Nada G.Youssef, profile picture
Uploaded byNada G.Youssef
PPTX, PDF622 views

Chapter 12: Business Continuity Management

This document discusses business continuity management and planning. It defines disasters and the importance of emergency preparedness. Organizations should analyze threats, risks, and business impacts to develop business continuity plans. These plans should include response, contingency, recovery, and resumption components to ensure the organization can respond to and recover from disasters. The plans should be tested, maintained, and audited.

Education
In this document
Powered by AI

Introduction to business continuity management principles and practices.

Defines disasters, emphasizes emergency preparedness, and outlines continuity plan components.

Disasters disrupt operations; resilience and preparedness are essential for organizations.

Continuity planning ensures essential functions; requires threat identification and impact assessment.

BIA identifies essential services and establishes recovery metrics such as MTD, RTO, RPO.

Plans include response, contingency, recovery, and resumption; management involvement is crucial.

Plans detailing immediate post-incident actions, authority contacts, evacuation, and recovery site types.

How essential processes are managed during recovery; responsibility lies with departmental owners.

Strategies and procedures for returning to normal operations; should be documented and tested.

Covers validation and deactivation activities during the resumption phase.

Regular testing validates business continuity plans; dynamic environments necessitate continual updates.

Organizations must prepare for disasters, with management responsible for impact assessments and resource allocation.

Embed presentation

Downloaded 42 times
Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 12: Business Continuity Management
Copyright 2014 Pearson Education, Inc. 2 Objectives ❑ Define a disaster ❑ Appreciate the importance of emergency preparedness ❑ Analyze threats, risks, and business impact assessments ❑ Explain the components of a business continuity plan and program ❑ Develop policies related to business continuity management
Copyright 2014 Pearson Education, Inc. 3 Emergency Preparedness ■ Disaster ❑ Any event that results in damage or destruction, loss of life, or drastic change to the environment ❑ A disruption of normal business functions where the expected time for returning to normalcy would seriously impact the organization’s capability to maintain operations, including customer commitments and regulatory compliance ❑ The cause can be environmental, operational, accidental, or willful
Emergency Preparedness cont. ■ Resilient organization ❑ Has the capability to quickly adapt and recover from known or unknown change to the environment ■ Business disruption has an economic and societal ripple effect ■ Emergency preparedness is a civic duty and regulatory requirement ❑ Presidential Decision Directive (PDD) 63 Critical Infrastructure Protection ❑ Federal Continuity Directive 1 Copyright 2014 Pearson Education, Inc. 4
Copyright 2014 Pearson Education, Inc. 5 Business Continuity Risk Management ■ Continuity planning ❑ The business practice of ensuring the execution of essential functions ❑ Component of organizational risk management ❑ Risk management for continuity of operations requires the organizations to ■ Identify the threats that can disrupt operations ■ Determine the risk ■ Assess the impact on the company
Business Continuity Risk Management cont. ■ Business continuity threat assessment ❑ Identify viable threats and predict the likelihood of occurrence ❑ Threat modeling takes into account historical and predictive geographic, technological, physical, environmental, industry, and third-party factors ■ Business continuity threat assessment ❑ Evaluates the sufficiency of controls to prevent a threat from occurring or to minimize its impact Copyright 2014 Pearson Education, Inc. 6
Copyright 2014 Pearson Education, Inc. 7 What Is a Business Impact Assessment? ■ Business Impact Analysis ❑ Identify essential services/processes and recovery timeframes ❑ It is a multistep collaborative activity that involves business process owners, stakeholders, and corporate officers ❑ A BIA incorporates three metrics ■ Maximum tolerable downtime (MTD) ■ Recovery time objective (RTO) ■ Recovery point objective (RPO)
Copyright 2014 Pearson Education, Inc. 8 Business Continuity Plan ■ The objective is to ensure the organization has the capability to respond and recover from a disaster ■ Component: ❑ Response plans ❑ Contingency plans ❑ Recovery plans ❑ Resumption plans
Business Continuity Plan cont. ■ Business continuity management involves the entire organization ❑ Board of Directors provides oversight and guidance, authorizes the related policy, and is legally accountable for the actions of the organization ❑ Executive management provides leadership ❑ Business Continuity Team (BCT) has the authority to make decisions related to disaster preparation, response, and recovery Copyright 2014 Pearson Education, Inc. 9
Copyright 2014 Pearson Education, Inc. 10 Disaster Response Plans ■ Addresses what should be done immediately following a significant incident ■ Defines who has the authority to declare a disaster ■ Defines who has the authority to contact external entities ■ Defines evacuation procedures ■ Defines emergency communication & notification procedures ■ Upon declaration of a disaster, all BCT members should report to a designated command and control center ■ Occupant emergency Plan (OEP) ❑ Describes evacuation and shelter-in-place procedures in the event of a threat or incident to the health and safety of personnel
Disaster Response Plans cont. ■ Relocation strategies ❑ Hot site ❑ Fully operational location with redundant equipment. ❑ The data has been streamed to the site on a real-time basis or close to real time ❑ Warm site ❑ Configured to support operations including communications capabilities, peripheral devices, power, and HVAC. ❑ Spare computers may be located there that then would need to be configured in the event of a disaster ❑ Date must be restored ❑ Cold site ❑ Available alternative location ❑ Equipped with power, HVAC, and secure access ❑ Mobile site ❑ Self-contained unit ❑ Equipped with the required hardware, software, and peripherals ❑ Data needs to be restored Copyright 2014 Pearson Education, Inc. 11
Operational Contingency Plans ■ Addresses how an organization’s essential business processes will be delivered during the recovery process ■ Developed at the departmental level ■ Responsibility of the business process owner ■ The documentation should follow the same form as the SOPs Copyright 2014 Pearson Education, Inc. 12
Copyright 2014 Pearson Education, Inc. 13 The Disaster Recovery Phase ■ Recovery strategies ❑ The path to bringing the company back to a normal business environment ❑ A plan should be in place that breaks down each category of the overall recovery effort to simplify the daunting recovery process: ■ Mainframe ■ Network ■ Communications ■ Infrastructure ■ Facilities
Copyright 2014 Pearson Education, Inc. 14 The Disaster Recovery Phase Cont. ■ Recovery procedures ❑ All procedures should be designed, tested, documented, and approved prior to when the disaster strikes ❑ Procedures should be written as if the person who will be following them is not intimately familiar with the information system or component ❑ Procedures should explain what needs to be done, when, where, and how ❑ The key is to respond fast using predefined steps ❑ Recovery procedures should be reviewed annually
Copyright 2014 Pearson Education, Inc. 15 The Resumption Phase ■ The objective is to transition to normal operations ■ Two major activities ❑ Validation ■ Verifying recovered systems are operating correctly ❑ Deactivation ■ The official notification that the organization is no longer operating in emergency or disaster mode
Copyright 2014 Pearson Education, Inc. 16 Plan Testing and Maintenance ❑ Proactive testing of the plan is essential ❑ Until tested, the plan is theoretical at best ❑ The tests should prove that the procedures and the plan are: ■ Relevant ■ Operable under adverse conditions ■ Accurate ❑ Tests are used to discover errors and inadequacies
Copyright 2014 Pearson Education, Inc. 17 Plan Testing and Maintenance Cont. ■ Three standard testing methodologies ❑ Tabletop exercise ■ Structured review ■ Simulation ❑ Functional exercises ❑ Full-scale testing ■ Business continuity plan audit ❑ Evaluation of how the business continuity program in its entirety is being managed ❑ Auditors must be independent
Copyright 2014 Pearson Education, Inc. 18 Plan Maintenance ❑ Business environments are dynamic: The plan should be reviewed and edited regularly to match the changes that occur in the company and/or the industry in which the company is involved ❑ The plan cannot be reviewed without the risk assessment being reviewed as well ❑ Responsibility for maintaining the plan should be assigned to a specific role such as the ISO
Copyright 2014 Pearson Education, Inc. 19 Summary ■ A disaster can strike at any time. The organization must be prepared to respond to continue to provide services/products to its clients. ■ It is the responsibility of executive management to insure that threats are evaluated, impact to business processes recognized, and resources allocated. ■ This requires the creation and maintenance of an audited business continuity plan and of a set of ancillary procedures.

