Quantify Risks (Probability and Impact) .......................................................................................22

of 116
3) Risk Tolerance Levels ...................................................................................................................22
4) Allocate Risks to Appropriate Personnel.......................................................................................22
5) Risk Mitigation, Reduction and Response.....................................................................................23
6) Evaluation of Effectiveness ...........................................................................................................23
4.1 Benefits of Risk Assessment / Management ..................................................................................23
1) Cost Justification ...........................................................................................................................23
2) Facilitation of Communication between all departments in the Business .....................................23
3) Business Responsibility.................................................................................................................23
4) Business Continuity Awareness ....................................................................................................23
4.2 Risk Identification ...........................................................................................................................23
1) Environmental Disasters................................................................................................................26
2) Equipment/System Failure.............................................................................................................26
3) Serious Information Security Incidents .........................................................................................26
4) Organized/Deliberate Disruption...................................................................................................26
5) Loss of Utilities/Services...............................................................................................................26
6) Business Partners...........................................................................................................................26
7) Other Emergency Situations..........................................................................................................27
4.3 Risk Assessment...............................................................................................................................29
1) Cost Impact....................................................................................................................................29
2) Vulnerability Factors .....................................................................................................................31
3) Likely Loss ....................................................................................................................................32
4) Probability .....................................................................................................................................34
4.4 Calculations......................................................................................................................................40
4.5 Risk Mitigation / Risk Response.....................................................................................................42
1) Controls .........................................................................................................................................43
2) Risk Appetite.................................................................................................................................48
4.6 Risk Allocation.................................................................................................................................49
4.7 Scenario Grouping of Risks ............................................................................................................49
4.8 More on Risk Management.............................................................................................................50
5 CREATING THE PLAN ................................................................................51
5.1 Documents to use as Inputs to the Plan .........................................................................................53
5.2 Purpose.............................................................................................................................................54
5.3 Scope.................................................................................................................................................55
5.4 Objectives.........................................................................................................................................55
1) Category I - Critical Functions – Recovery Objective 2 hours......................................................56
2) Category II - Essential Functions – Recovery Objective 5 hours ..................................................56
3) Category III - Necessary Functions – Recovery Objective 24 hours.............................................56
4) Category IV - Desirable Functions - Recovery Objective 48 hours .............................................56
5.5 Distribution List...............................................................................................................................56

of 116
5.6 Version Control ...............................................................................................................................57
5.7 Review Process.................................................................................................................................57
5.8 Strategies ..........................................................................................................................................58
1) Dual Site Method / Alternate Site Method ....................................................................................58
2) Bilateral Aid Agreement Method / Reciprocal Agreement Method ..............................................59
3) Dispersal Method...........................................................................................................................59
4) Deference Method .........................................................................................................................59
5.9 Functions, Responsibilities and Personnel Contact Info ..............................................................59
5.10 Lists...................................................................................................................................................60
1) IT Systems and Components .........................................................................................................60
2) List of key Documents...................................................................................................................62
A list of all key documents related to the BCP should be provided. This should include references to
Procedures, Policies and Guidelines as well as SLAs, contracts, insurance documents etc. .....................62
A key set of procedures to be included is the full set of backup and recovery documents for all IT
systems: .....................................................................................................................................................62
3) Info about all buildings/sites..........................................................................................................62
4) Key Personnel During Emergencies..............................................................................................62
5) Emergency Services Contact information .....................................................................................63
6) Roles and Responsibilities.............................................................................................................63
5.11 Policies and Procedures...................................................................................................................64
1) Notification Procedures, to include ...............................................................................................64
 Description/diagram of the notification process (to include notification to external authorities)......64
 Escalation Procedures........................................................................................................................64
 Script (Telephone Guidelines) for Notification .................................................................................64
 Organizational Structure for Notification..........................................................................................64
 Recovery Team Personnel Notification.............................................................................................64
2) Emergency Procedures And Information, to include.....................................................................64
 Alarm Systems information...............................................................................................................64
 Evacuation Procedures ......................................................................................................................64
 Local Emergency Telephone Numbers..............................................................................................64
 Vital Records Retrieval Procedures...................................................................................................64
 Vital Records Restoration Procedures ...............................................................................................64
 Documentation Recovery Procedures................................................................................................64
 Start-up Procedures ...........................................................................................................................64
 Network Control Center Restoration Procedures ..............................................................................64
 Applications Software and Data Restoration Procedures ..................................................................64
 Other Mission Critical Procedures/Information.................................................................................64
 Management of security and logistics during emergency situations .................................................64
 Procedures for moving critical information to a secure site ..............................................................65
 Procedures for keeping outside agencies, local government agencies etc. informed.........................65
 Procedures for determining whether or not recovery / restoration should be attempted ...................65
 Procedures for training, implementing, testing and maintaining the plan .........................................65
5.12 Contingency options/Redundancy..................................................................................................66
5.13 Key Timeframes...............................................................................................................................66
 Category I - Critical Functions – Recovery Objective 2 hours..........................................................66
 Category II - Essential Functions – Recovery Objective 5 hours ......................................................66

of 116
 Category III - Necessary Functions – Recovery Objective 24 hours.................................................67
 Category IV - Desirable Functions - Recovery Objective 48 hours .................................................67
5.14 Legal Requirements.........................................................................................................................67
5.15 Best Business Practices (Standards) Requirements......................................................................67
5.16 Communications..............................................................................................................................67
1) Internal Communications...............................................................................................................67
2) Communications Plan....................................................................................................................68
3) Stakeholder communications.........................................................................................................69
5.17 Action Task Lists .............................................................................................................................69
5.18 Plan Testing and Maintenance .......................................................................................................69
5.19 IT-specific Considerations ..............................................................................................................69
1) Perform backups regularly. Keep information central, this will help control information backup
and help protect information integrity. Where information is decentralized (e.g. held on PCs), ensure
that this information is also regularly backed up.......................................................................................69
2) Increase physical security to server room to prevent Data loss. ....................................................69
3) Antivirus software should be in place on PCs, Servers (data, file and mail servers) and if possible
at network level also..................................................................................................................................69
4) Patch update and management, including patch management of operating systems, application
software, database software, middleware software, firewall software and other network management
software. ....................................................................................................................................................70
5) Change Management and Configuration Management procedures to ensure that it is easier to
restore applications and system components back to the most recent build and configuration (setup)
easily if the live (production) system is destroyed due to an incident. This should include procedures for
reapplying patches to software and components, recreating firewall rules and policies, operating system
settings etc. ................................................................................................................................................70
6) Internet facing systems are secured and maximum security is applied..........................................70
7) Remote access to data servers is controlled and strictly monitored...............................................70
8) Verify backups to ensure that they are not corrupt. .......................................................................70
9) Backups should be stored offsite. ..................................................................................................70
10) Replicate critical data in as close to real-time as possible .............................................................70
11) Use redundant hardware and software options wherever possible (e.g. RAID, hot failover servers,
alternative ISPs, alternative firewalls, etc.) ...............................................................................................70
12) Physical solutions like fire suppression environmental monitoring and access control are
implemented. .............................................................................................................................................70
13) Standardize the setups / configurations of all hardware, software and network components, and
where possible create scripts to recreate those setups / configurations .....................................................70
14) Document all changes to system and application configurations, patches, versions etc. using
proper change control................................................................................................................................70
15) Perform systematic scheduled restores that verify Tape or backup media integrity.............. Error!
Bookmark not defined.
16) Ensure the whole process is documented and can be followed by non-technical personnel. ........70
17) Use UPS backup power supply options for all servers, and any critical PCs ................................70
18) Ensure that Intrusion Detection Software, Intrusion Prevention Software and / or good Firewall
software is in place to ensure that hackers are either prevented from accessing systems, or are detected as
soon as they access them. Ensure that the alerts from such software are taken seriously, reviewed and
are followed up by key staff. .....................................................................................................................70
5.20 People-specific Considerations .......................................................................................................70
1) Reducing Impact of Personnel Loss ..............................................................................................71

