Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
BCS 307 Lecture 8.pdf
1. BCS 307 - BUSINESS CONTINUITY
PLANNING
JOHN AMBELE MWAIPOPO
INFORMATION SCIENCE DEPARTMENT
JORDAN UNIVERSITY COLLEGE
2. BC/DR Plan Maintenance
Layout of this Lecture
BC/DR change management
Strategies for managing change
BC/DR plan audit
Plan maintenance activities
Project close out
3. Maintaining the plan you’ve developed may end up being the biggest
challenge you face in the entire business continuity and disaster recovery
plan process.
Many people assume that once the project is complete, they can simply
chalk up another successful project and move on, but that’s far from true.
There are many areas in which you can incorporate BC/DR strategies and
activities in your standard operating procedures.
BC/DR Plan Maintenance
Last phase of BC/DR planning.
4. Change is constant in organizations—change in operations, change in technology, change in
personnel, change in regulations—the list goes on.
BC/DR Plan Change Management
Change management has several discrete steps, as
depicted in Figure to the right.
First step is to monitor changes.
Next step is to decide how the changes impact your
BC/DR plan. Not all changes have an impact on your
plan.
If a change impacts your plan, the next step is to
determine how to address the change in your plan.
Cycle back and perform a modified version of your
risk assessment, business impact analysis, and
mitigation strategy development.
There are numerous sources of change that we’ll
discuss shortly.
5. Training, testing, and auditing
Training often involves testing the plan, and that testing the plan trains staff on
how to implement the plan and carry out the tasks assigned.
Changes will naturally come out of these processes, and that’s part of the purpose
of training and testing.
It’s difficult, if not impossible, to develop a perfect plan the first time through. It’s
not until you try putting the plan to work that you discover steps out of order,
errors, omissions, or redundancies.
Capture a list of changes that need to be made to the BC/DR plan as you deliver
your training and perform your testing, you should.
These changes should be submitted for review. Not all requested changes should
be made for a variety of reasons.
BC/DR Plan Change Management
6. Changes in information technologies
IT team should be familiar with reviewing and assessing change—from
the location and duties of various servers to the implementation of
new applications to the reorganization of existing infrastructure.
Even the most innocuous changes can suddenly inject all kinds of
problems into your network and systems.
Have a process for evaluating the implementation of new technology, a
process that says “Assess impact of this new technology on BC/DR
plans.”
Systems are upgraded, swapped out, modified, or retired, be sure to
include a line item task to consider the impact on BC/DR plans.
BC/DR Plan Change Management
7. Changes in operations
Operations are not static, and changes over time to operations impacts the
BC/DR plan.
Reorganization, expansion, new departments, new facilities, and new
management structures can all impact operations in a variety of ways.
In some cases, changes in operation happen slowly over time and these
changes may go unnoticed as it relates to the BC/DR plan.
Business’s mission-critical operations changes over time or if the processes
used to accomplish these functions have changed, the BC/DR plan is at
significant risk of failure and should be revised.
Changes to operational processes should be implemented as needed.
BC/DR Plan Change Management
8. Corporate changes
Corporate mergers, acquisitions, spin-offs, restructuring, and other
types of corporate changes can have a major impact on the BC/DR
plan.
Continually look to incorporate BC/DR activities into your normal
operations and planning activities and to continually look to protecting
data first.
When critical data are safe, putting systems in place to access and
utilize that data can be secondary during times of turbulent or
unexpected change.
BC/DR Plan Change Management
9. Legal, regulatory, or compliance changes
Changes to the legal, regulatory, or compliance landscape will certainly
trigger required changes to your BC/DR plan.
For example, if laws change regarding data security, you will have to review
your BC/DR plan to determine whether your existing plan meets these new
requirements or whether you’ll need to implement additional tools,
technologies, or processes.
Major change may require you to cycle through all phases of the BC/DR
project planning stages and create a plan for implementing required
changes.
In most cases, changes in this arena will impact operations or IT, and the
impact to the BC/DR plan will be addressed through those channels.
