| Mission/Business Process | Description | Stakeholder | Key Resources | MTD (Hours) | RTO (Hours) | WRT (Hours) | RPO (Hours) |
|---|---|---|---|---|---|---|---|
| Accounting | Processes invoices and payables | CFO | Network, Servers, Wkstns | 72 | 48 | 24 | 12 |

Maximum Tolerable Downtime (MTD). The MTD represents the
total amount of time leaders/managers are willing to accept for
a mission/business process outage or disruption and includes all
impact considerations. Determining MTD is important because
failing to do so could leave continuity planners with imprecise
direction on (1) selection of an appropriate recovery method,
and (2) the depth of detail that will be required when
developing recovery procedures, including their scope and
content.

Recovery Time Objective (RTO). The time available to recover
disrupted systems and resources. It is typically one segment of
the MTD. For example, if a critical business process has a
three-day MTD, the RTO might be one day (Day 1). This is the
time you will have to get systems back up and running. The
remaining two days will be used for work recovery (see Work
Recovery Time).

Work Recovery Time (WRT). The second segment that makes up
the maximum tolerable downtime (MTD). If your MTD is three
days, Day 1 might be your RTO and Days 2 to 3 might be your
WRT. It takes time to get critical business functions back up
and running once the systems (hardware, software, and
configuration) are restored. This is an area that some planners
overlook, especially those from IT: once the systems are back
up and running, they're all set from an IT perspective. From a
business function perspective, there are additional steps that
must be undertaken before it's back to business. These are
critical steps, and that time must be built into the MTD.
Otherwise, you'll miss your MTD requirements and potentially
put your entire business at risk.

Remember this formula: MTD = RTO + WRT. So in my example
above, 72 hrs = 48 hrs + 24 hrs.

Recovery Point Objective (RPO). The RPO represents the point
in time, prior to a disruption or system outage, to which
mission/business process data must be recovered (given the
most recent backup copy of the data) after an outage.

Data in italics is for demonstration purposes and should be
replaced when you create your own table.
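
A consistency check for a filled-in BIA table, as an added example that is not part of the original assignment: it applies MTD = RTO + WRT to every row, compares the backup interval with the RPO, and lists processes by shortest MTD. The "Backup Interval (Hours)" column, the shortest-MTD-first ordering, and every row except Accounting are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample: Accounting is the page's demonstration row; the other rows and the
# "Backup Interval (Hours)" column are assumptions added for this example.
SAMPLE_BIA = """\
Mission/Business Process,Stakeholder,MTD (Hours),RTO (Hours),WRT (Hours),RPO (Hours),Backup Interval (Hours)
Accounting,CFO,72,48,24,12,12
Payroll,HR Director,48,24,36,4,24
Customer Support,COO,24,8,12,1,1
Order Fulfilment,COO,36,12,24,8,
"""

HOUR_COLUMNS = ("MTD (Hours)", "RTO (Hours)", "WRT (Hours)",
                "RPO (Hours)", "Backup Interval (Hours)")


def load_rows(csv_text):
    """Parse the BIA table into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_hours(row, column):
    """Return the cell as a non-negative float, or None if it is unusable."""
    try:
        value = float((row.get(column) or "").strip())
    except ValueError:
        return None
    return value if value >= 0 else None


def check_row(row):
    """Return a list of findings for one BIA row; an empty list means consistent."""
    unusable = [c for c in HOUR_COLUMNS if parse_hours(row, c) is None]
    if unusable:
        return [f"{c} is missing, negative or not a number" for c in unusable]

    mtd, rto, wrt, rpo, backup = (parse_hours(row, c) for c in HOUR_COLUMNS)
    findings = []
    total = rto + wrt
    if total > mtd:
        # System recovery plus work recovery will not fit inside the tolerated outage.
        findings.append(f"RTO + WRT = {total:g} h exceeds the MTD of {mtd:g} h by {total - mtd:g} h")
    elif total < mtd:
        # Not a failure, but the formula on the page expects the segments to add up.
        findings.append(f"RTO + WRT = {total:g} h leaves {mtd - total:g} h of the MTD unallocated")
    if backup > rpo:
        # Worst case, the outage hits just before the next backup would have run.
        findings.append(f"backups every {backup:g} h can lose more data than the RPO of {rpo:g} h allows")
    return findings


def audit(rows):
    """Map each process name to its findings."""
    return {row["Mission/Business Process"]: check_row(row) for row in rows}


def recovery_order(rows):
    """Process names ordered by shortest MTD first (assumed prioritization rule)."""
    usable = [r for r in rows if parse_hours(r, "MTD (Hours)") is not None]
    usable.sort(key=lambda r: (parse_hours(r, "MTD (Hours)"), r["Mission/Business Process"]))
    return [r["Mission/Business Process"] for r in usable]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_BIA)
    for process, findings in audit(rows).items():
        print(process, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    print("Recovery order:", ", ".join(recovery_order(rows)))
```
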
Project 3: Business Continuity
Step 2: Define the Scope
In the first step, you reviewed BCP methodologies. You are now
ready to continue the first part of the planning process, which
involves establishing the need for a BCP and defining an
appropriate scope for the company outlined in the scenario.
The BCP should address aspects of business continuity,
business recovery, contingency planning, disaster recovery, and
related activities. Focus on those elements that are adequate and
expedient, based on your risk assessment for the enterprise.
Governmental agencies are required to develop an enterprise
continuity of operations program (COOP). A COOP is a detailed
framework that documents how the agency will ensure that
essential functions continue through an emergency situation
until normal operations can resume. Outside of federal, state,
and local government, enterprises call that kind of framework a
BCP. Both COOPs and BCPs are created to help organizations
recover from disasters.
Consider what aspects of business continuity the BCP will
address, such as business recovery, contingency planning, and
disaster recovery. Submit a brief description for feedback (one
page or less) of the topic areas to be covered in the
BCP.
Submission for Project 3: BCP Scope
Project 3: Business Continuity
Step 3: Conduct a Business Impact Analysis
You've defined the scope for the BCP. Next, use an
established risk management framework to conduct a business
impact analysis (BIA).
The BIA provides written documentation to assist Maria and the
other executives in understanding the business impact should an
outage occur. Such impacts may be financial, in terms of lost
revenues and additional expenses; operational, in terms of
inability to deliver products and services; or even intangible, in
terms of damage to the organization's reputation and loss of
public confidence.
This analysis should include all departments and facilities of
the enterprise, list what it would take for each to resume
adequate operations to meet the needs of the enterprise, and
must include each phase of the recovery activities.
Remember, a key element to "business impact" is the financial
aspect. What will it "cost" to take a particular action and,
equally important, what could be the "cost" of inaction?
Prioritization is a key to the successful recovery of operations.
The sequence of activities is an essential element in your
contingency planning.
Use the Business Impact Analysis Template and then upload
your BIA here for
Project 3: Business Continuity
Step 4: Identify Key Resources and Stakeholders
After the BIA, the next step is to identify the key resources
necessary and the stakeholders (executives and management)
responsible for those resources. Remember, some resources
necessary for a successful BCP might be external to the
company. Be sure to include these aspects in the plan.
Now that all resources and stakeholders are identified and
listed, answer these two questions: What resources are needed?
Who are the players?
Expand the table for the BCP by including a column for
accountability. With an assumed and reasonable job title, make
a list of probable stakeholders responsible for execution of each
recovery effort. Clearly identify their respective responsibilities
during the reactivation of business processes.
Use the Key Resources and Stakeholders Template to indicate
key resources and stakeholders involved in the recovery for
feedback.
Project 3: Business Continuity
Step 5: Consider Preventive Controls
After identifying the key stakeholders and resources, take a
look at what can be put in place in advance to prevent or reduce
risk. Based on previous research, plus what you have learned in
the business impact analysis, what could be done to eliminate or
minimize the impact of a major event? These are called
preventive controls in the business process realm, or risk
countermeasure implementation in technology language.
Either way, the BCP should contain controls that can be
classified as measures taken in advance of a catastrophe that are
designed to reduce the risk of a negative impact. In the process
of itemizing the controls, make sure they are properly aligned
with organizational goals and the strategic direction of the
enterprise.
The preventative controls selected should be aligned with the
organizational goals and strategies. You will list these controls
in the next step.
Project 3: Business Continuity
Step 6: List Preventive Controls
In this step, you will write a description of the preventative
controls that you considered in the previous step. These controls
could eliminate or minimize the impact of a major event.
Upload a description of the preventative controls to be used in
the BCP here for feedback.
Project 3: Business Continuity
Step 7: Research Recovery Strategies
A BCP is uniquely different from a complete disaster recovery
plan (DRP), neither of which is a small undertaking. Both are
required to return the enterprise to 100 percent functionality.
The view for the enterprise is to have one BCP that contains
multiple DRPs generally broken into department or business
function categories.
The BCP is an overarching strategic approach to getting any
business back "in" business with all mandatory functionality as
soon as possible after disaster strikes. This is why the previous
steps and projects have required these elements to be identified
and prioritized. As such, the BCP is not as detail-oriented as the
DRP and only contains DRP requirements that are absolutely
mandatory to get the business back in action at the earliest
opportunity.
The DRP is usually more technical, very specific, and very
much a necessity in today's highly connected technology
infrastructure. The DRP includes descriptions of data backup
strategies, recovery sites, and postincident requirements.
There will naturally be several aspects of the rebuild that might
not go exactly as planned. This exercise will be to demonstrate
an ability to follow multiple paths in a decision tree
environment. The objective will be to create a drawing or
descriptive list that follows both options to each decision of
"yes" or "no" or "success" or "failure" to the reconstructive
effort.
Specifically, for each step, conclude with an answer to the
question "was the action successful?" If "yes," what is the next
step? Or, if "no," what is the alternative step to take next?
Continue this process until you have successfully returned to
operational status or determined you cannot reactivate under
current circumstances. If the result of the plan is an inability to
recover, the plan needs additional work to make it successful.
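
The decision-tree exercise described above, as an added example that is not part of the original assignment: it follows both the "yes" and the "no" branch of every step, totals the hours on each path, and sorts the paths into those that reach operational status within the RTO, those that reach it late, and those that end in an inability to recover. The step names and durations are constructed, the 48-hour RTO is taken from the sample BIA row, and a failed attempt is assumed to consume its full estimated time.

```python
from dataclasses import dataclass

OPERATIONAL = "OPERATIONAL"        # terminal: returned to operational status
CANNOT_RECOVER = "CANNOT_RECOVER"  # terminal: cannot reactivate under current circumstances
TERMINALS = {OPERATIONAL, CANNOT_RECOVER}


@dataclass(frozen=True)
class Step:
    action: str    # what is attempted
    hours: float   # estimated time the attempt takes, whether or not it succeeds
    on_yes: str    # next step if "was the action successful?" is yes
    on_no: str     # alternative step if the answer is no


# Constructed sample plan for one business function (names and hours are illustrative).
PLAN = {
    "restore_primary": Step("Restore servers at primary site from backup", 12, "verify_data", "failover_alt"),
    "failover_alt": Step("Bring up systems at the alternate site", 24, "verify_data", "rebuild_vendor"),
    "rebuild_vendor": Step("Rebuild on replacement hardware", 36, "verify_data", CANNOT_RECOVER),
    "verify_data": Step("Verify restored data against the last backup", 4, OPERATIONAL, "restore_older"),
    "restore_older": Step("Restore from an older backup copy", 8, OPERATIONAL, CANNOT_RECOVER),
}


def enumerate_paths(plan, start):
    """Return every path as (trail, terminal, total_hours), yes-branch first."""
    paths = []

    def walk(name, trail, hours, seen):
        if name in TERMINALS:
            paths.append((tuple(trail), name, hours))
            return
        if name not in plan:
            raise KeyError(f"step {name!r} is referenced but not defined")
        if name in seen:
            # A plan that sends you back to a step already tried never terminates.
            raise ValueError(f"loop in plan at step {name!r}")
        step = plan[name]
        for outcome, nxt in (("yes", step.on_yes), ("no", step.on_no)):
            walk(nxt, trail + [(name, outcome)], hours + step.hours, seen | {name})

    walk(start, [], 0.0, frozenset())
    return paths


def review(plan, start, rto_hours):
    """Bucket each path: recovered within the RTO, recovered late, or dead end."""
    report = {"within_rto": [], "late": [], "dead_end": []}
    for trail, terminal, hours in enumerate_paths(plan, start):
        if terminal == CANNOT_RECOVER:
            bucket = "dead_end"      # the plan needs additional work on this path
        elif hours <= rto_hours:
            bucket = "within_rto"
        else:
            bucket = "late"          # recovers, but after the RTO has passed
        report[bucket].append((hours, trail))
    return report


if __name__ == "__main__":
    for bucket, paths in review(PLAN, "restore_primary", rto_hours=48).items():
        print(bucket)
        for hours, trail in sorted(paths):
            print(f"  {hours:5.1f} h  " + " -> ".join(f"{s}:{o}" for s, o in trail))
```
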
In the next step, you will document the selected recovery
strategies.
Project 3: Business Continuity
Step 8: Document Recovery Strategies
Now that you have researched recovery strategies as they
pertain to a BCP, list or map multiple strategic options to
accomplish the recovery effort. Upload a description of the
planned recovery strategies here for feedback.
Submission for Project 3: Viable Recovery Strategies
Project 3: Business Continuity
Step 9: Develop Implementation and Maintenance Procedures
for the Contingency Plan
You've documented recovery strategies and are well on the way
to completing the BCP. But writing a BCP is not enough. You
must also have a clear plan for implementing and maintaining
the BCP. Answer these questions:
· What resources are needed?
· Under what conditions, such as fire, natural disasters,
occurrence of a terrorist attack, etc., will the BCP be
activated?
· How will stakeholders be made aware of the policies and
procedures of the BCP?
· How will employees be trained on the plan? How often will
training occur? Will there be a general training for all
employees or role-based trainings for people in specific
functional areas?
· How/where will the plan be stored for safekeeping and
accessibility when needed?
· When and how will BCP maintenance reviews be scheduled?
· How will updates and changes to the plan be handled? How
often will the plan be updated?
In this step, begin to develop a strategy for how the BCP will be
implemented and maintained. This information will be used in
Step 11, in which the contingency plan will be documented.
Next, you will develop testing procedures for the plan.
Project 3: Business Continuity
Step 10: Develop Testing Procedures for the Contingency Plan
You've begun to outline your strategy for how to implement and
maintain a BCP. It is also important to conduct business
continuity testing to evaluate the effectiveness of a
preparedness program in practice. This will give insight into
whether the parts of the preparedness program will work and
can help identify aspects of the BCP that work on paper but are
ineffective or impractical in reality.
Examples of BCP Tests

| Types of Tests | Description |
|---|---|
| Structured walk-through | Step-by-step review of BCP plans with organization's functional representatives |
| Checklist test | Functional representatives review BCP plans and check off the points that are listed to ensure concerns and activities are addressed |
| Simulation | A scenario-based practice execution of the BCP plans. |
| Parallel test | Operational test conducted at the alternate site(s). |
| Full interruption test | Full-scale operational test including shutdown of primary site and recovery of business operations at alternate site(s). |

Source: Ouyang, A. (n.d.). CISSP common body of knowledge:
Business continuity & disaster recovery planning domain. Used
under a Creative Commons
Attribution-NonCommercial-ShareAlike 3.0 Unported license.

Taking time to develop, document, and test consistent processes
and controls will also help you prepare for the annual audit of
your information security system under any of the commonly
used security and audit frameworks. Under these security and
audit methodologies, auditors will gather information about the
organization's security systems, confirm that appropriate
security measures are in place, and provide a report on their
findings.
Now develop your strategy for how the BCP will be tested.
Your plan will be included in the contingency plan to be
submitted in the next step.
Business Continuity Plan Template
CIO Maria Sosa has asked you to provide her and the other
executives with a business continuity plan for your
organization.
Final Business Continuity Plan (five- to seven-page report using
this template). The plan should include the following
components:
· Title Page
  · Include:
    · for whom you are preparing the document, the title, the date
      prepared, and your name as the preparer of the document
· Overview
  · Remember that this is your Business Continuity Plan, not
    recommendations on how to build a plan. Make sure that the
    language and style of writing support this.
  · Include:
    · justifications demonstrating the value of a BCP for the
      organization
    · description of the scope of the BCP (one- to two-page
      narrative, from Step 2)
· Business Impact Analysis and Key Resources and Stakeholders
  (Steps 3 & 4 using Template in discussion area, plus one-page
  summary of findings)
  · Include:
    · BIA Template table with at least 5 entries (see BIA template)
    · Discussion of the information in the table (Methodology, key
      factors, priorities, etc.)
· Preventative Controls (one to two pages, from Step 6)
  · Provide a list of controls that your organization has put into
    place in support of the BCP
  · These controls should be specifically focused on the BCP
· Contingency Plan and Recovery Strategies (two to three pages,
  from Steps 7 & 8)
  · Discuss how to respond to a contingency and bring the
    business back to full normal operations after implementing the
    contingency plan
  · Under what conditions will the plan be activated?
  · How will you notify stakeholders?
  · How will you respond to disaster?
  · What strategies or processes will you use to recover?
  · NIST 800-34 is an excellent resource
· Plan Maintenance
  · From Steps 9-11 in the project
  · How will staff be trained on the plan?
  · How will the plan be maintained and updated?
  · How will you test the plan?
Mission/Business Process
Description
Stake Holder
Key Resources
MTD
(Hours)
RTO (Hours)
WRT (Hours)
RPO (Hours)
Accounting
Processes invoices and Payables
CFO
Network, Servers, Wkstns
72
48
24
12
Maximum Tolerable Downtime (MTD). The MTD represents the
total amount of time leaders/managers are willing to accept for
a mission/business process outage or disruption and includes all
impact considerations. Determining MTD is important because
it could leave continuity planners with imprecise direction on
(1) selection of an appropriate recovery method, and (2) the
depth of detail which will be required when developing
recovery procedures, including their scope and content.
Recovery Time Objective (RTO). The time available to recover
disrupted systems and resources. It is typically one segment of
the MTD. For example, if a critical business process has a
three-day MTD, the RTO might be one day (Day 1). This is the
time you will have to get systems back up and running. The
remaining two days will be used for work recovery (see Work
Recovery Time).
Work Recovery Time (WRT)
The second segment that comprises the maximum tolerable
downtime (MTD). If your MTD is three days, Day 1 might be
your RTO and Days 2 to 3 might be your WRT. It takes time to
get critical business functions back up and running once the
systems (hardware, software, and configuration) are restored.
This is an area that some planners overlook, especially from IT.
If the systems are back up and running, they're all set from an
IT perspective. From a business function perspective, there are
additional steps that must be undertaken before it's back to
business. These are critical steps and that time must be built
into the MTD. Otherwise, you'll miss your MTD requirements
and potentially put your entire business at risk.
Remember this formula: MTD = RTO + WRT. So in my
example of above 72hrs = 48hrs + 24hrs
Recovery Point Objective (RPO). The RPO represents the point
in time, prior to a disruption or system outage, to which
mission/business process data must be recovered (given the
most recent backup copy of the data) after an outage.
Data in Italics is for demonstration purposes and should be
replaced when you create your own table.

MissionBusiness ProcessDescriptionStake HolderKey Resources

  • 1.
    Mission/Business Process Description Stake Holder KeyResources MTD (Hours) RTO (Hours) WRT (Hours) RPO (Hours) Accounting Processes invoices and Payables CFO Network, Servers, Wkstns 72 48 24 12
  • 2.
    Maximum Tolerable Downtime(MTD). The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations. Determining MTD is important because it could leave continuity planners with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content. Recovery Time Objective (RTO). The time available to recover disrupted systems and resources. It is typically one segment of the MTD. For example, if a critical business process has a three-day MTD, the RTO might be one day (Day 1). This is the time you will have to get systems back up and running. The remaining two days will be used for work recovery (see Work Recovery Time). Work Recovery Time (WRT) The second segment that comprises the maximum tolerable downtime (MTD). If your MTD is three days, Day 1 might be your RTO and Days 2 to 3 might be your WRT. It takes time to get critical business functions back up and running once the
  • 3.
    systems (hardware, software,and configuration) are restored. This is an area that some planners overlook, especially from IT. If the systems are back up and running, they're all set from an IT perspective. From a business function perspective, there are additional steps that must be undertaken before it's back to business. These are critical steps and that time must be built into the MTD. Otherwise, you'll miss your MTD requirements and potentially put your entire business at risk. Remember this formula: MTD = RTO + WRT. So in my example of above 72hrs = 48hrs + 24hrs Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage. Data in Italics is for demonstration purposes and should be replaced when you create your own table. Project 3: Business Continuity Step 2: Define the Scope In the first step, you reviewed BCP methodologies. You are now ready to continue the first part of the planning process, which involves establishing the need for a BCP and defining an appropriate scope for the company outlined in the scenario. The BCP should address aspects of business continuity, business recovery, contingency planning, disaster recovery, and related activities. Focus on those elements that are adequate and expedient, based on your risk assessment for the enterprise. Governmental agencies are required to develop an enterprise continuity of operations program (COOP). A COOP is a detailed framework that documents how the agency will ensure that essential functions continue through an emergency situation until normal operations can resume. Outside of federal, state, and local government, enterprises call that kind of framework a BCP. Both COOPs and BCPs are created to help organizations recover from disasters. Consider what aspects of business continuity the BCP will
  • 4.
    address, such asbusiness recovery, contingency planning, and disaster recovery. Submit a brief description for feedback (one page or less) of the topic areas to be covered in the BCP.Submission for Project 3: BCP Scope Project 3: Business Continuity Step 3: Conduct a Business Impact Analysis You've defined the scope for the BCP. Next, use an established risk management framework to conduct a business impact analysis (BIA). The BIA provides written documentation to assist Maria and the other executives in understanding the business impact should an outage occur. Such impacts may be financial, in terms of lost revenues and additional expenses; operational, in terms of inability to deliver products and services; or even intangible, in terms of damage to the organization's reputation and loss of public confidence. This analysis should include all departments and facilities of the enterprise, list what it would take for each to resume adequate operations to meet the needs of the enterprise, and must include each phase of the recovery activities. Remember, a key element to "business impact" is the financial aspect. What will it "cost" to take a particular action and, equally important, what could be the "cost" of inaction? Prioritization is a key to the successful recovery of operations. The sequence of activities is an essential element in your contingency planning. Use the Business Impact Analysis Template and then upload your BIA here forProject 3: Business Continuity Step 4: Identify Key Resources and Stakeholders After the BIA, the next step is to identify the key resources necessary and the stakeholders (executives and management) responsible for those resources. Remember, some resources necessary for a successful BCP might be external to the company. Be sure to include these aspects in the plan. Now that all resources and stakeholders are identified and listed, answer these two questions: What resources are needed?
  • 5.
    Who are theplayers? Expand the table for the BCP by including a column for accountability. With an assumed and reasonable job title, make a list of probable stakeholders responsible for execution of each recovery effort. Clearly identify their respective responsibilities during the reactivation of business processes. Use the Key Resources and Stakeholders Template to indicate key resources and stakeholders involved in the recovery for feedback.Project 3: Business Continuity Step 5: Consider Preventive Controls After identifying the key stakeholders and resources, take a look at what can be put in place in advance to prevent or reduce risk. Based on previous research, plus what you have learned in the business impact analysis, what could be done to eliminate or minimize the impact of a major event? These are called preventive controls in the business process realm, or risk countermeasure implementation in technology language. Either way, the BCP should contain controls that can be classified as measures taken in advance of a catastrophe that are designed to reduce the risk of a negative impact. In the process of itemizing the controls, make sure they are properly aligned with organizational goals and the strategic direction of the enterprise. The preventative controls selected should be aligned with the organizational goals and strategies. You will list these controls in the next step.Project 3: Business Continuity Step 6: List Preventive Controls In this step, you will write a description of the preventative controls that you considered in the previous step. These controls could eliminate or minimize the impact of a major event. Upload a description of the preventative controls to be used in the BCP here for feedback.Project 3: Business Continuity Step 7: Research Recovery Strategies A BCP is uniquely different from a complete disaster recovery plan (DRP), neither of which is a small undertaking. 
Both are required to return the enterprise to 100 percent functionality.
  • 6.
    The view forthe enterprise is to have one BCP that contains multiple DRPs generally broken into department or business function categories. The BCP is an overarching strategic approach to getting any business back "in" business with all mandatory functionality as soon as possible after disaster strikes. This is why the previous steps and projects have required these elements to be identified and prioritized. As such, the BCP is not as detail-oriented as the DRP and only contains DRP requirements that are absolutely mandatory to get the business back in action at the earliest opportunity. The DRP is usually more technical, very specific, and very much a necessity in today's highly connected technology infrastructure. The DRP includes descriptions of data backup strategies, recovery sites, and postincident requirements. There will naturally be several aspects of the rebuild that might not go exactly as planned. This exercise will be to demonstrate an ability to follow multiple paths in a decision tree environment. The objective will be to create a drawing or descriptive list that follows both options to each decision of "yes" or "no" or "success" or "failure" to the reconstructive effort. Specifically, for each step, conclude with an answer to the question "was the action successful?" If "yes," what is the next step? Or, if "no," what is the alternative step to take next? Continue this process until you have successfully returned to operational status or determined you cannot reactivate under current circumstances. If the result of the plan is an inability to recover, the plan needs additional work to make it successful. In the next step, you will document the selected recovery strategies.Project 3: Business Continuity Step 8: Document Recovery Strategies Now that you have researched recovery strategies as they pertain to a BCP, list or map multiple strategic options to accomplish the recovery effort. 
Upload a description of the planned recovery strategies here for feedback.Submission for
  • 7.
    Project 3: ViableRecovery Strategies Project 3: Business Continuity Step 9: Develop Implementation and Maintenance Procedures for the Contingency Plan You've documented recovery strategies and are well on the way to completing the BCP. But writing a BCP is not enough. You must also have a clear plan for implementing and maintaining the BCP. Answer these questions: · What resources are needed? · Under what conditions, such as fire, natural disasters, occurrence of a terrorist attack, etc., will the BCP will be activated? · How will stakeholders be made aware of the policies and procedures of the BCP? · How will employees be trained on the plan? How often will training occur? Will there be a general training for all employees or role-based trainings for people in specific functional areas? · How/where will the plan for stored for safekeeping and accessibility when needed? · When and how will BCP maintenance reviews be scheduled? · How will updates and changes to the plan be handled? How often will the plan be updated? In this step, begin to develop a strategy for how the BCP will be implemented and maintained. This information will be used in Step 11, in which the contingency plan will be documented. Next, you will develop testing procedures for the plan.Project 3: Business Continuity Step 10: Develop Testing Procedures for the Contingency Plan You've begun to outline your strategy for how to implement and maintain a BCP. It is also important to conduct business continuity testing to evaluate the effectiveness of a preparedness program in practice. This will give insight into whether the parts of the preparedness program will work and can help identify aspects of the BCP that work on paper but are ineffective or impractical in reality.
  • 8.
    Examples of BCPTests Types of Tests Description Structured walk-through Step-by-step review of BCP plans with organization's functional representatives Checklist test Functional representatives review BCP plans and check off the points that are listed to ensure concerns and activities are addressed Simulation A scenario-based practice execution of the BCP plans. Parallel test Operational test conducted at the alternate site(s). Full interruption test Full-scale operational test including shutdown of primary site and recovery of business operations at alternate site(s). Source: Ouyang, A. (n.d.). CISSP common body of knowledge: Business continuity & disaster recovery planning domain. Used under a Creative Commons Attribution-NonCommercial- ShareAlike 3.0 Unported license. Taking time to develop, document, and test consistent processes and controls will also help you prepare for the annual audit of your information security system under any of the commonly used security and audit frameworks. Under these security and audit methodologies, auditors will gather information about the organization's security systems, confirm that appropriate security measures are in place, and provide a report on their findings. Now develop your strategy for how the BCP will be tested. Your plan will be included in the contingency plan to be submitted in the next step.Project 3: Business Continuity Step 10: Develop Testing Procedures for the Contingency Pl an You've begun to outline your strategy for how to implement and maintain a BCP. It is also important to conduct business continuity testing to evaluate the effectiveness of a
  • 9.
    preparedness program inpractice. This will give insight into whether the parts of the preparedness program will work and can help identify aspects of the BCP that work on paper but are ineffective or impractical in reality. Examples of BCP Tests Types of Tests Description Structured walk-through Step-by-step review of BCP plans with organization's functional representatives Checklist test Functional representatives review BCP plans and check off the points that are listed to ensure concerns and activities are addressed Simulation A scenario-based practice execution of the BCP plans. Parallel test Operational test conducted at the alternate site(s). Full interruption test Full-scale operational test including shutdown of primary site and recovery of business operations at alternate site(s). Source: Ouyang, A. (n.d.). CISSP common body of knowledge: Business continuity & disaster recovery planning domain. Used under a Creative Commons Attribution-NonCommercial- ShareAlike 3.0 Unported license. Taking time to develop, document, and test consistent processes and controls will also help you prepare for the annual audit of your information security system under any of the commonly used security and audit frameworks. Under these security and audit methodologies, auditors will gather information about the organization's security systems, confirm that appropriate security measures are in place, and provide a report on their findings. Now develop your strategy for how the BCP will be tested. Your plan will be included in the contingency plan to be submitted in the next step.
  • 10.
    Business Continuity Plan Template

    CIO Maria Sosa has asked you to provide her and the other executives with a business continuity plan for your organization.

    Final Business Continuity Plan (five- to seven-page report using this template). The plan should include the following components:
    · Title Page
      · Include:
        · for whom you are preparing the document, the title, the date prepared, and your name as the preparer of the document
    · Overview
      · Remember that this is your Business Continuity Plan, not recommendations on how to build a plan. Make sure that the language and style of writing support this.
      · Include:
        · justifications demonstrating the value of a BCP for the organization
        · description of the scope of the BCP (one to two-page narrative, from Step 2)
    · Business Impact Analysis and Key Resources and Stakeholders (Steps 3 & 4 using Template in discussion area, plus one-page summary of findings)
      · Include:
        · BIA Template table with at least 5 entries (see BIA template)
        · Discussion of the information in the table (Methodology, key factors, priorities, etc)
    · Preventative Controls (one to two pages, from Step 6)
      · Provide a list of controls that your organization has put into place in support of the BCP
      · These controls should be specifically focused on the BCP
    · Contingency Plan and Recovery Strategies (two to three pages, from Step 7&8)
      · Discuss how to respond to a contingency and bring the
  • 11.
    business back to full normal operations after implementing the contingency plan
        · Under what conditions will the plan be activated?
        · How will you notify stakeholders?
        · How will you respond to disaster?
        · What strategies or processes will you use to recover?
        · NIST 800-34 is an excellent resource
    · Plan Maintenance
      · From Steps 9-11 in the project
        · How will staff be trained on the plan?
        · How will the plan be maintained and updated?
        · How will you test the plan?

    | Mission/Business Process | Description | Stake Holder | Key Resources | MTD (Hours) | RTO (Hours) | WRT (Hours) | RPO (Hours) |
    |---|---|---|---|---|---|---|---|
    | Accounting | Processes invoices and Payables | CFO | Network, Servers, Wkstns | 72 | 48 | 24 | 12 |
  • 12.
    Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations. Determining the MTD is important because leaving it undetermined could leave continuity planners with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.
  • 13.
    Recovery Time Objective (RTO). The time available to recover disrupted systems and resources. It is typically one segment of the MTD. For example, if a critical business process has a three-day MTD, the RTO might be one day (Day 1). This is the time you will have to get systems back up and running. The remaining two days will be used for work recovery (see Work Recovery Time).

    Work Recovery Time (WRT). The second segment that comprises the maximum tolerable downtime (MTD). If your MTD is three days, Day 1 might be your RTO and Days 2 to 3 might be your WRT. It takes time to get critical business functions back up and running once the systems (hardware, software, and configuration) are restored. This is an area that some planners overlook, especially those from IT. If the systems are back up and running, they're all set from an IT perspective. From a business function perspective, there are additional steps that must be undertaken before it's back to business. These are critical steps, and that time must be built into the MTD. Otherwise, you'll miss your MTD requirements and potentially put your entire business at risk.

    Remember this formula: MTD = RTO + WRT. So in my example above, 72 hrs = 48 hrs + 24 hrs.

    Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage.

    Data in italics is for demonstration purposes and should be replaced when you create your own table.