5 STEPS TO AN EFFECTIVE BUSINESS CONTINUITY PLAN

Introduction

The Snowpocalypse of 2015 brought one winter storm after another, paralyzing the eastern half of the United States. It knocked out power for days and weeks at a time, sorely testing the resiliency of companies of all sizes. In all, the financial damage topped $15 billion.

Barely two years before, Superstorm Sandy hammered New Jersey and New York with gale-force winds and massive ocean surges instead of ice and snow drifts, flooding thousands of businesses and even more thousands of homes. It even silenced the mighty Stock Exchange on Wall Street for nearly a week.

Sounds like real life, playing out the catastrophes predicted in the movie 2012, doesn't it? Disasters like this happen all the time: a hurricane, an earthquake or a wildfire. With our growing reliance on IT systems and data, business disasters can unfold like a thriller, until you realize that this isn't some kind of made-for-TV movie or New York Times best seller.

But disrupting your business doesn't require a natural disaster or even a cyber attack. These days it's just as likely to be a sudden power loss or a failed software upgrade. (For example, July 2015 saw a computer glitch halt flights at United Airlines for two hours before it was corrected. The resulting ripple affected 4900 flights worldwide and cost millions.)

Regardless of the cause, business disruptions happen. Big or small, when they happen to you, the result can be catastrophic to your bottom line. When companies are hit by disasters, natural or man-made, their physical facilities can be damaged and sustain huge physical losses. However, the potential operations losses can cost even more. Recovering the infrastructure, systems and data to restore operations could take months, if it's even possible, putting their entire business at risk. In some cases, data losses can even lead to additional lawsuits and litigation fees.

As for Wall Street, a decade earlier an even worse disaster had forced the NYSE to upgrade and harden its infrastructure. But what would have happened to our financial system if they hadn't? And even though United Airlines suffered only a two-hour outage, look how much damage occurred because it could not switch over instantly to a safe mode.

Your company doesn't have to be a financial clearing house or a major airline to be at risk. Restoring your network, your systems, and your applications rapidly and without loss of data is critical for resuming normal operations.

What is a Business Continuity Plan?

What exactly is a business continuity plan (BCP)? A business continuity plan is a set of documented procedures to continue operations if a place of business is affected by different levels of disaster. The disaster can be short or long term, can be localized to a single office or multiple facilities, and can be centered on physical or information assets.

While a disaster recovery plan (DRP) tends to focus on a company's physical assets, a business continuity plan covers both physical and information assets. The ultimate goal of a BCP, then, is resiliency: allowing your business to maintain and resume normal operations with minimal impact to customers, employees and revenue.

So, do you need a BCP?

In reality, there's no longer a question of if your company needs a recovery plan, but rather how extensive the plan should be. It's not just about backing up your desktop computers anymore. If you have more than a handful of employees, you've got several servers, either on-site or in the cloud. You've also got desktops and databases and applications for corporate email, customer relationship management (CRM), HR, payroll, and web presence, as well as the network infrastructure itself. All have to be highly available, possibly 24/7. And all of them are vulnerable to a disaster, hackers, even a simple failure.

How long can your company operate with the interruption of one or all of these systems? If you'd find yourself or your customers crippled in such a case, you need a comprehensive plan to restore your operations, data flow and revenue streams.

Five Steps to an Effective Business Continuity Plan

If your company doesn't have data recovery in its business continuity plan, or you fear the plans are no longer adequate to protect you in the event of a disaster, here are five steps that will put you on the right path.

1. Create a Business Continuity Contingency Statement
2. Conduct a Business Impact Analysis (BIA)
3. Identify and Implement Control Measures
4. Create and Document Recovery Plans
5. Implement Plan Testing, Training, Metrics and Maintenance

Step #1: Create a Business Continuity Contingency Statement

So what is a Business Continuity Contingency Statement? It's a formalized policy that authorizes development and implementation of a BCP. It acknowledges, from an executive level, the necessity of a business continuity plan to the company's survival. It also commits resources, time and budget to that effort.

