Business Continuity Planning Questions with solutions 2023
Business Continuity Planning (BCP)

BCP is undertaken to reduce the risks related to the onset of disasters and other disruptive events. BCP activities identify risks and mitigate them through changes or enhancements in technology or business processes, so that the impact of disasters is reduced and the time to recovery is lessened. The goal is to improve the chances that the organization will survive a disaster without incurring costly or even fatal damage to its most critical activities. The activities for BCP development scale to organizations of any size.

The elements of the BCP process life cycle are:
- Develop BCP policy
- Conduct business impact analysis
- Perform criticality analysis
- Establish recovery targets
- Develop recovery and continuity strategies and plans
- Test recovery and continuity plans and procedures
- Train personnel
- Maintain strategies, plans, and procedures through periodic reviews and updates

BCP Policy
- Include or cite specific controls that ensure that key activities in the BCP life cycle are performed appropriately
- Define the scope of the BCP strategy: the specific business processes that are included in the BCP effort must be defined

BCP (Cont'd)
- Develop an IT continuity framework
- Conduct business impact analysis and risk assessment
- Develop and maintain IT continuity plans
- Identify and categorize IT resources based on recovery objectives
- Define and execute change control procedures to ensure the IT continuity plan is current
- Regularly test the IT continuity plan
- Develop a follow-up action plan from test results
- Plan and conduct IT continuity training
- Plan IT services recovery and resumption
- Plan and implement backup storage and protection
- Establish procedures for conducting post-resumption reviews

Business Impact Analysis
Identify the impact that different scenarios will have on ongoing business operations. This is a critical, detailed analysis that is carried out before the development of continuity or recovery plans and procedures.

Inventory key processes and systems
- Establish a detailed list of all identifiable processes and systems
- Develop a questionnaire/intake form that is circulated to key personnel in end-user departments and also within IT
- Typically, the information gathered on intake forms is transferred to a multi-columned spreadsheet, so that information on all of the organization's in-scope processes can be viewed together

Business Impact Analysis (Cont'd)
Statements of impact
- A qualitative/quantitative description of the impact if the process or system were incapacitated for a time
- Captures the number of users and the names of the departments/functions that are affected by the unavailability of a specific IT system
- Includes the geography of affected users and functions
- Examples:
  - Three thousand users in France and Italy will be unable to access customer records
  - All users in North America will be unable to read or send email
- Cites the business processes that would be affected. Examples:
  - Accounts payable and accounts receivable functions will be unable to process
  - The legal department will be unable to access contracts and addendums
- For revenue-generating and revenue-supporting business processes, quantifies the financial impact per unit of time. Examples:
  - Inability to place orders for appliances will cost at the rate of $1200 per hour
  - Delays in payments will cost $45,000 per day in interest charges

The BIA captures the following information for each system or process:
- Name of the system or process
- Who is responsible for it
- A description of its function
- Dependencies on systems
- Dependencies on suppliers
- Dependencies on key employees
- Quantified statements of impact in terms of revenue, users affected, and/or functions impacted

Criticality analysis
A study of each system and process, considering:
- The impact on the organization if it is incapacitated
- The likelihood of incapacitation
- The estimated cost of mitigating the risk/impact of incapacitation

Criticality analysis includes reference to threat analysis:
- Risk analysis that identifies every threat that has a reasonable probability of occurrence
- Mitigating controls or compensating controls
- New probabilities of occurrence with those mitigating/compensating controls in place

The complexity of the threat and criticality analyses should be proportional to the value of the assets.

Establishing key recovery targets
The recovery time objective and recovery point objective determine:
- How quickly key systems and processes are made available after the onset of a disaster
- The maximum tolerable data loss that results from the disaster

- Recovery time objective (RTO): the maximum period that elapses from the onset of a disaster until the resumption of service
- Recovery point objective (RPO): the maximum data loss, measured back from the onset of a disaster

Developing continuity plans
The organization develops procedures to be performed when disaster strikes the primary operations center for those applications. These include all of the steps that must be taken so that the application continues operating in a warm site or hot site location. The sets of procedures that must be developed include:
- Personnel safety procedures
- Disaster declaration procedures
- Responsibilities
- Contact information
- Recovery procedures
- Continuing operations

Personnel safety procedures
- Ensuring that all personnel are familiar with evacuation and sheltering procedures
- Ensuring visitors know how to evacuate the premises and the location of sheltering areas
- Posting signs and placards indicating evacuation routes and gathering areas outside of the building
- Emergency lighting to aid in evacuation
- Fire extinguisher equipment
- The ability to communicate with public safety and law enforcement authorities
- Safety personnel who can assist in the evacuation of injured and disabled persons
- The ability to account for visitors and other non-employees
- Emergency shelter in extreme weather conditions
- Emergency food and drinking water
- Periodic tests to ensure that evacuation procedures will be adequate in the event of a real emergency

Disaster declaration procedure
Form a core team
- A core team of personnel familiar with the disaster declaration procedure and the actions to be taken once a disaster has been declared
- Consists of middle and upper managers who are familiar with operations, especially those that are critical

Declaration criteria
- Tangible criteria that a core team member can consult to guide them down the decision path:
  - Forced evacuation of a building containing/supporting critical operations that is likely to last for more than four hours
  - Any security incident that results in a critical IT system being incapacitated for more than four hours
  - Hardware, software, or network failures that result in a critical IT system being incapacitated/unavailable for more than four hours

Pulling the trigger
- When the disaster declaration criteria are met, the disaster should be declared
- A single core team member may declare the disaster
- Sometimes two or more core team members agree and declare the disaster together
- All core team members empowered to declare a disaster should have the procedure on hand at all times

Next steps
- Declaring a disaster triggers one or more response procedures

False alarms
- If a disaster has been declared and it is later found that the disaster has been averted, the disaster can simply be called off and declared to be over
- Response personnel can be contacted and told to cease response activities and return to normal activities

Responsibilities
- Emergency response: includes evacuation or sheltering of personnel, first aid, triage of injured persons, etc.
- Databases: responsible for building databases on recovery systems and for restoring/recovering data from backup media, replication volumes, or e-vaults onto recovery systems
- Data and records: responsible for access to and re-creation of electronic and paper business records; a business function that supports critical business processes and works with database management personnel and data entry personnel if required to re-key lost data
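As an added example (not part of the original notes), the RTO and RPO definitions under "Establishing key recovery targets" and the per-hour statements of impact from the BIA section can be checked against a recorded incident timeline. The backup times, onset and restoration times below are constructed; the $1200 per hour rate is the appliance-order figure quoted in the notes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class RecoveryTargets:
    rto: timedelta  # max time from disaster onset to resumption of service
    rpo: timedelta  # max tolerable data loss, measured back from onset

@dataclass
class IncidentTimeline:
    onset: datetime                       # moment the disaster struck
    service_restored: Optional[datetime]  # None while recovery is still running
    backups: List[datetime]               # completion times of successful backups

def data_loss(t: IncidentTimeline) -> Optional[timedelta]:
    """Actual loss = onset minus the last backup completed *before* onset.
    Backups that finished after onset cannot be used and are ignored."""
    usable = [b for b in t.backups if b <= t.onset]
    return (t.onset - max(usable)) if usable else None

def recovery_time(t: IncidentTimeline) -> Optional[timedelta]:
    """Recovery time actually achieved; None until service is restored."""
    return None if t.service_restored is None else t.service_restored - t.onset

def impact_cost(downtime: timedelta, rate_per_hour: float) -> float:
    """Financial impact from a BIA statement of impact quoted per hour."""
    return round(downtime.total_seconds() / 3600 * rate_per_hour, 2)

def evaluate(targets: RecoveryTargets, t: IncidentTimeline, rate_per_hour: float) -> dict:
    """Compare the timeline with the targets; unmet or unknown values fail."""
    loss, rt = data_loss(t), recovery_time(t)
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= targets.rpo,
        "recovery_time": rt,
        "rto_met": rt is not None and rt <= targets.rto,
        "cost": None if rt is None else impact_cost(rt, rate_per_hour),
    }

# Constructed sample: hourly backups, a failure at 02:30, service back at 05:15.
TARGETS = RecoveryTargets(rto=timedelta(hours=4), rpo=timedelta(hours=1))
SAMPLE = IncidentTimeline(
    onset=datetime(2023, 12, 19, 2, 30),
    service_restored=datetime(2023, 12, 19, 5, 15),
    backups=[datetime(2023, 12, 19, h, 0) for h in (0, 1, 2, 3)],  # 03:00 is post-onset
)
ORDER_RATE = 1200.0  # $/hour, the appliance-order example from the BIA section

if __name__ == "__main__":
    print(evaluate(TARGETS, SAMPLE, ORDER_RATE))
```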
Document information: uploaded on December 19, 2023; 9 pages; written in 2023/2024; type: exam (elaborations), containing questions and answers.