Whatisbusinesscontinuityplanning BCP 111014020038 Phpapp01
Business Continuity
www.cyberlawconsulting.com
Session Overview
What is BCP or DRP ?
Need for BCP / DRP
Objectives of BCP
…Objectives of BCP
Other
❚ Enables management to quantify and qualify
resources such as personnel and facilities
❚ Manage the resources to support the required
operational commitment
❚ Test the awareness and skills of the personnel
in such events.
BCP – DRP
Steps in BCP
(phases: Initiate; Perform Risk Assessment; Choose Recovery Strategy; Test and Validate)
Initiate
❚ Establish a BCP workgroup
❚ Develop high-level BCP strategy
❚ Develop master schedule and milestones
❚ Obtain management support
…Steps in BCP
Perform Risk Assessment
❚ Perform a risk assessment exercise
❚ Identify threats and exposures to each of the core business processes
…Steps in BCP
Choose Recovery Strategy
❚ Identify recovery strategy
❚ Define notification procedures and procedures for activating contingency plans
❚ Establish business recovery teams for each core business process
…Steps in BCP
Test and Validate
❚ Validate the company’s business continuity plans
❚ Develop and document contingency test plans
❚ Prepare and execute tests
❚ Update disaster recovery plans and procedures
What is a disaster ?
Teams and Responsibilities
…Teams
❚ Applications Team
❙ Restores user packs and application programs
❙ Monitors application performance and database integrity
❚ Security Team
❙ Monitors security systems and communication links
❙ Resolves security conflicts
❙ Installs and verifies the functioning of the security package
…Teams
❚ Communications Team
❙ Soliciting and installing communications
hardware
❙ Work with local exchange carriers and
gateway vendors
❚ Transport Team
❙ Coordinates transport of company employees to the site
❙ Also helps in contacting, scheduling and arranging lodging
…Teams
❚ Salvage Team
❙ Manage relocation project
❙ More detailed analysis of damage
❙ Provides information to make decision about
reconstruction or relocation
❙ Insurance claims
❙ Immediate records salvage
❘ Paper documents and electronic media
…Teams
❚ Relocation Team
❙ Coordinates the process of moving from the
hot site to a new location or to the restored
original location
❙ Relocation of information system, processing
operations, communication traffic and user
operations
❙ Monitor transition to normal service levels
IS Auditor’s Role in BCP
Policy Implementation
❚ Critical (level 1)
❙ Cannot be processed manually but must be
processed on schedule
❚ Vital (level 2)
❙ Can be processed manually but for a short period
of time
❚ Sensitive (level 3)
❙ Can be done manually for a long period of time
❚ Non-critical
❙ Can be interrupted for an extended period of time
Critical Recovery Time
❚ Critical Recovery Time Period
❙ The time frame within which business must resume
❙ before suffering significant losses
❚ Depends on the nature of the business, e.g.
banks, broking houses, manufacturing houses
❚ Depends on the time of year or hour of
business at which the disaster occurs
…Critical Recovery Time
❚ Critical applications, systems software and
data should be recovered first
❚ Do not ignore desktop or end-user
applications and utilities like spread sheet,
notepad, etc.
Insurance
❚ Civil Authorities
❙ Civil authority prevents use of assets
❚ Media Transit
❙ Damage or loss during physical shipment of
data
How to Implement BCP?
❚ Identification of Threats
❚ Implementing Plan
❚ Various Teams Involved
❚ Disaster Recovery plan
❚ Maintenance of BCP
Identification of Threats
External Threats
❚ Natural Calamities like earthquake, flood, fire
❚ Hardware suppliers - unreliable or incompatible h/w
❚ Software suppliers - erroneous s/w, poor documentation
❚ Contractors - e.g. untimely provision of service
❚ Other resources - e.g. communication services
…Identification of Threats
Internal Threats
❚ Management
❙ Failure to provide resources
❙ Inadequate planning and control
❚ Employees
❙ Errors
❙ Improper use of facilities and services
❙ Theft, fraud, sabotage
…Identification of Threats
❚ Unions
❙ Strikes or harassment
❚ Unreliable systems
❙ H/w failure, S/w failure
Major Security threats
Inventory Process
❚ Who should be involved?
❙ Staff from concerned department
❙ Purchase department
❙ Personnel / HRD department
❙ Finance / accounts department
❙ Engineering / technical depts.
❙ Administration department
Implementing Plan
Inventory Process
❚ What should be inventorised?
❙ Manpower (specific for BCP /DRP ).. Who possesses
special skills?
❙ Building, plant & machinery, furniture & fixtures
❙ Communications equipment & facilities e.g. telephone
systems, modems, wiring systems, controllers,
switches
❙ Electrical equipment and facilities, wiring
…Implementing Plan
❙ Computer equipment and peripherals
❙ Computer data & software such as
O.S., utilities (defragmentation, formatting
etc.), application s/w
❙ Back-up facilities
❙ Stationery items e.g. computer
stationery
❙ Specific consumables e.g. printer
ribbons, cartridges
❙ Documents, forms and registers
Disaster Recovery Plan
Emergency Plan
Backup Plan
...Backup Plan
❚ Documentation
❙ Operating procedures, systems and program
documentation, special procedures, input source
documents, output documents
❙ A copy of current BCP plan at backup site & backup
plan at current site
❙ A copy of all important legal documents to be
available at backup site
...Backup Plan
❚ Software backup
❙ Systems s/w & Application software
❙ current Program patches for all backup
locations
❚ Electronic Vaulting
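The backup plan above only protects the business if the copy held at the backup site can be shown to match what was sent. The following is an added example, not code from the original slides: it builds a SHA-256 manifest of a backup set (the current plan document, a legal document, a program patch) at the primary site, then verifies an offsite copy against that manifest and reports files that never arrived, files altered in transit or storage, and unexpected extras. The directory layout and file contents are constructed for illustration.

```python
"""Added example (not from the original slides): verify an offsite backup
copy against a SHA-256 manifest built at the primary site.
Directory layout and file contents below are constructed for illustration."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large backup images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, POSIX form) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(manifest: dict[str, str], copy_root: Path) -> dict[str, list[str]]:
    """Compare the offsite copy with a manifest shipped separately from it.
    missing: in manifest but not at the site; corrupt: present but digest differs;
    extra: at the site but not in the manifest (unexpected content)."""
    present = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(present)),
        "corrupt": sorted(k for k in manifest.keys() & present.keys()
                          if manifest[k] != present[k]),
        "extra": sorted(set(present) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one patch file altered after copying, one legal
    document never shipped, one stray file that should not be at the site."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        offsite = Path(tmp) / "offsite"
        (primary / "patches").mkdir(parents=True)
        (primary / "legal").mkdir()
        (primary / "bcp_plan.txt").write_text("BCP plan, current version\n")
        (primary / "patches" / "app-1.2.3.patch").write_text("--- program patch\n")
        (primary / "legal" / "hot_site_contract.pdf").write_bytes(b"%PDF-1.4 stub")

        manifest = build_manifest(primary)          # computed before shipping
        shutil.copytree(primary, offsite)           # "ship" the backup set
        (offsite / "patches" / "app-1.2.3.patch").write_text("--- bit rot\n")
        (offsite / "legal" / "hot_site_contract.pdf").unlink()
        (offsite / "stray.tmp").write_text("left behind by someone\n")
        return verify_copy(manifest, offsite)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest on a path separate from the backup media itself (or sign it): a manifest that travels with the same tapes can be altered together with the data, and a verification that only compares the copy with itself proves nothing.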
Alternative Site options
❚ Hot Site
❙ Fully Configured, ready to operate
❙ If owned, computer hardware and
data/software are available
❙ If shared, computer hardware / O.S. are
available; data & application software may
have to be loaded
❙ Expensive option; typically used initially, for a
short period
...Alternative Sites Options
❚ Warm Site
❙ Partially configured, with network
connection and selected peripheral
equipment but without the main computer
❚ Cold Site
❙ Basic environment is available
❚ Duplicate information processing facility
❙ Dedicated, self-developed
...Alternative Sites Options
❚ Reciprocal agreement
❙ Two or more organisations agree to provide
backup facilities to each other
❙ Low cost
❙ Often informal in nature and cannot be
enforced legally
❙ Confidentiality could be a concern
Contract with Alternative Site
❚ Configurations
❙ H/w, s/w whether adequate at all times?
❚ Speed of availability
❙ How early facility will be available?
❚ Subscribers per site
❙ Whether limited number of subscribers?
❚ Preference
❙ Priority in case of global disaster
...Contract
❚ Usage period
❙ How long the facility shall be available?
❚ Warranties
❙ Any liability limitations? e.g. lack of electricity;
provision for a generator
❚ Testing
❙ Whether testing is allowed at alternate site?
...Contract
❚ Reliability
❙ Technical and financial reliability
❚ Insurance coverage at alternate site:
your insurance policy should also cover h/w,
s/w etc. at the alternate site
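The contract questions above (speed of availability, subscribers per site, usage period, testing) are only useful when set against the critical recovery time period of each application. The following is an added example, not from the original slides: it restores applications in criticality order (Critical, Vital, Sensitive, Non-critical, as under Policy Implementation), starting from the hour the contracted site becomes available, and lists every application whose recovery window is missed together with the contract clauses that leave the plan exposed. The site terms, the application list and the assumed two-hour load time per application are constructed.

```python
"""Added example (not from the original slides): check alternate-site contract
terms against application recovery windows. Sites, applications and the
per-application restore time are constructed assumptions."""
from dataclasses import dataclass

# Criticality classification from the Policy Implementation slide; lower sorts first
LEVEL_ORDER = {"critical": 1, "vital": 2, "sensitive": 3, "non-critical": 4}


@dataclass(frozen=True)
class Application:
    name: str
    level: str             # key of LEVEL_ORDER
    recovery_hours: float  # critical recovery time period for this application


@dataclass(frozen=True)
class SiteContract:
    name: str
    kind: str                  # hot / warm / cold
    hours_to_available: float  # "speed of availability" clause
    max_usage_days: int        # "usage period" clause
    subscribers: int           # "subscribers per site" clause
    testing_allowed: bool      # "testing" clause


def recovery_order(apps):
    """Critical applications first; within a level, the tightest window first."""
    return sorted(apps, key=lambda a: (LEVEL_ORDER[a.level], a.recovery_hours))


def recovery_timeline(site, apps, restore_hours_per_app=2.0):
    """Simulate sequential restoration once the site is available.
    Returns (application, hours until ready, meets its window?) in restore order.
    Assumption: each application takes restore_hours_per_app to load."""
    clock = site.hours_to_available
    timeline = []
    for app in recovery_order(apps):
        clock += restore_hours_per_app
        timeline.append((app.name, clock, clock <= app.recovery_hours))
    return timeline


def contract_gaps(site, apps, expected_outage_days, restore_hours_per_app=2.0):
    """Applications that miss their window, then contract clauses worth renegotiating."""
    gaps = [name for name, _, ok in recovery_timeline(site, apps, restore_hours_per_app)
            if not ok]
    if site.max_usage_days < expected_outage_days:
        gaps.append(f"usage period {site.max_usage_days}d < expected outage "
                    f"{expected_outage_days}d")
    if not site.testing_allowed:
        gaps.append("testing not permitted at alternate site")
    if site.subscribers > 1:
        gaps.append(f"shared with {site.subscribers} subscribers: confirm priority clause")
    return gaps


# Constructed data: deliberately out of order to show the sorting
APPS = [
    Application("payroll", "vital", recovery_hours=24),
    Application("reporting", "sensitive", recovery_hours=72),
    Application("core-banking", "critical", recovery_hours=4),
    Application("intranet-wiki", "non-critical", recovery_hours=240),
]
HOT = SiteContract("hot-site-A", "hot", hours_to_available=2, max_usage_days=30,
                   subscribers=1, testing_allowed=True)
COLD = SiteContract("cold-site-B", "cold", hours_to_available=48, max_usage_days=180,
                    subscribers=4, testing_allowed=False)

if __name__ == "__main__":
    for site in (HOT, COLD):
        print(site.name, contract_gaps(site, APPS, expected_outage_days=20))
```

The sequential-restore assumption is the pessimistic one; if the recovery teams can load applications in parallel, replace the running clock with per-team clocks, but keep the ordering so that a Critical application never waits for a Sensitive one.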
Alternate Hardware Facilities
❚ Vendor or third-party
❙ Vendor may not immediately supply in crisis
❙ Buy from used h/w market.. Mostly applicable
abroad
❙ Vendor supply can be best ensured at the
time of moving from hot site to warm / cold
site in phased manner
Telecommunication Network
❚ Susceptible to..
❙ The same natural disasters
❙ Also sensitive to unique disastrous
events e.g. cable cuts, central switching
office disasters, hacking etc.
❙ Network continuity is the organisation’s responsibility,
not that of the Local Exchange Carrier (LEC)
...Telecommunication Network
❚ Backing up of telecommunication
facilities such as
❙ Telephone voice circuits
❙ LAN, WAN
❙ Third-party EDI providers
❙ UPS for telecom equipment
❚ Critical capacity requirements must be
identified
Methods of Telecom Continuity
❚ Redundancy
❙ Extra capacity is provided
❚ Alternative Routing
❙ Routing via an alternative medium e.g.
copper, fibre optic
❙ Involves use of different networks, circuits
or end points
❙ Use of couriers as an alternative to
electronic transmission.
...Methods
❚ Diverse Routing
❙ Mix of redundancy and alternative routing
❙ Therefore time-consuming and costly
❙ Alternative and diverse routing are generally
over terrestrial media and therefore remain
exposed to physical damage such as cable cuts
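The difference between alternative and diverse routing is easiest to see on a graph. The following is an added example, not code from the original slides: a small constructed network whose links carry a conduit label for the physical trench, cable or radio path they share. Alternative routing finds a second path that avoids the primary path's links but may still run through the same trench; diverse routing additionally rejects any link in a conduit the primary already uses, which is what protects against a single cable cut. Node names and conduit labels are invented.

```python
"""Added example (not from the original slides): alternative vs. diverse
routing on a constructed network. Each link carries a conduit label for the
physical trench, cable or radio path it uses; node and label names are invented."""
from collections import deque

# (endpoint A, endpoint B, shared physical conduit)
LINKS = [
    ("HQ", "POP1", "trench-north"),
    ("HQ", "POP2", "trench-north"),   # different circuit, same trench as HQ-POP1
    ("HQ", "POP3", "microwave"),
    ("POP1", "DR", "fiber-east"),
    ("POP2", "DR", "copper-east"),
    ("POP3", "DR", "fiber-south"),
]


def build_graph(links):
    graph = {}
    for a, b, conduit in links:
        graph.setdefault(a, []).append((b, conduit))
        graph.setdefault(b, []).append((a, conduit))
    return graph


def shortest_path(graph, src, dst, banned_conduits=frozenset(), banned_links=frozenset()):
    """BFS (fewest hops). Returns [(from, to, conduit), ...] or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt, conduit in graph.get(node, []):
            if (nxt in prev or conduit in banned_conduits
                    or frozenset((node, nxt)) in banned_links):
                continue
            prev[nxt] = (node, conduit)
            queue.append(nxt)
    if dst not in prev:
        return None
    path, cur = [], dst
    while prev[cur] is not None:
        parent, conduit = prev[cur]
        path.append((parent, cur, conduit))
        cur = parent
    return list(reversed(path))


def alternative_route(graph, primary, src, dst):
    """Alternative routing: a second path that avoids the primary's links.
    It may still share a physical conduit with the primary."""
    used_links = frozenset(frozenset((a, b)) for a, b, _ in primary)
    return shortest_path(graph, src, dst, banned_links=used_links)


def diverse_route(graph, primary, src, dst):
    """Diverse routing: a second path sharing no physical conduit with the
    primary, so one cable cut cannot take both down."""
    used_conduits = frozenset(c for _, _, c in primary)
    return shortest_path(graph, src, dst, banned_conduits=used_conduits)


def shared_conduits(path_a, path_b):
    """Conduits common to two paths: non-empty means a single point of failure."""
    return {c for _, _, c in path_a} & {c for _, _, c in path_b}


if __name__ == "__main__":
    g = build_graph(LINKS)
    primary = shortest_path(g, "HQ", "DR")
    alt = alternative_route(g, primary, "HQ", "DR")
    div = diverse_route(g, primary, "HQ", "DR")
    print("primary:", primary)
    print("alternative:", alt, "shares", shared_conduits(primary, alt))
    print("diverse:", div, "shares", shared_conduits(primary, div))
```

In practice the conduit labels come from the carrier's route documentation, not from the logical circuit inventory; two circuits bought from different carriers frequently share the same trench or the same central office, which is why the slides stress that network continuity stays the organisation's responsibility.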
Auditing BCP / DRP
prashant.mali@cyberlawconsulting.com
cyberlawconsulting@gmail.com
Cell: (91)(9821763157)