Does this statement authorize a short-term project to develop a BCP? Absolutely not. Achieving business continuity is not a static, one-time effort. Information Technology assets are constantly changing and evolving. Even a software update changes the dynamics of many companies' IT systems. To address this constant change, the BCP's structure has to be flexible and adaptable; it has to be a living document. Therefore, developing and maintaining a BCP requires an ongoing commitment of time, resources and budget.

IT is not a standalone island of company information, either. When you're developing a BCP, it's important to understand the various departments involved and how they mesh together. The BC team, therefore, must have members from departments across the company, not just one or two from IT.

This team is responsible for:

- Determining the scope of the plan
- Identifying internal and external elements and assets
- Choosing third-party vendors and systems
- Briefing senior management on the progress of the plan
- Assembling documentation necessary to develop a relevant BCP
- Compiling network diagrams
- Reviewing systems documentation
- Documenting equipment configurations
- Identifying the following:
  - What are the serious threats to the infrastructure, both natural and man-made? This could include power and system failures, cyber attacks, human error, fire, earthquakes, etc.
  - What are the most serious vulnerabilities?
  - What is the history of any previous disruptions?
- Prioritizing the most critical areas that must get back up and running first.

Remember that the plan should be flexible to deal with constant technology changes.

But creating a BCP should never be a case of "The Blob That Ate Your Company." When you're creating the plan, keep in mind the scope of the work. Create a timeline with several time-boxed phases to prevent endless iterations. This will allow the BCP team to track its own progress, will prevent analysis paralysis and will keep senior management informed.

After completing the information gathering process, the team should be able to compile and document its findings. It will then work with senior management to create and refine the business continuity plan.

Step #2: Conduct a Business Impact Analysis (BIA)

After the BCP team has gathered the relevant information, it's time to create a Business Impact Analysis (BIA). The BIA is used to determine how the identified risks will affect the company's business operations, should they occur. When an incident causes a negative impact to operations, the consequences could be disastrous.

A BIA identifies critical business functions and processes, potential threats to those functions and potential costs associated with the threats. Then the BC team uses this information to prioritize the order in which systems and data must be restored. In this process, you'll need to do the following assessments:

- Business assessment: Identify functions and processes required to operate at both normal and acceptable levels. Rank the functions by their impact to servicing the customer, internal operations and revenue impact.
- Risk assessment: Next, identify and document threat scenarios that can cause business disruption. Categorize each of these by type and likelihood.
- Cost assessment: For each function, quantify the cost and/or loss of revenue an interruption would bring, if possible. This will be easy for some functions, difficult for others. Knowing these costs is especially important when it's time to seek budget for resources, tools and vendor services to put your BCP into effect.
- Priority assessment: By now, you have the information to rank the business functions and supporting systems by operational criticality, the probability of various threats, and the potential costs should they be interrupted. Those with the highest likelihood and cost should have the highest priority in the BCP.

When completing these assessments and compiling your findings, it might be helpful to create a risk/impact probability chart to help you determine which risks to prioritize and deal with immediately. Items in the critical risk corner are the most probable and highest impact, and should therefore be addressed first. The items in the low-level risk corner are less of a concern. With a BIA, you'll know what to address and when.

[Figure: risk chart plotting probability of occurrence against impact]

Step #3: Implement Control Measures

Within the business continuity plan, one of the most important areas is identifying control measures and eliminating threats. What are control measures? Control measures are steps you can take to avoid or reduce the impact of threats to company infrastructure and information. There are three different kinds of control measures you can implement:

1. Detective measures. Detective measures are controls that will detect and discover events.
2. Preventative measures. A preventative measure will help prevent an incident from occurring.
3. Corrective measures. A corrective measure will rectify or restore a network or system after an incident has occurred.

The first two kinds are most often preventative in nature, while the third, corrective measures, defines how you deal with a disruption after it happens.

Prevention: Mitigating the Risk

Mitigating risk means identifying control measures to avoid or eliminate threats before they cause disruption. Internal threats can often be contained using control measures. For example, employees often use company computers to surf to any Internet site they choose. Unrestricted surfing opens up the company servers to potential viruses, Trojan horses and other dangerous malware.