of 116
2) Reducing Impact of Perceived Events...........................................................................................71
5.21 Third Party Considerations............................................................................................................72
5.22 Sample Plans ....................................................................................................................................73
6 MAINTAINING, TESTING AND AUDITING YOUR PLAN ...........................74
6.1 Testing Plan......................................................................................................................................74
1) Planning.........................................................................................................................................74
2) Test Execution...............................................................................................................................75
3) Evaluating testing ..........................................................................................................................75
4) Frequency of testing ......................................................................................................................75
6.2 Proposed Testing Scenarios ............................................................................................................75
1) Scenario 1 ......................................................................................................................................75
2) Scenario 2 ......................................................................................................................................76
3) Scenario 3 ......................................................................................................................................76
4) Scenario 3 ......................................................................................................................................76
6.3 Auditing/Testing Documentation ...................................................................................................76
1) Evaluating Backup and Recovery Strategy Documentation ..........................................................77
2) Evaluating SLAs............................................................................................................................78
6.4 Training............................................................................................................................................80
6.5 Review / Maintenance Process........................................................................................................80
6.6 Change Control/Version Control ...................................................................................................82
7 FRAMEWORKS, METHODOLOGIES, TOOLS AND SERVICES................83
7.1 Why use a Framework/Methodology?...........................................................................................83
7.2 Which Framework/Methodology? .................................................................................................83
1) ITIL ...............................................................................................................................................83
2) COBRA .........................................................................................................................................84
3) NIST Risk Management Guide for IT Systems.............................................................................84
4) OCTAVE.......................................................................................................................................84
5) Six Sigma.......................................................................................................................................84
6) FISCAM (Federal Information System Controls Audit Manual) ..................................................84
FISCAM offers guidance to auditors of Federal Agencies’ systems in terms of integrity, confidentiality
and availability. Section 3.6 goes into great detail about the requirements for service continuity and
provides a framework for use by Auditors to assess compliance. .............................................................84
7) Other Methodologies and Frameworks..........................................................................................84
7.3 Why use Tools?................................................................................................................................85
7.4 Which Tools? ...................................................................................................................................85
1) Risk Evaluation Tools ...................................................................................................................85
2) Self-Assessment Tools ..................................................................................................................85
3) Change Management Tools ...........................................................................................................85
4) Documentation Generators ............................................................................................................85

of 116
a) Policy and Procedure Generators.......................................................................................................85
b) SLA Generators.............................................................................................................................85
c) Questionnaire/Survey Generators......................................................................................................85
7.5 Which Services are Available? .......................................................................................................86
1) Web-based Services.......................................................................................................................86
2) Consultancy Services.....................................................................................................................86
3) Audits ............................................................................................................................................86
8 LEGISLATION, EXTERNAL STANDARDS AND THEIR EFFECTS ...........87
8.1 Legislation and Regulations in the US ...........................................................................................87
1) Sarbanes Oxley Act .......................................................................................................................87
2) HIPAA...........................................................................................................................................88
3) NASD ............................................................................................................................................88
4) GLBA ............................................................................................................................................88
5) Federal Information Security Act 2002 (FISM) ............................................................................88
6) OSHA 1970 (Occupational Safety and Health Administration) ....................................................88
7) Other relevant US legislation and regulations ...............................................................................89
 41 Code of Federal Regulations 101.20.103-4, Occupant Emergency Program, revised as of July 1,
2000...........................................................................................................................................................90
 36 Code of Federal Regulations, Part 1236, Management of Vital Records, revised as of July 1,
2000...........................................................................................................................................................90
 Presidential Decision Directive 67, Protection Against Unconventional Threats to the Homeland
and Americans Overseas, dated May 22,1998...........................................................................................90
 Homeland Security Presidential Directive 3, Homeland Security Advisory System, dated March 11,
2002...........................................................................................................................................................90
 Homeland Security Presidential Directive 5, Management of Domestic Incidents, dated February
28, 2003.....................................................................................................................................................90
 Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and
Protection, dated December 17, 2003........................................................................................................90
 Homeland Security Presidential Directive 8, National Preparedness, dated December 17, 2003 .....90
 Federal Preparedness Circular 60, Continuity of the Executive Branch of the Federal.....................90
 Government at the Headquarters Level During National Security Emergencies, dated November 20,
1990...........................................................................................................................................................90
8.2 Legislation in the UK.......................................................................................................................91
1) The UK Civil Contingencies Bill ..................................................................................................91
2) Data Protection Legislation ...........................................................................................................92
8.3 Other Legislation and Directives....................................................................................................92
1) EU Data Protection Directive 1995 ...............................................................................................92
2) WTO Government Procurement Agreement .................................................................................92
3) PIPEDA (Canada)..........................................................................................................................92
4) Singapore BC/DR Standard...........................................................................................................92
8.4 External Standards..........................................................................................................................93
1) ISO.................................................................................................................................................93
a) ISO17799 ( BS7799) standard mandates that in order to comply an organization must have solid
Business Continuity Management, and must take measures to: ................................................................93
 prevent loss, damage or compromise of assets and interruption of business.....................................93
 prevent compromise or theft of information and information processing facilities...........................93
 prevent loss, modification or misuse of user data in application systems..........................................93

of 116
 protect the confidentiality, authenticity and integrity of information ................................................93
 reduce risks of human error, theft, fraud or misuse of facilities ........................................................93
b) ISO9001 standard mandates Quality Management requirements of IT systems, including dictating
that the Business Continuity process is well-documented, personnel are trained effectively, etc. ............93
2) BSI PAS 56....................................................................................................................................93
3) BSI5000.........................................................................................................................................93
4) FIPS-PUB-87 Guidelines for Automated Data Processing Contingency Planning .......................93
5) ISF Standard for Information Security ..........................................................................................94
6) Visa CISP (Cardholder Information Security Program) and PCI (Payment Card Industry)
requirements ..............................................................................................................................................94
7) Other Standards .............................................................................................................................95
9 USEFUL RESOURCES................................................................................96
9.1 Websites............................................................................................................................................96
1) General ..........................................................................................................................................96
2) Guides and Templates ...................................................................................................................97
3) Risk Management/Impact Analysis...............................................................................................98
4) Training and Certification..............................................................................................................98
5) Change Management .....................................................................................................................99
6) Methodologies ...............................................................................................................................99
7) Tools..............................................................................................................................................99
8) Standards and Legislation............................................................................................................100
9) Useful Other Sites........................................................................................................................100
9.2 Papers .............................................................................................................................................101
9.3 Books...............................................................................................................................................101
10 SPECIFIC REFERENCES.......................................................................103
10.1 Retail / Supply Chain BCP ...........................................................................................................103
10.2 Banking / Finance Industry BCP .................................................................................................103
10.3 Human Security Issues..................................................................................................................103
10.4 IT Security Issues ..........................................................................................................................103
10.5 Database Recovery ........................................................................................................................104

of 116
Acknowledgements
Michelle Sollicito would like to say thank you to all the friends and colleagues from Yahoo!, Earthlink,
Schlumberger Sema, Accenture, and other large companies for providing input, advice and support to help
me in completing this book.
About the Authors
Michelle Sollicito is an Ebusiness Consultant with Exceptiona.com in Atlanta Georgia. She has 16 years
IT and Ebusiness experience gained with many organizations across the world, having lived in the UK,
New Zealand and now in the USA.
Who is This Book For?
“Business Survival – a Guide to Business Continuity Planning and Disaster Recovery” is for experienced
and inexperienced, technical, and non-technical personnel who are interested in the need for Business
Continuity Planning within their organizations.
These personnel include:
 Senior and Executive management, the decision-makers who make budgetary decisions
 Business Continuity Managers and their teams
 Chief Information Officers, who ensure the implementation of the Disaster Recovery elements of
the Business Continuity Plan and play a large role in (and perhaps even manage or oversee) the
Business Continuity Process
 The IT security program manager, who implements the security program
 IT managers and system owners of system software and/or hardware used to support IT functions.
 Information owners of data stored, processed, and transmitted by the IT systems
 Business Unit owners and managers who are responsible for the way in which their own unit fits
into the overall Business Continuity Plan, but especially
o Facilities Managers, who are responsible for the way the buildings are evacuated and
secured, providing floor plans and information to Emergency Services, etc.
o Human Resources Managers who are responsible for the “people” elements of the
Business Continuity Plan
o Communications and PR Managers who are responsible for the communications policies
that form part of the Business Continuity Plan
 Technical support personnel (e.g. network, system, application, and database administrators;
computer specialists; data security analysts), who manage and administer security for the IT
systems
 Information system auditors, who audit IT systems
 IT consultants, who support clients in developing, implementing and testing their Business
Continuity Plans