More Related Content

PPTX
Chapter 8: Communications and Operations Security
byNada G.Youssef
 
PPTX
Chapter 11: Information Security Incident Management
byNada G.Youssef
 
PPTX
Chapter 7: Physical & Environmental Security
byNada G.Youssef
 
PPT
Disaster Recovery Plan
byEmilie Gray
 
PPTX
Chapter 9: Access Control Management
byNada G.Youssef
 
PPTX
Chapter 10: Information Systems Acquisition, Development, and Maintenance
byNada G.Youssef
 
PDF
Cybersecurity tips for employees
byPriscila Bernardes
 
PDF
Ch07 Managing Risk
byphanleson
 
Chapter 8: Communications and Operations Security
byNada G.Youssef
 
Chapter 11: Information Security Incident Management
byNada G.Youssef
 
Chapter 7: Physical & Environmental Security
byNada G.Youssef
 
Disaster Recovery Plan
byEmilie Gray
 
Chapter 9: Access Control Management
byNada G.Youssef
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
byNada G.Youssef
 
Cybersecurity tips for employees
byPriscila Bernardes
 
Ch07 Managing Risk
byphanleson
 

What's hot

PPTX
Disaster Recovery Plan / Enterprise Continuity Plan
byMarcelo Silva
 
PPTX
Business continuity & disaster recovery planning (BCP & DRP)
byNarudom Roongsiriwong, CISSP
 
PPTX
Chapter 5: Asset Management
byNada G.Youssef
 
PPT
Isms awareness training
bySAROJ BEHERA
 
PPTX
Information Technology Disaster Planning
byguest340570
 
PPT
Information security in todays world
bySibghatullah Khattak
 
PDF
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
Computer Security 101
byProgressive Integrations
 
PPTX
Cyber security
bySatbharai Sethar
 
PPTX
Social & professional issues in IT
byRohana K Amarakoon
 
DOCX
Capstone Project Student Management System
byDonna Muller
 
PDF
Computer security
byMahesh Singh Madai
 
PPTX
Bcp
bymadunix
 
PPT
Identity and Access Management Reference Architecture for Cloud Computing
byJohn Bauer
 
PPTX
Basic concepts in computer security
byArzath Areeff
 
PPT
Security technologies
byDhani Ahmad
 
PPTX
Cloud computing risks
bysripriya78
 
PDF
Business Continuity Planning
byalanlund
 
PDF
Ransomware and tips to prevent ransomware attacks
bydinCloud Inc.
 
PPTX
How to run a tabletop DR test
byDatabarracks
 
Disaster Recovery Plan / Enterprise Continuity Plan
byMarcelo Silva
 
Business continuity & disaster recovery planning (BCP & DRP)
byNarudom Roongsiriwong, CISSP
 
Chapter 5: Asset Management
byNada G.Youssef
 
Isms awareness training
bySAROJ BEHERA
 
Information Technology Disaster Planning
byguest340570
 
Information security in todays world
bySibghatullah Khattak
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Computer Security 101
byProgressive Integrations
 
Cyber security
bySatbharai Sethar
 
Social & professional issues in IT
byRohana K Amarakoon
 
Capstone Project Student Management System
byDonna Muller
 
Computer security
byMahesh Singh Madai
 
Bcp
bymadunix
 
Identity and Access Management Reference Architecture for Cloud Computing
byJohn Bauer
 
Basic concepts in computer security
byArzath Areeff
 
Security technologies
byDhani Ahmad
 
Cloud computing risks
bysripriya78
 
Business Continuity Planning
byalanlund
 
Ransomware and tips to prevent ransomware attacks
bydinCloud Inc.
 