BC/DR Plan Change Management
10. Strategies for managing change
Two strategies for managing change are:
1. Having a process for monitoring change requests
2. Having a process for evaluating change requests.
It’s easier to monitor change and respond to it as needed over time rather than
sitting down once a year and trying to remember (or determine) what’s
changed since your last review of the plan.
Easiest way to monitor change, is to include an additional step or two in
standard operating procedures.
These steps can be as simple as “Determine impact, if any, on BC/DR plan.
If impact exists, submit BC/DR change request to [insert position responsible
BC/DR Plan Change Management
11. Monitor change
Implementing processes for monitoring change can make your job of
maintaining the BC/DR plan much easier.
Develop processes that can be incorporated into everyday workflows so that as
changes occur, they can quickly be assessed for their potential impact.
If the change has no impact, it can be ignored (from a BC/DR perspective).
If the change will have an impact, a change request should be submitted to the
BC/DR team.
A change request may be just a matter of noting that the leader of the
Emergency Response Team has changed.
This change request should trigger the appropriate revision to the BC/DR plan
including contact names, phone numbers, and team rosters.
BC/DR Plan Change Management
12. People
People leave organizations, get promoted, or move into different jobs.
A periodic review of changes to the organization can help you determine if
there have been personnel changes that impact your plan.
Process
Changes to processes should be monitored as well.
Monitor changes to key processes and flagging changes for BC/DR review.
Many corporate processes remain fairly unchanged over time.
Changes to mission-critical functions should be reviewed with the highest
priority.
BC/DR Plan Change Management
13. Technology
Technology may fall outside the scope of IT management.
If your company works with scientific equipment, manufacturing
equipment, medical equipment, or other specialized technology,
changes in this arena should be monitored and assessed.
Often changes in technology create changes in processes, so the trigger
for review and modification may come from either area.
A process for triggering a review should be included in your
technology implementation plans to make BC/DR plan maintenance as
low as possible.
BC/DR Plan Change Management
14. Evaluate and incorporate change
Change review process should be well defined.
Someone should be specifically responsible for processing change requests, a projector
manager or team member.
Use a change management process for managing projects.
Not all changes requested can or should be implemented into a plan.
Changes that are required by law, regulation, or compliance must be made.
Analysis may be required for each change you consider.
Some changes increase your risks; other changes reduce your risks.
Some changes may have a strong effect on the business impact analysis outcomes; others
may have no effect at all.
All approved changes should be incorporated in the training, testing, and auditing
processes and procedures.
BC/DR Plan Change Management
15. Points to consider to manage change:
1. Compile all change requests and prioritize based on potential risk, vulnerability, impact
(if applicable).
2. Determine if change requests are required for legal, regulatory, or compliance reasons. If
so, flag these as required changes.
3. Review compiled change requests, review for redundancy, relevancy, etc. Revise compiled
list as appropriate.
4. Prioritize compiled list. For each item, determine how the change impacts (or is impacted
by):
• Selected risks and threats
• Threat vulnerability
• Business impact analysis
• Risk mitigation strategies
BC/DR Plan Change Management
16. 5. Assess potential cost, risk profile (does it inject or reduce risk?), desirability, feasibility,
and interaction with other elements of the plan.
6. Determine if change request should be incorporated, delayed, rejected, or closed.
7. For each change request incorporated, document impact to BC/DR plan in detail. Advise
change requestor of change acceptance, if appropriate.
8. For each change incorporated, determine need for additional training or testing activities.
Trigger notification for training, testing, or auditing if appropriate.
9. For each change delayed, document reason for delay and how change will be processed
later. Communicate decision to change requestor, if appropriate.
10. For each change rejected or closed, document reason for denying change. Communicate
the status of the change with the rationale to the requestor, if appropriate.
11. For all approved changes, make revisions to BC/DR plan, note change in plan, and notify
plan stakeholders of plan revision, if appropriate.
BC/DR Plan Change Management
17. Audit your BC/DR plan when performing training and testing.
Audit is a process in which you review the BC/DR plan against specific
requirements.
Review can be on the organization’s business practices, objectives,
strategies, or changing financial situation.
You may also review the plan against external constraints such as legal
or regulatory requirements.
Auditing does not test the plan. No assurance that steps and processes
included in the plan will work.
The audit does not train people in the use of the plan or in the skills
needed to implement and execute the plan.