3
BUSINESS SURVIVAL
A Guide to Business Continuity
Planning and Disaster Recovery

of 116
The driver for Business Continuity Planning should take into consideration natural disasters and
internal security breaches as well as Terrorism! Gartner 2002
1 What is Business Continuity Planning?
With the emergence of the internet as a place for doing business 24 hours per day, 365 days per year, it is
more and more important that organizations are able to continue to operate when unexpected events occur.
The events of 9/11 showed how deeply unexpected events can affect whole industries such as the Financial
Industry and the Airline industry, and the knock-on effect this kind of event can have across the whole
economy of the United States.
However, even in the midst of such a catastrophic disaster, Dow Jones and Co, publisher of The Wall
Street Journal, located very close to the World Trade Center, enacted its Business Continuity Plan so
effectively that it was able to provide its readers with the newspaper the very next day, despite having to
relocate all its editors, reporters and support personnel to alternate offices and installing 100 pcs at the new
location!
The tsunami of Christmas 2004 (and before that, the power blackout in New York, and the rolling
blackouts in California) showed the potential for disasters to affect whole regions at a time.
The Enron and Worldcom scandals (amongst others) illustrated how deeply companies can be affected by
bad PR events.
Taking into account all of these facts, the Federal US Government, investors, as well as many of the
organizations governing industry standards and regulations, recognized the need for improved Business
Continuity measures and increased controls to help prevent the impact of events such as these.
As a result, organizations (especially those in the United States) are coming under increasing pressure to
produce effective Business Continuity Planning measures in order to reduce/mitigate risks.
Many organizations had Disaster Recovery Plans already in place and assumed that these were sufficient to
meet the requirements of new laws, regulations and conformance requirements. However, they have now
discovered that Business Continuity Planning is about much more than simply ensuring that computer
systems come back up quickly and effectively after a disaster.
So, what exactly is the difference between Business Continuity Planning and Disaster Recovery Planning?
1.1 Business Continuity Planning Defined
Business continuity planning is concerned with optimizing organizational resilience.
As such, it is a business function aimed at developing, documenting and integrating procedures, processes
and technologies in order that in the event of a disaster, critical business functions can continue with
minimal disruption or downtime, providing at least the minimum level of acceptable service, while the
remainder of the organization is restored to “business as usual” status.
Business Continuity Planning (or BCP) is all-encompassing. It is the responsibility of each department or
business function to define the restoration requirements essential to continuing its operations as part of

of 116
Business Continuity Planning, and thus BCP encompasses the complete restoration process required across
the whole organization, not only the IT systems.
Likewise, Business Continuity Planning should consider all kinds of disasters – natural ones (e.g. those
caused by flood or earthquake), system failures (e.g. caused by hardware failure or software failure) and all
other types of disasters (e.g. those caused by caused intentionally by viruses, hackers or terrorism or those
caused accidentally by fire, accidents etc.).
BCP does include IT recovery plans (Disaster Recovery), but also considers other aspects such as
communications, buildings, stationery, office equipment, water supplies, electrical supplies, etc. Done
properly, BCP is more about creating a Business Continuity culture rather than simply specifying a set of
procedures to follow in the event of an emergency.
In order to avoid some of the political issues commonly experienced within organizations having a Disaster
Recovery team and a Business Continuity team, it should be made very clear that the Disaster Recovery
team reports to the Business Continuity manager and is just one team making up the Business Continuity
team.
1.2 Disaster Recovery Defined
Disaster Recovery, however, is a subset of Business Continuity Management and is primarily an IT
function, aimed at restoring the organization’s IT systems to “business as usual” status in as efficient a
manner as possible.
Disaster Recovery Plans document the actions required to restore systems and data after a disaster or an
outage in such a way as to prevent, or at the least minimize, the impact that the disaster or outage has on the
organization.
Disaster Recovery Plans typically also document any precautions taken to minimize the effects of a disaster
or outage.
The key difference between Business Continuity Planning and Disaster Recovery is that BCP is proactive
(its aim is to avoid or mitigate the impact of a risk), whereas Disaster Recovery is reactive (it aims to
restore the business after the risk occurs).
However, Disaster Recovery is an integral component of a Business Continuity plan.
1.3 Overall Steps
In order to successfully create a Business Continuity Plan and Process, there are a number of steps that
need to be taken.
1) Get Board approval
2) Determine scope
3) Carry out risk analysis / management (Business Impact Analysis)
4) Create a project plan and budget
 Establish a BCP group / team
 Establish a Steering Committee
5) Create the plan (overall document)
6) Gather / Create supporting documentation
7) Test / review /audit the plan and the process
8) Change Manage any changes made to the plan / process / documentation
9) Formally approve the plan
10) Return to 6

of 116
2 Convincing the Board
2.1 The Importance of Support from the Top
It is absolutely essential to gain top management approval and commitment to the development of a
Business Continuity Plan and Process. The aim of the BCP process is to create a Business Continuity
culture, to change the way that everyone in the organization thinks, and for a change of that magnitude, it
has to be perceived as being driven from the top downwards.
Without it, it will be almost impossible to motivate other players, who may see no direct financial return
from work carried out on such a plan. It will also be difficult to obtain resources and finances required to
make the Business Continuity Plan effective.
Luckily, corporate governance and preparedness is a hot topic in the Board Rooms of most organizations
these days, thanks to 9-11, Sarbanes Oxley Audits and public trials of corporate executives, so this should
make it much easier to gain the top-level approval required. Many companies are also already under
pressure to comply with international standards that require Business Continuity Plans as a key component
in the path to compliance.
The reason for the pressure to conform to corporate governance standards is, in essence, purely because
Business Continuity is good practice. Knowing that a BCP is in place reassures investors and potential
investors, employees and potential employees, customers and potential customers.
Some executives, however, will provide endless excuses for why they cannot commit resources to BCP
work – lack of time, resources and/or money being the most common excuse1
.
The best way to gain commitment from such executives is to ask probing questions about their level of
confidence in the event of a disaster – ask them how confident they are that the company’s vital records are
well protected, or how confident they are that a determined hacker could not get into the company’s
systems.
Ask them how much it would cost their organization (in terms of financial costs, as well as in terms of
consumer and investor confidence) if a key system went down for two weeks, and ask how sure they are
that this could never happen.
Ask them how confident they would be about producing the Year End Accounts if their CFO befell an
unfortunate accident a week before Accounts Close.
Point out that these days, an organization that does not provide at least a minimum level of service to its
clients (and /or business partners) following a disaster may not have a business worth recovering!
Customers are just one click away from a competitor in many cases, and, of course, if business partners
find out that they can function without your organization for one day, they may decide they can function
without you for longer!
This approach is likely to increase their attention level dramatically!
1
http://www.exceptiona.com/displaycategoryitems.asp?ArticleId=155 Ostrich Syndrome

