Business Continuity Planning

Here are some helpful steps and questions for building a Business Continuity
Plan. You should build a comprehensive list of risks that threaten your
business's existence and a detailed plan that will lead back to normal
operations if any of them should occur.

- Executive commitment
- This is the first step. You MUST get the board and executives to realize
the potential downfalls of the company if exploited by mother nature or
evil individuals. Why is this SO important? If you make it through the
first 5 steps without guidance from above, you will get to steps 6 and
7 with a need for budget. At that point you are asking for money that the
executives will either see no value in, or will see value in but add to the
process in a way that sends you back to step number 2. That is time wasted
and money spent.
- The management process
- Identify the team that will lead the BCP process from here on out. It will
be important to implement a high-level BCP plan in case something happens
before you finish the BCP process. You also need to put a firm schedule in
place: security planning can be long, time-consuming and abstract, and you
need to be able to keep focus and direction during the process.
- Identify Threats, Vulnerabilities and Risks
- I have seen a lot of processes for determining threats. Probably one of
the best is one that mixes the best of all of them. It is important to
conduct reviews with managers throughout the organization to see what they
feel would seriously impact the company. Sometimes the people who are
closer to the action are more familiar with the potential problems. When
interviewing individuals throughout the organization, you should try to
categorize the threats into buckets (Technical/Economic, People/Social,
Internal, External). As you will see over and over again, most security
breaches are from inside the company.
- Business Impact Analysis
- In the event that something does happen, what will the effects be? It is
important to identify the primary areas of the business, as well as the
secondary and tertiary parts. Once you have the primary areas identified,
you need to rank the impact of losing each. Concentrate on the ones that
are most crucial to the survival of the business.
- Develop Strategies
- OK! Now you have built your team, identified all the threats, and done an
analysis of what can happen to you. Next you need to develop
solutions/strategies for the potential threats. Each strategy may involve
inside and outside entities (off-site hot, warm, cold backups, third parties,
etc.). You also need to identify a chain of command during a crisis
(Executives -> Incident Control -> End Departments). Cost should be a factor
here too: always make sure that the cost of a strategy is not more than the
actual cost of the loss.
- Develop Plans
- Now that you have chosen specific strategies for each risk, you have to
put on your Army Greens and build your action plan. A server goes down... what
are the steps to get it back up? Each plan will be specific to a person/position
within the organization. You need to identify those people and ensure they
have the plan and that their tasks are well documented (after all, you don't
want 20 hands in the cookie jar!). Flow charts are good at this point,
because you don't want someone telling someone else that the problem is
fixed when it is still very much there. Be sure to show a clear flow of
information from individual to individual. In case the event causes
a media ruckus, be sure that you are prepared with statements that will not
make the company look bad, but reverse it to make you look good!
- Test and exercise the plans
- Also a VERY important step. If you have made it to this step, you have spent
a lot of time and resources on putting together a BCP plan. Now the question
is, does it work? Will it work in real life? Practice makes perfect, as
my parents always said. Everyone should know their part and know it well.
Practice and test at least once a year. Testing helps you modify the plan
where needed and keeps everyone in tip-top shape!