The Technology Advisor
September 2009 • www.CPATechAdvisor.com • Vol. 19, No. 6

An Executive Primer on Business Continuity Planning and Related IT Considerations
By Robert P. Green, CPA.CITP & Rick Mark
The following terms are undoubtedly familiar to you: Disaster Recovery, Disaster Preparedness, Business Continuity Plan, Operations Resumption Plan.

But how do they relate to you or your clients? Moreover, how does information technology fit into these concepts?

In the big picture, the above terms all emphasize the survival strategies in a business's Risk Management process. In a more perfect world, every company would prioritize the strategic and tactical processes required to resume, sustain and manage their operations through an unplanned disaster or a damaging business interruption.

Many constituents have a legitimate interest in this Risk Management process, from employees and management to owners and investors, and outside parties such as auditors and bankers. Why, then, don't most businesses, particularly those that are not SEC registrants, prioritize this matter?

First, it is a great deal of work to become proactive: to determine the activities required before any disaster, and to plan the processes needed to resume after one. Business Continuity Planning (or a Business Continuity Plan), also referred to as "BCP", is indeed challenging … and is far more involved than drafting an insincerely prepared plan and filing it in a drawer. Second, most businesses don't have the internal management experience to address this process. Third, among other reasons, many business owners and managers believe that their business is already prepared for disasters based on naïve assumptions such as "we have good backup tapes" or "we know everyone's cell phone numbers." And then there is the other thought process (often unspoken) that summarizes many businesses' approach to this risk: "It won't happen to us."

BCP involves company-wide participation, coordination with internal and outside constituents, ongoing updates, management and testing. Among the most critical components of the BCP process, however, and among the more straightforward to address, is the ability to have information and computer systems survive a disaster and support the business afterwards.

Information technology is a key driver in BCP. Without considering the IT factors, a disaster can dramatically impact a business's continuity in the form of lost data, lost practices and automated processes, lost revenues and lost operations. Read on for an example of what can happen.

IMAGINE THIS HORROR

Your client, ACME, runs a business with five offices spread around the country. A snapshot of its IT environment is important to be aware of in our example. From its headquarters, ACME manages its operations, accounting, IT network and all software services for its five offices. ACME also hosts its own website, eCommerce and all data servers at its headquarters. Forty percent of ACME's business originates from customer transactions using ACME's website. Finally, as a good business practice, ACME does not allow its system users to back up or store documents and other sensitive data on their own computers. Rather, their information is centralized in ACME's servers at headquarters to ensure (we'll see) comprehensive backup.

ACME's headquarters was hit by a relatively harsh storm. The lower floor, which houses the server room, flooded to a good degree due to a leak caused by ineffective weather preparations. The flood caused irreparable systems and hardware failures. Work came to a halt … in all locations. The client website was completely "down," precluding many customers from conducting business with ACME. The most recent backup tapes were over two weeks old and were actually stored in the server room. Sadly, they were ineffective because they were soaked and damaged by surrounding debris. A search continued unsuccessfully for other reasonably current backup tapes.

Dilemma: No current data. No productivity. Limited customer orders and interaction. No likelihood of restoring any current or perhaps ANY information with which to do business.

Exaggerated? Not sure how realistic this is? Perhaps, then, substitute for "flood" other real disasters outside of natural occurrence: ACME's confidential and private customer data and trade secrets could have been compromised by a disgruntled employee or other insider, or the servers could have literally been stolen by a competitor or enterprising employee. Other disasters in the Mother Nature category that can yield the same result include power surges, earthquakes and isolated or widespread fires. All of these occur somewhere every day.

AVOID THE HORROR

Define and tackle your objectives for Preparedness and Resumption.

Engage in BCP; it allows a business's operations to resume (as planned) after a disaster. A BCP for any business should address IT considerations, as well as others: human resources, media or press relations, emergency response agencies, operational and physical logistics, and more. Even if ACME had accomplished only some BCP, surely some of the above risks would not have had such business-halting results.

If businesses resist engaging in BCP because they choose to avoid its common sense and prudence, then consider this: BCP
efforts are addressed (directly or indirectly) in regulatory compliance doctrines in place today for companies of all sizes, from Sarbanes-Oxley to HIPAA and other Privacy Protection acts, both Federal and local.

BCP efforts require a significant investment of corporate labor, outside advisors and financial resources, and include efforts of procedure design, implementation and testing. Objectives and tactics of BCP follow, with an emphasis on IT considerations.

CREATING, MAINTAINING AND TESTING THE BCP

First, the plan must be created. We recommend that a BCP/crisis management team be formed and empowered to create, manage and update the BCP. This team should represent all key departments, and focus on the following objectives:

• the continuity and survival of the business,
• the protection of corporate tangible and intangible assets,
• human resources and 'public' awareness of the event,
• the creation and documentation of specific preventative measures/activities, and
• the ability for the BCP to be effective, as a whole, on an ongoing basis.

At its core, a BCP addresses the myriad of business risks that a company would face in the event of foreseeable disasters, including the nature of those disasters as well as the most important risks of loss.

A business must determine the following at the onset:

1. What kinds of disasters are most likely to impact the business?
   a. Natural disasters – the usual suspects might include fire, flood, earthquake, and the like.
   b. Human-oriented disasters – including theft of digital intellectual property and trade secrets, compromise of web commerce activities, stolen servers, etc. Others include carelessness resulting in a lost unprotected laptop or flash drive containing sensitive information, as well as inappropriate or ineffective network and security design and management.
2. What attributes of a disaster are most impactful to the sustenance of the business's operations?
   a. Loss of the business's website and eCommerce capabilities.
   b. Loss of Internet access for extended periods of time.
   c. Loss of power to keep IT and other operations equipment running.
   d. Loss of email access or file/folder access.
   e. Loss of employees to conduct business due to geographical or pandemic disasters.
   f. Loss of strategic data (customer lists, accounting data, sales information, other intellectual property, etc.).

After addressing the above, the BCP starts to take shape right away. The BCP team creates action plans and documentation of procedures that address and mitigate each of the risks related to the disasters most likely to be impactful … and then tests these plans and procedures "real time" to the extent possible. This may mean shutting down the company's power or Internet connectivity during business hours. Many companies do NOT test their planned procedures in any way, nor update them as information and the business change. Thus, the BCP may be entirely useless at the actual time of need.

HOW ACME COULD HAVE PREPARED BETTER

A BCP at ACME should have included better IT preparations. Some examples of procedures might include the following:

1. Regular and secure offsite rotation and storage of data backup tape(s), accompanied by procedures on how to retrieve them and restore data and systems functionality from them.
2. A duplicate eCommerce website environment "at the ready" that activates when the primary site fails for any reason. This could be located at any number of other locations, including a sister office or a third-party Internet host.
3. Offsite or remote server redundancy. Examples include:
   a. A "hot site" – an off-site duplicate server and system environment that allows for resumption of systems operations, with the ability to be connected "live" upon instruction. This approach is simplified and often most effectively managed using a newer technology known as Virtualization of the server environments, which allows for simpler and more affordable redundancy.
   b. The adoption of externally hosted 'cloud computing' server and data environments. In this "cloud" concept, a company's servers, software and data are hosted by third parties and served to the users via an Internet browser on any computer. Hence, resumption would occur simply by finding an Internet browser anywhere.
4. Redundant Internet and telephone services. Alternative Internet connection services can activate automatically upon a disruption of the main connection, thereby keeping communications alive without interruption. Secondary phone systems or Internet-based phone systems can be made available for those incidents when communications failures occur.
5. Effective server room construction and configuration. Considerations include adequate levels of air conditioning, drainage systems, weatherproofing, ceiling leak testing, etc.

SUMMARY

BCPs are critical in today's business climate, and the businesses that invest time and effort in their creation, maintenance and testing are well rewarded in the event of disasters and disruptions of any kind. Specific information technology practices for avoidance of data loss from disasters are increasingly necessary to make BCPs successful and effective. And they are very affordable and achievable when addressed prudently and in advance. This enables BCP constituents to more likely enjoy the peace of mind that they deserve.

Robert (Bob) Green, CPA.CITP/Partner and Rick Mark/Senior Manager are Information Management professionals in the Enterprise Risk Management Services group at SingerLewak, LLP, one of the western U.S.'s largest CPA and consulting firms with six offices in California. This group provides CIO and CTO advisory services, as well as governance, risk and compliance advisory/audit services to privately held and SEC registrant enterprises. Bob presently serves on the AICPA's Certified Information Technology Professional credential committee. They can be reached at BGreen@SingerLewak.com and RMark@SingerLewak.com.
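Item 1 of "How ACME could have prepared better" (regular, secure offsite rotation of backups, with rehearsed restore procedures) is the control whose absence turned ACME's flood into a total data loss: the only tapes were two weeks old, sat in the server room, and had never been proven restorable. The following Python script is an added example, not code from the article or its authors. It checks a backup catalog against a simple policy of that kind and reports where the catalog falls short. The policy values, site names and catalog rows are constructed for illustration and mirror the ACME story loosely.

```python
"""Backup catalog health check (added example, not code from the article).

Checks a backup inventory against a policy of the kind item 1 of "How ACME
could have prepared better" calls for: backups are taken regularly, a copy
is rotated to a secure offsite location, and the restore procedure is
rehearsed. The policy values, site names and catalog rows below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BackupPolicy:
    max_backup_age: timedelta        # how old the newest copy may be (the RPO)
    max_restore_test_age: timedelta  # how long since a restore was last rehearsed
    primary_site: str                # copies kept here do not count as offsite


@dataclass(frozen=True)
class BackupCopy:
    system: str                        # what was backed up
    taken: date                        # when the copy was made
    location: str                      # where the media is stored
    last_restore_test: Optional[date]  # None = a restore was never rehearsed


# Finding codes returned by check_catalog
STALE = "STALE"                        # newest copy older than the RPO
NOT_OFFSITE = "NOT_OFFSITE"            # every copy sits at the primary site
OFFSITE_STALE = "OFFSITE_STALE"        # offsite copy exists but is older than the RPO
RESTORE_UNTESTED = "RESTORE_UNTESTED"  # no restore ever rehearsed
RESTORE_OVERDUE = "RESTORE_OVERDUE"    # last rehearsal older than policy allows


def check_catalog(catalog: List[BackupCopy], policy: BackupPolicy,
                  today: date) -> List[Tuple[str, str, str]]:
    """Return (system, code, detail) findings; an empty list means compliant."""
    findings = []
    by_system = {}
    for copy in catalog:
        by_system.setdefault(copy.system, []).append(copy)

    for system, copies in sorted(by_system.items()):
        # Freshness: the newest copy anywhere must be within the RPO.
        newest = max(copies, key=lambda c: c.taken)
        age = (today - newest.taken).days
        if today - newest.taken > policy.max_backup_age:
            findings.append((system, STALE, f"newest copy is {age} days old"))

        # Rotation: a copy must exist away from the primary site, and be current too.
        offsite = [c for c in copies if c.location != policy.primary_site]
        if not offsite:
            findings.append((system, NOT_OFFSITE, f"all copies are in {policy.primary_site}"))
        else:
            newest_offsite = max(offsite, key=lambda c: c.taken)
            offsite_age = (today - newest_offsite.taken).days
            if today - newest_offsite.taken > policy.max_backup_age:
                findings.append((system, OFFSITE_STALE,
                                 f"newest offsite copy is {offsite_age} days old"))

        # Restorability: a backup nobody has restored from is an assumption, not a control.
        tests = [c.last_restore_test for c in copies if c.last_restore_test is not None]
        if not tests:
            findings.append((system, RESTORE_UNTESTED, "restore procedure never rehearsed"))
        elif today - max(tests) > policy.max_restore_test_age:
            findings.append((system, RESTORE_OVERDUE,
                             f"last restore rehearsal {(today - max(tests)).days} days ago"))
    return findings


# Constructed policy: daily backups, restore rehearsed at least quarterly.
POLICY = BackupPolicy(timedelta(days=1), timedelta(days=90), primary_site="HQ server room")

# Constructed catalog on the day of the storm, modelled loosely on the ACME story.
TODAY = date(2009, 9, 16)
CATALOG = [
    # Accounting: one two-week-old tape, kept in the server room, never restore-tested.
    BackupCopy("accounting", date(2009, 9, 1), "HQ server room", None),
    # eCommerce DB: nightly copy at HQ plus a copy rotated to another office.
    BackupCopy("ecommerce-db", date(2009, 9, 15), "HQ server room", date(2009, 8, 1)),
    BackupCopy("ecommerce-db", date(2009, 9, 15), "Denver office vault", date(2009, 8, 1)),
    # File server: nightly copy at HQ, but offsite rotation slipped a week and
    # the last restore rehearsal was in May.
    BackupCopy("file-server", date(2009, 9, 15), "HQ server room", date(2009, 5, 1)),
    BackupCopy("file-server", date(2009, 9, 8), "Denver office vault", date(2009, 5, 1)),
]


def report(catalog=CATALOG, policy=POLICY, today=TODAY):
    """Group findings per system so a BCP team can see what needs fixing."""
    grouped = {}
    for system, code, detail in check_catalog(catalog, policy, today):
        grouped.setdefault(system, []).append((code, detail))
    return grouped


if __name__ == "__main__":
    for system, items in report().items():
        for code, detail in items:
            print(f"{system:14} {code:17} {detail}")
```

Run against the constructed catalog, the accounting system reproduces ACME's situation exactly (stale, not offsite, never restored), the eCommerce database passes, and the file server shows the two quieter failure modes a team tends to miss: an offsite rotation that has silently fallen behind, and a restore procedure that was proven once and then left untouched. In practice the catalog rows would be read from the backup software's job history rather than typed in.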




Reprinted by permission ©2009 The CPA Technology Advisor • 420 N. Kickapoo, Shawnee, OK 74801 • 800-456-0864 • www.CPATechAdvisor.com

More Related Content

What's hot

Bcp
BcpBcp
Bcp
madunix
 
A guide to modern it disaster recovery
A guide to modern it disaster recoveryA guide to modern it disaster recovery
A guide to modern it disaster recoveryJohn Brouillard
 
White Paper: The Benefits of An Outsourced IT Infrastructure
White Paper: The Benefits of An Outsourced IT InfrastructureWhite Paper: The Benefits of An Outsourced IT Infrastructure
White Paper: The Benefits of An Outsourced IT Infrastructure
Asaca
 
Example business continuity plan
Example business continuity planExample business continuity plan
Example business continuity plan
Micheal Axelsen
 
IT in Europe E-zine TechTarget - Building a Virtualised datacenter
IT in Europe E-zine TechTarget - Building a Virtualised datacenterIT in Europe E-zine TechTarget - Building a Virtualised datacenter
IT in Europe E-zine TechTarget - Building a Virtualised datacenterDaniel Eason
 
Sea spin5 2013-notes
Sea spin5 2013-notesSea spin5 2013-notes
Sea spin5 2013-notes
Jeff Smith
 
Fulcrum Group- Layer Your DR/BC
Fulcrum Group- Layer Your DR/BCFulcrum Group- Layer Your DR/BC
Fulcrum Group- Layer Your DR/BC
Steve Meek
 
ESG white paper: The Evolution of NAS in a Virtual IT World
ESG white paper: The Evolution of NAS in a Virtual IT World ESG white paper: The Evolution of NAS in a Virtual IT World
ESG white paper: The Evolution of NAS in a Virtual IT World IBM India Smarter Computing
 
The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...
The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...
The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...
Janine Anthony Bowen, Esq.
 
Smarter Backup
Smarter BackupSmarter Backup
Smarter Backup
IBM
 
Dcca study guide
Dcca study guideDcca study guide
Dcca study guide
Kamal Mouline
 
Ultan kinahan dr - minasi 2010
Ultan kinahan   dr - minasi 2010Ultan kinahan   dr - minasi 2010
Ultan kinahan dr - minasi 2010
Nathan Winters
 
Large-Scale Remote Access & Mobility
Large-Scale Remote Access & MobilityLarge-Scale Remote Access & Mobility
Large-Scale Remote Access & Mobility
Array Networks
 
Virtualization 2013: Mission Critical Strategy
Virtualization 2013: Mission Critical StrategyVirtualization 2013: Mission Critical Strategy
Virtualization 2013: Mission Critical Strategy
IIS International Integrated Solutions
 
Using IBM data reduction solutions to manage more data with less infrastructure
Using IBM data reduction solutions to manage more data with less infrastructureUsing IBM data reduction solutions to manage more data with less infrastructure
Using IBM data reduction solutions to manage more data with less infrastructureIBM India Smarter Computing
 
Understanding and Managing Technical Debt
Understanding and Managing Technical DebtUnderstanding and Managing Technical Debt
Understanding and Managing Technical Debt
Dr. Syed Hassan Amin
 
Estuate helps major wireless telecom save tens of millions
Estuate helps major wireless telecom save tens of millionsEstuate helps major wireless telecom save tens of millions
Estuate helps major wireless telecom save tens of millions
Estuate, Inc.
 
Mesabi Group paper: Rethink Data Protection and Retention Now Merchandising
Mesabi Group paper: Rethink Data Protection and Retention Now Merchandising Mesabi Group paper: Rethink Data Protection and Retention Now Merchandising
Mesabi Group paper: Rethink Data Protection and Retention Now Merchandising IBM India Smarter Computing
 
Top 10 Most Important DAM Features
Top 10 Most Important DAM FeaturesTop 10 Most Important DAM Features
Top 10 Most Important DAM Features
databasics
 

What's hot (19)

Bcp
BcpBcp
Bcp
 
A guide to modern it disaster recovery
A guide to modern it disaster recoveryA guide to modern it disaster recovery
A guide to modern it disaster recovery
 
White Paper: The Benefits of An Outsourced IT Infrastructure
White Paper: The Benefits of An Outsourced IT InfrastructureWhite Paper: The Benefits of An Outsourced IT Infrastructure
White Paper: The Benefits of An Outsourced IT Infrastructure
 
Example business continuity plan
Example business continuity planExample business continuity plan
Example business continuity plan
 
IT in Europe E-zine TechTarget - Building a Virtualised datacenter
IT in Europe E-zine TechTarget - Building a Virtualised datacenterIT in Europe E-zine TechTarget - Building a Virtualised datacenter
IT in Europe E-zine TechTarget - Building a Virtualised datacenter
 
Sea spin5 2013-notes
Sea spin5 2013-notesSea spin5 2013-notes
Sea spin5 2013-notes
 
Fulcrum Group- Layer Your DR/BC
Fulcrum Group- Layer Your DR/BCFulcrum Group- Layer Your DR/BC
Fulcrum Group- Layer Your DR/BC
 
ESG white paper: The Evolution of NAS in a Virtual IT World
ESG white paper: The Evolution of NAS in a Virtual IT World ESG white paper: The Evolution of NAS in a Virtual IT World
ESG white paper: The Evolution of NAS in a Virtual IT World
 
The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...
The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...
The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...
 
Smarter Backup
Smarter BackupSmarter Backup
Smarter Backup
 
Dcca study guide
Dcca study guideDcca study guide
Dcca study guide
 
Ultan kinahan dr - minasi 2010
Ultan kinahan   dr - minasi 2010Ultan kinahan   dr - minasi 2010
Ultan kinahan dr - minasi 2010
 
Large-Scale Remote Access & Mobility
Large-Scale Remote Access & MobilityLarge-Scale Remote Access & Mobility
Large-Scale Remote Access & Mobility
 
Virtualization 2013: Mission Critical Strategy
Virtualization 2013: Mission Critical StrategyVirtualization 2013: Mission Critical Strategy
Virtualization 2013: Mission Critical Strategy
 
Using IBM data reduction solutions to manage more data with less infrastructure
Using IBM data reduction solutions to manage more data with less infrastructureUsing IBM data reduction solutions to manage more data with less infrastructure
Using IBM data reduction solutions to manage more data with less infrastructure
 
Understanding and Managing Technical Debt
Understanding and Managing Technical DebtUnderstanding and Managing Technical Debt
Understanding and Managing Technical Debt
 
Estuate helps major wireless telecom save tens of millions
Estuate helps major wireless telecom save tens of millionsEstuate helps major wireless telecom save tens of millions
Estuate helps major wireless telecom save tens of millions
 
Mesabi Group paper: Rethink Data Protection and Retention Now Merchandising
Mesabi Group paper: Rethink Data Protection and Retention Now Merchandising Mesabi Group paper: Rethink Data Protection and Retention Now Merchandising
Mesabi Group paper: Rethink Data Protection and Retention Now Merchandising
 
Top 10 Most Important DAM Features
Top 10 Most Important DAM FeaturesTop 10 Most Important DAM Features
Top 10 Most Important DAM Features
 

Similar to Executive Primer on Business Continuity Planning

The Challenges Of Multi-cloud Management.pdf
The Challenges Of Multi-cloud Management.pdfThe Challenges Of Multi-cloud Management.pdf
The Challenges Of Multi-cloud Management.pdf
aNumak & Company
 
Iaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems usingIaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems using
Iaetsd Iaetsd
 
Business Continuation The Basics
Business Continuation   The BasicsBusiness Continuation   The Basics
Business Continuation The Basics
guest13df88e8
 
Business Continuity Getting Started
Business Continuity Getting StartedBusiness Continuity Getting Started
Business Continuity Getting Startedmxp5714
 
Data Centers In US
Data Centers In USData Centers In US
Data Centers In US
msirmajritchie
 
Cloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA ProfessionCloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA Profession
Bharath Rao
 
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdfWhitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
FINAP Worldwide
 
The cloud primer
The cloud primerThe cloud primer
The cloud primer
Joe Orlando
 
SaaS for Credit Origination
SaaS for Credit OriginationSaaS for Credit Origination
SaaS for Credit Origination
InfraRisk
 
Why Cloud-Based Asset Management Is Vital for Business Safety and Efficiency
Why Cloud-Based Asset Management Is Vital for Business Safety and EfficiencyWhy Cloud-Based Asset Management Is Vital for Business Safety and Efficiency
Why Cloud-Based Asset Management Is Vital for Business Safety and Efficiency
Asset Panda
 
Host your Cloud – Netmagic Solutions
Host your Cloud – Netmagic SolutionsHost your Cloud – Netmagic Solutions
Host your Cloud – Netmagic Solutions
Netmagic Solutions Pvt. Ltd.
 
Efficient Data Centers Are Built On New Technologies and Strategies
Efficient Data Centers Are Built On New Technologies and StrategiesEfficient Data Centers Are Built On New Technologies and Strategies
Efficient Data Centers Are Built On New Technologies and Strategies
CMI, Inc.
 
How the Cloud is Revolutionizing the Retail Industry
How the Cloud is Revolutionizing the Retail IndustryHow the Cloud is Revolutionizing the Retail Industry
How the Cloud is Revolutionizing the Retail Industry
Raymark
 
Using IoT to Drive Lean Implementation
Using IoT to Drive Lean ImplementationUsing IoT to Drive Lean Implementation
Using IoT to Drive Lean Implementation
MileyJames
 
V mware quick start guide to disaster recovery
V mware   quick start guide to disaster recoveryV mware   quick start guide to disaster recovery
V mware quick start guide to disaster recoveryVMware_EMEA
 
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docxRUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
anhlodge
 
Cloud computing
Cloud computing Cloud computing
Cloud computing
Schneider Electric
 
Cloud
CloudCloud
Cloudain84
 
Should business move to cloud
Should business move to cloudShould business move to cloud
Should business move to cloud
Shashwat Shankar
 

Similar to Executive Primer on Business Continuity Planning (20)

The Challenges Of Multi-cloud Management.pdf
The Challenges Of Multi-cloud Management.pdfThe Challenges Of Multi-cloud Management.pdf
The Challenges Of Multi-cloud Management.pdf
 
Iaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems usingIaetsd design and implementation of secure cloud systems using
Iaetsd design and implementation of secure cloud systems using
 
Business Continuation The Basics
Business Continuation   The BasicsBusiness Continuation   The Basics
Business Continuation The Basics
 
Business Continuity Getting Started
Business Continuity Getting StartedBusiness Continuity Getting Started
Business Continuity Getting Started
 
Data Centers In US
Data Centers In USData Centers In US
Data Centers In US
 
Cloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA ProfessionCloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA Profession
 
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdfWhitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
Whitepaper - Analyzing the Adoption of Cloud Computing For Banking & Finance.pdf
 
bishu pdf1
bishu pdf1bishu pdf1
bishu pdf1
 
The cloud primer
The cloud primerThe cloud primer
The cloud primer
 
SaaS for Credit Origination
SaaS for Credit OriginationSaaS for Credit Origination
SaaS for Credit Origination
 
Why Cloud-Based Asset Management Is Vital for Business Safety and Efficiency
Why Cloud-Based Asset Management Is Vital for Business Safety and EfficiencyWhy Cloud-Based Asset Management Is Vital for Business Safety and Efficiency
Why Cloud-Based Asset Management Is Vital for Business Safety and Efficiency
 
Host your Cloud – Netmagic Solutions
Host your Cloud – Netmagic SolutionsHost your Cloud – Netmagic Solutions
Host your Cloud – Netmagic Solutions
 
Efficient Data Centers Are Built On New Technologies and Strategies
Efficient Data Centers Are Built On New Technologies and StrategiesEfficient Data Centers Are Built On New Technologies and Strategies
Efficient Data Centers Are Built On New Technologies and Strategies
 
How the Cloud is Revolutionizing the Retail Industry
How the Cloud is Revolutionizing the Retail IndustryHow the Cloud is Revolutionizing the Retail Industry
How the Cloud is Revolutionizing the Retail Industry
 
Using IoT to Drive Lean Implementation
Using IoT to Drive Lean ImplementationUsing IoT to Drive Lean Implementation
Using IoT to Drive Lean Implementation
 
V mware quick start guide to disaster recovery
V mware   quick start guide to disaster recoveryV mware   quick start guide to disaster recovery
V mware quick start guide to disaster recovery
 
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docxRUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
 
Cloud computing
Cloud computing Cloud computing
Cloud computing
 
Cloud
CloudCloud
Cloud
 
Should business move to cloud
Should business move to cloudShould business move to cloud
Should business move to cloud
 

Executive Primer on Business Continuity Planning

why don't most businesses, particularly those that are not SEC registrants, prioritize this matter?

First, it is a great deal of work to become proactive: to determine the activities required before any disaster, as well as to plan the processes for resuming after one. Business Continuity Planning (or a Business Continuity Plan), also referred to as "BCP," is indeed challenging … and is far more involved than drafting an insincerely prepared plan and filing it in a drawer. Second, most businesses don't have the internal management experience to address this process. And third, among others, many business owners and managers believe that their business is already prepared for disasters based on naïve assumptions such as "we have good backup tapes" or "we know everyone's cell phone numbers." And then you have the other thought process (often unspoken) that summarizes many businesses' approach to this risk: "It won't happen to us."

BCP involves company-wide participation, coordination with internal and outside constituents, ongoing updates, management and testing. Among the most critical components of the BCP process, however, and among the more straightforward to address, is the ability to have information and computer systems survive a disaster and support the business afterward.

Information technology is a key driver in BCP. Without considering the IT factors, a disaster can dramatically impact a business' continuity in the form of lost data, lost practices and automated processes, lost revenues and lost operations. Read on for an example of what can happen.

IMAGINE THIS HORROR

Your client, ACME, runs a business with five offices spread around the country. A snapshot of its IT environment is important to be aware of in our example.

Work came to a halt … in all locations. The client website was completely "down," precluding many customers from conducting business with ACME. The most recent backup tapes were over two weeks old and were actually stored in the server room. Sadly, they were useless: soaked and damaged by surrounding debris. A search for other reasonably current backup tapes continued unsuccessfully.

Dilemma: No current data. No productivity. Limited customer orders and interaction. No likelihood of restoring any current, or perhaps ANY, information with which to do business.

Exaggerated? Not sure how realistic this is? Then substitute for "flood" other real disasters outside of natural occurrence: ACME's confidential and private customer data and trade secrets could have been compromised by a disgruntled employee or other insider, or the servers could have literally been stolen by a competitor or an enterprising employee. Other disasters in the Mother Nature category that can yield the same result include power surges, earthquakes and isolated or widespread fires. All of these occur somewhere every day.

AVOID THE HORROR

Define and tackle your objectives for Preparedness and Resumption

Engage in BCP; it allows a business's operations to resume (as planned) after a disaster. A BCP for any business should address IT considerations as well as others: human resources, media or press relations, emergency response agencies, operational and physical logistics, and more. Even if ACME had accomplished only some BCP, surely some of the above risks would not have had such business-halting results.

If businesses resist engaging in BCP because they choose to avoid its common sense and prudence, then consider this: BCP
efforts are addressed (directly or indirectly) in regulatory compliance doctrines in place today for companies of all sizes, from Sarbanes-Oxley to HIPAA and other privacy protection acts, both Federal and local.

BCP efforts require a significant investment of corporate labor, outside advisors and financial resources, and include procedure design, implementation and testing. Objectives and tactics of BCP follow, with an emphasis on IT considerations.

CREATING, MAINTAINING AND TESTING THE BCP

First, the plan must be created. We recommend that a BCP/crisis management team be formed and empowered to create, manage and update the BCP. This team should represent all key departments, and focus on the following objectives:
• the continuity and survival of the business,
• the protection of corporate tangible and intangible assets,
• human resources and 'public' awareness of the event,
• the creation and documentation of specific preventative measures/activities, and
• the ability for the BCP to be effective, as a whole, on an ongoing basis.

At its core, a BCP addresses the myriad business risks that a company would face in the event of foreseeable disasters, including the nature of the disasters as well as the most important risks of loss. A business must determine the following at the onset:
1. What kinds of disasters are most likely to impact the business?
   a. Natural disasters – the usual suspects might include fire, flood, earthquake, and the like.
   b. Human-oriented disasters – including theft of digital intellectual property and trade secrets, compromise of web commerce activities, stolen servers, etc. Others include carelessness resulting in a lost unprotected laptop or flash drive containing sensitive information, as well as inappropriate or ineffective network and security design and management.
2. What attributes of a disaster are most impactful to the sustenance of the business' operations?
   a. Loss of the business' website and eCommerce capabilities.
   b. Loss of Internet access for extended periods of time.
   c. Loss of power to keep IT and other operations equipment running.
   d. Loss of email access or file/folder access.
   e. Loss of employees to conduct business due to geographical or pandemic disasters.
   f. Loss of strategic data (customer lists, accounting data, sales information, other intellectual property, etc.).

After addressing the above, the BCP starts to take shape right away. The BCP team creates action plans and documentation of procedures that address and mitigate each of the risks related to the disasters most likely to be impactful … and then tests these plans and procedures "real time" to the extent possible. This may mean shutting down the company's power or Internet connectivity during business hours. Many companies do NOT test their planned procedures in any way, nor update them as information and the business change. Thus, the BCP may be entirely useless at the actual time of need.

HOW ACME COULD HAVE PREPARED BETTER

A BCP at ACME should have included better IT preparations. Some examples of procedures might include the following:
1. Regular and secure offsite rotation and storage of data backup tape(s), accompanied by procedures on how to retrieve them and restore data and systems functionality from them. A backup that sits in the same room as the servers is lost with them, as ACME's was; a backup that has never been restored from is of unknown value until the day it is needed.
2. A duplicate eCommerce website environment "at the ready" that activates when the primary site fails for any reason. This could be located at any number of other locations, including a sister office or a third-party Internet host.
3. Offsite or remote server redundancy. Examples include:
   a. A "hot site" – an off-site duplicate server and system environment that allows for resumption of systems operations, with the ability to be connected "live" upon instruction. This approach is simplified and often most effectively managed using a newer technology known as virtualization of the server environments, which allows for simpler and more affordable redundancy.
   b. The adoption of externally hosted "cloud computing" server and data environments. In this "cloud" concept, a company's servers, software and data are hosted by third parties and served to the users via an Internet browser on any computer. Hence, resumption would occur simply by finding an Internet browser anywhere. This does, of course, depend on Internet access surviving the event, which item 4 addresses.
4. Redundant Internet and telephone services. Alternative Internet connection services can activate automatically upon a disruption of the main connection, thereby keeping communications alive without interruption. Secondary phone systems or Internet-based phone systems can be made available for those incidents when communications failures occur.
5. Effective server room construction and configuration. Considerations include adequate levels of air conditioning, drainage systems, weatherproofing, ceiling leak testing, etc.

SUMMARY

BCPs are critical in today's business climate, and the businesses that invest time and effort in their creation, maintenance and testing are well rewarded in the event of disasters and disruptions of any kind. Specific information technology practices for avoidance of data loss from disasters are increasingly necessary to make BCPs successful and effective. And they are very affordable and achievable when addressed prudently and in advance. This enables BCP constituents to more likely enjoy the peace of mind that they deserve.

Robert (Bob) Green, CPA.CITP/Partner and Rick Mark/Senior Manager are Information Management professionals in the Enterprise Risk Management Services group at SingerLewak, LLP, one of the western U.S.'s largest CPA and consulting firms with six offices in California. This group provides CIO and CTO advisory services, as well as governance, risk and compliance advisory/audit services to privately held and SEC registrant enterprises. Bob presently serves on the AICPA's Certified Information Technology Professional credential committee. They can be reached at BGreen@SingerLewak.com and RMark@SingerLewak.com.

Reprinted by permission ©2009 The CPA Technology Advisor • 420 N. Kickapoo, Shawnee, OK 74801 • 800-456-0864 • www.CPATechAdvisor.com
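The following is an added example, not part of the article or of any SingerLewak material. It turns item 1 of "How ACME could have prepared better" (offsite rotation plus a proven restore procedure) and the "test these plans and procedures" paragraph into a check a practitioner can actually run: given a catalog of backup sets, it answers the question ACME could not answer on the morning of the flood, namely whether there is a copy that is current, held away from the server room, and known to restore. It also runs a small restore drill that proves a restored tree matches the original byte for byte, and shows that the drill catches a damaged copy. The names (BackupSet, newest_recoverable, restore_drill), the sites "HQ" and "offsite vault", the dates, the file contents and the seven-day recovery point objective are all assumptions chosen for illustration.

```python
"""Backup-rotation and restore-drill check for the ACME scenario.
Added example, not from the article. Sites, dates, RPO and file
contents below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
import hashlib
import shutil
import tempfile


@dataclass(frozen=True)
class BackupSet:
    taken: datetime        # when the set was written
    site: str              # where the media physically sits right now
    restore_tested: bool   # a restore from this set has actually been exercised


def newest_recoverable(catalog, primary_site, now, rpo, require_tested=True):
    """Most recent set that is offsite, within the recovery point objective
    and (by default) restore tested; None if no set qualifies. Media stored
    at the primary site is excluded outright: it shares the server room's
    fate, as ACME's soaked tapes did."""
    usable = [b for b in catalog
              if b.site != primary_site and (b.restore_tested or not require_tested)]
    if not usable:
        return None
    newest = max(usable, key=lambda b: b.taken)
    return newest if now - newest.taken <= rpo else None


def sha256_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of content, for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def restore_drill(source: Path, tamper: bool = False) -> bool:
    """Copy source to a 'backup' location, restore it to a fresh directory and
    prove the restored tree matches the original manifest. With tamper=True one
    file in the backup is altered before the restore (a damaged tape, in ACME's
    terms), which the manifest comparison must catch."""
    manifest = sha256_manifest(source)   # record the truth before copying
    with tempfile.TemporaryDirectory() as work:
        backup = Path(work) / "backup"
        restore = Path(work) / "restore"
        shutil.copytree(source, backup)
        if tamper:
            victim = next(p for p in sorted(backup.rglob("*")) if p.is_file())
            victim.write_bytes(victim.read_bytes()[:-1] + b"?")
        shutil.copytree(backup, restore)
        return sha256_manifest(restore) == manifest


# Constructed scenario (assumed): "HQ" is the server room that flooded,
# and the recovery point objective is assumed to be seven days.
NOW = datetime(2009, 9, 1, 8, 0)
RPO = timedelta(days=7)

# ACME as the article describes it: the only recent tapes are in the server
# room, and the only offsite copy is over two weeks old.
ACME_CATALOG = [
    BackupSet(NOW - timedelta(days=1), "HQ", restore_tested=False),
    BackupSet(NOW - timedelta(days=3), "HQ", restore_tested=False),
    BackupSet(NOW - timedelta(days=16), "offsite vault", restore_tested=True),
]

# The same business with a working rotation: a two-day-old set is already
# offsite and has been through a restore drill.
ROTATED_CATALOG = ACME_CATALOG + [
    BackupSet(NOW - timedelta(days=2), "offsite vault", restore_tested=True),
]


def demo_restore(tamper: bool = False) -> bool:
    """Build a small constructed file tree and run the drill against it."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "data"
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "ledger.csv").write_text("2009-08-31,invoice,1200.00\n")
        (src / "customers.txt").write_text("ACME customer list (constructed)\n")
        return restore_drill(src, tamper=tamper)


if __name__ == "__main__":
    print("ACME, as described:", newest_recoverable(ACME_CATALOG, "HQ", NOW, RPO))
    print("With rotation:", newest_recoverable(ROTATED_CATALOG, "HQ", NOW, RPO))
    print("Restore drill passes:", demo_restore())
    print("Restore drill detects damaged copy:", demo_restore(tamper=True))
```

Run against ACME's catalog the check returns nothing: the recent sets are in the flooded room and are excluded regardless of age, and the one offsite set is outside the recovery point objective. Relaxing `require_tested` does not help, which is the point of the article's "we have good backup tapes" assumption. The rotated catalog yields the two-day-old offsite set, and the drill shows what "restore tested" should mean in the plan: an actual restore into a clean location compared against a manifest taken before the copy, not a glance at the tape label.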