of 116
For more information on how the Board can be convinced of the necessity of a BCP plan, see Whats Wrong
With BCP? CPM's Advisory Board Sounds Off On the State of the Industry, Paul Kirvan
http://www.contingencyplanning.com/archives/2003/janfeb/1.aspx
2.2 Explaining Why it’s so Important
The US Federal government recognizes the impact upon the economy of organizations having insufficient
Business Continuity measures in place, and hence is putting increased pressure on organizations to put into
place (and to test) business continuity plans to reduce the impact on the economy, industry and the public
of major disasters. Government Agencies must now have BCPs in place, and most large organizations are
affected by one of the laws/regulations requiring that a BCP be in place now, or in the near future – such as
HIPAA2
and the Sarbanes Oxley Act3
.
Increasing emphasis on Corporate Governance means that key stakeholders are insisting upon effective
Disaster Recovery / Business Continuity Plans. This is because suppliers, employees, business partners,
shareholders and potential investors are acutely aware of the potential financial impact of not having such
plans – not only in terms of real financial losses, but also the potential loss of customers, poor public
image, falling share prices etc.
Not only is it a good idea to have an effective BCP to keep stakeholders’ minds at rest, but Business
continuity plans can be shown to be an excellent return on investment - research has shown that
organizations have a much better chance of remaining in business and suffering significantly fewer costs as
a result of a disruption if they have a Business Continuity Plan. Further, the alternative to having a BCP
can be financial ruin.
One study suggests that any organization that suffers a computer outage lasting more than 10 days never
fully recovers, and that 50% of such companies go out of business within 5 years of such an incident.4
Disaster Recovery Institute International (www.drii.org) research shows that –
 More than 75% of US businesses have experienced some type of interruption
 More than 80% of small businesses experiencing business interruptions go out of business
within 5 years
 93% of all organizations who experienced a disaster with no recovery plan in place closed
within five years
 50% of companies that lost critical business functions for more than ten days never recovered
 the average cost of business and system downtime for Fortune 500 companies, is $96,000 per
minute.
Despite these figures, IDC found that although 80% of large companies have a BCP plan or process
underway, only 40-45% of small companies do.
Part of the reason that more companies do not have BCP plans in place is because there is clearly a
mismatch in communication between the IT function and Business functions within many organizations –
A Roper study shoed that while 52% of IT executives believe that their organizations are very vulnerable to
the possibility of losing critical data, only 14% of business executives in the same organizations were aware
of this vulnerability.
There are many other compelling reasons for creating an effective Business Continuity Plan
2
http://www.hipaadvisory.com/action/notes/vol3/may03.htm HIPAA and Business Continuity/Disaster Recovery Planning
3
http://www.itpapers.com/abstract.aspx?cid=66&docid=83814 Sarbanes Oxley and BCP
4
Jon Toiga, Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems, (Yourdon Press, 1989)

of 116
Disasters are by their very nature, unexpected. They tend to occur at the most inconvenient times – the one
week in the year when all the experts on the critical systems are away at a seminar, the day after the most
recent system backup failed, just before “close” for End of Year Accounting functions, at the end of a long
day when all the network engineers are tired and confused.
Effective Business Continuity Planning enables all the key players to think carefully through all the
possible scenarios and determine the best way to tackle each, and then to document these in such a way that
the most tired, confused, inexperienced team member knows what is expected of him or her in each
situation.
Having an effective Business Continuity Plan ensures that a great deal of the critical employee knowledge
and expertise is captured on paper in policies, procedures and plans. This protects the organization in the
event of employee absenteeism and resignation, and reduces training costs when replacing critical
employees.
Compliance with many internationally recognized standards (e.g. ISO1799) - increasingly of great
importance to many organizations throughout all sectors of trade, industry and government (many
government agencies and organizations will not enter into contracts with companies who are not compliant
with one or other of the required standards) - requires appropriate business continuity management and
planning.
Furthermore, many organizations decide to implement BCP planning measures independent of any external
pressures from trade, industry and government, because of factors such as
 Increasing dependency over recent years on computerization, leading to an increased risk of loss
of normal business operations
 Increased security threats to IT systems (including viruses, hackers, trojan horses etc.)
 Increased recognition of the impact that a serious incident could have on the business (and even
the whole industry/economy) in the light of events such as Y2k, 911, the New York power outage
(August 2003), the Rolling blackouts in California (2001), etc.
If the Board still doesn’t “get it” once you have listed all these reasons that Business Continuity Planning is
so important, it is time to get out your list of issues that you have found within the organization that could
cause potentially huge losses or embarrassment.
For example
 A critical business function located on the ground floor of a building that is built within a
flood plain
 Firewalls that are being bypassed, meaning that hackers could potentially gain direct access to
the systems containing credit card data
 UPS backup power systems that are not maintained and therefore will not operate in the event
of power outages
 Change management procedures being bypassed so that it would be impossible to recreate the
software set up on key web servers if one of them was lost due to hardware failure
 A failover site that uses the same ISP as the main sites, so that in the event of ISP failure
neither site would be operational
 SLAs that are out of date or insufficient to protect the business against loss of service
64-70% of business that have major fires never recover. The primary reason for failure is the loss of vital
business records. (Broder 1999)

of 116
Also, point out that research shows that
 The Power Grid in the US, built in the 19th
Century, is not able to support 21st
Century load
effectively
 Demand for premium power will grow from 10% to 50% by 2010
 The New York blackout and the Rolling Blackouts in California may be symptoms of this
problem
 More and more organizations are looking at backup power options
 Software bugs cost business $60billion per year
 Ecommerce/ebusiness increasingly requires 24 x 7 x 365 availability of many systems
In 1999, a large US candy manufacturer missed candy deliveries worth approximately $200 million
because of system glitches in its new $112 million computer system.
An online trading company lost $2.5 billion in market value when its system crashed.

of 116
3 Defining Scope
Assuming that the Board gives approval for the creation of a Business Continuity Process / Plan to be
developed, the first stage is to define the scope. Many BCP planners have skipped this step to their peril,
perhaps assuming that it is “obvious” what is within scope and what is not in scope. However, it is often
not until the detail is examined that it becomes clear how important scoping is within any BCP exercise.
An essential for the scoping phase of any BCP process is a database to contain all the lists that will be
obtained during this phase and then expanded upon and updated/maintained later in the process. Ensure
that this database is secure, is regularly backed up, its contents are available to authorized staff only within
the intranet, and that the BCP team and other authorized parties get an updated paper copy of all relevant
lists from that database regularly. Also, ensure that the backup of that database as well as the paper copies
are stored at multiple sites, including in a fireproof safe offsite at a document storage facility. It would be
most embarrassing for the BCP team not to be able to function during a crisis because they did not have
access to their own database, or information stored in it!
As a minimum, the BCP should cover all business processes within the organization – not only IT systems,
but also communications, business information, production, sales, accounts, customer service and public
relations etc. However, consideration should be given to which systems and sites span across
organizational boundaries, and which of these should be taken into account during the scoping exercise.
This chapter provides a guide to ascertaining which sites, systems etc. to consider when making scoping
decisions.
3.1 Which Sites?
For example, it is important to get a complete list of all sites that contain systems or personnel owned by or
related to the organization in any way. Start by assuming that all are in scope, and only eliminate sites
when you are sure that they are not in scope.
While it may be obvious that sites such as the organizational Headquarters, the Data Center Site and any
offices, warehouses and retail outlets owned by the organization should be included, sites that some
organizations might overlook if this approach were not taken include
 Homes of employees who work from home some or all of the time
 Business Partner sites (the sites of Suppliers, Wholesalers, even some Customers)
 Offshore Outsourcing centers
 Failover sites (it is amazing how many organizations assume that Failover sites will always be
operational and available, no matter when an emergency might materialize, and therefore
eliminate these from the scope of their Business Continuity Plans!)
 Banks/Financial Institutions (how would your organization operate if its main source of finance
were not operational for a few days?)
 The sites of Utilities on which the business is dependent
 Offsite storage facilities for backup media
Once a list of all sites exists within your BCP database, the sites should be prioritized according to
criticality - e.g. the Data Center may be a criticality level 1 site, whereas the Bonded Warehouse may be a
criticality level 5 site.
3.2 Which Systems?

