Project 3: Business Continuity Start Here
In the process of enterprise risk management, a primary element is the business continuity plan (BCP), which consists of steps to continue operations should a worst-case scenario event take place. Your work on vulnerabilities, threats, and risk in the first two projects will support this.
The BCP assignment will detail the following elements:
· resources required and defined stakeholder roles
· business impact analysis
· recommended preventative controls
· recovery strategies
· contingency plan that includes implementation and maintenance guidelines and defined procedures for testing the plan
Grades are determined on the ability to clearly articulate a developed, effective business continuity plan that considers relevant environmental factors and aligns with organizational objectives.
This is the third of four sequential projects. There are 13 steps in this project.
Step 1: Review Assigned Organization
The process of business continuity planning addresses the preservation and recovery of business in the event of outages to normal business operations. The output of the process is the business continuity plan (BCP), an approved set of documented arrangements and procedures that enables an organization to facilitate the recovery of business operations, minimize losses, and replace or repair incurred damages as quickly as possible (Ouyang, n.d.).
According to the National Institute of Standards and Technology’s Special Publication 800-34, Contingency Planning Guide for IT Systems, business continuity planning is an ongoing task, the goals of which are to (Ouyang, n.d.):
· sustain operations
· recover and resume operations
· protect assets
Goals of the BCP Cycle
In the case of your particular organization (use the one assigned to you in CMP 610 or another organization of your choice), the company may have an existing BCP. However, in your organization, as with many others, the BCP was written, put on the shelf, and rarely, if ever, referenced unless an emergency required implementation.
Knowing this, conduct operations as if there were no existing plan and create a new plan.
The next step will involve planning for the BCP, including establishing a need and defining a scope.
Ouyang, A. (n.d.). CISSP common body of knowledge: Business continuity & disaster recovery planning domain. http://opensecuritytraining.info/CISSP-9-BCDRP_files/9-BCP+DRP.pdf
Business Continuity Plan
Many companies do not realize the importance of a business continuity plan (BCP) until an incident has occurred. A cybersecurity BCP includes a strategy of how the organization information technology would operate and recover after an incident that could be result of an intentional attack or caused by a natural disaster.
There are four critical steps when establishing a BCP, according to guidelines published by the Department of Homeland Security:
· conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them
· identify and document resource requirements, and implement strategies to recover critical business functions and processes
· organize a business continuity team and compile a continuity plan to manage a business disruption
· conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan
There are several recovery goals stated within a BCP, such as recovery point objective (RPO), recovery time objective (RTO), business recovery requirements, and technical recovery requirements. An RPO states how far back should an organization go in time in order to recover data after an incident. Think of clicking Ctrl+Alt+Shift+H on your computer in order to see the history of the websites you have visited. RTO is based on the idea of how long it takes to restore backup data to its original state in order to resume business operations.
One key component of an BCP is the well-being of employees. People should always be a priority when establishing a BCP. All other components of an organization can be replaced, rebuilt, or insured. According to the code of ethics of ISC2, the International Information System Security Certification Consortium, an information security professional must always “protect society, the common good, necessary public trust and confidence, and the infrastructure.”
Department of Homeland Security. (n.d.). Business continuity plan. https://www.ready.gov/business/implementation/continuity
ISC2. (n.d.) ISC2 code of ethics. https://www.isc2.org/ethics/default.aspx?terms=code%20of%20ethics
Step 2: Define the Scope
In the first step, you reviewed BCP methodologies. You are now ready to continue the first part of the planning process, which involves establishing the need for a BCP and defining an appropriate scope for the company outlined in the scenario.
The BCP should address aspects of business continuity, business recovery, contingency planning, disaster recovery, and related activities. Focus on those elements that are adequate and expedient, based on your risk assessment for the enterprise.
Governmental agencies are required to develop an enterprise continuity of operations program (COOP). A COOP is a detailed framework that documents how the agency will ensure that essential functions continue through an emergency situation until normal operations can resume. Outside of federal, state, and local government, enterprises call that kind of framework a BCP. Both COOPs and BCPs are created to help organizations recover from disasters.
Consider what aspects of business continuity the BCP will address, such as business recovery, contingency planning, and disaster recovery. Submit a brief description for feedback (one page or less) of the topic areas to be covered in the BCP.
Step 4: Identify Key Resources and Stakeholders
After the BIA, the next step is to identify the key resources necessary and the stakeholders (executives and management) responsible for those resources. Remember, some resources necessary for a successful BCP might be external to the company. Be sure to include these aspects in the plan.
Now that all resources and stakeholders are identified and listed, answer these two questions: What resources are needed? Who are the players?