BC/DR Plan Audit
18. Audit is impartial review of the plan to assess whether it meets the company’s overall needs.
Audit plan should be created and should include:
• Audit scope, timeline, requirements, and constraints
• Review of corporate risks and risk management strategies including BC/DR
• Review of business impact
• Review of BC/DR plan development activities
• Review of BC/DR plan test plans and activities
• Review of BC/DR plan training plans and activities
• Review of BC/DR change management and plan maintenance processes
Reviewing these elements result in the generation of change requests that should be
processed by the BC/DR team.
Develop an audit checklist so you can periodically review the plan.
BC/DR Plan Audit
19. Plan Maintenance Activities
Activities hat can help you keep your plan up to date and ready to go.
1. If the plan is revised, the BC/DR team members should be notified in a timely
manner.
2. The plan should use a revision numbering system so team members know whether
they have the latest version of the plan.
3. Review, update, and revise key contact information regularly. This includes staff,
vendors, contractors, key customers, alternate sites, and facilities, among others.
4. Create a BC/DR plan distribution list that is limited to authorized personnel but that
includes all relevant parties. This distribution list should include off-site and remote
facilities that may be used in the event of BC/DR plan activation.
5. Be sure there are up-to-date copies of the BC/DR plan off-site in the event the
building is inaccessible. Alternatively, be sure a copy is secure but accessible in the
cloud and provide secure access to these documents.
20. 6. Be sure there are up-to-date paper copies and/or CDs/DVDs/thumb drives of the
BC/DR plan on-site in the event IT systems go down. If these contain sensitive
information such as key codes, passwords, or other credentialing data, ensure they are
encrypted or kept in a secure location that would be accessible during a disaster.
7. Implement a process whereby all old versions of the plan are destroyed or archived
and new versions replace them. This helps avoid a scenario where team members are
working from different versions of the plan.
8. Always check soft copy and remote storage copies of your plan when changes are
made to the plan. If you store copies off-site or at your alternate work site, these
versions should be updated any time the plan is modified.
9. Whenever significant changes are requested or implemented, test the plan. This will
ensure there are no new areas of concern and will help train staff on the changes.
10. Integrate BC/DR considerations into operational processes to reduce plan
Plan Maintenance Activities
21. 11. Assign responsibility for managing BC/DR change notification and requests to
someone on the BC/DR team. The project management adage that “a task without an
owner won’t get done” is especially true here.
12. Document plan maintenance procedures and follow these procedures to avoid
introducing additional risk into the project. Use periodic prescheduled meetings to
ensure these events occur on a regular basis.
13. Incorporate training into the change process so changes to people, process, and
technology that are incorporated into the BC/DR plan also trigger changes to training
plans.
14. Include BC/DR plan testing, training, auditing, and maintenance activities in your IT
or corporate budget for future activities related to BC/DR.
Plan Maintenance Activities
22. Project Close Out
Be ready to close out your BC/DR project.
Have a clear, comprehensive, and reasonable business continuity and disaster
recovery plan that should address the major threats to your company and mitigate
risks to the most critical business functions.
Develop procedures to monitoring change, implementing change, and maintaining
the BC/DR plan that can be folded into standard corporate operations.
Take time to do several project close-out activities.
1. Ensure all documentation is complete and finalized.
2. Ensure the BC/DR plan is distributed to appropriate personnel.
3. Announce plan completion to project sponsor and other project stakeholders; gain
formal approval or sign-off.
4. Announce plan completion to company to increase awareness and celebrate success.
23. 5. Announce plan completion to regulatory authorities, as appropriate or required.
6. Announce training or testing plans, if appropriate.
7. Hold a project review session to discuss lessons learned and incorporate into
process. This should not be held at the same time as a project close out or celebration.
This should be a working meeting to capture best practices and lessons learned.
8. Hold project close-out meeting to celebrate completion and recognize individual
efforts, as appropriate.
9. Complete any staff reviews related to project work.
10. Submit summary or close out report to project sponsor, executive team, or other
stakeholders, as appropriate.
11. Update legal or compliance documentation to reflect BC/DR readiness, as
appropriate.
Project Close Out