Date post: | 01-Dec-2015 |
Category: | Documents |
Upload: | alemseged-habtamu |
Introduction
BCP/DRP

Course Objectives
By the end of this course, you will learn
• The meaning of BCP and DRP
• Risk Assessment
• Business Impact Analysis
• BCP and DRP development process

Course Contents
• Introduction
• Section I: BCP and DRP Overview
• Section II: Project Initiation
• Section III: Risk Assessment
• Section IV: Business Impact Analysis
• Section V: Risk Mitigation Strategy
• Section VI: Plan Design and Development
• Section VII: Testing and Training
• Section VIII: Plan Maintenance
• Summary

Section I
BCP/DRP Overview

Section I - Introduction
Section I Objectives
In this section we will cover
• Defining Business Continuity and Disaster Recovery
• Cost of Planning
• Types of Disasters
• BCP and DRP Steps

Defining Business Continuity and Disaster Recovery
• Business Continuity Planning is a methodology to create and validate a plan for maintaining continuous business operations before, during and after any type of disaster.
• Addresses the ability to continue operations under any disaster scenario
• BCP deployment varies widely from one company or organization to another. There is no one size fits all
  • Some cannot tolerate any down time
  • Some may have greater tolerance for down time
  • Some may have a variable down time tolerance level depending on the time …
  • The type and size of business determines the final plan
  • The cost of business disruption vs. investing in BCP

Defining Business Continuity and Disaster Recovery
• Disaster Recovery is part of Business Continuity
• Deals with the impact of an event
• DR involves
  • Stopping the effects of the disaster as quickly as possible
  • Minimizing the damage
  • Saving as much as possible
  • Addressing the immediate aftermath

Business components in BCP
As with any project, BCP development includes
• People: People are responsible for developing and implementing the BC/DR Plan
• Process: Processes maintain an orderly flow of business operations
• Technology (and Infrastructure): Understanding how technology is used in the business operations
• Each of these must be addressed in BCP

People in BC/DR Planning
• To develop and implement an effective BCP, you need people across the organization/department
• Getting key people in the company involved in developing the plan is essential
• Identifying key people to implement the plan is equally important
• Planning and implementation phases
  • Planning phase - you need people to develop the Plan
  • Implementation phase (during and after disaster) - you need people who perform the plan.

Process in BC/DR Planning
• Process also has two phases
  • Planning
  • Implementation
• Companies have processes for running their business “smoothly”. These may or may not be well documented
• When disaster occurs, the normal established process is interrupted.
  • Then the question is: How quickly can you recover from a disaster and get the business up and running?
  • This depends on the process you developed in the BCP/DRP.
  • Disaster response varies with the type of disaster, and your Plan has to develop a process for handling various types of disasters.
  • The eventual Recovery or Failure is dependent on your BCP/DRP

Technology (Infrastructure) in BC/DR Planning
• Need to understand what happens to your technology components in different types of disasters
• Which elements are vulnerable to what type of disaster
  • (e.g. Power Outage, flood, virus …)
• Your BCP/DRP may provide you a business case to change/upgrade the technology deployed, or may require you to redesign your network …

Considering BCP
• Having a DR plan for infrastructure only (switches, routers, cell tower, ...) is not sufficient
• Equally important – you have to understand how the whole company conducts its business
• Departments or business units write DRP from their perspective only
• For effective BC and DR planning, need to look at it from the top
• You need to involve representatives from each and all business units.

Cost of Planning
• Companies do not invest in projects that don’t generate revenue or increase the bottom line.
  • Funds are limited - competing against projects that add to the bottom line is difficult
  • Mgmt tends to defer BCP - “maybe next year” …
• What do you have to support your argument for BCP development?
  • Large business customers require you to have BCP to do business with them
    • Impact on revenue growth
  • Improves business process and operational savings
  • Potential disaster without a mitigating plan causes significant financial loss
  • There could be legal liability implications from the customer
    • e.g. customer data loss without proper BCP
  • Could be required by law – depending on the type of business you are running

Cost of Planning, cont’d
• The Cost of Planning must be balanced with the cost of taking risk. (auto insurance)
• Do not try to cover every disaster scenario
• Create a plan for events most likely to happen and most likely to have critical impact on your business operations
• A bad plan is worse than no plan

Cost of Planning, cont’d
• After a major disaster 40% of businesses go out of business within 5 years.
• In 1993 WTC 42% (150/350) went out of business
• In 2001 majority of businesses were back up and in operation within days.

Types of Disasters
• Location – the location of the business determines what type of disaster is likely to happen.
• As a starting point, make your BCP team come up with the list of disasters that are most likely to happen.
• Disasters can be divided into three categories
  • Natural
  • Man-made
  • Accidents

Types of Disasters - Natural
• Weather related
  • Avalanche, Snow
  • Heavy rain, Floods
  • Drought
  • Fire
  • Storm
  • Hurricanes
  • Tornado
• Geological
  • Earthquake
  • Tsunami
  • Volcano
  • Landslide

Types of Disasters - Man-made
• Fire
• Cyber attack
• Riot
• Product tampering
• Explosion
• Threat
• Theft

Types of Disasters - Accidents
• Transportation
• Infrastructure
  • Electricity
  • Gas
  • Water
  • Sewer
• Information system infrastructure
  • Communications infrastructure failure
  • Systems failures
• Building collapse

Protecting Data during a disaster
• When disaster occurs – chaos
• Businesses become vulnerable to theft and fraud (internal and external)
• After a disaster, People, Process and Technology are in disarray
• Need to develop a method to prevent fraud or theft. (This could also be used for normal and emergency operation)

Managing Access – During Disaster
• Managing access during a disaster should be part of the BC/DR Plan
• Access to Data
  • Who should have access to data and systems during a disaster?
  • Both too-restrictive access and open-to-all access have problems.
    • Restrictive – person/s may not be available during emergency
    • Open – loss of accountability, theft …
• Physical access to the building/systems

BCP and DRP Steps
• There are 7 basic steps to develop a good plan
1. Project Initiation
  • Deals with the process of creating a project plan for BC/DR activities
2. Risk Assessment
  • The process of looking at the risks the company faces.
  • Covers all potential risks; determines the likelihood of a particular disaster occurring
3. Business Impact Analysis (BIA)
  • Deals with the potential impacts of these risks on the business.
4. Risk Mitigation Strategy
  • Addresses how the identified risk and its impact can be tolerated, reduced or avoided

BCP and DRP Steps - cont’d
5. Plan Development
  • Outlines the methodology to follow for plan development
6. Training and Testing
  • Addresses:
    • Training people on how to implement the plan
    • Running drills, exercises, simulations and reviews
    • Testing the Plan
7. Plan Maintenance
  • Plan needs to be maintained, updated and validated regularly and after the event.

The Seven Steps
• Each of these steps will be covered in detail in the following sections.
[Diagram of the seven steps: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]

Section I: Summary
In this section we
• Defined Business Continuity and Disaster Recovery
• Identified Business Components
• Identified Types of Disasters
• Identified the steps required for successful BC/DR plan and implementation

Section II
Project Initiation

Section II
Section Objectives
In this section we will cover the first Step in BCP/DRP
Project Initiation

Section II
Project Initiation
[Diagram of the seven steps: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]

Introduction – Project Initiation
• A project is a defined set of tasks with clear objectives, requirements and goals, and with start and end points.
• The BC/DR planning process should be handled as a project plan, and BC and DR are projects.
• In this section we will discuss the process of creating a project plan for BC/DR and the elements that contribute to successful completion of the project. (In general, as a PM you can follow your own Project Management methodology and also the unique needs of your company)

Introduction – Project Initiation
• What are the factors that make a successful BC/DR plan?
• What are Project Plan Components?
• Who are Key Contributors?

Project Initiation - Success Factors
• Executive Support
• User Involvement
• Experienced Project Manager
• Clearly Defined Project Objectives
• Clearly Defined Project Requirements
• Clearly Defined Scope
• Shorter Schedule
• Clearly defined PM Process

Success Factors – Executive Support
As with any project, executive support is the main factor for the success of BCP/DRP development.
• If top management is convinced of the business need for the project, you will get all the support in every corner.
• BC/DR planning project involves people from all areas of the business.
• You need to pull people away from other projects
• Some departments/organizations may not buy into the BC/DR project and resist participating.

Success Factors – Executive Support - cont’d
• How do you get executive support?
  • Start with your immediate management for 100% support
  • Communicate clearly and convincingly.
    • Executives understand business and finance, not technology
  • Prepare presentations
    • Formatted to the intended audience (know your audience beforehand)
    • Non-technical, clear and concise
    • Help them to understand the need and make the right decision.
  • If possible, provide a rough cost estimate of the project and how long it will take.
• What if the decision is No?
  • …..

Success Factors – Executive Support – cont’d.
• What if the Executive Management decision is No?
• There are still things you can do to help start the process
• You can incorporate BC/DR in your organization's project plans that you can control
• If you are implementing new technology or upgrading or expanding the current systems, you can include BC/DR concepts in the requirements. Backup and redundancy especially can be included as part of the business operations.

Success Factors – User Involvement
• As with any project, end-user involvement is critical
• The processes being developed should be done with the end-users' input and collaboration.
• For BC/DR Planning there are two types of users
  • Those who will be involved in planning the BC/DR project, and
  • Those who will implement the plan when the event occurs (could be the same or another group of people)
• The latter should be involved in the training and testing phase.
• Need to involve key personnel from start to finish

Success Factors – Experienced Project Manager
• This is a critical project and its success depends primarily on putting a well-experienced PM in charge
• Pick an experienced Project Manager who
  • Has formal Project Management training
  • Has an understanding of what it takes to get it done
• An experienced PM is more effective for BC/DR planning (it involves people at all levels and various organizations)

Success Factors – Clearly Defined Project Objectives
Clearly Defined Project Objectives
• Help to define the Plan to your unique business needs
• Help identify the most important and less important areas to allocate time and resources accordingly
• Ensure all functional areas are covered and bring critical people together to develop the objectives
• How?
  • List your business functional areas
  • Invite key people from those areas to help define the objectives
  • Get agreement from all functional areas on prioritizing objectives

Success Factors – Clearly Defined Project Requirements
• Developing clear and complete requirements is the difference between success and failure
  • Objectives are what you want to accomplish
  • Requirements are how to accomplish those objectives
  • Clear requirements before the project work begins are critical and save rework.
• Requirements have three categories
  • Business requirement – to determine what the business needs to survive an event
  • Functional requirement – details which processes, methods and resources need to be available during and after an event
  • Technical requirement – identifies technology equipment and business application requirements
• The more detailed the requirements, the better.

Success Factors – Clearly Defined Scope
• Scope is the total amount of work to be accomplished.
• This is dependent on the Project Objectives.
• Clearly defined project objectives derive a clearly defined scope
• Scope is susceptible to changes as Project Planning progresses.
• There could be a scenario where additional functions are identified. In this case a high-level project objective and scope will be added.

Success Factors – Shorter Schedule
• Shorter schedules with more milestones produce successful results
  • BC/DR planning is a comprehensive look at the business and its processes to determine its critical functions and emergency procedures.
• It is better to break it down into smaller projects
  • One project plan for each functional area and one master plan
• Longer schedules –
  • People lose interest
  • People move to other projects or are replaced
• Milestones help you to:
  • gauge the progress
  • stay on budget
  • be on schedule
  • stay on scope

Success Factors – Clearly Defined PM Process
• PM should have a set of methods, procedures and associated documents, or use a well-defined project management process.
• Select a process and use it from start to finish

Project Plan Components
• Project Definition
• Project Team
• Project Organization
• Project Planning
• Project Implementation
• Project Tracking
• Project Close Out

Project Plan Components - Project Definition
• It is the starting point of the project. To get a clear understanding of the project and its expected result, the following need to be defined or identified
  • Problem Statement
  • Mission statement
  • Potential solutions
  • Requirements and Constraints
  • Success criteria
  • Project Proposal – after selection of the best solution, write a brief project proposal
  • Estimates
  • Project Sponsor - who has authority to approve, fund and support the project.

Project Plan Components – Forming the Project Team
• Create Project Team – early
• When forming the team –
  • Look at the company’s organizational chart to help you identify geographical locations, functional departments and organizations
  • Technical – people with technical specialties from different business units, in addition to IT, should be included.
  • Logistical – those responsible for logistics and purchasing should be included
  • Political/PR – people who are responsible for reassuring key customers and stakeholders during and after a crisis should be included

Project Plan Components – Project Organization
• Addresses how to organize and run the project. It includes
  • Project Objectives
  • Project Requirements
  • Project Parameters
  • Project Infrastructure
  • Project Processes
  • Project Communications Plan

Project Plan Components – Project Organization
• Project Objectives
  • Using the project solution developed in the Project Definition stage, need to develop specific Project Objectives for the BC/DR plan
  • Business Continuity Plan – focuses on sustaining business activities. It can be written for a specific business process or for all key business processes
  • Continuity of Operations Plan – focuses on restoring mission-critical operations in an alternate location for an extended period of time
  • Disaster Recovery Plan – focuses on restoration of key business processes immediately after a disaster
  • Crisis Communication Plan – focuses on providing consistent and clear communications with employees, customers and stakeholders
  • Occupant Emergency Plan – focuses on building and facility safety, specifically for building occupants

Project Plan Components – Project Organization cont’d
• Project Requirements
  • Write well-defined project requirements based on the objectives discussed above.
  • Project requirements define functional and technical requirements
• Project Parameters
  • These are scope, budget, schedule and quality
  • They are interrelated - changing one impacts the others
  • Scope is the total amount of work to complete the project
  • Create scope statement – assumptions, included and not included in the project based on the objectives
  • Project Parameters need to be ranked from least flexible to most flexible (usually least is budget)

Project Plan Components – Project Organization cont’d
• Project Infrastructure
  • It is the tools and resources you have/need to develop the BC/DR project
• Project Processes
  • Need to establish processes and procedures, and proper documentation to run the project
    • Team Meetings (how, when, where to conduct meetings)
    • Reporting (minutes for the team and status for sponsors)
    • Escalation (problems)
    • Project Progress (how to track)
    • Change Control (how to capture and address changes within the company)
    • Quality Control
• Project Communication Plan
  • Need to develop a proper communication method on the activities and progress of the BC/DR plan to the sponsor and all organizations and departments that have a stake

Project Plan Components – Project Planning
• Key elements in project planning process
  • Developing Work Breakdown Structure (WBS)
    • List of outcomes to be accomplished to complete the project
    • The top level WBS can follow this structure
      • Risk Assessment
      • Business Impact Analysis
      • Risk Mitigation Strategy Development
      • Emergency Preparation
      • Training and Testing
      • Maintenance
  • Critical Path
    • Describes how long the project will take and identifies critical and non-critical tasks

Project Plan Components – Project Implementation
• How do you manage changes that occur in the middle of BC/DR planning development? Any changes occurring in the departments should be assessed for their impact on BC/DR planning
  • Managing Progress
    • Need to develop a method to keep track of the changes occurring in departments/organizations that are being covered under the BC/DR plan
    • Address how their work impacts the project
    • Address how your project impacts their work
  • Managing Change
    • Plans are always subject to change
    • Need to develop a change management process

Project Plan Components – Project Tracking
• Need to develop a project tracking system to track project progress, schedules, budget ….
• Create major and minor project milestones to track the project progress compared to the schedule
  • Major milestones can be set for each Phase of the Project
  • Minor milestones for significant tasks within the phase.
• This information should be available to all team members

Project Plan Components – Project Close Out
The last steps when the Project is completed
• BC/DR plan should be kept up to date under a maintenance plan.
  • Regular review of the plan (yearly)
  • Walk-through of the BC and DR steps defined
  • Regular testing
• There has to be some org/department to which you can hand off the project and which owns the maintenance aspect of it.
• Conduct post-project review for “lessons learned”.

Key Contributors and Responsibilities
• Who are or should be key contributors to the BC/DR plan and what should their role be?
• List the business units and select representatives
  • Sample list – it is different from one company to another
    • Information Technology
    • Human Resources
    • Facility
    • Security
    • Finance
    • Legal
    • Warehouse
    • Purchasing
    • Logistics
    • Marketing and Sales
    • Public Relations

Key Contributors and Responsibilities – cont’d
• Select a representative from each organization or group listed
  • Depending on the size of the department the numbers vary.
• The following criteria can be used for business units the BC/DR focuses on
  • Experience with working on cross-departmental teams
  • Ability to communicate effectively
  • Ability to work well with a wide variety of people
  • Experience with critical business and technology systems
  • Project management leadership

Requirements Definition
• Business, Functional and Technical requirements are part of Project Definition (discussed earlier)
• Business requirements define the scope of the project
• Functional requirements define what the plan does to accomplish business requirements
• Technical requirements define how these business and functional requirements will be met.

Requirements Definition – Business Requirements
• The first step in developing BC/DR project requirements is to define Business Requirements.
• Need to understand critical areas of the business.
• Need to know what questions to ask, and how to ask them, to determine if the business is critical or not
• Scenario-based questions provide better results than asking users if the business or system is critical or not.
• Develop a list of “what-if” scenario questions

Requirements Definition – Functional Requirements
• Functional requirements describe what functions or features must be available.
• Functional requirements state the need for a method or process to be available to meet the business requirement.
• Need to develop a ranking mechanism for each requirement to determine the criticality of the system for ongoing operations of the business.
  • Very-High, High, Normal, Low

Requirements Definition – Technical Requirements
• Technical requirements define how functional and business requirements are met, mainly with technology.
• Technical requirements help to:
  • assess if the current technology meets the BC/DR requirement
  • define a new technology solution if the current one does not meet the requirement
  • determine whether the current technology in place can be utilized in a different way to meet the requirement

Section II: Summary – Project Initiation
In this section we
• Defined the factors that make a successful BC/DR plan
• Identified Project Plan Components
• Identified Key Contributors to BC/DR plan
• Defined business, functional and technical requirements

Section III
Risk Assessment

Section III
Section Objectives
In this section we will cover the 2nd Step in BCP/DRP
Risk Assessment

Section III
Risk Assessment
[Diagram of the seven steps: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]

Introduction – Risk Assessment
• In this section we will cover the concept and practical application of risk management from a BC/DR point of view.
• Identify types of risks companies and businesses face.
• Define risk avoidance, reduction, acceptance and transferring.
• Identify risk management methods

Risk Management
• Risk Management is a topic that covers the management of all types of risks to a company. (We will cover only risks that are directly related to BC/DR planning.)
• Managing Risk is “the process of identifying, controlling, eliminating or minimizing uncertain events that may affect businesses”
• The Risk Management Process is assessing the potential and analyzing the trade-off (opportunity cost) of a particular risk. It is very important to understand the opportunity cost of a threat.

Risk Management
• Risk can be defined as
  • Risk = Threat + Likelihood + Vulnerability + Impact
  (risk is a combination of threat, the likelihood of the threat occurring, vulnerability of the company and the impact of the threat on the company)

Risk Management Process
• The basic steps of the risk management process
  • Threat Assessment – a process of identifying threats that can negatively impact the company, and their sources
  • Vulnerability Assessment – analyzes how vulnerable, susceptible and exposed a system/business is to a particular threat and the likelihood of the threat occurring
  • Impact assessment – analyzes the magnitude of the impact of the threat on the system/business
  • Risk mitigation strategy – addresses the four strategies of risk mitigation and their associated cost
    • Risk Reduction
    • Risk Avoidance
    • Risk Acceptance
    • Risk Transfer

Risk Management – People, Process, Technology and Infrastructure
• For every risk/threat being considered, its impact on the four business components should be addressed
• If a particular threat occurred,
  • What is the impact on people and how do they react?
  • How does it impact the business process?
  • What is the impact on Technology?
  • What is the impact on the Infrastructure (internal and external)?

Risk Assessment Components
• There are three Risk Assessment Components
  • Threat Assessment
  • Vulnerability Assessment
  • Impact Assessment (will be covered in the next section)
[Diagram: Vulnerability Assessment, Threat Assessment, Impact Assessment, DR development phase]

Risk Assessment Components – Threat Assessment
• Risk assessment begins with the assessment of all potential threats and an analysis of those threats.
• Threat’s impact on People, Process, Technology and Infrastructure (business components)
• Threat assessment includes
  • Information gathering
  • Identifying and listing potential threats
    • Natural Threats
    • Human Threats
    • Infrastructure Threats
• Threat assessment methodology
  • Quantitative
  • Qualitative

Threat Assessment – Information Gathering
• There are different methods of collecting data about a company’s risks:
  • Questionnaires: to collect data from specific groups or people
  • Interviews: interviews with SMEs - especially important if the SME cannot be part of the BC/DR planning team
  • Document reviews: Reviewing corporate and organizational documents helps to identify threats, threat sources and vulnerabilities
  • Research: Internal and External:
    • Internal: data about the past business interruptions
    • External: data on the frequency of earthquake, storm, ….

Threat Assessment – Identifying and Listing Threats
• Natural Threats - threats caused by natural phenomena.
  • Fire
  • Flood
  • Winter Storm
  • Drought
  • Earthquake
  • Tornados
  • Hurricanes
  • Tsunamis
  • Volcanoes
  • Pandemics

Threat Assessment – Identifying and Listing Threats
• Human Threats: threats that are caused by human acts.
  • Fire
  • Theft, Sabotage, Vandalism
  • Labor Disputes
  • Terrorism
  • Chemical/Biological Hazards
  • War
  • Cyber Threats

Threat Assessment – Identifying and Listing Threats
• Infrastructure Threats: mainly external issues you have no control over
  • Building Failure
  • Public Transportation Disruption
  • Loss of Utilities
  • Oil Shortage
  • Food or water contamination
  • Regulatory or Legal changes

Risk Assessment Components – Threat Assessment – Threat Checklist
Threat Checklist
• Natural Threats
  • Fire
  • Flood
  • Winter Storm …
• Human Caused Threats
  • Fire
  • Theft, Sabotage
  • Labor Disputes …..
• Infrastructure Threats
  • Building failure
  • Non IT Equipment Failure
  • Heating/Cooling Failure
  • Public Transportation Disruption
• IT Specific Threats
  • Cyber Threats
  • Equipment Failure
  • Loss of Data …

Risk Assessment Components – Risk Assessment Table
Item No  Threat Name  Threat Source  Vulnerability Rating  Likelihood Rating  Existing Controls  Impact Rating  Overall Risk Rating
001  Fire  Internal
002  External
003  Flood  Internal

Risk Assessment – Threat Assessment Methodology
• There are two types of methodologies to evaluate the various threats being considered
• Quantitative Threat Assessment
  • The quantitative method uses hard numbers to represent threats, vulnerabilities and impacts
• Qualitative Threat Assessment
  • The qualitative method uses relative values to represent threats, vulnerabilities and impacts

Risk Assessment – Quantitative Threat Assessment
• e.g. Building power outage threat caused by Lightning
Threat: Power Outage
Threat Source: Lightning
Impact: Power outage for two days
Likelihood: ?
Vulnerability: ?
Impact Cost: ?
Risk Cost: ?

Risk Assessment – Quantitative Threat Assessment
• Threat Likelihood – Let us say that, using the information gathering methods discussed earlier, we found that there is one major outage every other year. So the likelihood of getting one every year is 50%
• Vulnerability - if there is a power outage due to lightning, there is a 100% chance of a loss of power for 48 hours
• Impact Cost:
  • Loss of sales (2 days) = $50,000.00
  • Cost (expense) due to outage = $5,000.00
  • Impact cost = $55,000.00
• Risk Cost = Likelihood * Vulnerability * Impact cost
  • 50% * 100% * $55,000.00 = $27,500.00

Risk Assessment – Quantitative Threat Assessment
• Now you have the information available to decide on what type of risk mitigation strategy to follow for the Power Outage threat caused by Lightning.
Threat: Power Outage
Threat Source: Lightning
Impact: Power outage for two days
Likelihood: 50%
Vulnerability: 100%
Impact Cost: $55,000.00
Risk Cost (yearly): $27,500

Risk Assessment – Qualitative Threat Assessment
• Qualitative assessment uses words instead of values.
• Define Qualitative Value Scale
Value  Level
1  Extremely Low
2  Very Low
3  Low
4  High
5  Very High
6  Extremely High

Risk Assessment – Qualitative Threat Assessment
• Same example used for Quantitative Method
  • Threat Likelihood – using the information gathering methods discussed earlier, we found that there is one major outage every other year. So you can say the likelihood of getting one every year is “High (4)”
  • Vulnerability - if there is a power outage due to lightning, the chance of losing power for two days is “Extremely High (6)”
  • Impact Cost: the total cost of revenue loss and expenses incurred is “Low (3)”
  • Risk Cost: is the average value of Likelihood, Vulnerability and Impact cost
    • (4 + 6 + 3)/3 = 4.3 ~ 4 (High)

Risk Assessment – Qualitative Threat Assessment
• Now you have the information available to develop a risk mitigation strategy for the Power Outage threat caused by Lightning.
Threat: Power Outage
Threat Source: Lightning
Impact: Power outage for two days
Likelihood: 4 (High)
Vulnerability: 6 (Extremely High)
Impact Cost: 3 (Low)
Risk Cost (yearly): 4 (High)
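
The quantitative and qualitative calculations above, combined into a small risk register. This is an added example, not part of the original slides: it scores each threat both ways, ranks the rows for the Risk Assessment Table, and compares a control's yearly cost with the risk cost it removes. The Flood threat, the control figures, the half-up rounding rule and the function names are constructed assumptions; only the Power Outage numbers and the 1-6 scale come from the slides.

```python
from dataclasses import dataclass, replace

# Qualitative value scale defined on the slides (1 = Extremely Low ... 6 = Extremely High).
SCALE = {1: "Extremely Low", 2: "Very Low", 3: "Low",
         4: "High", 5: "Very High", 6: "Extremely High"}


@dataclass(frozen=True)
class Threat:
    name: str
    source: str
    likelihood: float      # chance of the threat occurring in a year, 0.0 to 1.0
    vulnerability: float   # chance that an occurrence causes the stated impact, 0.0 to 1.0
    impact_cost: float     # cost of one occurrence, in dollars
    q_likelihood: int      # the same three factors rated on the 1-6 scale
    q_vulnerability: int
    q_impact: int


def risk_cost(t):
    """Quantitative method: Risk Cost = Likelihood * Vulnerability * Impact cost."""
    for label, value in (("likelihood", t.likelihood), ("vulnerability", t.vulnerability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{t.name}: {label} must be between 0 and 1, got {value}")
    if t.impact_cost < 0:
        raise ValueError(f"{t.name}: impact cost cannot be negative")
    return t.likelihood * t.vulnerability * t.impact_cost


def qualitative_risk(t):
    """Qualitative method: average the three ratings and map back onto the scale."""
    ratings = (t.q_likelihood, t.q_vulnerability, t.q_impact)
    if any(r not in SCALE for r in ratings):
        raise ValueError(f"{t.name}: ratings must be whole numbers from 1 to 6")
    # Assumption: averages round to the nearest level, halves upward.
    # The slides only show 4.3 rounding to 4.
    value = int(sum(ratings) / 3 + 0.5)
    return value, SCALE[value]


def risk_table(threats):
    """Build Risk Assessment Table rows, highest yearly risk cost first."""
    rows = []
    for t in threats:
        value, level = qualitative_risk(t)
        rows.append({
            "threat": t.name,
            "source": t.source,
            "vulnerability": SCALE[t.q_vulnerability],
            "likelihood": SCALE[t.q_likelihood],
            "impact": SCALE[t.q_impact],
            "overall_risk": f"{value} ({level})",
            "risk_cost": risk_cost(t),
        })
    return sorted(rows, key=lambda row: row["risk_cost"], reverse=True)


def control_pays_off(t, yearly_control_cost, residual_vulnerability):
    """Compare a control's yearly cost with the yearly risk cost it removes."""
    remaining = risk_cost(replace(t, vulnerability=residual_vulnerability))
    return risk_cost(t) - remaining > yearly_control_cost


# Worked example from the slides: one major outage every other year (50%),
# 100% chance of losing power for two days, $50,000 lost sales + $5,000 expenses.
POWER_OUTAGE = Threat("Power Outage", "Lightning", 0.5, 1.0, 55_000.0, 4, 6, 3)

# Constructed second threat, not from the slides, to show ranking.
FLOOD = Threat("Flood", "Internal", 0.25, 0.5, 200_000.0, 3, 4, 5)

if __name__ == "__main__":
    for row in risk_table([FLOOD, POWER_OUTAGE]):
        print(f'{row["threat"]:<13}{row["source"]:<11}{row["overall_risk"]:<10}'
              f'${row["risk_cost"]:,.2f}')
    # Constructed control: backup power at $10,000 a year that leaves a 12.5%
    # chance of a two-day outage when lightning strikes.
    print("Backup power justified:", control_pays_off(POWER_OUTAGE, 10_000.0, 0.125))
```

Both sample threats come out as 4 (High) on the qualitative scale while their yearly risk costs differ, which is why the quantitative figure is the one to set against the cost of a mitigation.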

Risk Assessment Components – Risk Assessment Table
• Update the Risk Assessment Table
Item No  Threat Name  Threat Source  Vulnerability  Likelihood  Existing Controls  Impact  Overall Risk
001  Fire  Internal
002  External
003  Flood  Internal
004  Power Outage  Lightning  Extremely-High  High  None  High
22
Risk Assessment Components – Vulnerability Assessment
• Vulnerability is weakness, exposure or susceptibility to threats.
  • Vulnerabilities can be exploited intentionally or triggered unintentionally.
  • The result of Threat assessment becomes input to Vulnerability assessment.
• People, Process, Technology and Infrastructure are vulnerable to threats.
  • For each threat, each business component will be considered for vulnerability assessment
  • How vulnerable are people (the staff, customers …) to the threat presented?
  • How vulnerable is the business process to the threat?
  • How vulnerable is the technology in place to the threat?
  • How vulnerable is the infrastructure to the threat?
Risk Assessment Components – Vulnerability Assessment
• Vulnerability assessment can be qualitative or quantitative (mainly qualitative – High, Medium, Low). It addresses “how vulnerable the business component is”
• Information gathering:
  • Questionnaires,
  • Interviews,
  • Document reviews and
  • Research.
• Risk = Threat + Likelihood + Vulnerability + Impact
Risk Assessment
• From Threat and Vulnerability assessments we collected the following information needed for the next phase
  • Potential Threat Sources
  • Likelihood of the threat occurring
  • Vulnerability of the company
  • A preliminary Risk value
• Risk = Threat + Likelihood + Vulnerability + Impact
Section III:
Summary
In this section we
• Defined the Risk Management concept
• Covered the Risk Management processes.
• Identified Risk Assessment components.
• Covered information gathering methods
• Defined Threat and Vulnerability Assessment methods
Section IV
Business Impact Analysis
Section IV
Section Objectives
In this section we will cover the third Step in BCP/DRP
Business Impact Analysis
Section IV
Business Impact Assessment
[Process diagram: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]
Section IV
Introduction – Business Impact Assessment
In this section we will:
• Define Business Impact Assessment (BIA) concepts
• Identify critical business processes
• Determine disruption impact - including financial, operational and legal
• Define business recovery requirements
Business Impact Assessment
• BIA identifies the processes critical to ongoing business operations and determines the impact that disruption of these processes has on the business.
• The primary purposes of BIA are
  • Understanding and identifying the organization’s critical business objectives
  • Determining the time it takes to resume business functions after disruption
  • Assessing the impact of disruption on critical business functions and setting priorities
  • Providing information from which a recovery strategy can be developed
Business Impact Assessment – Impact category
• First step is to clearly define a category to assess business process criticality.
Category  Function   Label
1         Critical   Mission-Critical
2         Essential  Vital
3         Necessary  Important
4         Desirable  Minor
Business Impact Assessment – Impact category
• Mission-Critical business processes are the ones that have a serious impact on the company’s operations.
• Vital business processes are also considered critical, but their loss can be tolerated until Mission-Critical processes are restored
• Important business processes are the ones that do not stop the company from operating in the near term but have a long-term impact.
• Minor business processes are processes that can be restored at a later time after recovery is completed.
Business Impact Assessment – Recovery Time
Recovery Time Requirements
• Maximum Tolerable Downtime (MTD) or Maximum Tolerable Outage (MTO): The maximum downtime the business can tolerate for an outage of a particular business process or function. MTD is the combination of systems recovery time and work recovery time. MTD = RTO + WRT.
• Recovery Time Objective (RTO): The time available to recover disrupted systems
• Work Recovery Time (WRT): The time it takes to get critical business functions up and running after systems are recovered.
• Recovery Point Objective (RPO): The amount or extent of data loss that can be tolerated by the critical business systems.
Business Impact Assessment – RTO
Recovery Window
Category  Function   Label             RTO
1         Critical   Mission-Critical  0-12 hours
2         Essential  Vital             13-24 hours
3         Necessary  Important         1-3 days
4         Desirable  Minor             > 3 days
BIA – impact evaluation
• After risks and threats are identified (previous section), the business impact must be evaluated for
  • Business functions: activities – sales, marketing, manufacturing
  • Business processes: how these activities occur or get done
  • IT systems: how these business processes are carried out – computer systems, applications, automated systems
• The impact should also be considered for upstream and downstream functions
BIA – Identifying Business Functions
• Create a list of functional areas of the business.
• Start with the common business functions listed below, and add from the organizational chart
  • List of Business functions
    • Information Technology
    • Operations
    • Human Resources
    • Finance
    • Legal
    • Facilities/Security
    • Marketing and Sales
    • Manufacturing
    • Warehouse
    • ….
• Contact SMEs to discuss the critical business functions
  • With the help of SMEs, list all departments, divisions, under each heading.
BIA – Gathering Data
• The next step is to collect data for each of the business functional areas listed (processes and criticality).
• Data collection methodologies:
  • Questionnaires:
  • Interviews:
  • Workshops:
  • Documents and research.
• Sample questions:
  • What single points of failure exist?
  • What are upstream and downstream risks to your business function?
  • What workaround would you use for your business process?
  • What is the minimum number of staff you need?
  • What is the maximum tolerable down time?
  • What are the key skills and knowledge required to recover your business process?
  • How would this business function in a recovery site?
  • ….
BIA – Determining the Impact of disruption
• The next step is to determine the impact for each business functional area, then assign a criticality rating.
• The impact can include:
  • Financial: loss of revenue, lost sales, salaries and wages paid.
  • Customers: loss of customers – go to competitors
  • Suppliers: loss of suppliers
  • Employees: impacted by the disaster (injury, …)
  • PR: loss of trust
  • Legal: unable to meet legal and regulatory requirements
  • Operational: Business operations being disrupted
  • HR: The impact on the staff of handling the disaster
  • Investors: may lose confidence.
  • Competitive Advantage:
BIA – Criticality Matrix
• After data collection, assign criticality rating.
Business Function    Business Process     Criticality
Human Resources      Payroll              Mission-critical
                     New Hire             Important
Finance              Accounts Receivable  Mission-critical
                     Accounts Payable     Mission-critical
                     Tax filings          Mission-critical
Marketing and Sales  Sales Calls          Vital
                     Sales Training       Minor
BIA Findings Report
• The next step is to write the BIA findings report based on the information collected. The report should include:
  • Key Business functions and processes
  • Process and resource interdependence
  • IT dependencies
  • Criticality
  • Impacts on operations
  • Recovery time requirements
  • Recovery Resources
  • SLA
  • Technology
  • Work-around procedures
  • Financial impact
  • Legal impact
  • Competitive impact
  • Investor impact
  • Customer impact
  • ….
Section IV:
Summary
In this section we
• Defined BIA
• Identified Business functions and processes
• Learned how to gather BIA information and to prepare BIA Reports
Section V
Risk Mitigation Strategy Development
Section V
Section Objectives
In this section we will cover the fourth Step in BCP/DRP
Risk Mitigation Strategy Development
• Types of Risk Mitigation Strategies
• Risk Mitigation Process.
• Backup and Recovery considerations.
Section V
Risk Mitigation Strategy
[Process diagram: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]
Introduction – Risk Mitigation Strategy
• Risk Mitigation is a process of taking steps to reduce the effects of an event.
• Developing the Risk Mitigation Strategy is the last step in Risk Management activity for BC/DR Plan development
• Inputs:
  • Risk Assessment (threat and vulnerability assessment)
  • BIA
• Output:
  • Risk Management Strategy Plan
Risk Mitigation Strategies
• There are four types of Risk Management Strategies.
  • Risk Acceptance
  • Risk Avoidance
  • Risk Limitation
  • Risk Transference
Risk Mitigation Strategies – Risk Acceptance
• Risk Acceptance: Accepting risk does not reduce its impact.
• There are many reasons companies choose risk acceptance
  • The primary reason is Cost. Accepting the risk can be less costly than implementing mitigation strategies.
  • Small companies do it more often.
  • It is the least expensive option in the near term and the most expensive when disaster happens.
Risk Mitigation Strategies – Risk Avoidance
• Risk Avoidance is the opposite of Risk Acceptance.
• In a BC/DR plan, it is an action that avoids any exposure to a risk (for example, deploying fully redundant systems).
• It is the most expensive of all mitigation strategies, but has significant impact in reducing the cost of down time and recovery.
• This is one of the options to be considered for mission-critical business functions.
Risk Mitigation Strategies – Risk Limitation
• Risk Limitation is a method of limiting the exposure to a threat by taking action.
• It does not stop the system from failing but helps to recover in a timely manner.
  • e.g. daily backup of data.
• It falls between Risk Avoidance and Risk Acceptance.
• The cost varies depending on the options implemented.
Risk Mitigation Strategies – Risk Transference
• Risk Transference is a method of transferring the risk to a third party. Paying another company to assume the risk.
  • e.g. Buying insurance, outsourcing payroll services.
• Risk Transference has an ongoing cost (e.g. service fee).
Risk Mitigation Process
• The next step is to select appropriate options in order to develop a comprehensive strategy.
  • Recovery Requirements
  • Recovery Options
  • Recovery Cost
Risk Mitigation Process – Recovery Requirements
• Recovery Requirements are developed for the critical business processes identified in the BIA report.
• Include
  • Recovery Time
  • Cost of recovery
  • Processes required
• Identify the resources and associated cost to help determine the mitigation strategy.
Risk Mitigation Process – Recovery Options
• Recovery Options are developed for each critical business process identified in the BIA report.
• There are three options
  • As-needed
  • Prearranged
  • Preestablished
• The cost and time to implement these options vary
• Each option must be reviewed in terms of MTD for each critical business process.
  • (e.g. If you have a requirement to have an alternate site for IT services, all options must be considered)
Recovery Options – As-needed
• As-needed option
  • takes a longer time to deploy
  • may cost more (depending on the disruption type)
• Resources and services are acquired after the event has occurred.
• There is an additional risk of not being able to get the resources at all.
Recovery Options – Prearranged
• The Prearranged option requires making arrangements and contractual agreements with suppliers and service providers, for equipment and services to be provided within a specified period.
• In addition to the cost of equipment and services, there is a recurring cost.
Recovery Options – Pre-established
• The Pre-established recovery option is setting up an alternate site that can be activated after the disaster. The site is only used for recovery.
• The site must be kept up-to-date to reflect the current environment of the actual site
• There is a cost for building the site and for upkeep.
• Shorter recovery time than the other options.
Developing Risk Mitigation Strategy
• Risk Mitigation Strategy steps
  • Gather recovery data
  • Compare cost and capability options
  • Select the mitigation options for each business process – acceptance, avoidance, limitation, or transference
  • Select the recovery options
• Based on the above information, you can develop a document that outlines the cost, capability, effort and quality of each option considered
IT Recovery Options
• When developing an IT Systems Risk Management Strategy, you need to consider the latest technology available today.
• As technological developments are fast paced (especially for IT), the system currently in operation/production can be outdated; you may even consider replacing or upgrading the system.
• Or, if you already have a BC/DR plan that was developed a few years ago, it can be invalid due to technological advancement; you need to revise the BC/DR plan more often than for the other business functions.
IT Recovery Options – Alternate Sites
• Considering an alternate site. Common options
  • Fully Mirrored Site: a fully redundant site that mirrors the live site.
    • Provides high availability
    • Can also be used for load balancing.
  • Hot Site: a site with an identical configuration that can be operational within 4 hours.
  • Warm Site: a fully or partially equipped site that can be operational within hours of being restored from backup data. The facility can be used for less critical functions during normal business operation.
  • Mobile Site: a self-contained unit that can be transported to establish an alternate work site.
  • Cold Site: a site that is started up after the disruption has occurred. It is the least expensive but has the longest recovery time.
  • Reciprocal Site: an arrangement made with other companies that have similar operations.
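The recovery-time definitions from the BIA section (MTD = RTO + WRT and the RTO window table) applied to the alternate-site options above, as an added Python example that is not part of the original course material. Only the hot-site figure of 4 hours comes from the slides; the other restore times, the process figures and the helper names are constructed, and each RTO window is treated as an upper bound so that values falling between the listed windows still classify.

```python
"""BIA recovery-time review: derive RTO from MTD and WRT, classify it against
the RTO windows, and list the alternate sites that fit.

Added example. Restore times other than the hot site's 4 hours, and all
process figures, are constructed planning assumptions.
"""
from dataclasses import dataclass

# (upper bound of the RTO window in hours, category, function, label).
# The slide lists 0-12 h, 13-24 h, 1-3 days and > 3 days; using upper bounds
# places a value such as 12.5 h in the 13-24 h band instead of nowhere.
RTO_BANDS = [
    (12.0, 1, "Critical", "Mission-Critical"),
    (24.0, 2, "Essential", "Vital"),
    (72.0, 3, "Necessary", "Important"),
    (float("inf"), 4, "Desirable", "Minor"),
]

# Hours each alternate site needs before systems are operational (assumed,
# except the hot site).
SITE_RESTORE_HOURS = {
    "Fully Mirrored Site": 0.0,
    "Hot Site": 4.0,
    "Warm Site": 24.0,
    "Cold Site": 96.0,
}


@dataclass(frozen=True)
class Process:
    name: str
    mtd_hours: float   # maximum tolerable downtime stated by the business
    wrt_hours: float   # work recovery time once systems are back

    @property
    def rto_hours(self) -> float:
        """MTD = RTO + WRT, so the time left for system recovery is MTD - WRT."""
        rto = self.mtd_hours - self.wrt_hours
        if rto <= 0:
            raise ValueError(
                f"{self.name}: WRT of {self.wrt_hours} h leaves no time for "
                f"system recovery within an MTD of {self.mtd_hours} h")
        return rto


def classify_rto(rto_hours: float):
    """Return (category, function, label) for an RTO in hours."""
    if rto_hours < 0:
        raise ValueError("RTO cannot be negative")
    for upper, category, function, label in RTO_BANDS:
        if rto_hours <= upper:
            return category, function, label


def fitting_sites(process: Process, sites=SITE_RESTORE_HOURS):
    """Alternate sites that restore systems within the RTO, fastest first."""
    rto = process.rto_hours
    fits = [(hours, name) for name, hours in sites.items() if hours <= rto]
    return [name for _, name in sorted(fits)]


def bia_review(processes):
    """One row per process, most time-critical first."""
    rows = []
    for p in processes:
        category, _, label = classify_rto(p.rto_hours)
        rows.append({"process": p.name, "category": category, "label": label,
                     "rto_hours": p.rto_hours, "sites": fitting_sites(p)})
    return sorted(rows, key=lambda r: (r["category"], r["rto_hours"]))


# Constructed sample processes.
SAMPLE = [
    Process("Sales Training", mtd_hours=120.0, wrt_hours=8.0),
    Process("Payroll", mtd_hours=16.0, wrt_hours=6.0),
    Process("Sales Calls", mtd_hours=30.0, wrt_hours=6.0),
]

if __name__ == "__main__":
    for row in bia_review(SAMPLE):
        print(row)
```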
Section V:
Summary
In this section we covered
• Types of Risk Mitigation Strategies
• Risk Mitigation Process.
• Backup and Recovery Considerations.
Section VI
BC/DR Plan Development
Section VI
Section Objectives
In this section we will cover the fifth Step in BCP/DRP
Business Continuity/Disaster Recovery Plan Development
• Business Continuity and Disaster Recovery phases
• Define BC/DR Teams.
• Define BC/DR activity checklists
Section VI
Plan Development
[Process diagram: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]
Introduction – BC/DR Plan Development
• The plan needs to state risks, vulnerabilities, potential impacts to mission-critical business functions and associated mitigation strategies.
• From the previous sections we have
  • Identified risks,
  • Assessed vulnerabilities
  • Determined potential impacts on business
  • Identified mission critical business functions
  • Developed mitigation strategies
• Next is to determine and develop a guideline on when, how and by whom these strategies are implemented
BC/DR Plan Phases
• Business Continuity and Disaster Recovery Phases
[Diagram: Activation Phase, Recovery Phase, Business Continuity Phase, Maintenance/Review Phase]
BC/DR Plan – Activation Phase
• Activation Phase addresses the time during and immediately after a business disruption
• Activation includes
  • Initial Response
  • Problem assessment
  • Escalation
  • Disaster declaration
  • Plan implementation
BC/DR Plan – Activation Phase – Disaster Levels
Defining the disaster type and level.
• There should be clearly defined disaster levels to help you determine the types of activation and recovery process to follow.
  • Major Disaster: has a major impact on business. It disrupts all or most of the critical business operations, such as the destruction of the entire facility. It occurs rarely.
  • Intermediate Disaster: the impact is less than major. It impacts one or more mission-critical business functions. Business operations will experience significant disruption.
  • Minor Disaster: a type of disaster that occurs more often and impacts only a single business operation. It is an isolated incident, and normal business operations will not be interrupted.
BC/DR Plan – Activation Phase – BC/DR Teams
• Notification of the disaster goes to the following BC/DR Teams. They will handle/respond to the disaster by implementing procedures outlined in the BC/DR Plan
  • Crisis Management Team
  • Damage Assessment Team
  • Notification Team
  • Emergency Response Team
  • Business Continuity Leader
  • Crisis Communication Team
  • Resource and Logistics Team
  • Risk Assessment Team
BC/DR Plan – Triggers
A trigger defines when an alternate plan or method should be implemented.
• Activation Trigger: Each Disaster Level needs clearly defined triggers. Based on the Initial Assessment, determine the disaster level and activate the part of the BC/DR Plan that addresses the issue.
• Transition Trigger: a trigger to move from one phase to another
  • Activation to Recovery Phase: triggered after the initial evaluation from the Damage Assessment Team, when the CMT is on the scene and the selected BC/DR plan is activated
  • Recovery to Continuity Phase: triggered after the disaster (event) is under control and the effects have been addressed.
  • Business Continuity to Normal Operations: triggered when things are back to “normal”.
BC/DR Plan – Recovery Phase
• The Recovery Phase starts immediately after the disaster has occurred and been contained. The event could still be continuing.
BC/DR Plan – Business Continuity Phase
• The Business Continuity phase starts after the Recovery phase is done and the steps to get back to normal operating conditions are determined.
• It addresses
  • How business operations can resume at temporary locations
  • The work-around needed
  • The transition back to normal operations from the temporary location
BC/DR Plan – Maintenance/Review Phase
The Maintenance Phase occurs whether the BC/DR Plan is activated or not. It deals with reviewing, evaluating and revising the plan.
• If activated, it has to be done after the completion of the Recovery Activity.
  • Evaluate how the plan performed in the light of the actual event.
  • Revise the document based on the lessons learned.
• Regular/scheduled plan review to ensure the document is still current and valid.
• During Operational changes: all changes in the business operations and processes should be handled in Change Control
BC/DR Teams
Creating BC/DR Teams: people should be selected based on their skills and expertise for the task they will be assigned.
• Crisis Management Team:
  • Has representatives from all business units
  • Has expertise to deal with major business disruption
  • In charge of activating, implementing and managing the BC/DR plan
• Damage Assessment Team(s):
  • From key areas of business units.
  • Can be multiple Teams
  • Mobile, immediate availability
• Operations Assessment Team(s):
  • Who can assess the immediate impact on operations
• IT Team:
  • Has expertise in system administration and other IT related activities
• Administrative Support Team:
  • Who can handle administrative tasks
BC/DR Teams cont’d
• Transportation and Relocation Team:
  • Who can address transportation and relocation needs for people and equipment
• Media Relations Team:
  • Who can provide information about the disruption to employees, media, investors, customers, suppliers
• Human Resource Team:
  • Who handle employees’ needs during a disaster, hiring additional staff
• Legal Affairs Team:
  • Who can address the legal concerns of the company
• Physical Security Team:
  • Who can handle the physical safety of the people and the building.
  • Who can handle access control to the building
• Procurement Team:
  • Handles equipment and services purchasing
BC/DR Contact Information
• Contact Information should include the following and be stored where it can be readily available under a disaster condition.
• The list should include
  • Management
  • Key Operations Staff
  • BC/DR Team members
  • Suppliers, vendors
  • Key customers
  • Emergency number
  • Others as needed
• This information should be maintained regularly and kept up-to-date.
BC/DR Plan Change Control
• Need to develop a method to:
  • update the BC/DR Plan when a change occurs in the organization that has an impact on the plan
    • E.g. Adding new departments, upgrading systems, changing operational process ….
  • monitor and track changes in the BC/DR Plan (version control)
    • Revision history table
  • distribute the BC/DR plan to interested parties
Emergency Response and Recovery
• Emergency Management
  • Simple rule - Assigning roles
• Emergency Response Plan
  • Emergency Response is the immediate response to the incident
  • The Plan is derived from the risks identified
  • Some of the Emergency Response tasks are:
    • Protect personnel
    • Contain the incident
    • Engage ERT and CMT
    • Assess impact
    • Notification
  • Develop a basic plan that covers a variety of emergencies and contains
    • Roles and Responsibilities
    • Tools and equipment
    • Resources
    • Actions and procedures
Emergency Response Team (ERT)
• Set up the ERT with defined roles and responsibilities
• The ERT leader is responsible for activating and coordinating emergency response
• If CMT and ERT are two separate teams, the ERT leader should be a member of CMT.
• Emergency Response and Disaster Recovery can go in parallel
• ERT members should be trained and regularly exercised on the tasks they are responsible for.
Crisis Management Team (CMT)
• CMT is responsible for making high-level decisions, coordinating efforts and determining the appropriate responses
• The team leaders for various activities in the BC/DR should be members of CMT
• CMT oversees ERT and DRT
• The ERT leader should be a member of CMT and report the activities to CMT regularly
• CMT coordinates the activities related to initiating DR efforts
• The CMT role ceases when business continuity begins and it transitions the business operations to normal management.
  • Need to create hand-over criteria for transferring responsibility to normal operations.
• If an alternate facility is set up, CMT is responsible for overseeing disaster recovery and business continuity activities
Crisis Management Team (CMT)
• All crisis-related communications are originated or approved by CMT.
  • It helps to ensure correct and consistent information is released/communicated
  • It keeps the CMT in the loop
• An HR representative should be a member of the CMT.
  • Addresses needs of employees
  • Can hire, select and manage additional temporary staff (if needed).
• A representative from the legal department should be a member. Helps to address/handle legal and insurance related issues
• A representative from the financial department should be a member to assess the status of the company and ensure bills are disbursed in a timely manner.
Disaster Recovery - checklists
• Checklists help make the right decision and help responders understand the steps to take.
• Activation Checklists: An activation checklist can be used to determine if, how and when to activate the BC/DR Plan. Identify all activities and triggers that should take place before and during the plan activation.
  • Initial Response Checklist
  • Damage Assessment Checklist
  • Disaster Declaration and Notification Checklist
• Recovery Checklists: identify all the activities that should take place during the recovery phase
  • General Recovery Checklist
  • Inspection, Assessment and Salvage Checklist
Business Continuity - checklists
• Business continuity begins when disaster recovery ends.
• Involves limited business operations.
• Involves work-around solutions while systems and resources are fully restored
• The most critical aspect of BC is determining what should be restored, salvaged or replaced.
• BC checklists help to ensure the required systems are in place and functional
  • Resuming Work checklist
  • HR checklist
  • Insurance and Legal checklist
  • Production and Operations checklist
  • Resuming Operations checklist
  • Using Existing Facility checklist
  • New Facility checklist
  • Transition to Normalized Activities checklist
Section V:
Summary
In this section we
• Studied Business Continuity and Disaster Recovery phases
• Defined BC/DR Teams.
• Defined BC/DR activity checklists
Section VI
Testing and Training
Section VI
Section Objectives
In this section we will cover the fifth Step in BCP/DRP
Testing and Training
• Training for
  • Emergency Response
  • Disaster Recovery
  • Business Continuity
• Testing BC/DR Plan.
Section VI
Testing and Training
[Process diagram: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]
Testing and Training
• After the BC/DR Plan is developed, the next step is to test the plan’s effectiveness and train the implementers for the specific roles assigned
Section VI
Training for Emergency Response
• ERT members should be trained in the emergency response activities described in the BC/DR Plan
• Basic CPR training should be part of all emergency responders’ training.
• Specialized skills training may be required
• Refresher training should be taken regularly
• The ERT leader is responsible for ensuring the members are trained
Section VI
DR and BC Testing/Training
• Four methods of plan testing
  • Paper Walk-through
  • Functional exercise
  • Field exercise
  • Full interruptions
• Training can be coordinated with testing
• The objective of the training is to understand the plan and
  • how to activate,
  • when to activate, and
  • how to implement the steps defined
• Everyone involved in the BC/DR implementation needs to understand their roles and responsibilities
Section VI
DR and BC Testing/Training Cont’d
• Testing the plan
  • Verifies the validity of the steps developed
  • Provides training to implementers
  • Identifies gaps and flaws in the plan, so it can be revised
  • Determines the cost and feasibility
• Before Testing –
  • develop Test Evaluation Criteria
• After completion –
  • write recommendations based on the result
Section VI
DR and BC Testing – Paper Walk-through
• A Paper walk-through should be scheduled once a year.
• Steps to run paper walk-through
  • Develop Realistic Scenarios
  • Develop Evaluation Criteria
  • Provide copies of the plan to CMT
  • Divide participants by Team
  • Use Checklists for key processes
  • Take Notes
  • Identify Additional Training needs
  • Develop Summary and Lessons Learned
  • Revise DR/BC Plan if needed.
Section VI
DR and BC Testing – Functional Exercise
• A functional exercise tests some of the plan’s functionality.
• Done with very minimal or no impact to mission-critical business operations.
• Functional exercises can be used as a training mechanism.
• Follow steps similar to those covered in the Paper walk-through
Section VI
DR and BC Testing – Field Exercise
• Field exercises should be done with a simulated realistic scenario.
• Can be with a specific organization or department
• Can also be coordinated with the local/city emergency responders.
• Provides hands-on training.
• Helps to evaluate/assess the performance of CMT and DRT members
Section VI
DR and BC Testing – Full Interruption Test
• Full Interruption activates all components of the Plan and interrupts mission-critical functions.
• Can be run with specific organization(s) or department(s)
• Can also be coordinated with the local/city emergency responders.
• Very expensive to run the test.
Section VI
Summary
In this section we
• Studied BC/DR Plan testing and training
Section VII
Plan Maintenance
Section VII
Section Objectives
In this section we will cover the last Step in BCP/DRP cycle
Plan Maintenance
• Change Management
• Maintenance Activities
Section VII
Plan Maintenance
[Process diagram: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]
Section VII
Plan Maintenance – Change Management
• The critical part of Plan Maintenance is controlling and keeping up with changes to keep the document current and viable.
• The major reasons for changing or revising the plan are:
  • IT Change
  • Operations
  • Corporate
  • Regulatory
Section VII
Plan Maintenance – Change Control Methods
• Monitoring – implement a step in each business/function operational procedure to include “if change impacts on BC/DR – submit change request”
• Regular review of organizational changes, current employment status and department of each BC/DR Team member.
• Ensure that everyone uses the latest version of the Plan
Steps
[Process diagram: Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]