IS Business Continuity Management Strategies and Policies


We discuss business continuity planning (BCP) and disaster-recovery planning (DRP) in detail in Chapter 5, "Disaster Recovery and Business Continuity," but it is important to provide definitions and a framework. Although BCP and DRP are commonly interchanged, they are distinctly different. Per ISACA, BCP is a process designed to reduce the organization's business risk from an unexpected disruption of the critical functions or operations (manual or automated) necessary for the survival of the organization. This includes the human and material resources supporting the critical functions and operations, and assurance of the continuity of the minimum level of services necessary for critical operations.

DRP is generally the plan followed by IS to recover an IT processing facility or by business units to recover an operational facility. The IS recovery plan must be consistent with and must support the overall plan of the organization. Disasters are disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting the business operations.

The proper implementation of BCP ensures that critical business functions can withstand a variety of emergencies. The primary responsibility of BCP lies with management; the goal is to minimize the effects of a disaster so that the organization can resume normal operations as soon as possible. BCP is, at best, an annual project and is effective only if it is continuously performed and tested. During BCP, the organization must define what qualifies as a disruptive event or disaster. When we think of disasters, we might think of fires, floods, tornadoes, or terrorist events. In fact, a disaster can include a variety of events that appear smaller in nature but that have a large effect on the organization's continuity. As an example, Wall Street brokers would consider a telecommunications outage a disaster: It restricts their customers' ability to reach them and their ability to perform trading functions. In other businesses, a telecommunications outage would be an annoyance but would not necessarily affect the continuity of the business.

The degree to which a BCP/DRP plan is successful depends on the support and leadership of senior management. Senior management needs to support the plan through development, implementation, and testing, to ensure that the plan will be successful in the event of a disaster. Senior management should establish a BCP policy that includes the commitment of the organization to its stakeholders, shareholders, employees, and partners. This policy should include what aspects of the operation will be included in the BCP/DRP and should define responsibilities throughout the organization.

Per ISACA, an effective BCP has the following components:

  • Predisaster readiness

  • Evacuation procedures

  • Instructions on how to declare a disaster

  • Identification of the business processes and IT resources to be recovered

  • Clear identification of the responsibilities in the plan

  • Clear identification of the person responsible for each function in the plan

  • Clear identification of contract information

  • A step-by-step explanation of recovery options

  • Clear identification of the various resources required for a recovery and continued operation of the organization

  • A step-by-step explanation of the reconstitution phase

Many BCPs fail because of the following:

  • The BCP is outdated and is not regularly reviewed and tested.

  • Responsibilities are not clearly defined.

  • Inadequate testing leads to poorly trained personnel.

  • The procedures for declaring a disaster are not objective or clearly defined.

  • The procedures for declaring the end to a disaster are not objective or clearly defined.

The BCP process can be complex and includes all levels of the organization. It is important to remember that this will be an emotional time for all personnel involved; the more detailed the plan and testing are, the better the chance is for success. Senior leadership, security, IT, and managers of business units must be involved in the process to achieve success. The business must identify critical business functions and assign responsibility for all the resources involved with those functions (personnel, procurement, replacement, systems, applications, and data). Senior leadership should involve the marketing or communications department, to define specific communications for each event outlined in the plan and directed communication for the stakeholders (shareholders, employees, and partners). The plan should be part of the change-control process and should be regularly tested and updated to reflect the business requirements. Individual roles and responsibilities should be clearly defined, communicated, and updated.

If the organization follows these rules, it can be reasonably sure that the economic viability of the organization will continue in the event of a disaster.



Source: CISA Exam Cram 2 (2005)
