The Disaster Center Bookstore
Disaster Center Bookstore-a service of Rothstein Associates
Business Continuity, Disaster Recovery
Business Continuity Planning Methodology
![[Item Image]](it040018.jpg)
by Akhtar Syed, Ph.D., CISSP and Afsar Syed, BMath., ABCP. 2004, 315 pages.
CD730
$145.00
“An easy to follow step-by-step guide to help you implement a business continuity program, and develop, test, and maintain a business continuity plan.
“Detailed analysis and steps for conducting a business impact analysis, managing risks, and developing a continuity strategy.
“Based on industry standards, guidelines, and best practices such as ISO/IEC 17799, NFPA 1600, CobiT, and DRII.
“An in-depth step-by-step guide to help you develop, test, and maintain your business continuity plan.
“The business continuity planning process consists of six key stages:
- risk management;
- business impact analysis;
- business continuity strategy development;
- business continuity plan development;
- business continuity plan testing; and,
- business continuity plan maintenance.
“Although there are many publications that explain business continuity planning, very few provide detailed methods on how to implement it; even fewer cover implementation of all six stages.
“Business Continuity Planning Methodology is a single, comprehensive, text that explains the principles of business continuity planning and presents an easy to follow step-by-step methodology to implement its six stages. The methodology considers protection of mission critical business processes, resources, and services. It focuses on key resources such as IT systems and infrastructure, manufacturing and production equipment and products, facilities, work areas, vital records, and critical data. The methodology is consistent with business continuity industry standards, guidelines, and best practices such as ISO/IEC 17799, NFPA 1600, COBIT, and DRI International.”
- - - - - -
CONTENTS
“This book gives readers the skills to manage risks, conduct a business impact analysis, develop a business continuity strategy, and develop, test, and maintain a business continuity plan. The main body of the book contains chapters structured according to the six business continuity planning stages:
RISK MANAGEMENT
“This chapter introduces the key concepts of risk management and describes a framework for managing risks to business continuity. The framework includes steps for risk assessment, risk control options analysis, risk control implementation, risk control decision, and risk reporting. The chapter explains the concepts and implementation of these steps through examples of business continuity risk.
BUSINESS IMPACT ANALYSIS
“This chapter describes the steps for conducting a Business Impact Analysis (BIA) and explains the implementation of these steps through an example BIA scenario. The BIA steps include assessment of financial and operational impacts, identification of mission critical business functions and processes, identification of critical IT systems and applications, and determination of recovery requirements. Topics in this chapter include comparison of BIA and risk management; BIA benefits and responsibilities; methods of conducting a BIA; disaster-to-recovery time line and events; elements of the BIA such as Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), Recovery Point Objective (RPO), Work Backlog, and Data Loss; summarized findings; and BIA report content.
BUSINESS CONTINUITY STRATEGY DEVELOPMENT
“The business continuity strategy development framework presented in this chapter is designed to help the reader determine the best strategy that will enable a timely and cost effective recovery from a potential business disruption. It describes the steps to identify recovery requirements and options, conduct a cost-benefit assessment, and identify and select the most viable recovery options. This chapter also discusses general considerations for developing a business continuity strategy, and provides recommendations for recovery contracts and service level agreements.
BUSINESS CONTINUITY PLAN DEVELOPMENT
“This chapter is a guide for developing an effective business continuity plan based on the results of the preceding stages. It explains the detailed structure and content for an effective plan and covers the key plan execution phases: initial response and notification, problem assessment and escalation, disaster declaration, plan implementation logistics, recovery and resumption, and restoration. Numerous examples of plan activities, procedures, and tasks help to explain the content required in the plan. This chapter also addresses the requirements for an emergency response plan and crisis communication plan.
BUSINESS CONTINUITY PLAN TESTING
“This chapter introduces the key concepts of business continuity plan testing and provides a framework for developing an effective test plan. The topics include test objectives, test benefits, test methods, test scenarios, test evaluation criteria, and test budget. The framework then explains the sequence of test plan development steps and addresses various issues and concerns that influence the test plan, such as test constraints, strategy, logistics, and risks.
BUSINESS CONTINUITY PLAN MAINTENANCE
“The focus of this chapter is on maintaining the business continuity plan in a constant ready-state. It describes activities needed to ensure that the business continuity plan always remains accurate, current, and complete. Topics covered in this chapter include business continuity plan change management, plan testing, training, and audit.
“This book also contains the following appendices: a summary of deliverables resulting from the six stages of the business continuity planning process; summary of business continuity standard guidelines and best practices; business continuity resource information; and a glossary of business continuity terminology.”
- - - - - -
WHO SHOULD READ THIS BOOK?
“This comprehensive text is an excellent resource for those who develop business continuity plans, manage business continuity projects, or want to learn about the subject of BCP. It is a valuable reference for people seeking certifications such as CISSP (Certified Information Systems Security Professional) or CBCP (Certified Business Continuity Professional).”
- - - - - - -
EXCERPT FROM THE INTRODUCTION
Disasters can strike quickly and without warning. Webster’s dictionary defines disaster as: “a calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship, as a flood, airplane crash, or business failure” [1].
“Floods, earthquakes, tornadoes, and hurricanes are examples of major calamitous events.
“Businesses are vulnerable to the impact of not only major calamities but also minor business disruptions. Factors such as increased dependency on technology and “speed to market” pressures have made businesses sensitive to even minor disruptions. Some examples of minor disruptive events are power outages, information technology (IT) system failures, manufacturing equipment failures, hazardous material contamination, voice and data communication failure, and computer viruses.
