Saturday, 09 June 2018


Business continuity planning (or business continuity and resilience planning) is the process of creating a system of prevention and recovery to deal with potential threats to a company.

Any event that could negatively impact operations is included in the plan, such as supply chain disruption or loss of or damage to critical infrastructure (major machinery or computing/network resources). BCP is therefore a part of risk management. In the US, government entities refer to the process as continuity of operations planning (COOP). A business continuity plan outlines a range of disaster scenarios and the steps the business will take in each scenario to return to regular trading. BCPs are written ahead of time and may also include precautions to be put in place. Usually created with input from key staff and stakeholders, a BCP is a set of contingencies to minimize potential harm to the business during adverse scenarios.



Current standard

In December 2006, the British Standards Institution (BSI) released an independent standard for BCP, BS 25999-1. Prior to the introduction of BS 25999, BCP professionals relied on the BS 7799 information security standard, which addressed BCP only peripherally, as a means of improving an organization's information security procedures. The applicability of BS 25999 extends to all organizations. In 2007, BSI issued BS 25999-2 "Specification for Business Continuity Management", which specifies requirements to implement, operate and improve a documented business continuity management system (BCMS).

Business continuity management is standardized in the UK by British Standards (BS) through BS 25999-2:2007 and BS 25999-1:2006. BS 25999-2:2007 is the UK standard for business continuity management across all organizations, industries and sectors. The standard provides a best-practice framework for minimizing disruption during unexpected events that could bring a business to a halt. The document provides a practical plan to deal with most eventualities, from extreme weather conditions to terrorism, IT system failure, and staff sickness.

This document was replaced in July 2014 by the British standard BS EN ISO 22301:2014, the current standard for business continuity planning.

Civil Contingencies Act

In 2004, following crises in the preceding years, the British government passed the Civil Contingencies Act 2004 (the Act). It provides the legislation for civil protection in the UK: businesses must have continuity planning measures in order to survive and continue to thrive while working to keep the incident as minimal as possible.

The Act is divided into two parts. Part 1 focuses on local arrangements for civil protection, establishing a framework of roles and legal responsibilities for local responders. Part 2 focuses on emergency powers, establishing a modern framework for the use of special legislative measures that may be required to deal with the effects of the most serious emergencies.


Analysis

The analysis phase consists of impact analysis, threat analysis and impact scenarios.

Business impact analysis (BIA)

Business impact analysis (BIA) differentiates critical (urgent) from non-critical (non-urgent) organizational functions and activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if it is dictated by law. For each critical function (in scope), two values are then assigned:

  • Recovery Point Objective (RPO) - the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data?
  • Recovery Time Objective (RTO) - the acceptable amount of time to restore the function.

The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.

Next, the impact analysis results in the recovery requirements for each critical function. The recovery requirements consist of the following information:

  • Business requirements for recovery of the critical function, and/or
  • Technical requirements for recovery of the critical function

Threat and risk analysis (TRA)

After the recovery requirements have been defined, each potential threat may require unique recovery steps. Common threats include:

The impact of an epidemic can be regarded as purely human, and can be alleviated with technical and business solutions. However, if the people behind these plans are affected by the disease, the process can stumble.

During the 2002-2003 SARS outbreak, some organizations grouped staff into separate teams and rotated the teams between primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organizations also banned face-to-face contact during both business and non-business hours. This split increased resilience against the threat of quarantine measures if one person in a team was affected by the disease.

Impact scenario

After the applicable threats have been identified, impact scenarios are considered to support the development of a business recovery plan. Business continuity testing plans may document scenarios for each identified threat and impact scenario. More localized impact scenarios, such as the loss of a specific floor in a building, may also be documented. The BC plan should reflect the requirements to recover the business from the widest possible damage. The risk assessment should cater to developing impact scenarios that are applicable to the business or the premises it operates from. For example, it might not be logical to consider tsunamis in the Middle East region, since the likelihood of such a threat is negligible.

