Staging a Business Continuity Plan: 3-2-1 Action!
By Bobbette Fagel
Remember “The Wizard of Oz”? When the tornado struck, Dorothy was whisked away to a far-off land. Dorothy, the Tin Man and the others followed the yellow brick road for miles, running into problems on their way to Oz. Finally, after enduring obstacle after obstacle, Dorothy clicked her heels three times, and she was back home in Kansas. Business continuity planning is similar, but with different results than those seen in “The Wizard of Oz.” In the movie, there was no advance plan to get the characters back to where they belonged in the event of a tornado or other disaster. Much time, energy and resources were used before the characters could return to “business as usual.”
Figure 1: Probability
Planning keeps you from having to endure the proverbial yellow brick road. The best process is as follows:
1. Cast your main characters;
2. Finalize the script;
3. Identify the extras who will be needed;
4. Set the stage;
5. Hold a proper dress rehearsal.
First, secure the complete support of the board of directors and senior management before planning, developing, testing and implementing your business continuity plan. Once you have established support, you are ready to begin.
Choosing the Cast
When developing your business continuity plan, you should start with a business impact analysis (BIA). The BIA identifies the business assets and functions that are critical to operations. What information resources, systems, processes, supplies, suppliers, etc., are essential for the organization to function?
Think outside the box and include all information resources, not just the obvious, such as servers and workstations. Consider interviewing key personnel within the organization to get an accurate picture of what is needed. Be sure to include all business functions in the process. Then prioritize those findings based on criticality, financial impact and maximum allowable downtime. Also consider the acceptable levels of data and operations that will be required for the organization to be operational.
The following classifications of systems (as provided by ISACA, the Information Systems Audit and Control Association) can be used in determining criticality:
* Critical. These functions cannot be performed unless they are replaced by identical capabilities. Critical applications cannot be replaced by manual methods. Tolerance to interruption is very low; therefore, cost of interruption is very high.
* Vital. These functions can be performed manually, but only for a brief period of time. There is a higher tolerance to interruption than with critical systems and, therefore, somewhat lower costs of interruption, provided that functions are restored within a certain time frame (usually five days or less).
* Sensitive. These functions can be performed manually, at a tolerable cost and for an extended period of time. While they can be performed manually, it usually is a difficult process and requires additional staff to perform.
* Nonsensitive. These functions may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored.
Finalizing the Script: The Risk Assessment
If a movie director doesn’t edit out unnecessary scenes from the script, the movie goes on seemingly forever, and the important scenes get lost in all the noise. The purpose of performing a risk assessment is to identify the most likely events that could cause an interruption to business processes and/or services. Some threats to consider include:
* Technical/system failures;
* Information security incidents;
* Loss of services/utilities;
* Natural/environmental disasters;
* Malicious acts.
Take into consideration worst-case scenarios, including total destruction of facilities and loss of life. Identifying only the nature of the threat isn’t enough. You also need to consider the probability that a certain threat will materialize. (See Figure 1.)
Take into consideration the impact the realization of the threat will have on operations. What impact will that threat have on the information resources, systems, processes, supplies, suppliers, etc., identified during the BIA phase? (See Figure 2.)
For each item identified, calculate the overall risk ranking by adding its probability rank to its impact severity rank. Then, when developing your overall business continuity plan, give priority to the items with the highest combined likelihood of occurrence and impact severity. (See Figure 3.)
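The additive risk ranking described above, carried through on a small constructed risk register as an added example (not from the article). The 1-to-5 rank scales, the register entries and the tie-breaking by BIA criticality class are assumptions made for the example; the article's own figures are not reproduced here.

```python
from dataclasses import dataclass

# ISACA criticality classes from the BIA, most to least critical.
# Assumption for this example: used only to break ties between equal risk scores.
CRITICALITY_ORDER = {"critical": 0, "vital": 1, "sensitive": 2, "nonsensitive": 3}
RANK_MIN, RANK_MAX = 1, 5  # assumed scale for the probability and impact figures


@dataclass
class RiskItem:
    asset: str
    threat: str
    criticality: str  # BIA classification
    probability: int  # rank from the probability figure (1 rare .. 5 likely)
    impact: int       # rank from the impact severity figure (1 minor .. 5 severe)

    def overall_risk(self) -> int:
        # Overall risk ranking = probability rank + impact severity rank.
        return self.probability + self.impact


def validate(item: RiskItem) -> None:
    if item.criticality not in CRITICALITY_ORDER:
        raise ValueError(f"unknown criticality class: {item.criticality!r}")
    for name in ("probability", "impact"):
        if not RANK_MIN <= getattr(item, name) <= RANK_MAX:
            raise ValueError(f"{name} rank out of range for {item.asset!r}")


def prioritize(register: list[RiskItem]) -> list[RiskItem]:
    """Order the register highest risk first; ties go to the more critical asset."""
    for item in register:
        validate(item)
    return sorted(register, key=lambda i: (-i.overall_risk(),
                                           CRITICALITY_ORDER[i.criticality], i.asset))


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    RiskItem("core banking system", "technical/system failure", "critical", 3, 5),
    RiskItem("core banking system", "malicious act", "critical", 2, 5),
    RiskItem("branch phone service", "loss of services/utilities", "vital", 4, 3),
    RiskItem("marketing file share", "natural/environmental disaster", "nonsensitive", 2, 1),
    RiskItem("loan document imaging", "information security incident", "sensitive", 3, 4),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(f"{item.overall_risk():>2}  {item.criticality:<12} {item.asset}: {item.threat}")
```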
Setting the Stage: Developing Your Business Continuity Plan
Having selected your cast members and prioritized the scenes in the script, the next phase is to build and set the stage. The business continuity plan is a crucial part in recovering from a disruption. Based on the information obtained during the BIA and risk assessment, you can now start planning for what should take place in the event of a disruption or disaster.
The plan provides a script, or guidance, for evaluating damage; what should happen during the disruption; and what needs to take place to restore business operations after the disruption is over. In essence it should include all the steps required to maintain, resume and recover from a disruption. The plan should also name the “characters” responsible for each action.
Figure 2: Impact Severity
According to the Federal Financial Institutions Examination Council (FFIEC), your business continuity plan should be:
* Effective in minimizing service disruptions and financial loss;
* Specific regarding what conditions should prompt implementation of the plan;
* Specific regarding what immediate steps should be taken during a disruption;
* Flexible to respond to unanticipated threat scenarios and changing internal conditions;
* Focused on how to get the business up and running in the event that a specific facility or function is disrupted, rather than focused on the precise nature of the disruption;
* Written and disseminated so that various personnel can implement it in a timely manner.
Ready-Set-Action: Plan Testing
Figure 3: Overall Risk
Without acting out the script, we don’t know whether scenes in the movie will work. Once the business continuity plan is written, it should be tested to confirm that the objectives of the plan are achievable. There are various methods of testing (“rehearsing”) that can be performed. Methods, per FFIEC guidelines, include:
* Orientation/walk-through. A basic form of testing, its primary objective is to ensure that critical personnel from all areas are familiar with the plan. It is characterized by:
– Discussion about the business continuity plan in a conference room or small group setting;
– Individual and team training;
– Clarification and highlighting of critical plan elements.
* Tabletop/mini-drill. This method is more involved than an orientation/walk-through, because the participants choose a specific event scenario and apply the business continuity plan to it. It includes:
– Practice and validation of specific functional response capability;
– Focus on demonstration of knowledge and skills, as well as team interaction and decision-making capability;
– Role-playing with simulated response at alternate locations/facilities to act out critical steps, recognize difficulties and resolve problems in a non-threatening environment;
– Mobilization of all or some of the crisis management/response team to practice proper coordination;
– Varying degrees of actual, as opposed to simulated, notification and resource mobilization to reinforce the content and logic of the plan.
* Functional testing. This method involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the business continuity plan. It includes:
– Demonstration of emergency management capabilities of several groups practicing a series of interactive functions, such as direction, control, assessment, operations and planning;
– Actual or simulated response to alternate locations or facilities using actual communications capabilities;
– Mobilization of personnel and resources at varied geographical sites;
– Varying degrees of actual, as opposed to simulated, notification and resource mobilization.
* Full-scale testing. With this most comprehensive type of test, the institution implements all or portions of its business continuity plan by processing data and transactions using back-up media at the recovery site. It involves:
– Validation of crisis response functions;
– Demonstration of knowledge and skills, as well as management response and decision-making capability;
– On-the-scene execution of coordination and decision-making roles;
– Actual, as opposed to simulated, notifications, mobilization of resources and communication of decisions;
– Activities conducted at actual response locations or facilities;
– Enterprisewide participation and interaction of internal and external management response teams with full involvement of external organizations;
– Actual processing of data utilizing back-up media;
– Exercises generally extending over a longer period of time to allow issues to fully evolve as they would in a crisis, and allow realistic role-play among all involved groups.
The Cutting Room Floor
Just as pieces of film from a movie often wind up on the cutting room floor, your business continuity plan may need alterations. It must be reviewed, updated and re-tested annually to consider changes in personnel, technology, possible threats and recovery scenarios. Make sure your business continuity plan is relevant to the current business environment. Don’t get stuck on the yellow brick road with Dorothy. Take the time to plan, write the script, and rehearse! Your business and your customers depend on it.
BOBBETTE FAGEL
Infotex Inc.
ABOUT THE AUTHOR
Bobbette Fagel is vice president of Infotex Inc., Kokomo. She has been with the managed security services provider since its inception in 2000, initially serving as compliance consultant. Fagel has earned distinction as a certified information systems auditor and certified information security manager. The author can be reached at 800-466-9939, e-mail: bfagel@infotex.com. Infotex is an associate member of the Indiana Bankers Association and an IBA Preferred Service Provider.
Copyright Indiana Bankers Association Jul 2008
(c) 2008 Hoosier Banker. Provided by ProQuest LLC. All rights Reserved.
