
See Figures 4.30 and 4.31.

BUSINESS CONTINUITY POLICY

document approved by top management that defines the extent and scope of the business continuity effort (a project or an ongoing program) within the organization.

The policy can be broken into two parts:

Internal: a message to internal stakeholders (i.e., employees, management, board of directors) that the company is undertaking the effort, committing its resources and expecting the rest of the organization to do the same.

Public: a message to external stakeholders (i.e., shareholders, regulators, authorities, etc.) that the organization is treating its obligations (e.g., service delivery, compliance) seriously.

The policy should broadly state the general principles on which business continuity will be based.

It should be proactive.

It should convey the message that preventive and detective controls are in place to reduce the likelihood of a disruption, and corrective controls to mitigate the consequences if one occurs.

BUSINESS CONTINUITY PLANNING: INCIDENT MANAGEMENT

Incidents and crises are dynamic by nature, often rapid and unforeseeable.

All types of incident should be categorized according to an estimate of the level of damage to the organization.

The classification can change dynamically while the incident is being resolved.

The four classes, in ascending order of severity, are:

Negligible: incidents causing no perceptible or significant damage, e.g., very brief OS crashes with full information recovery, or momentary power outages with UPS backup.

Minor: incidents that, while not negligible, produce no negative material (of relative importance) or financial impact.

Major: incidents that cause a negative material impact on business processes and may affect other systems, departments or even outside clients.

Crisis: a major incident that can have serious material (of relative importance) impact on the continued functioning of the business and may also adversely impact other systems or third parties.

The severity of the impact depends on the industry and circumstances, but is generally directly proportional to the time elapsed from the inception of the incident to its resolution.

Negligible incidents can be analyzed statistically to identify any systemic or avoidable causes.

Incidents should be handled by the security officer (SO) or another designated individual, who should then follow a pre-established escalation protocol.

Escalation may be followed by invoking a recovery plan, such as the IT DRP.

Where service delivery is regulated by SLAs, these may state the maximum permitted downtime and recovery estimates, which bound how long an incident can run before it must be escalated.

A conservative fail-safe approach would be to assign any nonnegligible incident a starting, provisional severity level 3

As the incident evolves, this level should be reevaluated regularly by the person or team in charge, often referred to as an incident response or firecall team.
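The classification and escalation rules above, as an added example that is not part of the original notes: each non-negligible incident starts at the provisional level 3 (major), is reevaluated at each review against its SLA maximum downtime, and negligible incidents are tallied by cause to spot systemic ones. The escalation table, the SLA values and the sample incident log are assumptions constructed for the example, not from the source.

```python
"""Provisional severity, time-based reevaluation and escalation for a BCP
incident log. Added example; thresholds and the escalation table are assumed."""
from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    # Ascending order; the numeric value is the "severity level" of the notes.
    NEGLIGIBLE = 1
    MINOR = 2
    MAJOR = 3
    CRISIS = 4


@dataclass
class Incident:
    ident: str
    cause: str
    sla_max_downtime_min: int          # maximum downtime promised in the SLA (assumed)
    perceptible_damage: bool           # False => negligible (UPS-covered blip, brief OS crash)
    material_impact: bool = False      # negative material impact on business processes
    affects_third_parties: bool = False
    elapsed_min: int = 0               # minutes since inception, updated at each review
    severity: Severity = field(init=False)

    def __post_init__(self) -> None:
        # Fail-safe rule: any non-negligible incident starts at provisional level 3 (major).
        self.severity = Severity.NEGLIGIBLE if not self.perceptible_damage else Severity.MAJOR


def reevaluate(inc: Incident, elapsed_min: int) -> Severity:
    """Recompute severity as the incident evolves.

    Impact grows with time to resolution: once downtime exceeds the SLA maximum,
    the level goes up one step; third-party impact or material impact beyond the
    SLA is a crisis. A provisional major with no material impact is downgraded to
    minor. Negligible incidents stay negligible."""
    inc.elapsed_min = elapsed_min
    if inc.severity == Severity.NEGLIGIBLE:
        return inc.severity
    over_sla = elapsed_min > inc.sla_max_downtime_min
    if inc.affects_third_parties or (inc.material_impact and over_sla):
        inc.severity = Severity.CRISIS
    elif inc.material_impact or over_sla:
        inc.severity = Severity.MAJOR
    else:
        inc.severity = Severity.MINOR
    return inc.severity


# Assumed escalation protocol: (who is engaged, whether the IT DRP is invoked).
ESCALATION = {
    Severity.NEGLIGIBLE: ("service desk", False),
    Severity.MINOR: ("security officer", False),
    Severity.MAJOR: ("incident response / firecall team", False),
    Severity.CRISIS: ("crisis management team", True),
}


def escalate(inc: Incident) -> tuple[str, bool]:
    return ESCALATION[inc.severity]


def systemic_causes(log: list[Incident], min_count: int = 3) -> dict[str, int]:
    """Statistical review of negligible incidents: a cause recurring at least
    min_count times is flagged as a candidate systemic or avoidable cause."""
    counts = Counter(i.cause for i in log if i.severity == Severity.NEGLIGIBLE)
    return {c: n for c, n in counts.items() if n >= min_count}


# Constructed sample incident log (not real data); SLA max downtime is 60 min.
LOG = [
    Incident("INC-1", "ups-covered power blip", 60, perceptible_damage=False),
    Incident("INC-2", "ups-covered power blip", 60, perceptible_damage=False),
    Incident("INC-3", "ups-covered power blip", 60, perceptible_damage=False),
    Incident("INC-4", "brief OS crash, full recovery", 60, perceptible_damage=False),
    Incident("INC-5", "storage array failure", 60, perceptible_damage=True, material_impact=True),
    Incident("INC-6", "mail relay restart", 60, perceptible_damage=True),
]


def run() -> dict[str, Severity]:
    """Two review cycles, 30 and 90 minutes after inception; returns final levels."""
    for t in (30, 90):
        for inc in LOG:
            reevaluate(inc, t)
    return {i.ident: i.severity for i in LOG}


if __name__ == "__main__":
    final = run()
    for inc in LOG:
        print(inc.ident, final[inc.ident].name, escalate(inc))
    print("systemic causes:", systemic_causes(LOG))
```

Note how INC-6 is downgraded from the provisional major to minor at the first review (no material impact) and then climbs back to major once it outlives the SLA window, while INC-5 goes from major to crisis for the same reason: the level tracks elapsed time, as the notes state.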

DEVELOPMENT OF BUSINESS CONTINUITY PLANS

Based on the inputs received from the BIA, the criticality analysis and the recovery strategy selected by management, a detailed BCP and DRP should be developed or reviewed.

The plan should address all the issues within the business continuity scope that are involved in an interruption to business processes, including recovering from a disaster.

Factors that should be considered while developing/reviewing the plan are:

• Predisaster readiness, covering incident response management to address all relevant incidents affecting business processes

• Evacuation procedures 🏃 🏃🏽‍♀️ 🏃‍♀️ 🏃🏼

• Procedures for declaring a disaster (rating and escalation procedures) 📢

• The circumstances under which a disaster should be declared 🚩

• The clear identification of the responsibilities in the plan 👷 👷🏽

• The clear identification of the persons responsible for each function in the plan

• The clear identification of contract information

• The step-by-step explanation of the recovery process

• The clear identification of the various resources required for recovery and continued operation of the organization 🍆🌽🌶🥔🥒🥜🥕

Copies of the plan should be maintained offsite. The plan must be structured so that its parts can easily be handled by different teams.

OTHER ISSUES IN PLAN DEVELOPMENT

The personnel who must react to the interruption/disaster are those responsible for the most critical resources.

Management and user involvement is vital to the successful execution of the BCP.

User management involvement is essential to the identification of critical systems, their associated critical recovery times and the specification of needed resources.

The three major divisions that require involvement in the formulation of the BCP are:

Business operations (who may suffer from the incident)

Information processing support (who are going to run the recovery)

Support services (who detect the first signs of an incident/disaster)

Because the underlying purpose of the BCP is the recovery and resumption of business operations, it is essential to consider the entire organization, not just IS processing services, when developing the plan.

Where a uniform BCP does not exist for the entire organization, the plan for IS processing should be extended to include planning for all divisions and units that depend on IS processing functions.

When formulating the plan, the following items should also be included:

• A list of the staff, with redundant contact information (backups for each contact), required to maintain critical business functions in the short, medium and long term.

• The configuration of building facilities, desks, chairs, telephones, etc., required to maintain critical business functions in the short, medium and long term

• The resources required to resume/continue operations (not necessarily IT or even technology resources)

Not all interruptions are disasters, but a small incident if not addressed in a timely or proper manner may lead to a disaster.

For example, a virus attack not recognized and contained in time may bring down the entire IT facility.