Current Need and Plan of BCP (ECP) Implementation:
ABC Healthcare International
Shane Huey, March 2014

Overview
- Introduction
- BCP Team Member Roles
- Layers of Resiliency
- DRP Team Training
- Outsourcing the DRP
- Awareness Campaign: Development
- Awareness Campaign: Implementation

Introduction
Disaster Recovery Plan (DRP): A documented process or set of procedures to recover and protect [enterprise] IT infrastructure in the event of a disaster (Abram, 2012). Note: DRP activated post disaster.
Enterprise Continuity Plan (ECP): The identification and protection of critical business processes and resources required to maintain an acceptable level of business, protecting those resources and preparing procedures to ensure the survival of the organization in times of business disruption (Hiles, 2007). Also referred to as a BCP or business continuity plan. Note: Goal is to prevent occurrence of disaster scenario.

DRP/ECP Team Member Roles
- Risk and threat assessment/identification
- Development, implementation, and ongoing testing/auditing of DRP/ECP
- Policy and procedure implementation and maintenance
- Compliance and ongoing compliance auditing (multi-tiered)
- Planning and strategy
- Data backup and physical systems redundancy

DRP/ECP Team Member Roles, Cont.
- Systems security
- Physical security
- Operational procedures
- Environmental controls
- Hierarchical response tree and communications protocols (internal as well as with shareholders and customers)
- Recovery and salvage
- Post-event analysis and remediation (where warranted)

Layers of Resiliency
1) Strategy and vision
2) Organization
3) Processes
4) Applications and data
5) Technology
6) Facilities
(IBM Corporation, 2002 & 2007)

Layers of Resiliency: Strategy and Vision
Resiliency begins with strategy (IBM, 2002).
The enterprise business strategy consists of the goals and objectives of the organization and resiliency should be built in from the outset (failure to meet goals and objectives is a failure in resiliency).
3 factors impact resiliency in terms of strategic success:
- Uniqueness of competitive position
- IT
- Organizational culture
(IBM, 2002)

Layers of Resiliency: Organization
- Leadership
- Documented roles
- Accountability
- Clearly defined communications protocols
- Leadership, employee, customer, shareholder, and supplier collaboration
- Flexibility
(IBM, 2002)

Layers of Resiliency: Processes
- Business/enterprise processes
- IT processes

Layers of Resiliency: Applications & Data
- Applications
- Data

Layers of Resiliency: Technology
- Technology
  - Systems hardware
  - Software and applications
  - Network

Layers of Resiliency: Facilities
- Facilities
  - Security
  - Environmental considerations
  - Utilities
- Security
  - Physical
  - Logical

DRP Team Training
The objective of awareness and training programmes is well defined in the BCI/DRII common body of knowledge. It is to create corporate awareness and enhance the skills required to develop, implement, maintain and execute the business continuity plan (Hiles, 2007).
- Business objectives
- DRP/ECP awareness (policies and procedural)
- IT Security (IT and physical)
- Random audits and DRP/ECP testing

Outsourcing DRP Needs
- Experience
- Long-term, standards-compliant solutions
- Problem and process oriented
- Current, industry standard technologies (e.g., backup, remote access, data management, retrieval, and restoral, etc.)
- Minimal requirements of internal resources (i.e., minimal impact on business continuity)
- Minimal to no post contract impact (able to resume former responsibilities with little to no impact on operations upon consultant withdrawal)
- Regular reporting per enterprise needs
(Hiles, 2007)

Awareness Campaign: Development
The objective of awareness and training programmes is well defined in the BCI/DRII common body of knowledge. It is to create corporate awareness and enhance the skills required to develop, implement, maintain and execute the business continuity plan (Hiles, 2007).
- Benefits of awareness training
- Risk assessment
- Identifying roles and responsibilities
- Plan of implementation

Awareness Campaign: Implementation
- Clear and accessible policies
- New hire/employee training; position/role creation (e.g., Awareness Liaison)
- Planning
- Communications and response protocols
- Scenario-based rehearsals, auditing, and testing (scheduled and random)

Bibliography
Abram, Bill (2012). 5 tips to build an effective disaster recovery plan. Retrieved from: http://www.smallbusinesscomputing.com/News/ITManagement/5-tips-to-build-an-effective-disaster-recovery-plan.html
Hiles, Andrew ed. (2011). The definitive handbook of business continuity (Second edition). Indianapolis, Indiana: John Wiley & Sons.
IBM Corporation (2002). Resilient infrastructure: Improving your business resilience. IBM Global Services.
IBM Corporation (2007). Risk mitigation for business resilience.