of 116
A clear definition of which systems are covered within the Business Continuity Process is needed because
so many owners of smaller systems will otherwise assume that their system is not significant enough to
warrant inclusion.
It is often obvious that the larger IT systems should be included within scope however, the inavailability of
the smallest, single user spreadsheet just before the Accounts are due to close can potentially cause big
problems for an organization, so overlook nothing!
Also it is vital to consider systems that are not owned by the organization (and possibly located offsite) –
especially nowadays, with so many organizations reliant upon external systems for their own survival – e.g.
credit card software/shopping carts, business to business marketplaces/exchanges, bank automated
clearance systems, etc. The impact of losing access to these kinds of systems can be huge on an
organization, even for a short period of time, so examining SLAs and Failover options for those systems is
crucial to BCP planning.
Interdependencies between all systems (both internal and external) need to be clearly understood before it
can be determined that any system is not within scope.
It is also important to take into account that systems consist of many components, and each component is
within scope.
 Hardware (servers, network cables, routers, hubs, firewalls, etc.)
 Software (operating system software, system administration software, networking software,
database software, application software, office automation software, web server software, custom
software, packaged software, all single user software, spreadsheets, all development and test code
used to create any of these in house, etc.)
 Interfaces with other systems
 Data and information
It is easy to forget (or not realize) how interdependent these components often are, so it is key to identify
interdependencies clearly also. For example, in some organizations, if a key firewall, proxy or router goes
down, access to most of the organization’s systems is no longer available.
As input to the process of determining which systems and components are in scope, use network topology
diagrams, system architecture diagrams, etc. and be sure they are kept up-to-date with all the latest changes.
A wealth of automated scanning tools are available these days to enable you to double-check that the list of
systems you have identified is truly the full list – it is very easy to miss systems when carrying out a system
audit. Some tools are aimed at scanning routers and firewalls to identify all that are operational, while
some are aimed at scanning each PC or Server to find out which applications are installed (remember that
in many organizations, PC owners can install software on their own PCs without informing the Technical
Support personnel, especially by downloading from the internet).
List all systems in terms of priority/criticality within your BCP database, remembering that some systems
that may not seem to be critical may need to be brought up before critical systems can become operational,
due to interdependencies.
3.3 Which Departments/Business Functions?
Of course it is easy to say that all departments and business functions should be part of the Business
Continuity Planning Process, and so they should. However, it is important to recognize that some
departments will be more involved than others, while some will simply provide input to the process in
terms of which systems are essential to their continued operations.

of 116
Recognize that some parts of the business may have a lot of the information needed for the BCP process
already at their fingertips - many organizations nowadays have an Internal Audit department (especially in
the US, since the Sarbanes Oxley laws have become operational) - and this department may have already
done a great deal of the legwork involved in obtaining lists of key systems, personnel and contact
information, as well as lots of useful documentation – procedures, guidelines and standards.
They may also have already identified some areas of BCP/DR which are weak within the company. All
this information will be very useful in reducing the workload of the BCP/DR team, and having the
information to hand will also help to prevent bad feeling within the company arising from two different
departments asking for exactly the same information!
Encourage team working, and lots of cross-communication and sharing of information with such a
department if your organization has one.
Of course, the IT department is another key ally essential to the success of the BCP effort. In most
organizations, a great number of the concerns of the BCP team are already concerns that have been
considered by the IT department in some detail, and it is likely that the IT department will already have
established Disaster Recovery plans and procedures, Failover sites for the IT department and Failover
hardware and software options for key IT systems. Learn everything you can from the IT department and
be sure to foster a close relationship – there is nothing more likely to make a BCP effort fail than a poor
relationship between the BCP team and the IT department.
List all departments and business functions and order them by priority (in order of importance to the
organization) within your BCP database.
Areas to be considered could include:
 Ecommerce processes
 Email-based communications
 Other online real-time customer services
 Production line / processes
 Quality control mechanisms
 Customer service handling
 Sales / sales admin
 Finance / treasury
 Research / development
 Maintenance and support services
 Information technology services
 Premises (Head Office and branches)
 Marketing
 Public Relations
 Accounting and reporting
 Strategic and business planning activities
 Internal audit
 Human resources management

of 116
3.4 Which Personnel?
It is often best to allow the Business Functions or Departments to elect representatives to be involved in the
BCP effort from amongst themselves. However, there are some key players who really need to play some
part in the team.
At least one Board Member should have day-to-day knowledge about the work on the BCP effort, so that
the team has the full authority it needs in order to carry out its mission. In addition, at least one legal expert
is required in order to advise on laws which must be conformed to, and to help when examining contracts
and SLAs to explain the implications of different clauses within them.
The Emergency Operations Center Management team (or Help Desk in a smaller organization) should be
fully involved with all aspects of the BCP as it is their staff who will be implementing many of the
procedures in an emergency, and who will be the first point of contact in a disaster.
Ensure that for each department/business function listed within the BCP database, there are at least two
contact names/numbers (preferably each from a different site if possible) who are aware of the BCP
process.
It is imperative that one person is elected to be responsible overall for the BCP team, plan and process, and
is given full authority as BCP Manager. However, this person should have a strong backup partner
(preferably based at a different location) who is fully aware of all aspects of the BCP in case the BCP
Manager is unavailable.
This person must have full-time responsibility for the BCP plan and process in order to be most effective,
someone who is free from other responsibilities and who has the authority to confront other managers when
necessary.
3.5 Business Partner Relationships
From time to time it will be necessary to involve business partners in the BCP process. In some cases, this
will be purely to inform them of alternative contact numbers and locations in case of emergency or disaster.
However, in other cases, business partners may play a key role in getting the organization back up and
running – for example, if the business partner provides or shares a key system.
In the Ebusiness world, the boundaries between organizations is becoming more and more blurred – with
many companies involved in Joint Ventures, many organizations opening up a great deal of their IT
Infrastructure to one another via Extranets and public websites, and with many business processes crossing
organization boundaries. As organizations depend more and more upon the extended value chain of all
their business partners in order to produce a product or service, business partners become more crucial to
the overall Business Continuity of each organization. The BCP team should be aware of this, and be sure
to include Business Partners is whichever aspects of the BCP process are relevant to them.
A good way to determine which business partners the BCP team may need to focus on, is by sending out a
questionnaire to all Business Partners/Vendors such as the one below.

of 116
For more ideas on third party questionnaires see the sample questionnaire provided at DRJ.com
http://www.drj.com/eab/q&a/bcpvendorquestions.doc
It should be mandatory that critical business partners, such as Banks, Financial Institutions, etc. have their
own “real” BCP plan – the organization should seriously consider the option of changing business partners
if one does not exist. In the US, public companies under the scrutiny of Sarbanes Oxley Auditors often
require SAS70s or other documentation (e.g. Systrust certification) to reduce the risk of critical business
partners having inadequate Business Continuity and Systems Management.
List all the organization’s business partners. Take into account Banks and Financial Institutions, Corporate
Customers, Suppliers/Vendors, ISPs, Wholesalers, any Business to Business (EBusiness) partners,
Auditors, Consultants etc. Ensure that their contact details are kept fully up to date in your BCP database.
Recognize that your organization may be required to provide reassurance to its business partners also.
More and more organizations are becoming acutely aware of how dependent they are upon their business
partners and are requiring periodic testing of business continuity or disaster recovery exercises. For
example, in the Financial Sector, the Nasdaq Stock Market (and SIA) currently requires members to
participate in such tests, see http://www.continuitycentral.com/news0894.htm.
Third Party Questionnaire on BCP
1. Has your organization recently (in the past year) been audited by an External
Auditor for any of the following standards? SAS70? Visa CISP? Sarbanes Oxley?
Yes/No
If yes, please provide the Auditor’s report or a copy of the Certificate.
2. Does your organization have a fully documented Business Continuity Plan or
Disaster Recovery Plan? Yes/No
If you answered No, please go to question 5.
3. Does your organization have a process to support the Business Continuity Plan /
Disaster Recovery Plan, which ensures that changes to the business or systems are
constantly assessed to determine whether or not the BCP needs to change?
4. Does your Business Continuity Plan / Disaster Recovery Plan cover:
•all sites?
•all business functions?
•all IT systems?
•emergency evacuation procedures?
•alternate site arrangements?
•data backup and recovery policy (including offsite storage of key data)?
•a number of different types of incident / disaster scenarios?
5. Please provide key contact information in the event of an emergency or incident.
6. Please provide the name, position and contact info of the person responsible for
BCP within your organization

