15:4 (1)
BUSINESS CONTINUITY POLICY
A business continuity policy is a document approved by top management that defines the extent and scope of the business continuity effort (a project or an ongoing program) within the organization.
It can be broken into two parts:
• Internal: a message to internal stakeholders (i.e., employees, management, board of directors) that the company is undertaking the effort, committing its resources and expecting the rest of the organization to do the same.
• Public: a message to external stakeholders (i.e., shareholders, regulators, authorities, etc.) that the organization is treating its obligations (e.g., service delivery, compliance) seriously.
The policy should broadly state the general principles on which business continuity will be based. It should be proactive and should state the message that there are preventive and detective controls to reduce the likelihood of a disruption and corrective controls to mitigate the consequences.
BUSINESS CONTINUITY PLANNING INCIDENT MANAGEMENT
Incidents and crises are dynamic by nature, often rapid and unforeseeable. All types of incidents should be categorized depending on an estimation of the level of damage to the organization. The classification can change dynamically while the incident is being resolved.
• Negligible incidents are those causing no perceptible or significant damage, e.g., very brief OS crashes with full information recovery or momentary power outages with UPS backup. Negligible incidents can be analyzed statistically to identify any systemic or avoidable causes.
• Minor incidents are those that, while not negligible, produce no negative material (of relative importance) or financial impact.
• Major incidents cause a negative material impact on business processes and may affect other systems, departments or even outside clients.
• A crisis is a major incident that can have a serious material (of relative importance) impact on the continued functioning of the business and may also adversely impact other systems or third parties. The severity of the impact depends on the industry and circumstances, but is generally directly proportional to the time elapsed from the inception of the incident to incident resolution.
The security officer (SO) or other designated individual should then follow a pre-established escalation protocol, which may be followed by invoking a recovery plan, such as the IT DRP. Service delivery is regulated by SLAs, which may state the maximum downtime and recovery estimates.
A conservative fail-safe approach would be to assign any nonnegligible incident a starting, provisional severity level 3. As the incident evolves, this level should be reevaluated regularly by the person or team in charge, often referred to as an incident response or firecall team.
DEVELOPMENT OF BUSINESS CONTINUITY PLANS
Based on the inputs received from the BIA, the criticality analysis and the recovery strategy selected by management, a detailed BCP and DRP should be developed or reviewed. The plan should address all the issues included in the business continuity scope that are involved in interruption to business processes, including recovering from a disaster.
Factors that should be considered while developing/reviewing the plan are:
• Predisaster readiness covering incident response management to address all relevant incidents affecting business processes
• Evacuation procedures
• Procedures for declaring a disaster (rating and escalation procedures)
• Circumstances under which a disaster should be declared. Not all interruptions are disasters, but a small incident, if not addressed in a timely or proper manner, may lead to a disaster. For example, a virus attack not recognized and contained in time may bring down the entire IT facility.
• The clear identification of the responsibilities in the plan
• The clear identification of the persons responsible for each function in the plan
• The clear identification of contract information
• The step-by-step explanation of the recovery process
• The clear identification of the various resources required for recovery and continued operation of the organization
Copies of the plan should be maintained offsite. The plan must be structured so that its parts can easily be handled by different teams.
OTHER ISSUES IN PLAN DEVELOPMENT
The personnel who must react to the interruption/disaster are those responsible for the most critical resources. Management and user involvement is vital to the success of the execution of the BCP. User management involvement is essential to the identification of critical systems, their associated critical recovery times and the specification of needed resources.
The three major divisions that require involvement in the formulation of the BCP are:
• Support services (who detect the first signs of an incident/disaster)
• Business operations (who may suffer from the incident)
• Information processing support (who are going to run the recovery)
Because the underlying purpose of the BCP is the recovery and resumption of business operations, it is essential to consider the entire organization, not just IS processing services, when developing the plan. Where a uniform BCP does not exist for the entire organization, the plan for IS processing should be extended to include planning for all divisions and units that depend on IS processing functions.
In formulating the plan, the following items should also be included:
• A list of the staff, with redundant contact information (backups for each contact), required to maintain critical business functions in the short, medium and long term.
• The configuration of building facilities, desks, chairs, telephones, etc., required to maintain critical business functions in the short, medium and long term.
• The resources required to resume/continue operations (not necessarily IT or even technology resources).
SEE FIGURE CHAAR DOT TRISS and chaar dot ekatriss