Scribd
Upload
364 views34 pages

Business Continutity Plan Slides V1.1

A business continuity plan (BCP) is a strategy for recovering IT systems, operations, and data after a disruption. The goals of a BCP are to minimize financial losses and enable rapid recovery. A BCP involves alternate processing, recovering systems at an alternate location, and implementing contingency planning controls based on a system's security impact level. Developing a BCP involves performing a business impact analysis to determine recovery objectives, creating contingency strategies and plans, testing and training staff, and regularly maintaining the BCP.

Uploaded by

Akmal Gafar
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
364 views34 pages

Business Continutity Plan Slides V1.1

A business continuity plan (BCP) is a strategy for recovering IT systems, operations, and data after a disruption. The goals of a BCP are to minimize financial losses and enable rapid recovery. A BCP involves alternate processing, recovering systems at an alternate location, and implementing contingency planning controls based on a system's security impact level. Developing a BCP involves performing a business impact analysis to determine recovery objectives, creating contingency strategies and plans, testing and training staff, and regularly maintaining the BCP.

Uploaded by

Akmal Gafar
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 34

Business Contingency Plan

IT Risk Management: Information Security

What is BCP?
A coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption. Purpose of BCP is to minimize financial losses and to provide rapid recovery during and after a disaster.

Coverage of BCP

Performing some or all of the affected business processes using alternate processing (manual) means (typically acceptable for only short-term disruptions); Recovering information systems operations at an alternate location (typically acceptable for only long term disruptions or those physically impacting the facility); and Implementing of appropriate contingency planning controls based on the information systems security impact level.

Our Discussion Limited to


Information Technology Not Organizational wide Systems BCP usually covers contigency plan for all business function (In the event of a disaster). In IT, BCP is often refer to as DRP (Disaster Recovery Plan/Procedure)

BCP is a form of Resilience

Resilience is the ability to quickly adapt and recover from any known or unknown changes to the environment. The goal of a resilient organization is to continue mission essential functions at all times during any type of disruption.

Information Security in BCP


Confidentiality

Availability

Integrity

Information Security in BCP


Covers the aspect of Availability. It ensure that business remains available during the state of a disaster. Examples:

Bank of Indonesia uses BCP to stay in business in response to Merapi disaster


http://www.republika.co.id/berita/breaking-news/ekonomi/10/11/08/145329-biantisipasi-gangguan-sistem-pembayaran-akibat-merapi

Stages in BCP

Develop Contingency Policy

Identify Regulatory Requirements.


ISO 27001 Peraturan Bank Indonesia SCADA Local Policy to ensure service availability

Must be part of overall organizational and security policy.


To minimize loss in terms of financial, service availability and reputation, BCP must be activated in case of a disaster.

Develop Organizational Structure for BCP.

Business Impact Analysis (BIA)


BIA purpose is to correlate the system with the critical mission/business processes and services provided, and based on that information, characterize the consequences of a disruption. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organizations BCPs, and DRP.

Business Impact Analysis

3 Steps involves in performing BIA:


Determine mission/business functions and recovery criticality. Mission/Business functions supported by the system are identified and the impact of a system disruption to those functions is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum time that an organization can tolerate while still maintaining the mission. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business functions and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records. Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can be linked more clearly to critical mission/business processes and functions. Priority levels can be established for sequencing recovery activities and resources.

Data collection Activities

Sample Process

Theat Analysis
Performs potential analysis of threats. Some common threats include the following:

Disease Earthquake Fire Flood Cyber attack Sabotage (insider or external threat) Hurricane or other major storm Utility outage Terrorism Theft (insider or external threat, vital information or material)

Document Impact Scenario to correlate possible threats and its scenario.

Main Outcome BIA


Maximum Tolerable Downtime (MTD). MTD defines how long a specific business process could go unavailable. Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business functions, and the MTD. Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage. Because the RTO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD.

Risk Assessment

Risk Assessment is an important part in classifying BIA dan Controls. By performing risk assessment, each asset will be identify its risk, categorize it and identify controls appropriate.

Risk Assessment

Identify Controls Needed


Controls can be Deterrent, Preventive, Detect and Correct. Depending of the BIA results, Controls can be selected.

Risk Assessment and BIA


Outcomes in performing Risk Assessment is to select appropriate controls to reduce Risk. Outcomes in conducting BIA is to determine MTD, RTO and RPO.

Creating Contingency Strategies and Plan

Contingency strategies are created to mitigate the risks for the contingency planning family of controls and cover the full range of backup, recovery, contingency planning, testing, and ongoing maintenance.

Creating Contingency Strategies and Plan

Testing,Training and Exercise (TT&E)


Organization should be in a state of readiness whenever disaster strikes. In order for organization staff to fully aware of a contingency plan, there should be a periodical TT&E of BCP to test its capability and effectiveness (Time frame could be based on regulatory requirements).

Testing

Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan. Testing can take on several forms and accomplish several objectives but should be conducted in as close to an operating environment as possible. Each information system component should be tested to confirm the accuracy of individual recovery procedures.

What can be tested?

These are the components in IT that can be tested:


Notification procedures; System recovery on an alternate platform from backup media; Internal and external connectivity; System performance using alternate equipment; Restoration of normal operations

Training

Training for personnel with contingency plan responsibilities should focus on familiarizing them with their roles in accordance to the contingency strategy and teaching skills necessary to accomplish those roles. This approach helps ensure that staff is prepared to participate in tests and exercises as well as actual outage events. Training should be provided at least annually.

What can be trained?

Cross-team coordination and communication; Reporting procedures; Security requirements; Team-specific processes (Activation and Notification, Recovery, and Reconstitution Phases); and Individual responsibilities (Activation and Notification, Recovery, and Reconstitution Phases).

Excercise

2 Types:
Tabletop Exercise
Classroom types Scenario questions

Functional Exercise
Simulation exercise Real time Most effective

Excercise

For low-impact systems, a tabletop exercise at an organization-defined frequency is sufficient.


The tabletop should simulate a disruption.

For moderate-impact systems, a functional exercise at an organization-defined frequency should be conducted.


An element of system recovery from backup media should be included.

For high-impact systems, a full-scale functional exercise at an organization-defined frequency should be conducted.
A system failover to the alternate location.

Plan Maintenance
It is essential that the BCP be reviewed and updated regularly, as part of the organizations change management process, to ensure that new information is documented and contingency measures are revised if required. Certain elements, such as contact lists, will require more frequent reviews.

Plan Maintenance

BS 25999
BS British Standard 25999 International Standard on BCM Certification is available

BS 25999

Steps to BS 25999

Finish

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy