Business Continuity Planning Anjan

Date post: 14-Apr-2018
    Business Continuity Planning (BCP)

    Presented by Anjan Mohapatro

    Business Continuity Plan

    Planning to ensure the continuation of operations in the event of a catastrophic event.

    Business continuity planning goes beyond disaster recovery planning to include the actions to be taken, resources required, and procedures to be followed to ensure the continued availability of essential services, programs, and operations in the event of unexpected interruptions.

    Business Continuity Plan

    How to preserve critical business functions in the face of a disaster/crisis so that it can manage and survive the crisis and take appropriate action to help ensure the organization's continued viability

    A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation

    Business Continuity Plan

    Goal: to assist the organization/business to continue functioning even though normal operations are disrupted

    Steps: before disruption, during disruption, after disruption

    Why BCP is Required

    Proactive rather than reactive
      It is better to plan activities ahead of time rather than to react when the time comes
    Maintain business operations
    Keep the money coming in
    Short and long term loss of business
    Effect on customers
    Public image
    Loss of life


    The Problem





    Errors & omissions
    Fire, water, electrical
    Dishonest employees
    Disgruntled employees
    Outside threats
    Utility failures
    Intruders
    Fire/smoke
    Water
    Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
    Heat/humidity
    Electromagnetic emanations
    Hostile activity
    Technology failure


    The Controls

    Information security
    Redundancy
    Backed up data
    Alternate equipment
    Alternate communications
    Alternate facilities
    Alternate personnel
    Alternate procedures

    Key Elements

    Disaster recovery
    Business recovery
    Contingency planning
    Crisis management

    Create a Business Continuity Management Team

    Led by top management
    Responsible for creating, maintaining, testing and implementing a comprehensive BCP
    Top-down approach
    Awareness at all levels
    Key players: senior officials, internal audit, risk management, legal, finance/budget


    Corporate Policy

    A BCP policy committed to undertaking all reasonable and appropriate steps to protect people, property and all business interests is essential.
    Corporate policy should contain a definition of crisis.
    Responsibility for systems, resources and key business processes should be clearly identified.
    The BCP team should include top senior leaders, major organizational functions and support groups, for widespread acceptance.
    The policy should be communicated throughout the organization.

    Business Continuity Process

    Assess - identify and triage all threats (BIA)
    Evaluate - assess likelihood and impact of each threat
    Prepare - plan for contingent operations
    Mitigate - identify actions that may eliminate risks in advance
    Respond - take actions necessary to minimize the impact of risks that materialize
    Recover - return to normal as soon as possible

    Any organizational impacts that could result from an interruption of normal operations should be examined.
    Identify critical processes and document them: purchasing, manufacturing, supply chain
    Processes should be ranked as HML (high, medium, low)
    Assess the impact if a crisis were to happen: human cost, financial cost, corporate image cost

    BIA Review Factors

    All Hazards Analysis

    Likelihood of Occurrence

    Impact of Outage on Operations

    System Interdependence

    Revenue Risk

    Personnel and Liability Risks

    The Steps in a BCP - 1

    Risk Assessment/Analysis
      Potential failure scenarios (risks)
      Likelihood of failure
      Cost of failure, quantify impact of threat
      Assumed maximum downtime
      Annual Loss Expectancy
      Worst case assumptions
      Based on business process model? Or IT model?
      Identify critical functions and supporting resources
      Balance impact and countermeasure cost
      Key - potential damage, likelihood

    Threat - any event which could have an undesirable impact
    Vulnerability - absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both
    Exposure - a measure of the magnitude of loss or impact on the value of the asset
    Risk - the potential for harm or loss, including the degree of confidence of the estimate

    Quantitative Risk Analysis
      Quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
      Powerful aid to decision making
      Difficult to do in time and cost
    Qualitative Risk Analysis
      Minimally quantified estimates
      Exposure scale ranking estimates
      Easier in time and money
      Less compelling
    Risk analysis is performed as a continuum from fully qualitative to less than fully quantitative

    Loss impact analysis
    Recovery time frames
    Essential business functions
    Information systems applications
    Recommended recovery priorities & strategies
    Goals
      Understand economic & operational impact
      Determine recovery time frame (business/DP/network)
      Identify most appropriate strategy
      Cost/justify recovery planning
      Include BCP in normal decision making process

    Hardware failure
    Utility failure
    Natural disasters
    Loss of key personnel
    Human errors
    Neighborhood hazards
    Tampering
    Disgruntled employees
    Emanations
    Unauthorized access
    Safety
    Improper use of technology
    Repetition of errors
    Cascading of errors
    Illogical processing
    Translation of user needs (technical requirements)
    Inability to control technology
    Equipment failure
    Incorrect entry of data
    Concentration of data
    Inability to react quickly
    Inability to substantiate processing
    Concentration of responsibilities
    Erroneous/falsified data
    Misuse

    Risk Analysis Steps

    1 - Identify essential business functions
      Dollar losses or added expense
      Contract/legal/regulatory requirements
      Competitive advantage/market share
      Interviews, questionnaires, workshops
    2 - Establish recovery plan parameters
      Prioritize business functions
    3 - Gather impact data/threat analysis
      Probability of occurrence, source of help
      Document business functions
      Define support requirements
      Document effects of disruption
      Determine maximum acceptable outage period
      Create outage scenarios

    Risk Analysis Steps

    4 - Analyze and summarize
      Estimate potential losses
        Destruction/theft of assets
        Loss of data
        Theft of information
        Indirect theft of assets
        Delayed processing
        Consider periodicity
      Combine potential loss & probability
      Magnitude of risk is the ALE (Annual Loss Expectancy)
      Guide to security measures and how much to spend
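
    An added example, not part of the original slides: step 4 carried through on a small risk register, combining potential loss and probability into the ALE and weighing each countermeasure's cost against the loss it avoids. The scenario names, figures and the `Scenario` fields are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_per_event: int     # estimated loss each time the event occurs
    events_per_year: float  # likelihood, as expected occurrences per year
    safeguard_cost: int     # yearly cost of the proposed countermeasure
    residual_rate: float    # expected occurrences per year with it in place


# Constructed sample register; every figure is illustrative.
SCENARIOS = [
    Scenario("Data entry errors", 5_000, 4.0, 30_000, 1.0),
    Scenario("Server room fire", 800_000, 0.125, 30_000, 0.0625),
    Scenario("Utility power failure", 40_000, 2.0, 25_000, 0.5),
]


def ale(loss_per_event, events_per_year):
    """Annual Loss Expectancy: potential loss combined with probability."""
    return loss_per_event * events_per_year


def assess(scenarios):
    """Rank scenarios by ALE and test each countermeasure against its cost."""
    rows = []
    for s in scenarios:
        before = ale(s.loss_per_event, s.events_per_year)
        after = ale(s.loss_per_event, s.residual_rate)
        # A countermeasure is worth buying only if the yearly loss it
        # avoids is larger than what it costs per year.
        net_benefit = (before - after) - s.safeguard_cost
        rows.append({
            "name": s.name,
            "ale": before,
            "ale_with_safeguard": after,
            "net_benefit": net_benefit,
            "justified": net_benefit > 0,
        })
    # Largest magnitude of risk first: this is the spending priority.
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for row in assess(SCENARIOS):
        verdict = "justified" if row["justified"] else "not justified"
        print(f'{row["name"]:<24} ALE {row["ale"]:>9,.0f}  '
              f'net benefit {row["net_benefit"]:>9,.0f}  {verdict}')
```

    The data entry countermeasure shows the "how much to spend" point: it lowers the ALE but costs more per year than the loss it prevents.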

    Prioritize Risk Factors

    Personal safety risk
    Services risk
    Operational risk
    Revenue risk
    Liability risk
    Good will (societal) risk

    What Are External Risks?

    External risks are risks presented by factors outside the enterprise; these include risk present in natural disaster, labor strife, the possible failures of business partners, suppliers, public utilities, transportation, telecommunications, and other businesses.

    Loss of Lifelines

    What will we do if there is no power?

    No phone service?

    No Water?

    Government services?

    How will the public react?

    Develop Scenarios

    How bad will the big one be?

    Extended power, water, or telecom outages?
    Supply chain disruptions?
    Civil unrest?

    Develop various scenarios and pick which ones to plan for.

    Evaluating Alternatives

    Functionality - provides an acceptable level of service
    Practicality - is reasonable in terms of the time and resources needed to acquire, test, and implement the plan
    Cost benefit - cost is justified by the benefit to be derived from the plan

    LTU CISP Security 29

    The Steps in a BCP - 2

    Strategy Development (Alternative Selection)
      Management support
      Team structure
      Strategy selection
      Cost effective
      Workable

    Resources required for recovery

    Identify resources required for recovery and resumption.
    Resources: personnel, hardware, software, specialised equipment, facility/space and critical records
    Backing up and storing critical and vital business records in a safe and accessible location is a prerequisite.
    Risk assessment and BIA provide the foundation on which the organisation's BCP can rest.

    Crisis Management and Response Team Development

    Establishment of an appropriate administrative structure to deal with crisis management.
    Clear definition of the management structure, authority for decisions and responsibility for implementation.
    There should be a crisis management team to lead incident response.
    The team should comprise members of critical business processes, led by senior management.
    The crisis management team is supported by response teams.
    Response plans to address various aspects of potential crises

    The Steps in a BCP - 3

    Implementation (Plan Development)
      Specify resources needed for recovery
      Make necessary advance arrangements
      Mitigate exposures

    The Steps in a BCP - 3

    Risk Prevention/Mitigation
      Security - physical and information (access)
      Environmental controls
      Redundancy - backups/recoverability
        Journaling, mirroring, shadowing
        On-line/near-line/off-line
      Insurance
      Emergency response plans
      Procedures
      Training
      Risk management program

    Mitigation Strategies

    Cost-effective mitigation strategies should be employed to prevent or lessen the impact of potential crises.
    Securing equipment and tables by strapping them to the wall protects against earthquakes, sprinkler systems can lessen the risk of fire, and strong records management can mitigate the loss of key data.
    Resources required for the mitigation process should be identified.
    Systems and resources should be monitored continually as a part of the mitigation strategy.

    MTD

    Establish an estimate of the maximum tolerable downtime (MTD) for each business process.
    Determine how long a process can be non-functional before impacts become unacceptable
    Determine how soon a process should be restored (shortest allowable outage restored first)
    Identify alternate procedures to a process
    Evaluate costs of alternate procedures vs waiting for the system to be restored
    Determine the priorities and processes for recovery of critical business processes.
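
    An added example, not part of the original slides: the MTD steps applied to four processes, ordering recovery by shortest MTD and deciding for each whether to run the alternate procedure or wait for the system. The figures, the `Process` fields and the decision rule (an alternate is mandatory when the restore estimate exceeds the MTD, otherwise the cheaper option wins) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Process:
    name: str
    mtd_hours: int                    # maximum tolerable downtime
    restore_hours: int                # estimated time until the system is back
    outage_cost_per_hour: int         # loss while the process is not running
    alt_cost_per_hour: Optional[int]  # alternate procedure cost; None if none


# Constructed sample data; every figure is illustrative.
PROCESSES = [
    Process("Payroll", 72, 24, 200, 500),
    Process("Supply chain", 4, 12, 3_000, 800),
    Process("Manufacturing", 8, 16, 1_500, None),
    Process("Purchasing", 48, 12, 400, 150),
]

ALTERNATE = "run alternate procedure"
WAIT = "wait for restore"
GAP = "GAP: restore exceeds MTD, no alternate procedure"


def decide(p):
    """Choose between the alternate procedure and waiting for restoration."""
    if p.restore_hours > p.mtd_hours:
        # Waiting would pass the point where impact becomes unacceptable.
        return ALTERNATE if p.alt_cost_per_hour is not None else GAP
    if p.alt_cost_per_hour is None:
        return WAIT
    # Both options are tolerable: compare cost over the restore window.
    cost_waiting = p.outage_cost_per_hour * p.restore_hours
    cost_alternate = p.alt_cost_per_hour * p.restore_hours
    return ALTERNATE if cost_alternate < cost_waiting else WAIT


def recovery_plan(processes):
    """Shortest allowable outage is restored first."""
    ordered = sorted(processes, key=lambda p: p.mtd_hours)
    return [(p.name, p.mtd_hours, decide(p)) for p in ordered]


if __name__ == "__main__":
    for name, mtd, action in recovery_plan(PROCESSES):
        print(f"{name:<14} MTD {mtd:>3} h  {action}")
```

    A GAP row is the planning finding: either an alternate procedure has to be identified for that process or its restore time has to be brought under the MTD.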

    The Steps in a BCP - 3

    Decision Making
      Cost effectiveness
      Total cost
      Human intervention requirements
        Manual functions are weakest
      Overrides and defaults
        Shutdown capability
        Default to no access
      Design openness
      Least privilege
      Minimum information
      Visible safeguards
      Entrapment
        Selected vulnerabilities made attractive


    The Steps in a BCP - 3

    Decision Making
      Universality
      Compartmentalization, defense in depth
      Isolation
      Completeness
      Instrumentation
      Independence of controller and subject
      Acceptance
      Sustainability
      Auditability
      Accountability
      Recovery


    Remedial Measures

    Alter environment
    Erect barriers
    Improve procedures
    Early detection
    Contingency plans
    Risk assignment (insurance)
    Agreements
    Stockpiling
    Risk acceptance


    Remedial Measures

    Fire - detection, suppression
    Water - detection, equipment covers, positioning
    Electrical - UPS, generators
    Environmental
    Good housekeeping
    Backup procedures
    Emergency response procedures


    The Steps in a BCP - 3

    Plan Development
      Specify resources needed for recovery
      Team-based
      Recovery plans
      Mitigation steps
      Testing plans
      Prepared by those who will carry them out

    Review External Dependencies






    Clients/Customers



    Infrastructure Dependence (power, telecom, etc.)

    System Up Time (computing, data,networks, etc.)

    Contact Information

    Contact information of the crisis management team and response team should be maintained.
    Information should be updated regularly.
    Compliance audits should be conducted to enforce BCP policies.
    Policy violations should be highlighted and corrective actions taken.

    Monitoring Systems and Resources

    Resources include

    Emergency equipment

    Fire alarms and suppression systems

    Local resources and vendors

    Alternate work sites

    System backups and offsite storage.

    Avoidance, Deterrence and Detection

    The BCP should address the specifics of potential crises and include overall deterrence and any precursors and warning signs, detection measures.

    Workplace violence

    Natural disasters

    Protests/riots

    Product or manufacture failure

    Hostile takeover



    Avoidance, Deterrence and Detection

    Employees should be appropriately motivated to feel personally responsible for avoidance, deterrence and detection.

    Facilities enhancing avoidance

    Architectural: natural or manmade barriers
    Operational: security officers check posts, employee awareness programmes, surveillance and counter intelligence
    Technological: intrusion detection, access control, CCTV, package and baggage screening.

    Potential Crisis Recognition

    If a potential crisis exists, the organization should be able to recognize when specific dangers occur.
    Identification of danger signals coupled with the likelihood of an event is indicative of an imminent crisis.

    Unusual changes in sales volume

    Legislative changes

    Corporate policy changes

    Changes to competitive environment

    Changes to supply based environment

    Warning of natural disasters

    Potential Crisis Recognition

    Identification of danger signals coupled with the likelihood of an event is indicative of an imminent crisis.

    Cash flow changes

    Potential for civil or political instability

    Hostile labor negotiations


    Report Potential crisis

    Certain departments and functions are well placed to observe warning signs of an imminent crisis. Personnel assigned to these functions should be trained appropriately.

    A crisis should be communicated to all employees.

    A potential crisis, once recognized, should be immediately reported.

    Parameters for notification criteria should be established, documented and adhered to by all employees.

    Report Potential crisis

    Qualified personnel should have ready access to the updated, confidential listings of persons and organizations to be contacted when certain conditions or parameters of a potential crisis are met.

    Types of Notification

    Notifications in a crisis situation should be timely and clear and should use a variety of procedures and technologies.

    Sometimes notification systems are also impacted by the disaster thus redundancies built into the notification

    Assessment of the situation: size of the problem, potential for escalation, possible impact of the situation.

    Declare a Crisis

    The point at which a situation is declared a crisis should be clearly defined, documented and fit very specific and controlled parameters.

    Activities that declaring a crisis will trigger

    Evacuation, shelter and relocation

    Safety protocol

    Response site and alternate site activation

    Team deployment

    Operational Changes

    Execute the Plan

    The BCP should be developed around the worst case scenario; the response can be scaled up to match the actual crisis.

    Goals should protect the following interests

    Save lives and reduce chances of further injuries and deaths

    Protect assets

    Restore critical business processes and systems

    Reduce downtime

    Protect against reputation damage

    Control media coverage

    Maintain customer relations


    Communications

    Effective communication is one of the most important ingredients in crisis management.

    Identify the Audience

    Internal and external audiences should be identified to convey the crisis and the organizational response. It is often appropriate to segment the audiences. Messages tailored specifically for a group can be released.

    Internal Audience

    Employees and their families

    Business owners and Partners

    Board of Directors


    Communications

    External Audience

    Present and potential customers/clients

    Contractors and vendors

    Govt and regulatory agencies

    Local law enforcement

    Investors and shareholders

    Surrounding communities

    Emergency responders

    Communications With Audience

    Communications should be timely and honest

    An audience should hear the news from the organization

    Should provide objective and subjective assessment

    All employees should be informed at the same time

    Give bad news all at once - do not sugar coat it

    Provide regular updates

    Communications - face to face meetings, news conference, voice mail, company intranet and internet sites, toll free hotline, special newsletter, local and national newspaper

    Communications With Audience

    Official Spokesman: The company should designate a single primary spokesperson. This person should be trained in media relations prior to a crisis. All information should be funneled through a single source to assure that the messages being delivered are consistent.

    Resource Management:

    How human resources are managed will decide the success or failure of crisis management

    Accounting for All Individuals: A system should be devised by which all personnel can be accounted for quickly after the onset of a crisis.

    Accurate contact information should be maintained and updated

    Notification of next of kin by a senior manager in case of injury or fatality

    Resource Management

    Family Representatives: Family representative program in case of injuries and fatality. The family representative should be someone other than the person who performed the notification. Link between the organization and the employee's family.

    Financial Support: During the crisis there may be financial implications for the organization and the families of the employees. Implications may include financial support to victims' families.

    Payroll: Should be functional throughout the crisis.


    Logistics

    Logistical decisions made in advance will impact the success or failure of a good BCP.

    Crisis Management Centre: Should be identified in advance. This is the initial site used by the crisis management team and response team for directing and overseeing crisis management activities.

    It should have an uninterruptible power supply, computer communication, heating and ventilating system and other support systems. Emergency supplies should be identified and kept in the centre.

    An access control system should be implemented, with the members of the team given 24x7 access.

    A secondary crisis management centre should be identified in the event that the primary centre is impacted by the crisis.


    Logistics

    Alternate Worksite: The organization should have an alternate worksite identified for business recovery and resumption.

    Offsite Storage: Allows rapid crisis response and business recovery. Critical documents and information are stored. Sufficient distance from the primary facility.

    Financial and Insurance Issues: Existing funding and insurance policies should be examined; additional funding and insurance coverage should be identified and obtained.

    The amount of funds required for continuity of operations should be identified.

    Some cash and credit should be available for weekends and after office hours.

    Insurance providers should be contacted as soon as possible.


    Logistics

    Transportation at the time of a crisis may be a challenge

    Evacuation of personnel

    Transportation to an alternate site

    Supplies to an alternate site

    Transportation of critical data to an alternate site

    Transportation of staff with special needs

    Suppliers/Service Providers: Critical vendor or service provider agreements should be established and contact information maintained. Evaluate their ability to provide necessary supplies and services in the case of a far-reaching crisis.

    Mutual Aid Agreements

    Identify resources that may be borrowed from other organizations during a crisis, as well as mutual support that may be shared with other organizations.

    Damage and Impact Assessment: Once the crisis management team is activated, damage should be assessed. All incidents should be recorded and documented, including the response actions.

    Crisis Involving Physical Damage: The crisis management team should be mobilized at the site. Entry approval by the public safety authority. Make a preliminary assessment of the extent of damage and the likely length of time that the facility will be unusable.


    Recovery

    Once the extent of damage is known, process recovery should be prioritized and a schedule for resumption determined and documented.

    Resumption of critical processes

    Resumption of other processes

    Return to normal operations - return to pre-crisis normal/new normal

    Organization springs back to productive work

    Crisis may be officially declared over


    Implementing plan

    The BCP is a living, evolutionary document that grows and changes with the organization and remains relevant and actionable.

    Educate and train - only as valuable as the knowledge that others have of it. Time commitment from all stakeholders

    The crisis management team and response teams are to be trained at least annually, new members when they join. Responsibilities, accountabilities and authority should be clearly defined. Educate and train all personnel.

    Test the BCP

    Plan Testing
      Proves feasibility of recovery process
      Verifies compatibility of backup facilities
      Ensures adequacy of team procedures
      Identifies deficiencies in procedures
      Trains team members
      Provides mechanism for maintaining/updating the plan
      Upper management comfort

    The Steps in a BCP - Finally

    Plan Testing
      Checklist
      Structured walkthroughs
      Live exercises/simulations
      Periodic off-site recovery tests/parallel
      Full interruption drills

    Test Monitoring

    Assign observers to take notes during the test. Video tape/audio recording can be done. Assign someone to document events chronologically.

    Testing scenarios should be designed using the events identified in the risk assessment.

    Participants should understand their individual roles and should be allowed to interact freely.

    After completion of the exercise/test it should be critically evaluated: effectiveness of the test, desired level of goals attained.

    Develop BCP Review Schedule

    The BCP should be reviewed and evaluated according to the predetermined schedule.

    Reviewed every time a risk assessment is carried out.

    Major trends in the sector or industry or any initiative taken should initiate a review.

    New regulatory requirement

    Test and exercise results.


