BUSINESS CONTINUITY PLANNING / DISASTER RECOVERY PLANNING

Bbharathrao.wordpress.com

Business Continuity Planning

DESCRIPTION

This file was presented by me during the study circle meeting at the Mangalore Branch of Southern India Regional Council of the Institute of Chartered Accountants of India.

Business Continuity Plan

BCP is the creation and validation of a practical logistical plan for how an organization will recover and restore partially or completely within a predetermined time after a disaster has occurred.

GENERAL CONCEPT

A common man’s view

Business Continuity Planning Lifecycle

Analysis

Solution Design

Implementation

Testing and Acceptance

Maintenance

Need for BCP/DRP

Objectives Goals Areas

Minimize loss by minimizing the cost associated with disruptions

Identify weaknesses

Business Resumption Planning

Enable the Organization to survive a disaster

Minimize the duration of a serious disruption to business operations

Disaster Recovery Planning

Facilitate effective co-ordination of recovery tasks

Crisis Management

Reduce the complexity of the recovery effort

Developing a BCP

Initiate

Obtain understanding of the existing and projected systems

Establish a ‘Steering Committee’

Develop a Master Schedule and milestones

Perform Risk Assessment

To identify threats and exposures to each of the CBS

Perform a Business Impact Analysis

Choose Recovery Strategy

• Determine all available options and strategies
• Business – Logistics, HR, Accounting
• Technical – IT (Client – Server, Mainframes, Databases, Networks)
• Identify Recovery Strategy

Plan Development

• Recovery plan components and standards are defined, developed and documented
• Define notification procedures
• Establish Business recovery teams for each CBS

Test and Validate

• Validate the BCP

• Develop and document contingency test plans

• Prepare and execute tests

• Maintenance

• Update disaster recovery plans and procedures

Working of a BCP Process

Differentiation of BCP and DRP

Business Continuity Plan: It is the process of defining arrangements and procedures that enable an organization to continue as a viable entity. It addresses the recovery of a company’s critical business functions after an interruption.

Disaster Recovery Plan: It involves making preparations for a disaster and also addresses the procedures to be followed during and after a loss. It is specific to the information system function.

Types of Disaster Recovery Plans

Emergency Plan

• It specifies actions to be undertaken when the disaster happens
• Identification of situations which require the plan to be invoked

Backup Plan

• It specifies the type of backup to be kept, frequency of backup to be undertaken, procedures, location, personnel, priorities assigned and a time frame
• It needs continuous updates as changes occur

Recovery Plan

• It specifies procedures to restore full information system capabilities
• Formation of a recovery committee, specify responsibilities and guidelines for proper functioning

Test Plan

• Final Component
• Identification of deficiencies in the emergency, backup or recovery plans or in the preparation of an organization for facing a disaster

Threats and Risk Management

• Lack of Integrity
• Lack of Confidentiality
• Unauthorized Access
• Hostile Software
• Disgruntled Employees
• Hackers and computer crimes
• Terrorism and Industrial espionage

Types of Backup

Full Backup: It captures all files on the disk or within the folder selected for backup.

Incremental Backup: It captures files that were created or changed since the last backup, regardless of the backup type.

Differential Backup: It stores files that have changed since the last full backup.

Mirror Backup: It is identical to a full backup, with the exception that the files are not compressed in zip files and they cannot be protected with a password.
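The selection rules above, replayed over a constructed file set as an added example (not part of the original slides); the file names, days and function names are assumptions. It goes one step beyond the slide by also listing which backups a restore needs under each scheme.

```python
from dataclasses import dataclass

# Constructed sample: the day each file was written (one write per file).
FILES = {"ledger.db": 0, "payroll.xls": 2, "invoices.csv": 3, "audit.log": 5}
FULL_KINDS = ("full", "mirror")  # a mirror selects the same files as a full


@dataclass
class Job:
    day: int
    kind: str
    captured: list


def select(kind, day, files, history):
    """Files captured by a backup of `kind` taken at the end of `day`."""
    fulls = [j.day for j in history if j.kind in FULL_KINDS]
    if kind in FULL_KINDS or not fulls:
        return sorted(f for f, m in files.items() if m <= day)
    # Incremental: since the last backup of any type. Differential: since the last full.
    since = history[-1].day if kind == "incremental" else max(fulls)
    return sorted(f for f, m in files.items() if since < m <= day)


def run(schedule, files=FILES):
    """Replay (day, kind) pairs and record what each job captured."""
    history = []
    for day, kind in schedule:
        history.append(Job(day, kind, select(kind, day, files, history)))
    return history


def restore_chain(history):
    """Jobs needed to rebuild the latest state, oldest first."""
    chain = []
    for job in history:
        if job.kind in FULL_KINDS:
            chain = [job]                 # a new full restarts the chain
        elif job.kind == "differential":
            chain = chain[:1] + [job]     # covers everything since the full
        else:
            chain.append(job)             # every incremental is required
    return chain


def restored(chain):
    """Union of the files held by the jobs in a restore chain."""
    return sorted({f for job in chain for f in job.captured})


DAYS = (2, 3, 5)
incremental = run([(0, "full")] + [(d, "incremental") for d in DAYS])
differential = run([(0, "full")] + [(d, "differential") for d in DAYS])
```

Incremental jobs stay small but a restore needs every one of them since the full backup; differential jobs grow each day but a restore needs only the full backup and the latest differential.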

Alternative Processing Facility Arrangements

Cold site

• It is useful when the organization can tolerate some downtime
• Organization requires minimum facilities at an alternative location to run its regular operations
• It is inexpensive

Hot site

• Useful when fast recovery is critical
• Organization requires all the facilities at an alternative location
• It is expensive

Warm Site

• Provides intermediate level of backup
• Organization can tolerate some downtime
• Organization requires only essential facilities at an alternative location

Reciprocal Agreement

• Two or more organizations might agree to provide backup facilities to each other in the event of one suffering a disaster
• It is relatively cheap
• Each participant must maintain sufficient capacity to operate another’s critical system

Insurance

• The purpose of insurance is to spread the economic cost and risk of loss from an individual or business to a large number of people.

• Policies are contracts that obligate the insurer to indemnify the policyholder from specific risks in exchange for a premium

• Adequate insurance coverage is a key consideration while developing a BRP/DRP and performing a risk analysis

Activities considered while testing BRP/DRP plan

• Defining the boundaries

• Scenario

• Test Criteria

• Assumptions

• Briefing Session

• Checklists

• Analysing the test

• Debriefing session

Audit of DR/BR plan

• Based on the BIA

• Key employees have participated in the development

• Plan is simple and is realistic in assumptions

• Review the existing DR/BR plan

• Gather background info regarding its preparation

• Does the DR/BR plan include provisions for personnel, building, utilities, transportation and IT?

• Does the BR/DR plan include contact details of suppliers of essential equipment?

• Does the DR/BR plan include provisions for the approval to expend funds that were not budgeted for the period? Recovery may be costly

Thanks

Bharath Rao B