of 116
3.6 Which Types of Disasters and Risks?
At this point most disasters and disaster types should be considered to be in scope. It may be that your
organization determines that some potential disasters are excluded because they are so unlikely (e.g.
nuclear war, terrorist bomb), but if that decision is made, it is important to get sign off at Board level of any
threats that are excluded from scope.
3.7 Which Legislation/Standards need to be considered?
An initial meeting with the Board, IT Management and the Legal Department should identify most
legislative requirements, and standards the organization wishes to comply with, the most common being
HIPAA, Sarbanes Oxley, Visa CISP and Data Protection Act laws. However, anticipate others cropping up
during your investigations, especially if your organization is a government agency, financial institution or
in the Health industry.
3.8 Interaction with Other Organizations
Before determining the scope of your own incident response plans, it is important to know how local
authorities and government agencies will respond to incidents and how your organization should fit into the
overall picture.
There are a number of resources on the web to help you to assess how to respond to various different types
of incident, including bioterrorist incidents, disease outbreaks, natural disasters etc. Some useful resources
are listed here:
http://www.riskinstitute.org/ptrdocs/LocalGovernmentPreparationforBioterroristActs.pdf
Local Government Preparation for Bioterrorist Acts
http://www.bt.cdc.gov/Planning/
Public Health Emergency Preparedness and Response, CDC
http://www.fema.gov/library/bizindex.shtm
Emergency Management Guide for Business and Industry, FEMA
http://www.disastercenter.com/terror.htm
Counter-Terrorism – Terrorism and Security Information
http://www.cj.msu.edu/%7Eoutreach/CIP/CIP.pdf
Critical Incident Protocol – a Public and Private Partnership, Michigan State Uni
http://europa.eu.int/comm/environment/civil/pdfdocs/commission.pdf
European Union Strategy on Prevention, Preparedness, and Response to Natural, Man-made and other risks
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0566.xml
National Response Plan (Dept Homeland Security)
3.9 Gap Analysis
Which parts of the BCP are already in place, are not in place, and which parts need defining more clearly?
Review current policies and procedures and meet with key personnel to determine what needs to be done.
Work closely with the Internal Audit department in ascertaining the current situation - Internal Audit
departments should have a fairly clear idea of what is already in place, and what is missing.

of 116
In many organizations, Disaster Recovery procedures are already defined but Business Continuity Plans are
not.
Knowing what already exists ahead of starting the BCP process can reduce workload and frustration!
A good way of determining the current position is by using questionnaires to gather initial information.
Some sample questionnaires are given below.
3.10 Questionnaires
Some useful fact-gathering questionnaires to use when trying to identify scope, and attempting to determine
the current position within the company are provided below.

of 116
Questionnaire for Top Executives
1. Does your organization have a Business Continuity Plan in place? Yes/No
(if you answered No, go to question 5)
2. When was the Business Continuity Plan last tested?
3. Who is responsible for the Business Continuity Plan?
4. What is the most recent date on which the BCP was updated, reviewed, approved
and released?
a) Most recent six months
b) Most recent year
c) More than one year ago
5. If a 9/11 type event wiped out your whole data center today, what is your
confidence level that the organization would survive?
a) Low
b) Medium
c) High
6. When was the most recent Business Impact analysis/Risk analysis exercise
carried out?
a) Most recent six months
b) Most recent year
c) More than one year ago
7. Has your organization quantified the risks you face in financial terms? If yes,
please give details of documentation or contacts for further questions in this area
Y/N _______________________________________________________________
8. Has your organization prioritized systems and business functions according to
their criticality to business continuity? If yes, please give details of documentation
or contacts for further questions in this area Y/N
___________________________________________________________________

of 116
Questionnaire for Top Executives Pt 2
9. Has your organization determined maximum tolerable outage times for each of
the INTERNAL systems used by your organization? If yes, please give details of
documentation or contacts for further questions in this area Y/N
___________________________________________________________________
10. Has your organization determined maximum tolerable outage times for each of
the EXTERNAL systems used by your organization? If yes, please give details of
documentation or contacts for further questions in this area Y/N
___________________________________________________________________
11. Does your organization have SLAs with third parties documenting these
maximum tolerable outage times? If yes, please give details of documentation or
contacts for further questions in this area Y/N
___________________________________________________________________
12. Does your organization have an alternate site to use for systems and / or business
functions in the event of an incident (a hot site, cold site, or reciprocal agreement)?
If yes, please give details of documentation or contacts for further questions in this
area Y/N
___________________________________________________________________
13. Are names and numbers in contact lists updated regularly and redistributed in
paper form? Y/N
14. Is there a published Security Policy which is given to every new member of staff
– whether permanent or contract?

of 116
Questionnaire For Data Center Management
1. Which of the following physical security measures exist to protect the Data
Center?
•No windows / no windows that allow viewing of the inside of the Data Center?
•No signs advertising the fact that the Data Center is a Data Center?
•No access to the building through any door apart from the main door without an
access card and pin number?
•Security Guards on duty 24 hours per day?
•Closed circuit TV, monitored by Security 24 hours per day?
•Access control keypads requiring a pin to be entered and a security card to be
swiped before gaining access to secure areas?
•Access control lists indicating staff who are allowed to access different parts of
the building
•All Emergency exits are always clear and open?
•Alarm systems – both automated (fire detection, smoke detection, flood
detection) and manual?
•Are sprinkler systems in place where appropriate?
•Are air conditioning systems checked regularly?
•ID badges must be worn by all employees at all times?
•Are clear evacuation routes posted on all notice boards and at key locations?
•Are all visitors required to sign in and out and to be accompanied at all times by
authorized personnel?
•Located away from rail lines, airports, chemical plants, and other hazardous
locations?
2. Which of the following security procedures are in place to protect the Data
Center?
•Are fire drills / evacuation drills carried out regularly?
•Is the fire detection and extinguishing equipment tested / inspected regularly
(past 6 months)?
•Are all occupants trained in emergency procedures and security procedures?
•Is there a written termination procedure that includes a checklist of items to be
returned to the company, such as keys, ID badges, card access, etc.?
•Is there a policy to challenge visitors who are unknown, not accompanied, not
wearing a badge?
•Is there a no tailgating policy ensuring that employees do not hold the door open
for anyone they do not know is authorized to enter the building?
•Is this procedure followed by termination of all system access for the terminated
employee?
•Is there a no smoking, eating or drinking policy in effect in the most sensitive
areas of the Data Center?
3. Which of these further security measures are in place for protection of the Data
Center?
•Is one person responsible for Security of the Data Center?
•Is there a document / booklet of which all occupants are aware, providing
information about how to respond to different types of incidents? Bomb threats,
Fire, Security violations, power failures etc.?
•Are backup power generation facilities and UPS facilities on hot standby at all
times and available in case of power failure?
•Is backup air conditioning equipment available at all times?
•Is all computing equipment and all network components clearly
marked for identification purposes?
•Do all changes to the Data Center equipment, software, configuration
and layout require a full change management request and go through
full review before being implemented?

of 116
A good source of further questionnaire questions for different groups involved in Business Continuity is
provided at http://www.drj.com/articles/drpall.html within the sample Disaster Recovery Plan.