How to run a tabletop DR test
byDatabarracks
 

Viewers also liked

PPTX
Chapter 4: Governance and Risk Management
byNada G.Youssef
 
PPT
Chapter 3: Information Security Framework
byNada G.Youssef
 
PPTX
Chapter 6: Human Resources Security
byNada G.Youssef
 
PPTX
Chapter 14: Regulatory Compliance for the Healthcare Sector
byNada G.Youssef
 
PPTX
Chapter 2: Policy Elements and style
byNada G.Youssef
 
PPTX
Chapter 13: Regulatory Compliance for Financial Institutions
byNada G.Youssef
 
PPTX
Chapter 1: Understanding Policy
byNada G.Youssef
 
PPTX
Chapter 2: Health Care Financial Statements
byNada G.Youssef
 
PPTX
Chapter 8: Capital Financing for Health Care Providers
byNada G.Youssef
 
PPTX
Chapter 1: Context of Health Care Financial Management
byNada G.Youssef
 
PPTX
Chapter 15: PCI Compliance for Merchants
byNada G.Youssef
 
PPTX
Chapter 9: Using Cost Information to Make Special Decisions
byNada G.Youssef
 
Chapter 4: Governance and Risk Management
byNada G.Youssef
 
Chapter 3: Information Security Framework
byNada G.Youssef
 
Chapter 6: Human Resources Security
byNada G.Youssef
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
byNada G.Youssef
 
Chapter 2: Policy Elements and style
byNada G.Youssef
 
Chapter 13: Regulatory Compliance for Financial Institutions
byNada G.Youssef
 
Chapter 1: Understanding Policy
byNada G.Youssef
 
Chapter 2: Health Care Financial Statements
byNada G.Youssef
 
Chapter 8: Capital Financing for Health Care Providers
byNada G.Youssef
 
Chapter 1: Context of Health Care Financial Management
byNada G.Youssef
 
Chapter 15: PCI Compliance for Merchants
byNada G.Youssef
 
Chapter 9: Using Cost Information to Make Special Decisions
byNada G.Youssef
 

Similar to Chapter 12: Business Continuity Management

PPTX
BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
byJayLloyd8
 
PPTX
Business Continuity & Disaster Recovery
byEC-Council
 
PPTX
Business continuity planning and disaster recovery
byKrutiShah114
 
PPT
Business Continuity Planning Presentation Overview
byBob Winkler
 
PPTX
Building a Business Continuity Capability
byRod Davis
 
PPTX
ISO-22301-Presentation Business Continuity Management System latest.pptx
byJustinNickaf3
 
PDF
Business Continuity Plan
byBizPlanss
 
PPTX
Buisness contingency plan
byRMC
 
PPT
Introduction of Business Continuity Pocesss.ppt
byJEANELYESPERANZA
 
PPTX
Risk crisis nad management
byPasangdolmoTamang
 
PPTX
sdfdsfsfsdfsdfsdfsdfssefsdfsdfsdfwteesfgrtertwetetwewetwetwerwerewrdfsds
bysrizvi9
 
PPT
Continuity Planning 101
bytjrettig
 
DOCX
COM-CON Session Topics, Audiences, and Presentation Types
byLynellBull52
 
PDF
Business continuity & disaster recovery
byGeorge Coutsoumbidis
 
DOCX
Chapter 32Disaster Recovery, Business Continuity, Backups, a
byEstelaJeffery653
 
DOCX
Disaster Recovery, Business Continuity, Backups, and High Av.docx
bycuddietheresa
 
