We discuss business continuity planning (BCP) and disaster-recovery planning (DRP) in detail in Chapter 5, "Disaster Recovery and Business Continuity," but it is important to provide definitions and a framework. Although BCP and DRP are commonly interchanged, they are distinctly different. Per ISACA, BCP is a process designed to reduce the organization's business risk from an unexpected disruption of the critical functions or operations (manual or automated) necessary for the survival of the organization. This includes the human and material resources supporting the critical functions and operations, and assurance of the continuity of the minimum level of services necessary for critical operations. DRP is generally the plan followed by IS to recover an IT processing facility or by business units to recover an operational facility. The IS recovery plan must be consistent with and must support the overall plan of the organization. Disasters are disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting the business operations. The proper implementation of BCP ensures that critical business functions can withstand a variety of emergencies. The primary responsibility of BCP lies with management; the goal is to minimize the effects of a disaster so that the organization can resume normal operations as soon as possible. BCP is, at best, an annual project and is effective only if it is continuously performed and tested. During BCP, the organization must define what qualifies as a disruptive event or disaster. When we think of disasters, we might think of fires, floods, tornadoes, or terrorist events. In fact, a disaster can include a variety of events that appear smaller in nature but that have a large effect on the organization's continuity. As an example, Wall Street brokers would consider a telecommunications outage a disaster: It restricts their customers' ability to reach them and their ability to perform trading functions. In other businesses, a telecommunications outage would be an annoyance but would not necessarily affect the continuity of the business. The degree to which a BCP/DRP plan is successful depends on the support and leadership of senior management. Senior management needs to support the plan through development, implementation, and testing, to ensure that the plan will be successful in the event of a disaster. Senior management should establish a BCP policy that includes the commitment of the organization to its stakeholders, shareholders, employees, and partners. This policy should include what aspects of the operation will be included in the BCP/DRP and should define responsibilities throughout the organization. Per ISACA, an effective BCP has the following components:
Many BCPs fail because of the following:
The BCP process can be complex and includes all levels of the organization. It is important to remember that this will be an emotional time for all personnel involved; the more detailed the plan and testing are, the better the chance is for success. Senior leadership, security, IT, and managers of business units must be involved in the process to achieve success. The business must identify critical business functions and assign responsibility for all the resources involved with those functions (personnel, procurement, replacement, systems, applications, and data). Senior leadership should involve the marketing or communications department, to define specific communications for each event outlined in the plan and directed communication for the stakeholders (shareholders, employees, and partners). The plan should be part of the change-control process and should be regularly tested and updated to reflect the business requirements. Individual roles and responsibilities should be clearly defined, communicated, and updated. If the organization follows these rules, it can be reasonably sure that the economic viability of the organization will continue in the event of a disaster. |