Expand the table for the BCP by including a column for accountability. With an assumed and reasonable job title, make a list of probable stakeholders responsible for execution of each recovery effort. Clearly identify their respective responsibilities during the reactivation of business processes.
Use the Key Resources and Stakeholders Template to indicate key resources and stakeholders involved in the recovery for feedback.
Step 5: Consider Preventive Controls
After identifying the key stakeholders and resources, take a look at what can be put in place in advance to prevent or reduce risk. Based on previous research, plus what you have learned in the business impact analysis, what could be done to eliminate or minimize the impact of a major event? These are called preventive controls in the business process realm, or risk countermeasure implementation in technology language.
Either way, the BCP should contain controls that can be classified as measures taken in advance of a catastrophe that are designed to reduce the risk of a negative impact. In the process of itemizing the controls, make sure they are properly aligned with organizational goals and the strategic direction of the enterprise.
The preventative controls selected should be aligned with the organizational goals and strategies. You will list these controls in the next step.
Step 6: List Preventive Controls
In this step, you will write a description of the preventative controls that you considered in the previous step. These controls could eliminate or minimize the impact of a major event.
Upload a description of the preventative controls to be used in the BCP here for feedback.
Step 7: Research Recovery Strategies
A BCP is uniquely different from a complete disaster recovery plan (DRP), neither of which is a small undertaking. Both are required to return the enterprise to 100 percent functionality. The view for the enterprise is to have one BCP that contains multiple DRPs generally broken into department or business function categories.
The BCP is an overarching strategic approach to getting any business back “in” business with all mandatory functionality as soon as possible after disaster strikes. This is why the previous steps and projects have required these elements to be identified and prioritized. As such, the BCP is not as detail-oriented as the DRP and only contains DRP requirements that are absolutely mandatory to get the business back in action at the earliest opportunity.
The DRP is usually more technical, very specific, and very much a necessity in today’s highly connected technology infrastructure. The DRP includes descriptions of data backup strategies, recovery sites, and postincident requirements.
There will naturally be several aspects of the rebuild that might not go exactly as planned. This exercise will be to demonstrate an ability to follow multiple paths in a decision tree environment. The objective will be to create a drawing or descriptive list that follows both options to each decision of “yes” or “no” or “success” or “failure” to the reconstructive effort.
Specifically, for each step, conclude with an answer to the question “was the action successful?” If “yes,” what is the next step? Or, if “no,” what is the alternative step to take next? Continue this process until you have successfully returned to operational status or determined you cannot reactivate under current circumstances. If the result of the plan is an inability to recover, the plan needs additional work to make it successful.
In the next step, you will document the selected recovery strategies.
Step 8: Document Recovery Strategies
Now that you have researched recovery strategies as they pertain to a BCP, list or map multiple strategic options to accomplish the recovery effort. Upload a description of the planned recovery strategies here for feedback.
Step 9: Develop Implementation and Maintenance Procedures for the Contingency Plan
You’ve documented recovery strategies and are well on the way to completing the BCP. But writing a BCP is not enough. You must also have a clear plan for implementing and maintaining the BCP. Answer these questions:
· What resources are needed?
· Under what conditions, such as fire, natural disasters, occurrence of a terrorist attack, etc., will the BCP will be activated?
· How will stakeholders be made aware of the policies and procedures of the BCP?
· How will employees be trained on the plan? How often will training occur? Will there be a general training for all employees or role-based trainings for people in specific functional areas?
· How/where will the plan for stored for safekeeping and accessibility when needed?
· When and how will BCP maintenance reviews be scheduled?
· How will updates and changes to the plan be handled? How often will the plan be updated?
In this step, begin to develop a strategy for how the BCP will be implemented and maintained. This information will be used in Step 11, in which the contingency plan will be documented. Next, you will develop testing procedures for the plan.
Step 10: Develop Testing Procedures for the Contingency Plan
You’ve begun to outline your strategy for how to implement and maintain a BCP. It is also important to conduct business continuity testing to evaluate the effectiveness of a preparedness program in practice. This will give insight into whether the parts of the preparedness program will work and can help identify aspects of the BCP that work on paper but are ineffective or impractical in reality.
|Examples of BCP Tests|
|Types of Tests||Description|
|Structured walk-through||Step-by-step review of BCP plans with organization’s functional representatives|
|Checklist test||Functional representatives review BCP plans and check off the points that are listed to ensure concerns and activities are addressed|
|Simulation||A scenario-based practice execution of the BCP plans.|
|Parallel test||Operational test conducted at the alternate site(s).|
|Full interruption test||Full-scale operational test including shutdown of primary site and recovery of business operations at alternate site(s).|
|Source: Ouyang, A. (n.d.). CISSP common body of knowledge: Business continuity & disaster recovery planning domain. Used under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license.|
Taking time to develop, document, and test consistent processes and controls will also help you prepare for the annual audit of your information security system under any of the commonly used security and audit frameworks. Under these security and audit methodologies, auditors will gather information about the organization’s security systems, confirm that appropriate security measures are in place, and provide a report on their findings.