Taking action: Creating contingency plans

Whether it's Mother Nature or the local power company, outside entities don't ask permission before they interrupt your business. Control measures for dealing with large-scale disruptions are called contingency plans. Preventative contingency plans include methods to back up, synchronize or mirror one or more systems, applications or servers to alternate storage. Reactive contingency plans are activated after a disruption occurs.

Control measures go way beyond just backing up your company's data. They create safe restoration points for all components of your infrastructure, so you can ensure availability no matter what.

Step #4: Create and Document Recovery Plans

You've documented your critical business functions and processes, identified the risks and costs of each threat, and put control measures in place. Now, what do you do when worse comes to worst, and an actual disruption occurs?

IT may have all the systems backed up, mirrored and on standby, but IT's contingency plans do not stand on their own. Each department in your company needs a detailed recovery strategy. There have to be well-documented plans to utilize these contingencies in the right order, for short and medium term outages, as well as for catastrophic failures or disasters.

Using the BIA and the control measures from previous steps, you can now construct the recovery plans for each system and function.

1. Order the recovery by priority of business functions.
2. Within each function, document the critical departments and job functions within each department that are crucial to the company's ability to serve its customers.
3. For each department, document a list of well-defined recovery tasks in the order they need to be restored.
4. List all IT systems contingency plans associated with that function, as well as any external dependencies.

By now you can see how critical the Business Impact Analysis and Control Measures steps are. The information gathered in those steps allows you to document the recovery of each function, by each department and each system, in the order of priority required for the business to survive the event. And each can be recovered individually, or as part of a larger need.

Many companies choose to outsource their data recovery to a managed services provider (MSP) that specializes in data protection and recovery. An MSP can be an expert, cost-effective way to handle your data backup and recovery. They can also be a valuable resource in creating the IT portion of your BCP.

Focus on business, not IT headaches. We can help!

Step #5: Implement Plan Testing, Training, Metrics and Maintenance

If you spend the time, money and energy to visit the doctor when you're sick, would you disregard his advice and let your prescriptions sit on your shelf, unused? Some people would, probably the same ones who would gamble with their company's information assets. Just like your health, it's important to treat a continuity strategy as a vital, flexible and ongoing plan.

Each individual recovery plan should be tested regularly. With today's elastic and highly available cloud infrastructures, virtual servers are cost-effective stand-ins for production systems or for entire infrastructures. These can be used to stage and test the data and systems backups. If full recovery tests are not possible, at minimum the integrity of the backup media should be tested. In either situation, the goal is the same: to ensure the virtual servers and data are safe and available when you need to activate them.

The success of your business continuity plan doesn't just depend on IT, nor on management and the BCP teams. It's important for each employee to understand their own responsibilities in the recovery strategy. Involving and training all your employees in the recovery plans will ensure they know what to do when a business disruption occurs.

Finally, continuity requires attention to change. Technology changes. Business needs change. Processes and their owners change. Set a regular and mandatory schedule for the BC / DR management team to review the priorities of each department. This should not be an optional meeting; it's important to your business's survival.

Wrap Up

You can't keep a disaster from coming around, but you can ensure that your business keeps running and your data is protected when it does. By following these five steps to an effective business continuity plan, you'll be ready when the time comes.

Here at Paranet, we firmly believe that IT should be focused on your business, not the other way around. Disasters can strike at any time, but that doesn't mean your team should divert time, money, and effort away from critical business processes to worry about a possible outage. An effective BCP can help your team align your technology with your business goals and ensure readiness when a disruptive event happens. This way, your company can return to business as usual without missing a beat.

Have comments, questions, or feedback? Just let us know!

GET STARTED ON YOUR BUSINESS CONTINUITY PLAN TODAY!

Paranet Headquarters
5001 Spring Valley Road, Suite 1050-W
Dallas, TX 75244
Phone: 888.692.4942
Fax: 214.623.5300
Support: 214.623.5200