“Over the past decade, the risks of natural disasters, technical and accidental failures, and malicious activities have increased the possibility of business disruptions. In spite of increased risks, studies show that many businesses have remained complacent. According to Gartner, “… many enterprises that experience a disaster never recover. Gartner estimates that two out of five enterprises that experience a disaster go out of business within five years.” These findings reflect the failure of businesses to invest in adequate disaster planning and preparations.
“Serious consequences of business disruptions can be avoided through business continuity planning (BCP). BCP is a discipline that prepares an organization to maintain continuity of business during a disaster through an implementation of a business continuity plan. A business continuity plan is a document that contains procedures and guidelines to help recover and restore disrupted processes and resources to normal operational status within an acceptable time frame.
“This book explains the concept of BCP with a specific emphasis on the process and methodology for developing, maintaining, and implementing a business continuity plan.
“The methodology considers people, business processes, and resources as essential elements of a business continuity plan. A business continuity plan cannot function effectively without the collective efforts of the people assigned to various roles and responsibilities defined in the plan. Continuity of business cannot be maintained without the continuous support of critical business processes—tasks and operations performed by business units or functions—and various resources required by these processes.”
- - - - - - -
TABLE OF CONTENTS
PREFACE
CHAPTER 1 INTRODUCTION
1.1 Chapter Overview
1.2 Reasons for BCP
1.3 BCP and Other Planning Approaches
1.4 Business Continuity Planning Concept
1.5 BCP Process: Best Practices and Industry Guidelines
1.6 Key Deliverables of the BCP Process
1.7 Roadmap to this Book
Appendix 1A: BCP Related Rules and Regulations
CHAPTER 2 RISK MANAGEMENT
2.1 Chapter Overview
2.2 Risk Concepts
2.3 Risk Management Framework
Appendix 2A: Risk Assessment Data Collection Process
CHAPTER 3 BUSINESS IMPACT ANALYSIS
3.1 Chapter Overview
3.2 Risk Management and BIA
3.3 BIA Benefits
3.4 Who should be involved in a BIA?
3.5 Methods for Gathering BIA Information
3.6 Recovery Time Requirements
3.7 BIA’s Functional Overview
3.8 BIA Process
3.9 BIA Report
CHAPTER 4 BUSINESS CONTINUITY STRATEGY DEVELOPMENT
4.1 Chapter Overview
4.2 A Framework for BC Strategy Development
4.3 General Recovery Strategy Considerations
4.4 Recovery Contracts and Service Level Agreements
Appendix 4A: Examples of Availability Time Concerns for Recovery Options
CHAPTER 5 BUSINESS CONTINUITY PLAN DEVELOPMENT
5.1 Chapter Overview
5.2 Business Continuity Plan Outline
5.3 Objective and Scope
5.4 Definition of a Disaster
5.5 Risk Management Summary
5.6 Business Impact Analysis Summary
5.7 Business Continuity Strategy Summary
5.8 Business Continuity Teams
5.9 Contact Information
5.10 Activities for BC Plan Execution Phases
5.11 Mapping Resources to BC Plan Execution Phases, Activities, Procedures, and Tasks
5.12 Assigning Activities, Procedures, and Tasks
5.13 BC Plan Change Control
5.14 BC Plan Appendices
Appendix 5A: Emergency Response Plan Requirements
Appendix 5B: Crisis Communication Plan Requirements
Appendix 5C: Critical Data and Critical/Vital Record Off-site Storage Requirements
CHAPTER 6 BUSINESS CONTINUITY PLAN TESTING
6.0 Chapter Overview
6.1 Objective of BC Plan Testing Stage
6.2 BC Plan Testing Benefits
6.3 Test Methods
6.4 BC Test Plan Document
6.5 A Framework for BC Test Plan Development
CHAPTER 7 BUSINESS CONTINUITY PLAN MAINTENANCE
7.1 Chapter Overview
7.2 BC Plan Change Management Process
7.3 Business Continuity Plan Testing
7.4 Business Continuity Training
7.5 Business Continuity Audits
7.6 Suggestions for BC Plan Maintenance
CHAPTER 8 BCP PROCESS: REPORTS AND DOCUMENTS SUMMARY
8.1 Stage 1: Risk Management
8.2 Stage 2: Business Impact Analysis
8.3 Stage 3: Business Continuity Strategy Development
8.4 Stage 4: Business Continuity Plan Development
8.5 Stage 5: Business Continuity Plan Testing
8.6 Stage 6: Business Continuity Plan Maintenance
APPENDIX A: BCP STANDARDS, GUIDELINES, AND BEST PRACTICES
APPENDIX B: BUSINESS CONTINUITY RESOURCE INFORMATION
GLOSSARY OF BCP TERMS AND ABBREVIATIONS
REFERENCES
ABOUT THE AUTHORS
INDEX
- - - - - - -
ABOUT THE AUTHORS
DR. AKHTAR SYED, PH.D., CISSP
“Dr. Syed has extensive training and consulting experience in the field of Business Continuity Planning (BCP). As a consultant and trainer, he has assisted numerous organizations with BCP training, business impact analysis, continuity strategy assessment, and business continuity plan development and testing. He has also worked with IBM Global Services as a senior business continuity consultant, helping businesses with alternate disaster recovery facility solutions.
“Dr. Syed holds a doctorate degree in systems design engineering, masters degree in the field of data communication services, and a bachelors degree in computer science. He is also a Certified Information Systems Security Professional (CISSP).”
AFSAR SYED, BMATH., ABCP
“Afsar is a senior business continuity consultant, and has over 15 years of progressive business and technical experience in telecommunications, wireless and wireline data networking, voice over IP services, Internet security, database systems, computer programming, and product and project management. He possesses a bachelor of mathematics degree in computer science and is an Associate Business Continuity Professional (ABCP).”
- - - - - -
2004, 315 pages. Order #DR730.
- - - - - -
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401