Now develop your strategy for how the BCP will be tested. Your plan will be included in the contingency plan to be submitted in the next step.
Step 11: Document the Contingency Plan
You’ve developed testing procedures. However, an effective BCP must outline how the plan will be implemented and maintained and also how it will be tested to ensure its viability in a real emergency situation. Therefore, an integral part of the BCP should be a discussion of plans for implementation and maintenance and for business continuity testing.
Upload your contingency plan with a description of how the BCP will be tested and plans for ensuring the proper implementation and maintenance of the plan here for feedback.
Step 12: Consolidate and Update Your Work
You’ve documented testing and implementation procedures, and the plan is nearly complete. In the next step, you will submit your final BCP. Take some time now to update your work on the project to this point and make updates based on feedback received or new information uncovered.
In the final step, you’ll complete and submit the BCP.
Step 13: Write the Business Continuity Plan (BCP)
Use the results from the previous steps to create a five- to seven-page business continuity plan. Explain the thought process of creating the specific plan steps and how each is related to business strategy considerations.
Use this Business Continuity Plan Template to submit your final assignment.
Step 1: Review of the the Risk Management Framework
Bukola A Wilson-Akinfe
University of Maryland Global Campus
CMP 630 9041 Risk Management and Organizational Resilience(2218)
Dr Michael T. Hanners
Step 1: Review of the Risk Management Framework
Risk Management Framework is used as a template that guides the companies on identifying, eliminating, and minimization the risk. It includes five components that comprise the identification of the risks that the organization faces. These are either operational, privacy, or legal issues (Jakšič & Marinč, 2019). The second step is the measurement and assessing the risks to create a risk profile for the identified risks. After the second phase, the organizations need to develop the mitigation of the risks.
The mitigation of risks involves the examination of the identified risks and determining whether they can be eliminated. This category does not include the risks that are deemed to be acceptable. The fourth step is reporting and monitoring, which reexamines the adopted risk mitigation strategies and determines whether they leave the desired effects (Yan et al., 2018). This is followed by governance that ensures the risk mitigation is implemented and the employees adhere to the policies.
Jakšič, M., &Marinč, M. (2019). Relationship banking and information technology: The role of artificial intelligence and FinTech. Risk Management, 21(1), 1-18. https://link.springer.com/article/10.1057/s41283-018-0039-y
Yan, Q., Huang, W., Luo, X., Gong, Q., & Yu, F. R. (2018). A multi-level DDoS mitigation framework for the industrial Internet of Things. IEEE Communications Magazine, 56(2), 30-36. https://ieeexplore.ieee.org/abstract/document/8291111/
Key Resources and Stakeholders Template
Copy the BIA findings into the table below and add information on the resources that are needed and person or groups accountable for that specific aspect of the BCP.
Note: You can add more rows to the bottom of the table if needed.
Step 3: Conduct a Business Impact Analysis
The BIA provides written documentation to assist Maria and the other executives in understanding the business impact should an outage occur. Such impacts may be financial, in terms of lost revenues and additional expenses; operational, in terms of inability to deliver products and services; or even intangible, in terms of damage to the organization’s reputation and loss of public confidence.
This analysis should include all departments and facilities of the enterprise, list what it would take for each to resume adequate operations to meet the needs of the enterprise, and must include each phase of the recovery activities.
Remember, a key element to “business impact” is the financial aspect. What will it “cost” to take a particular action and, equally important, what could be the “cost” of inaction?
Prioritization is a key to the successful recovery of operations. The sequence of activities is an essential element in your contingency planning.
Use the Business Impact Analysis Template and then upload your BIA here for feedback.
Risk Management Framework
ISACA Risk IT describes risk management framework as risk holistically across the organization and explains that IT affects risk and the organization concurrently (ISACA, 2009).
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), enterprise risk management is defined as “a process … applied … across the enterprise, designed to identify potential events … and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). The COSO framework is used by risk executives to manage enterprise risks.
