Business Continuity Planning

Business Continuity Planning (BCP) is the process of implementing policies, controls, and procedures to counteract the effects of losses, outages, or failures of critical business processes. The BCP is primarily a management tool that ensures Critical Business Functions (CBF) can be performed when normal business operations are disrupted.

Note

This material is intended to provide you an overview of the Business Continuity Planning process, and it is not covered in much detail in the exam. The objectives for the exam are covered in Chapter 9, "Security Policies and Procedures," and Chapter 10, "Security Management."

Critical business functions refer to those processes or systems that must be made operational immediately when an outage occurs. The business cannot function without these key CBFs. Many CBFs are information intensive and require access to both technology and data.

Two of the key components of BCP are Business Impact Analysis and risk assessment. Business Impact Analysis is concerned with evaluating the processes, and risk analysis is concerned with evaluating the risk or likelihood of a loss. Evaluating all of the processes in an organization or enterprise is necessary in order for BCP to be effective. This section discusses the Business Impact Analysis and the risk assessment process.

Business Impact Analysis

Business Impact Analysis (BIA) is the process of evaluating all of the critical systems in an organization to determine the impact and recovery plans in the event of a loss. The BIA is not concerned with external threats or vulnerabilities. This analysis focuses on the impact a loss would have on the organization.

The key components of a BIA are the identification of critical functions, prioritization of those functions, a timetable of loss, and an estimate of the impact of a loss. The BIA has four aspects:

Critical Function Identification In order to identify critical functions, a company must ask itself, "What functions are necessary to continue operations until full service can be restored?"

This identification process will help you establish which systems must be returned to operation in order for the business to continue. In performing this identification, you may find that a small or overlooked application in a department may be critical for operations. Many organizations have overlooked seemingly insignificant process steps or systems that have prevented the BCP from being effective. Every department should be evaluated to ensure that no critical processes are overlooked.

Prioritization of CBF When continuing business after an event, operations must be prioritized as to essential and nonessential functions. If the organization makes resources available to the recovery process, these resources may be limited. Further, you may find that in a widespread outage, full operation may not be possible for some time. What would happen, for example, if your data communications services went out of service? You can usually establish temporary services, but you will probably not have the ability to restore full network capability. You should be clear about which applications or systems have priority for the resources available. Your company may find itself choosing to restore e-mail before it restores its website.

Timeframe of Critical Systems Loss How long can the organization survive without a critical function? Some functions in an organization do not require immediate action; others do. Which functions must be reestablished, and in what timeframe? If your business is entirely dependent on web presence and is e-commerce–oriented, how long can the website stay inoperable? Your organization may need to evaluate and attempt to identify the maximum time that a particular function can be unavailable. This dictates the contingencies that must be made to minimize losses from exceeding the allowable period.

Estimate Tangible and Intangible Impact on the Organization Your organization will suffer losses in an outage. Some of these losses will be tangible, such as lost production and lost sales. Intangible losses will also be a factor. Will customers lose faith in your service? Discovering these impacts can greatly sharpen your understanding of how much a loss of service will truly cost.

A thorough BIA will accomplish several things for your organization. First, the true impact and damage that an outage will cause will be visible. Second, like insurance, understanding the true loss potential may help you in your fight for a budget. Third, and perhaps most important, the process will document what business processes are being used, the impact they have on the organization, and how to restore them quickly.

This gives the BIA some power in the organization, as the costs of an outage become known. People buy insurance not because they intend to have an accident but in case they do. A BIA can help identify what insurance is needed in order for the organization to feel safe.

Risk Assessment

Risk assessment primarily deals with the threats, vulnerabilities, and impacts that a loss of information-processing capabilities or information has on an organization. The risk assessment is also referred to as a risk analysis. Each risk that can be identified should be outlined, described, and evaluated on the likelihood of its occurring.

The key components of a risk assessment are outlined here:

Risks to Which the Organization Is Exposed This allows you to develop scenarios that can help you evaluate how to deal with these risks should they occur. An operating system, server, or application may have known risks in certain environments. How will your organization deal with these risks, and what is the best way to respond?

Risks That Need Addressing The risk assessment process also allows the organization to provide a reality check on which risks are real and which are not likely. This process helps the organization focus its resources on the risks that are most likely to occur. For example, industrial espionage and theft are very likely risks, but the risk of a pack of wild dogs stealing the entire contents of the payroll file is very low. Therefore, resources would be allocated to preventing espionage or theft, as opposed to the latter.

Coordination with BIA The risk assessment, in conjunction with the BIA, provides the organization with an accurate picture of the situation it faces. It allows the organization to make intelligent decisions about how to respond to situations.
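The following script is an added illustration of how the BIA outputs (critical functions, their maximum tolerable downtime, and tangible hourly loss) can be combined with the risk assessment (likelihood of each event and the functions it would take offline) to produce a restoration order and a ranked list of risks. It is not from the study guide or the exam objectives; the function names, the data classes, the scoring rule (exposure = likelihood times the tangible loss over the maximum tolerable downtime of every affected function) and all sample values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalFunction:
    """One Critical Business Function (CBF) as captured by the BIA."""
    name: str
    max_tolerable_downtime_hours: float  # timeframe of critical systems loss
    tangible_loss_per_hour: float        # lost production / lost sales per hour


@dataclass(frozen=True)
class Risk:
    """One identified risk from the risk assessment."""
    description: str
    likelihood: float            # estimated probability of occurring in the planning period (0..1)
    affected_functions: tuple    # names of the CBFs the event would take offline


def prioritize_functions(functions):
    """Restoration order from the BIA: shortest allowable downtime first,
    then the largest hourly loss as a tie-breaker. Returns function names."""
    ordered = sorted(
        functions,
        key=lambda f: (f.max_tolerable_downtime_hours, -f.tangible_loss_per_hour),
    )
    return [f.name for f in ordered]


def loss_at_mtd(function):
    """Tangible loss if the function stays down for its whole maximum tolerable downtime."""
    return function.max_tolerable_downtime_hours * function.tangible_loss_per_hour


def rank_risks(risks, functions):
    """Coordinate the risk assessment with the BIA.

    Exposure for a risk = likelihood x (sum of loss_at_mtd over the CBFs it affects).
    Returns (description, exposure) pairs, highest exposure first, so that resources
    go to the risks that are both likely and damaging rather than merely dramatic.
    """
    by_name = {f.name: f for f in functions}
    ranked = []
    for risk in risks:
        # A risk that names a function the BIA never identified is a data error,
        # not a zero-impact event; fail loudly rather than silently under-scoring it.
        unknown = [n for n in risk.affected_functions if n not in by_name]
        if unknown:
            raise ValueError(f"risk '{risk.description}' references unknown functions {unknown}")
        impact = sum(loss_at_mtd(by_name[n]) for n in risk.affected_functions)
        ranked.append((risk.description, round(risk.likelihood * impact, 2)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample BIA data (illustrative values, not from any real organization).
SAMPLE_FUNCTIONS = (
    CriticalFunction("E-commerce website", max_tolerable_downtime_hours=4, tangible_loss_per_hour=5000),
    CriticalFunction("E-mail", max_tolerable_downtime_hours=24, tangible_loss_per_hour=500),
    CriticalFunction("Payroll processing", max_tolerable_downtime_hours=72, tangible_loss_per_hour=200),
)

# Constructed sample risk register (likelihoods are made up for the example).
SAMPLE_RISKS = (
    Risk("Data communications outage", 0.30, ("E-commerce website", "E-mail")),
    Risk("Theft of server equipment", 0.10, ("Payroll processing", "E-mail")),
    Risk("Pack of wild dogs steals the payroll file", 0.0001, ("Payroll processing",)),
)


if __name__ == "__main__":
    print("Restoration priority:", prioritize_functions(SAMPLE_FUNCTIONS))
    for description, exposure in rank_risks(SAMPLE_RISKS, SAMPLE_FUNCTIONS):
        print(f"{exposure:>10.2f}  {description}")
```

With the sample data the website is restored first because its allowable downtime is shortest, and the wild-dogs scenario ranks last despite touching a real CBF, because its likelihood drives the exposure to almost nothing. Intangible losses (customer confidence) are deliberately left out of the score since they are not expressed in currency; in practice they are recorded alongside the figure and argued qualitatively.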

Real World Scenario: Conducting a Risk Assessment

You have been asked to do a quick assessment of the risks that your company faces from a security perspective. What steps might you take to develop an overview of the problems your company faces?

You would want to interview the department heads and the owners to determine what information they feel needs additional security and what the existing vulnerabilities are from their perspectives. You also want to evaluate the servers to determine what known vulnerabilities they have and how you might counter them. Additionally, you want to make sure that you do a physical assessment of the facility to evaluate what physical risks you must counter. Armed with this information, you have a place to start and can determine what measures may be appropriate for the company from a risk perspective.




CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
Year: 2006
Pages: 167