of 116
4 Risk Management5
Risk Management is defined as “the process of identifying risk, assessing risk and taking steps to reduce
risk to an acceptable level”6
. This is an ongoing process, and aims to continually identify, assess and
handle risks across the organization.
All organizations have to take risks in order to survive. In fact, the original definition of the term “Risk” is
simply “uncertainty of outcome”, and should neither imply positive nor negative impact. However, in day-
to-day use, the term has become synonymous with adverse outcomes and hence, will be used within that
context here.
Risk Management is about reducing the degree of “uncertainty” and reducing the number of surprises
involved in potential risks through more effective risk identification, mitigation and response as well as
more effective management of change, more efficient use of resources, and improved reporting and
communication within the organization.
Risk Management requires that:
 All risks are identified, especially the key risks to critical business functions
 Risks are quantified (in terms of probability and impact), and prioritized
 Risk tolerance levels are clearly defined
 Risks are allocated to the appropriate group / person
 Appropriate mitigation or risk responses are identified
 These responses and mitigation measures are reviewed for effectiveness
5
Some BCP practitioners (e.g. The Business Continuity Institute) prefer to call this phase of BCP
“Business Impact Analysis” and differentiate it from more traditional risk management and analysis. The
author believes the name is less important than understanding the process behind it.
6
as above

of 116
1. Identify Risks
5. Identify Risk Mitigation,
Reduction and Response
Measures
6. Evaluate Effectiveness
of Measures
4. Allocate Risks
to Appropriate Personnel
3. Define
Risk Tolerance levels
2. Quantify Risks
(probability, impact)
1) Identify Risks
The first stage in Risk Management is to identify which risks exist that could possibly affect the
organization. The initial risk assessment process should include a thorough review of all possible risks, but
once the Risk Management process is ongoing, this identification process can be the work of a “Risk
Council” which meets regularly (monthly?) with the remit of looking at all recent changes to the
organization, the systems used by the organization or the environment within which the organization
operates (e.g. new legislation, changes to the supply chain, etc.) and identifying any new risks that should
be considered. The Risk Council should gain its input from the Change Management processes within the
organization, but also from the head of each business function, whose responsibility it should be to identify
changes and report them to the Risk Council. All risks identified should be recorded in a central risk log
and monitored by the Risk Council.
2) Quantify Risks (Probability and Impact)
Once risks have been identified, they need to be given a priority. Two factors determine the priority
assigned to a risk – the probability that it will occur and the impact it will have on the organization if that
risk materializes.
3) Risk Tolerance Levels
Once risks are identified and quantified, it can be determined what the organization’s risk tolerance level is
with regard to each risk. For example, the organization may determine that it can tolerate up to 25 pcs
being infected with a virus. After that point, it may be necessary to invoke incident management
procedures such as shutting off access to the internet from the internal network.
4) Allocate Risks to Appropriate Personnel
It is important to make a team or an individual ultimately responsible for monitoring for each risk,
responding to it etc. For example the PC system administrator might be the appropriate person to monitor
for virus attacks and to respond appropriately to such attacks.

of 116
5) Risk Mitigation, Reduction and Response
Risk mitigation measures should be identified to determine to which extent the risk itself can be reduced or
eliminated, or to which extent the impact of the risk can be reduced or eliminated. For example, the risk of
a Virus Infection can be mitigated using Anti-virus software and Firewall software. In some cases, this
software can also provide automatic responses to infections, such as automatically “quarantining” infected
files, or preventing mail attachments from being opened if they are infected.
6) Evaluation of Effectiveness
The Risk Council should receive facts and figures indicating the effectiveness or otherwise of risk
mitigation / reduction measures put into place. These figures can be used to review the measures put into
place, and also to reassess the probability and impact figures used to assess the risk in the first place.
4.1 Benefits of Risk Assessment / Management
1) Cost Justification
Because Disaster Recovery Planning and Business Continuity Planning does not directly generate income,
it should be justified in financial terms. Risk assessment and impact analysis can be used to provide such
cost justification.
2) Facilitation of Communication between all departments in the Business
For example, Risk Assessment tends to get the IT Department talking to the rest of the business about their
requirements for availability, their most critical systems etc. It should not only direct appropriate
information/education at each group involved in disaster recovery/business continuity, but should play a
major role in enhancing the communication and understanding between each of these groups so that they
can work together more effectively – not only in the event of a disaster, but also in their normal day-to-day
business. It should bring all the groups involved closer together.
3) Business Responsibility
The Risk Assessment system should be simple enough to enable its use without IT or Security expertise.
Business Management should be able to take responsibility for their parts of the plan.
4) Business Continuity Awareness
Risk Assessment tends to make people more aware of the risks they face, and therefore is a good way to
gain commitment to the Business Continuity process. Widescale awareness of Business Continuity issues
enables everyone in the organization to know which role they should play in the event of a disaster, and
makes it a topic they will think about whenever changing anything that could impact the BCP (e.g.
hardware configuration, policy/strategy etc.).
4.2 Risk Identification
Risk identification is key to the BCP process. It is important to ensure that all parts of the organization
(including third parties, as appropriate, such as suppliers, customers, vendors etc.) are involved in
identifying risks to the organization and are very aware that risks can come from outside of the organization
(e.g. severe weather, earthquakes), from third party relationships (e.g. power failure) or inside of it (e.g.
internal employees hacking into systems).
Effective ways to identify such risks include:

of 116
 Interviews with Business Unit Managers
 Questionnaires
 Risk Surveys
 Network scanning tools
 Brainstorming sessions
 Scenario walkthroughs
 Audits (see http://www.informit.com/articles/article.asp?p=24608&redir=1 for an article on how
to carry out security audits)
A sample Risk Survey template is shown below:
Asset Risk Survey Template
Asset ID Asset
Name
Asset
Class
Threats Vulnerabilities Exposure
Level
(H,M,L)
Probability Existing
Controls
Missing
Controls
Ideally, Risk Assessment should aim to identify the 20% of risks that would have 80% of the potential
impact on the organization, as well as the 20% of risks that are most likely to occur, in order to use risk
management resources effectively.
In order to identify all the risks to an organization it is necessary to inventory all asset types and systems
and look at each one in turn with representatives of the users of those assets and/or systems.
Once all assets are identified, they can be categorized into groups / categories, which should include
tangible assets as well as non-tangible assets:
 Tangible assets
o Physical (e.g. buildings, equipment, hardware)
o Financial (e.g. currency, bank deposits, shares)
 Non-tangible assets (e.g. goodwill, reputation)

of 116
LowRiskISP has listed all of its assets and given each asset a rating according to how crucial it is to the
organization’s continuance. Listed here is a subset of its asset register:
Asset Class Subclass Asset Name Asset Rating
Tangible Physical infrastructure Data center 5
Tangible Physical infrastructure Servers 3
Tangible Physical infrastructure Routers 3
Tangible Physical infrastructure Network switches 3
Tangible Physical infrastructure PBXs 3
Tangible Physical infrastructure Uninterruptible power
supplies
3
Tangible Physical infrastructure Fire suppression
systems
3
Tangible Physical infrastructure Air conditioning
systems
3
Tangible Physical infrastructure Power supplies 3
Tangible Physical infrastructure Server application
software
2
Tangible Physical infrastructure End-user application
software
1
Tangible Physical infrastructure Development tools 1
Tangible Physical infrastructure End user PCs 1
Tangible Physical infrastructure Fax machines 1
Tangible Physical infrastructure Removable media (e.g.
tapes, floppy disks,
CD-ROMs, DVDs,
portable hard drives,
PC card storage
devices, USB storage
devices, etc.)
1
7
The following list of possible threats (some of which will be far more likely than others in your
organization) may help in determining which risks to the organization should be considered within the BCP
7
A useful list of common Information System Assets is provided by Microsoft at
http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/srappb.mspx

of 116
1) Environmental Disasters
 Fire
 Severe cold (or hot) weather or drought (especially a risk for Water Utilities)
 Tornadoes, Hurricanes, Storms, Strong winds, Snow, Floods
 Landslides
 Earthquakes, Volcanoes
 Disease/Epidemic
 Chemical Release or Contamination
 Other Environmental Hazards (pollution, radiation, toxic waste etc.)
2) Equipment/System Failure
 IT Equipment or System Failure
 Air conditioning failure (especially to the Server room)
 Telecoms Failure (many organizations ignore this possibility!)
 Non-IT Equipment failure
 Production line failure or Cooling plant failure, etc.
3) Serious Information Security Incidents
 Loss of records or data (especially a risk for credit card companies or financial institutions)
 Exposure of records or data (e.g. papers not shredded, read by outsiders, website bug allows
viewing of records or data)
 Disclosure of personal / sensitive information (e.g. credit card details, health information)
 Cyber crime (hacking, viruses, phishing etc. – particularly risky for ISPs, Ecommerce and
Ebusiness Organizations)
4) Organized/Deliberate Disruption
 Theft, Arson, or other action by a disgruntled employee
 Malicious / intentional Disruption or Sabotage
 Serious Information Security Incidents (e.g. a virus that takes down the network or deletes all
critical data)
 Terrorist bomb, plane crash, etc.
 Labor Dispute/Industrial Action/Strike
5) Loss of Utilities/Services
 Internal power failure (especially to the Server room)
 Electrical power failure
 Loss of water supply
 Loss of natural gas supply
 Loss of drainage or waste removal
 Gas/oil shortage (in the UK, the fuel crisis of 2000 brought the whole country to a standstill8
)
 Loss of communications (such as land or wireless telephone services, etc.)
6) Business Partners
 Loss of key shared IT systems
8
http://www.guardian.co.uk/oil/story/0%2C11319%2C1361836%2C00.html