Risk is identified as:
· the risk of not realizing a benefit from IT
· the risk of not delivering on IT programs
· the risk of not providing intended services with IT
What’s important is that the risk management framework definition is largely consistent across four organizations concerned with standardization: ISACA, COSO, ISO (International Organization for Standardization), and NIST (National Institute for Standards and Technology). Differences are understandable for the audience and emphasize variations. The guidance to system security engineers is to recognize requirements, clarify responsibilities, and work as a team to identify and mitigate risk holistically and continuously across the organization.
Risks are evaluated along with benefit using this framework, for a more complete strategic decision process. Otherwise, the ISACA model is similar to the NIST risk management model in NIST Special Publication 800-39, Managing Information Security Risk. The ISACA risk model (2009) stresses connectivity to the business model (framing), risk governance (leadership involvement), evaluation (assessment) and response, and prescribes communication (cross-organization teams) and continuous assessment (monitoring).
ISACA framework definitions are consistent with ISO 31000 definitions. ISO 31000:2009, “A Practical Guide for SMEs (small- and medium-sized enterprises),” features a process cycle similar to NIST guidance, featuring planning (frame and assess), implementing (respond) and monitoring (monitor), but adds an important continuous improvement prescription to improve the plan and process in response to a changing environment.
ISO Guide 73:2009 is a definitions standard that contains a definition of risk management. Like all ISO standards, it is available for purchase. Nonetheless, the freely available online ISO 31000:2009 defines risk as a combination of the consequences of an uncertain event (including changes in circumstances) and the associated uncertain likelihood of occurrence.
Importantly, “Risk in ISO 31000:2009 is neutral; the consequences associated with a risk can enhance the achievement of objectives (i.e. positive consequences) or can limit or diminish the achievement of objectives (i.e. negative consequences)” (ISO/ITC, 2009). This interpretation is different from that of the NIST special publications.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2014). Enterprise risk management — integrated framework. Executive summary. https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf
ISACA. (2009). The risk IT framework. https://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework-Excerpt_fmk_Eng_0109.pdf
ISO/ITC. (2009). ISO 31000:2009: A practical guide for SMEs. http://www.iso.org/iso/iso_31000_for_smes.pdf
Business Impact Analysis
A business impact analysis (BIA) is an important component of a business continuity plan. In fact, organizations must perform a BIA in order to determine which functions, activities, and business processes are of vital importance for the organization to function.
A BIA is essentially the classification of an organization’s functions, activities, and business processes as either critical or noncritical. There are certain elements of an organization that are essential for its proper functioning (critical) and that must be addressed to have an organization up and running in the aftermath of a disaster. In other words, a BIA helps an organization identify critical components to its survival.
A critical component of any BIA is its recovery methods such as recovery point objective (RPO), recovery time objective (RTO), and business and technical recovery requirements. A recovery point objective (RPO) states how far back should an organization go in time in order to recover data after an incident. Recovery time objective (RTO) is based on how long it takes to restore backup data to its original state to resume business operations.
Understanding the balance between actions that are important and actions that are urgent is an essential concept in developing the near-term situation analysis. When a task is important, there may be severe consequences if it is not accomplished. When a task is urgent, there may not be another opportunity to accomplish the task before time or resources run out. Many tasks are obviously important or obviously urgent. Discerning which of these tasks are both important and urgent, however, is somewhat difficult in a postdisaster situation. The figure below shows a framework for assessing the priority of various possible actions.
Near-term analysis of the disaster situation should determine whether the business process is recoverable within predetermined timelines or whether the focus should switch to more strategic actions such as:
· reassigning business process responsibility to another organizational element
· building a new permanent facility
· foregoing the business process entirely
Globally or nationally dispersed organizations may have the option of reassigning business process responsibility to other similar facilities. This decision will shorten the business process recovery period and may improve overall organizational efficiency by decreasing excess production capability across the enterprise. Residual effects may include personnel relocation or integration of telecommunications features in remaining business processes or both.
Forward-looking organizational leaders can see opportunity in the aftermath of disaster. This type of planning is beyond the scope of a disaster recovery plan (DRP) but must be considered within the larger business continuity plan concept. If a facility is determined to be unrecoverable, but is still required to support a key business process, planners should focus on infusing new technology or workflow improvements into the supported business process. Armed with a thorough understanding of the organization’s overarching business strategy, planners can create an outline for specific actions and investments to transform loss into new opportunity.
Discontinuing a business process may be a valid decision in view of the organization’s long-term business strategy. If the business process was headed toward obsolescence in the current business perspective, merely accelerating the planned divestments will set the organization on its future course—ahead of schedule. Residual operating budgets and insurance payouts can be redirected toward developing next-generation capabilities.
Business Impact Analysis Template
Note: You can add more rows to the bottom of the table if needed.
Business Impact Analysis Template
Note: You can add more rows to the bottom of the table if needed.