ODP
Cissp Week 24
byjemtallon
 
PPTX
Business Continuity as a Career
byBonnie Canal
 
PPSX
The Revere Group - Making A Case For Disaster Recovery
bycadavis22
 
PPT
Risk Based Planning for Mission Continuity
byDan Houser
 
BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
byJayLloyd8
 
Business Continuity & Disaster Recovery
byEC-Council
 
Business continuity planning and disaster recovery
byKrutiShah114
 
Business Continuity Planning Presentation Overview
byBob Winkler
 
Building a Business Continuity Capability
byRod Davis
 
ISO-22301-Presentation Business Continuity Management System latest.pptx
byJustinNickaf3
 
Business Continuity Plan
byBizPlanss
 
Buisness contingency plan
byRMC
 
Introduction of Business Continuity Pocesss.ppt
byJEANELYESPERANZA
 
Risk crisis nad management
byPasangdolmoTamang
 
sdfdsfsfsdfsdfsdfsdfssefsdfsdfsdfwteesfgrtertwetetwewetwetwerwerewrdfsds
bysrizvi9
 
Continuity Planning 101
bytjrettig
 
COM-CON Session Topics, Audiences, and Presentation Types
byLynellBull52
 
Business continuity & disaster recovery
byGeorge Coutsoumbidis
 
Chapter 32Disaster Recovery, Business Continuity, Backups, a
byEstelaJeffery653
 
Disaster Recovery, Business Continuity, Backups, and High Av.docx
bycuddietheresa
 
Cissp Week 24
byjemtallon
 
Business Continuity as a Career
byBonnie Canal
 
The Revere Group - Making A Case For Disaster Recovery
bycadavis22
 
Risk Based Planning for Mission Continuity
byDan Houser
 

More from Nada G.Youssef

PPT
Chapter 12
byNada G.Youssef
 
PPTX
Chapter 11
byNada G.Youssef
 
PPTX
Chapter Eight
byNada G.Youssef
 
PPTX
Chapter Tewlve
byNada G.Youssef
 
PPTX
Chapter Nine
byNada G.Youssef
 
PPTX
Chapter Four
byNada G.Youssef
 
PPTX
Chapter Six
byNada G.Youssef
 
PPTX
Chapter one
byNada G.Youssef
 
PPTX
Preparatory Year of Saudi Electronic University
byNada G.Youssef
 
PPTX
مجلة 1
byNada G.Youssef
 
PPTX
Chapter Eleven
byNada G.Youssef
 
PPTX
Chapter Ten
byNada G.Youssef
 
PPTX
Chapter Three
byNada G.Youssef
 
PPTX
Chapter Two
byNada G.Youssef
 
PPTX
Chapter Five
byNada G.Youssef
 
PPTX
Chapter Seven
byNada G.Youssef
 
Chapter 12
byNada G.Youssef
 
Chapter 11
byNada G.Youssef
 
Chapter Eight
byNada G.Youssef
 
Chapter Tewlve
byNada G.Youssef
 
Chapter Nine
byNada G.Youssef
 
Chapter Four
byNada G.Youssef
 
Chapter Six
byNada G.Youssef
 
Chapter one
byNada G.Youssef
 
Preparatory Year of Saudi Electronic University
byNada G.Youssef
 
مجلة 1
byNada G.Youssef
 
Chapter Eleven
byNada G.Youssef
 
Chapter Ten
byNada G.Youssef
 
Chapter Three
byNada G.Youssef
 
Chapter Two
byNada G.Youssef
 
Chapter Five
byNada G.Youssef
 
Chapter Seven
byNada G.Youssef
 

Recently uploaded

PDF
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PPTX
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
PPTX
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
PPTX
Repeat Orders_ Use Odoo Blanket Agreement
byCeline George
 
PDF
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 
PPTX
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
PPTX
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PDF
International Men's Day Event: Breaking the Silence: Embracing Vulnerability ...
byAssociation for Project Management
 
