Business Continuity Planning
Business Continuity Planning
It is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management, system backups, change control, and help desk. Business continuity is not something implemented at the time of a disaster
Business Continuity refers to those activities performed daily to maintain service, consistency, and recover-ability.
Disaster Recovery Planning (DRP)
DRP is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after natural or human-induced disaster. Disaster recovery is a subset of business continuity.
Business Continuity Plan (BCP)
BCP is a comprehensive organizational plan that includes the disaster recovery plan. A Business Continuity Plan (BCP) consists of the five component plans:
- Business Resumption Plan
- Occupant Emergency Plan
- Continuity of Operations Plan
- Incident Management Plan
- Disaster Recovery Plan
The first three plans (Business Resumption, Occupant Emergency, and Continuity of Operations Plans) do not deal with the IT infrastructure. They further state that the Incident Management Plan (IMP) does deal with the IT infrastructure, but since it establishes structure and procedures to address cyber attacks against an organization’s IT systems, it generally does not represent an agent for activating the Disaster Recovery Plan, leaving The Disaster Recovery Plan as the only BCP component of interest to IT.
1) Business Resumption Plan
This plan outlines the procedures and resources needed to resume critical business operations after a disruption. It identifies key personnel, alternate facilities, essential records, and resources required to maintain essential functions. The plan should also include steps for recovering lost data, restoring communication systems, and acquiring necessary equipment and supplies.
2) Occupant Emergency Plan
This plan focuses on protecting the safety of employees, visitors, and others on-site during emergencies. It includes evacuation procedures, shelter-in-place protocols, emergency response team roles, and communication methods. The plan should also address employee accountability, medical emergencies, and coordination with local authorities.
3) Continuity of Operations Plan (COOP)
The COOP outlines the steps to maintain essential business functions during an emergency or disruption. It identifies critical operations, personnel, and resources required to continue these functions. The plan should also include procedures for relocating operations to alternate sites, succession planning for key personnel, and strategies for maintaining communication and supply chains.
4) Incident Management Plan
This plan provides a framework for responding to and managing various incidents or emergencies that could impact the organization. It outlines the incident command structure, roles and responsibilities, incident response procedures, and communication protocols. The plan should also address incident reporting, documentation, and post-incident review processes.
5) Disaster Recovery Plan
The Disaster Recovery Plan focuses on restoring critical IT systems, applications, and data after a disruption or disaster. It includes procedures for backing up and recovering data, restoring systems and applications, and ensuring the availability of hardware and infrastructure. The plan should also address testing and validation of recovery processes, as well as maintaining and updating the plan regularly.
These components work together to help an organization prepare for, respond to, and recover from various disruptions or emergencies, ensuring the continuity of critical operations and minimizing the impact on the business.
Why Business Continuity Planning is Important
- Definition of Threat:
- A threat is the cause of an unwanted incident.
- Examples include global terrorism and system failures.
- Impact of Threats:
- Threats can harm individuals, organizations, and entire countries.
- An incident can disrupt operations significantly.
- Purpose of Business Continuity Management (BCM) System:
- Prepare, provide, and maintain control and capability.
- Manage a company’s ability to continue operations during disruptions.
- Operational Impact of Disruptions:
- Visualized as a curve with time and level of operation.
- Without BCM, disruptions cause operations to drop significantly and recover slowly.
- With BCM, operations stay above a minimum acceptable level and recover more quickly.
- Examples of Disruptions:
- Sudden Disruptions: Major power failures, system failures, or terrorism.
- Gradual Disruptions: Long-term issues like COVID-19.
- Recovery Time Objective (RTO):
- Emphasizes the importance of time in recovery.
- BCM helps ensure quicker recovery to acceptable operational levels.
- BCM Benefits:
- Maintains operation levels above minimum acceptable during disruptions.
- Facilitates quicker recovery from both sudden and gradual disruptions.
- Enhances readiness and response with support from government agencies and other entities.
The importance of Business Continuity Planning lies in its ability to minimize the operational impact of both sudden and gradual disruptions, ensuring that a company can continue to function and recover more efficiently.
Business Continuity / Disaster Recovery Plans
Comes in various forms, each reflecting the corporation’s particular set of circumstances. The following are some of the general step required to develop and implement a plan.
- Policy Statement (Goal of plan, reasons, and resources)
- Business Impact Analysis (how does a shutdown impact the business financially and otherwise)
- Identify Preventive Steps (can disaster be avoided by taking prudent steps)
- Recovery Strategies (how and what you will need to recover)
- Plan Development (Write plan and implement plan elements)
- Plan buy-in and testing (very important so that everyone knows the plan and knows what to do)
- Maintenance (continuous changes to reflect current situation)
Control Measures for Disaster Planning
Control measures are steps or mechanisms that can reduce or eliminate various threats for organizations. Different types of measures can be included in BCP/DRP.
Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure.
A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.
Types of measures:
- Preventive measures – These controls are aimed at preventing an event from occurring.
- Detective measures – These controls are aimed at detecting or discovering unwanted events.
- Corrective measures – These controls are aimed at correcting or restoring the system after a disaster or an event.
These controls should be always documented and tested regularly.
DRP/BCP Strategies
The following is a list of the most common strategies for data protection.
- Backups made to tape and sent off-site at regular intervals
- Backups made to disk on-site and automatically copied to off-site disk or made directly to off-site disk
- Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synchronized). This generally makes use of storage area network (SAN) technology
- High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data
In many cases, an organization may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities.
In addition to preparing for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster in the first place. These may include some of the following:
- Local mirrors of systems and/or data and use of disk protection technology such as RAID
- Surge protectors — to minimize the effect of power surges on delicate electronic equipment
- Uninterruptible power supply (UPS) and/or backup generator to keep systems going in the event of a power failure. Checking whether it is time for UPS battery replacement.
- On-Premise Server Backup
- Offsite or Cloud Backup
- Fire preventions — alarms, fire extinguishers
- Endpoint Security with EDR/XDR and other security measures
Benefits of drafting a Disaster Recovery Plan
- Providing a sense of security
- Minimizing risk of delays
- Guaranteeing the reliability of standby systems
- Providing a standard for testing the plan
- Minimizing decision-making during a disaster
- Reducing potential legal liabilities
- Lowering unnecessarily stressful work environment
Type of Disasters
-
Natural Disasters
- Earthquakes
- Flood
- Heat Wave
- Landslide
- Tsunami
- Volcanic Eruption
- Haze
-
Man-Made Disasters
- Fire
- Civil Unrest
- Power Failure
- BioTerrorism
- Hazard Material Spills
- Nuclear, Radiation Accidents
- Disease – SARS, Ebola