BUSINESS CONTINUITY POLICY
A business continuity policy is a document approved by top management that defines the extent and scope of the business continuity effort (a project or an ongoing program) within the organization. It should be proactive and should broadly state the general principles on which business continuity will be based. There are preventive and detective controls to reduce the likelihood of a disruption and corrective controls to mitigate the consequences.

The policy can be broken into two parts, each stating a message to a different audience:
• To external stakeholders (i.e., shareholders, regulators, authorities, etc.), it should state the message that the organization is treating its obligations (e.g., service delivery, compliance) seriously.
• To internal stakeholders (i.e., employees, management, board of directors), it should state the message that the company is undertaking the effort, committing its resources and expecting the rest of the organization to do the same.
BUSINESS CONTINUITY PLANNING INCIDENT
Incidents and crises are dynamic by nature, often rapid and unforeseeable. All types of incidents should be categorized depending on an estimation of the level of damage to the organization, and the classification can dynamically change while the incident is resolved.

• Negligible incidents are those causing no perceptible or significant damage, such as very brief OS crashes with full information recovery or momentary power outages with UPS backup. Negligible incidents can be analyzed statistically to identify any systemic or avoidable causes.
• The next category is incidents that, while not negligible, produce no negative material (of relative importance) or financial impact.
• The most serious category is a major incident that can have serious material (of relative importance) impact on the continued functioning of the business and may also adversely impact other systems or third parties.

The severity of the impact depends on the industry and circumstances, but is generally directly proportional to the time elapsed from the inception of the incident to incident resolution. Incidents that cause a negative material impact on business processes may also affect other systems, departments or even outside clients.

Incidents should be reported to the security officer (SO) or other designated individual, who should then follow a pre-established escalation protocol; this may be followed by invoking a recovery plan, such as the IT DRP. Where service delivery is regulated by SLAs, these may state the maximum downtime and recovery estimates. A conservative fail-safe approach would be to assign any nonnegligible incident a starting, provisional severity level 3. As the incident evolves, this level should be reevaluated regularly by the person or team in charge, often referred to as an incident response or firecall team.
DEVELOPMENT OF BUSINESS CONTINUITY
Based on the inputs received from the BIA criticality analysis and the recovery strategy selected by management, a detailed BCP and DRP should be developed or reviewed. The plans should address all the issues included in the business continuity scope that are involved in interruption to business processes, including recovering from a disaster. Factors that should be considered while developing/reviewing the plan are:
• Incident response management covering all relevant incidents affecting business processes
• Evacuation procedures
• Procedures for declaring a disaster (rating and escalation procedures)
• Circumstances under which a disaster should be declared. Not all interruptions are disasters, but a small incident, if not addressed in a timely or proper manner, may lead to a disaster. For example, a virus attack not recognized and contained in time may bring down the entire IT facility.
• The clear identification of the responsibilities in the plan, i.e., the persons responsible for each function in the plan
• A clear, step-by-step explanation of the recovery process
• The clear identification of the various resources required for recovery and continued operation of the organization

Copies of the plan should be maintained offsite. The plan must be structured so that its parts can easily be handled by different teams.
OTHER ISSUES IN PLAN DEVELOPMENT
The response to the interruption/disaster should address the most critical resources first. Management and user involvement is vital to the success of the execution of the BCP. User management involvement is essential to the identification of critical systems, their associated critical recovery times and the specification of needed resources.
The three major divisions that require involvement in the formulation of the BCP are:
• the division that may suffer from the incident
• information processing support (who are going to run the recovery)
• the division that detects the first signs of an incident

Because the underlying purpose of BCP is the recovery and resumption of business operations, it is essential to consider the entire organization, not just IS processing services, when developing the plan. If a uniform BCP does not exist for the entire organization, the plan for IS processing should be extended to include planning for all divisions and units that depend on IS processing functions.
When formulating the plan, the following items should also be included:
• a list of the staff, with redundant contact information (backups for each contact), required to maintain critical business functions in the short, medium and long term
• the configuration of building facilities, desks, chairs, telephones, etc., required to maintain critical business functions in the short, medium and long term
• resources required to resume/continue operations (not necessarily IT or even technology resources)
SEE FIGURES 4.30 AND 4.31