PPTX
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PPTX
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
PPTX
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
Repeat Orders_ Use Odoo Blanket Agreement
byCeline George
 
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
International Men's Day Event: Breaking the Silence: Embracing Vulnerability ...
byAssociation for Project Management
 
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 

Chapter 12: Business Continuity Management

  • 1.
    Security Program and Policies Principlesand Practices by Sari Stern Greene Chapter 12: Business Continuity Management
  • 2.
    Copyright 2014 PearsonEducation, Inc. 2 Objectives ❑ Define a disaster ❑ Appreciate the importance of emergency preparedness ❑ Analyze threats, risks, and business impact assessments ❑ Explain the components of a business continuity plan and program ❑ Develop policies related to business continuity management
  • 3.
    Copyright 2014 PearsonEducation, Inc. 3 Emergency Preparedness ■ Disaster ❑ Any event that results in damage or destruction, loss of life, or drastic change to the environment ❑ A disruption of normal business functions where the expected time for returning to normalcy would seriously impact the organization’s capability to maintain operations, including customer commitments and regulatory compliance ❑ The cause can be environmental, operational, accidental, or willful
  • 4.
    Emergency Preparedness cont. ■Resilient organization ❑ Has the capability to quickly adapt and recover from known or unknown change to the environment ■ Business disruption has an economic and societal ripple effect ■ Emergency preparedness is a civic duty and regulatory requirement ❑ Presidential Decision Directive (PDD) 63 Critical Infrastructure Protection ❑ Federal Continuity Directive 1 Copyright 2014 Pearson Education, Inc. 4
  • 5.
    Copyright 2014 PearsonEducation, Inc. 5 Business Continuity Risk Management ■ Continuity planning ❑ The business practice of ensuring the execution of essential functions ❑ Component of organizational risk management ❑ Risk management for continuity of operations requires the organizations to ■ Identify the threats that can disrupt operations ■ Determine the risk ■ Assess the impact on the company
  • 6.
    Business Continuity Risk Managementcont. ■ Business continuity threat assessment ❑ Identify viable threats and predict the likelihood of occurrence ❑ Threat modeling takes into account historical and predictive geographic, technological, physical, environmental, industry, and third-party factors ■ Business continuity threat assessment ❑ Evaluates the sufficiency of controls to prevent a threat from occurring or to minimize its impact Copyright 2014 Pearson Education, Inc. 6
  • 7.
    Copyright 2014 PearsonEducation, Inc. 7 What Is a Business Impact Assessment? ■ Business Impact Analysis ❑ Identify essential services/processes and recovery timeframes ❑ It is a multistep collaborative activity that involves business process owners, stakeholders, and corporate officers ❑ A BIA incorporates three metrics ■ Maximum tolerable downtime (MTD) ■ Recovery time objective (RTO) ■ Recovery point objective (RPO)
  • 8.
    Copyright 2014 PearsonEducation, Inc. 8 Business Continuity Plan ■ The objective is to ensure the organization has the capability to respond and recover from a disaster ■ Component: ❑ Response plans ❑ Contingency plans ❑ Recovery plans ❑ Resumption plans
  • 9.
    Business Continuity Plancont. ■ Business continuity management involves the entire organization ❑ Board of Directors provides oversight and guidance, authorizes the related policy, and is legally accountable for the actions of the organization ❑ Executive management provides leadership ❑ Business Continuity Team (BCT) has the authority to make decisions related to disaster preparation, response, and recovery Copyright 2014 Pearson Education, Inc. 9
  • 10.