of 116
 Business Partner going out of business altogether
 Natural disaster / Terrorism disaster or other serious disaster affecting business partner
 Loss of third party supplied services (for any reason):
o ASP or ISP hosting services
o Mail delivery services / package delivery services
o Warehousing facilities, logistics services, transport services
o Outsourced services (payroll, technical support, customer services etc.)
 Etc.
7) Other Emergency Situations
 Aircraft accident (especially a risk for an Airline)
 Other Major Accident / Explosion
 Nuclear war (or other act of war)
 Civil unrest or riot
 Workplace violence
 Disruption to public transport
 Negative PR
 Litigation and other legal problems
 Regulatory problems (some Health and Safety inspection problems can lead to an operation being
closed down!)
 Mergers/acquisitions (yes, the effects of these can be equivalent to a disaster!)
 Industry-wide problems 9
 Human error (often overlooked, but high on the list of risks causing system outages)
It should be clear that some of these risks may have interdependencies with one another. Also, recognize
that industries and organizations will have risks specific to their own environments. For example, in the
financial industry, some risks that might be identified include:
 Tax increases
 Inflation rates
 Exchange rates
 Political unrest
 New standards / guidelines / legislation
For more risks specific to the financial industry, see http://www.olovconsulting.com/project_risks.htm
All risks identified should be entered into the organizational Risk Log (or Risk Register). This should be
stored in the BCP database and maintained within it.
Having identified all risks, it is necessary to determine from the list above which are the top 10 priorities in
terms of disasters most likely to adversely affect the organization and to carefully analyze the possible
impact of each. This process is known as Risk Assessment (and, in this context, is sometimes known as
Business Impact Analysis).
9
Microsoft provides a useful list of common threats, see
http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/srappc.mspx

of 116
An imaginary organization, an ISP, “LowRiskISP”, has come up with the following possible risks that it is
concerned with:
Risk Type Risk Scenario
Environmental Fire
Flood
Disease
Cold
Strong wind/hurricane
Landslide
Chemical contamination
Equipment/system IT equipment or system failure
Air conditioning failure
Telecoms failure
Non-IT Equipment failure
Security Loss of records / data
Exposure of records / data
Disclosure of personal / sensitive
info
Hacking
Viruses
Phishing
Deliberate Disruption Theft
Arson
Terrorist bomb
Terrorist plane crash
Terrorist bioterror incident
Labor dispute
Utilities Internal power failure
Electricity power failure
Loss of water supply
Loss of natural gas supply
Loss of waste removal/drainage
Gas/oil shortage
Loss of all telecommunications
Business Partners Loss of shared IT Systems
Business Partner going out of
business
Natural disaster affecting
business partner
Terrorism disaster affecting
business partner
Loss of third party supplied
service
Other Human Error
Negative PR
Litigation issues
Major accident/incident

of 116
4.3 Risk Assessment
Risk assessment seeks to identify “the net negative impact of the exercise of a vulnerability, considering
both the probability and the impact of occurrence”10
and forms part of the Risk Management process.
Ideally, the objective of risk assessment is to:
 Translate damage predictions and impact predictions into financial terms if possible
 Illustrate, if possible, by way of a diagram, how impact increases over duration
Risk assessment (or Quantitative Risk Analysis) is the process by which risks are quantified to provide
management with useful information in assessing which events are most likely to occur and which are
likely to have the greatest impact on the business, should they do so.
The process takes into account the identified risks, the probability and frequency at which they are likely to
occur, and the impact financially on the organization if they do occur.
1) Cost Impact
Using the list of risks identified in 4.2 above, for each asset (or asset group), identify all the undesirable
events that could occur, and estimate how much of that asset’s value the organization would lose should it
occur to its fullest extent. It is a good idea to be aware of the minimum the organization is likely to lose,
given an event, as well as the maximum, in order to provide a more balanced assessment. It is also a good
idea to have a picture of how the cost rises over time (for example, if the disaster prevents a system from
being operational for 1 hour the cost will be far lower than if it is out of action for 1 day, and still less than
if it is out of action for a week or longer).
These estimates must take into account the loss of customer confidence / damage to the organization’s
image and its effect on sales when the loss of asset value is considered. Also they should take into account
Regulatory effects – for example, fines imposed due to Data Privacy laws being breached.
Here is a list of some of the costs (both direct and indirect) that might be incurred as a result of a risk:
 Direct revenue loss
 Loss of cash flow
 Reduced interest on overnight (or longer-term) balances
 Increased interest costs due to lost cash flow
 Loans called in or re-rated at higher levels due to drop in share prices (where share value
underpins loan facilities etc.)
 Delays in customer accounting, Accounts receivable and billing/invoicing
 Penalties due to delays in Accounts payable
 Loss of credit control and increased bad debt (bad credit ratings make it more costly to get loans
etc.)
 Loss of revenue (or payment of fines/penalties) related to Service Level Agreements due to failure
to provide service or meet service levels
 Wages paid to unproductive personnel
 Additional expenses and wages paid to personnel carrying out recovery work rather than business
as usual
 Replacing personnel who may have been lost, sick or have resigned because of disaster
10
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf NIST Risk Management Guide

of 116
 Brand / Social / Corporate image loss (and recovery costs associated with restoring such)
 Consumer / Market confidence loss (and recovery costs associated with restoring such)
 Reduced share value due to reduced investor confidence
 Cost of recreating / recovering data lost due to disaster
 Loss of power/control over business partner relationships (e.g. ability to demand reduced price
deals from Suppliers etc.)
 Lost ability to respond to opportunities (investments/new ventures etc.)
 Cost of replacement of buildings, equipment, software etc.
 Additional costs of working at a different site or under different conditions (e.g. admin costs,
travel costs and personnel expenses) etc.
 Interest value on deferred billings
 Loss of customers (lifetime value of each) and market share
 Loss of profits
 Additional advertising costs, PR costs and marketing costs to reassure customers/prospective
customers and investors/potential investors
 Recruitment costs for new personnel lost due to disaster
 Training / retraining costs for personnel
 Penalties/fines resulting from failure to produce timely accounts figures and/or tax payments
 Fines / penalties for non-compliance with laws and / or industry standards (e.g. Visa CISP)
 Liability claims (e.g. by employees for accidents that were avoidable)
 Potential costs due to prosecution for non compliance and contract adherence
 Environmental Impact
 Property loss (remember to include real estate, land, buildings, facilities, all assets etc.)
LowRiskISP has taken a few of the key scenarios it is interested in, and has evaluated the asset values
associated with them, see below:
Risk Type Risk Specifics Asset Value
Types
Low/High
Asset
Value
estimates
Asset Value
Equipment/system IT equipment
or system
failure
Key system is
down for less
than 1 hour
Direct revenue
loss, loss of cash
flow, wages paid
to unproductive
personnel,
additional
expenses paid to
recovery staff
$2000 -
$6000
$4000
Security Loss of records
/ data
Sales records
are lost for
one whole
day
Direct revenue
loss, loss of cash
flow, increased
interest cost due to
loss of cash flow,
cost of recreating
data where
possible
$10000 -
$50000
$30000
Exposure of
records / data
All credit
card records
Loss of brand
image/corporate
$50000 -
$400000
$200000

bcpdr

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Viewers also liked

Viewers also liked (15)

Similar to bcpdr

Similar to bcpdr (20)

More from Michelle Sollicito

More from Michelle Sollicito (6)

bcpdr