Recovery requirements

After the analysis phase, the business and technical recovery requirements precede the solution phase. Asset inventories allow rapid identification of scattered resources. For an office-based, IT-intensive business, the plan requirements may cover desks, human resources, applications, data, manual workarounds, computers and peripherals. Other business environments, such as production, distribution, warehousing, etc., must cover these elements but may have additional issues.

The robustness of an emergency management plan depends on how much money an organization or business can put into the plan. The organization must balance realistic feasibility against the need to prepare properly. In general, every $1 put into an emergency management plan will prevent $7 of loss.


Design solution

The solution design phase identifies the most cost-effective disaster recovery solution that meets the two main requirements from the impact analysis phase.

For IT purposes, this is commonly expressed as the minimum application and data requirements and the time in which the minimum application and application data must be available.

Outside the IT domain, the preservation of hard-copy information such as contracts, of skilled staff, and the restoration of technology embedded in a process plant should be considered. This phase overlaps with disaster recovery planning methodology. The solution phase determines:

  • the crisis management command structure
  • secondary work site
  • telecommunication architecture between main and secondary work sites
  • data replication methodology between main and secondary work sites
  • the apps and data required on the secondary work site
  • the physical data requirements on the secondary work site.


Implementation

The implementation phase involves policy changes, material acquisitions, staffing and testing.


Testing and organizational acceptance

The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations because of insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors. Testing may include:

  • Crisis command team test
  • Technical swing test from primary to secondary work location
  • Technical swing test from secondary to primary work location
  • Application test
  • Business process test

At a minimum, testing is done on a bi-annual schedule.

The 2008 book Exercising for Excellence, published by The British Standards Institution, identifies three types of exercises that can be used when testing a business continuity plan.

Tabletop exercise

Tabletop exercises typically involve a small number of people and concentrate on a specific aspect of a BCP. They can easily accommodate a complete team from a specific area of the business.

Another form involves a single representative from each of several teams. Typically, participants work through a simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered outside working hours.

The exercise takes only a few hours and is often split into two or three sessions, each concentrating on a different theme.

Medium exercise

Medium exercises are conducted within a "Virtual World" and bring together several departments, teams or disciplines. They typically concentrate on more than one aspect of the BCP, prompting interaction between teams. The scope of a medium exercise can range from a small number of teams from one organization co-located in one building to multiple teams operating across dispersed locations. The environment needs to be as realistic as is practicable, and team sizes should reflect a realistic situation. Realism may extend to simulated news broadcasts and websites.

A medium exercise typically lasts a few hours, though it can extend over several days. Such exercises usually involve "Scenario Cells" that add pre-prepared "surprises" during the exercise.

Complex exercise

A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This may include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.

Although start and stop times are agreed in advance, the actual duration may be unknown if events are allowed to run their course.


Maintenance

The biannual or annual maintenance cycle of the BCP manual is broken down into three periodic activities.

  • Confirmation of the information in the manual, roll-out to staff for awareness, and specific training for critical individuals.
  • Testing and verification of the technical solutions established for recovery operations.
  • Testing and verification of the organization's recovery procedures.

Issues found during the testing phase often must be reintroduced into the analysis phase.

Information/target

The BCP manual must evolve with the organization. Activating the call tree verifies the efficiency of the notification plan as well as the accuracy of contact data. Like most business procedures, business continuity planning has its own jargon. Organization-wide understanding of business continuity jargon is vital, and glossaries are available. The types of organizational change that should be identified and updated in the manual include:

  • Staffing
  • Client matters
  • Vendors/suppliers
  • Organizational structure changes
  • Company investment portfolio and mission statement
  • Communications and transportation infrastructure such as roads and bridges

Technical

Specific technical resources should be maintained. Checks include:

  • Virus definition distribution
  • Application security and distribution of service patches
  • Hardware operation
  • Operation of the app
  • Data verification
  • Data applications

Testing and verification of recovery procedures

Source of the article: Wikipedia