    Copyright 2014 PearsonEducation, Inc. 10 Disaster Response Plans ■ Addresses what should be done immediately following a significant incident ■ Defines who has the authority to declare a disaster ■ Defines who has the authority to contact external entities ■ Defines evacuation procedures ■ Defines emergency communication & notification procedures ■ Upon declaration of a disaster, all BCT members should report to a designated command and control center ■ Occupant emergency Plan (OEP) ❑ Describes evacuation and shelter-in-place procedures in the event of a threat or incident to the health and safety of personnel
  • 11.
    Disaster Response Planscont. ■ Relocation strategies ❑ Hot site ❑ Fully operational location with redundant equipment. ❑ The data has been streamed to the site on a real-time basis or close to real time ❑ Warm site ❑ Configured to support operations including communications capabilities, peripheral devices, power, and HVAC. ❑ Spare computers may be located there that then would need to be configured in the event of a disaster ❑ Date must be restored ❑ Cold site ❑ Available alternative location ❑ Equipped with power, HVAC, and secure access ❑ Mobile site ❑ Self-contained unit ❑ Equipped with the required hardware, software, and peripherals ❑ Data needs to be restored Copyright 2014 Pearson Education, Inc. 11
  • 12.
    Operational Contingency Plans ■Addresses how an organization’s essential business processes will be delivered during the recovery process ■ Developed at the departmental level ■ Responsibility of the business process owner ■ The documentation should follow the same form as the SOPs Copyright 2014 Pearson Education, Inc. 12
  • 13.
    Copyright 2014 PearsonEducation, Inc. 13 The Disaster Recovery Phase ■ Recovery strategies ❑ The path to bringing the company back to a normal business environment ❑ A plan should be in place that breaks down each category of the overall recovery effort to simplify the daunting recovery process: ■ Mainframe ■ Network ■ Communications ■ Infrastructure ■ Facilities
  • 14.
    Copyright 2014 PearsonEducation, Inc. 14 The Disaster Recovery Phase Cont. ■ Recovery procedures ❑ All procedures should be designed, tested, documented, and approved prior to when the disaster strikes ❑ Procedures should be written as if the person who will be following them is not intimately familiar with the information system or component ❑ Procedures should explain what needs to be done, when, where, and how ❑ The key is to respond fast using predefined steps ❑ Recovery procedures should be reviewed annually
  • 15.
    Copyright 2014 PearsonEducation, Inc. 15 The Resumption Phase ■ The objective is to transition to normal operations ■ Two major activities ❑ Validation ■ Verifying recovered systems are operating correctly ❑ Deactivation ■ The official notification that the organization is no longer operating in emergency or disaster mode
  • 16.
    Copyright 2014 PearsonEducation, Inc. 16 Plan Testing and Maintenance ❑ Proactive testing of the plan is essential ❑ Until tested, the plan is theoretical at best ❑ The tests should prove that the procedures and the plan are: ■ Relevant ■ Operable under adverse conditions ■ Accurate ❑ Tests are used to discover errors and inadequacies
  • 17.
    Copyright 2014 PearsonEducation, Inc. 17 Plan Testing and Maintenance Cont. ■ Three standard testing methodologies ❑ Tabletop exercise ■ Structured review ■ Simulation ❑ Functional exercises ❑ Full-scale testing ■ Business continuity plan audit ❑ Evaluation of how the business continuity program in its entirety is being managed ❑ Auditors must be independent
  • 18.
    Copyright 2014 PearsonEducation, Inc. 18 Plan Maintenance ❑ Business environments are dynamic: The plan should be reviewed and edited regularly to match the changes that occur in the company and/or the industry in which the company is involved ❑ The plan cannot be reviewed without the risk assessment being reviewed as well ❑ Responsibility for maintaining the plan should be assigned to a specific role such as the ISO
  • 19.
    Copyright 2014 PearsonEducation, Inc. 19 Summary ■ A disaster can strike at any time. The organization must be prepared to respond to continue to provide services/products to its clients. ■ It is the responsibility of executive management to insure that threats are evaluated, impact to business processes recognized, and resources allocated. ■ This requires the creation and maintenance of an audited business continuity plan and of a set of ancillary procedures.