BUSINESS CONTINUITY & RESILIENCE - Coggle Diagram
Cyber resilience
A defence strategy that acknowledges that cyber security attacks will happen, and that it is therefore better to develop the capability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on cyber resources.
Business Continuity Management
This is the process applied by an organisation's management, who identify and review the mission-critical components of an organisation.
Possible threats to an organisation's ongoing operations are identified, as well as the impact such threats could have on the organisation's ability to continue operating. Management also devises a framework to improve the resilience of the organisation to such threats in order to achieve business continuity.
Business continuity is the capability of an organisation, including its (non-IT) resources such as staff, buildings, supply chains and delivery capability, to continue delivering its products and/or services at a satisfactory level following a disruptive incident.
BUSINESS CONTINUITY PLAN
This refers to the documents and procedures that describe how an organisation's products and/or services will be maintained at a satisfactory level following a disruptive incident.
BCP lifecycle
Recognising appropriate internal and external audiences
Differences between audiences impact on the language, focus and level of detail needed.
Identifying, acquiring or developing awareness tools
Awareness tools can include different communication channels, promotional events, guest speakers and competitions. See also the training delivery channels listed in Table 4.14 (Section 2.6.2).
Leveraging external awareness opportunities
This includes linking to external events, such as conferences, training and talks in related fields (such as an analysis of notable cyber attacks).
Establishing the foundation for evaluating the BCM programme’s effectiveness
It is not enough to put something in place and then assume it is working. Decisions need to be made on what to measure and how to measure it in order to determine the ‘effectiveness’.
Ensuring continual improvement of the BCM programme
Related to the previous point, there are a number of reasons why a BCM programme should be reviewed: testing may reveal areas for improvement; the threats (especially cyber-based) that an organisation faces are changing; and changes in requirements, such as legislation, may require changes in processes.
Communicating implications of not conforming to BCM programme
Part of the role of promoting awareness is to make clear the consequences of not conforming. The implications are likely to be at an organisational level, but may also involve disciplinary measures.
TRAINING.
Training delivery channels.
Delivery method | Content complexity | Size and distribution of audience | Frequency of instruction | Frequency of content change
Hard copy documentation | Detailed content; not too complex | Medium to large audience; geography independent | High | Low
Web-based documentation | Detailed content; not too complex | Medium to large audience; geographically dispersed | High | High
Physical reminders (e.g. stickers and magnets) | Not complex | Medium to large audience; geography independent | |
Face-to-face, live training | Highly complex content | Small audience located in a similar geography | Low | High
Web-based, live training | Highly complex content | Smaller audience; geographically dispersed | Low | High
Self-led computer-based training | Complex content | Large audience; geographically dispersed | High | Low
Interactive group training | Complex content | Small audience located in a similar geography | Low |
BCP
5 sections
SECTION.1
The purpose and remit of the plan
Document control procedures
Plan owner
Responsibility for maintenance, review, testing and updating
Distribution methods
Plan storage
Electronic methods (and location), distributed hard copies, backups
Review date
Plan testing
SECTION.2
Circumstances for activation, along with responsibilities
Loss of personnel, ICT failure, cyber attack, natural disaster, etc.
Process for activation
Nature of disruption, criticality, continuity arrangements, actions, review
SECTION.3
Purpose
Incident management procedures
Protection of staff, visitors, public, evacuation details, emergency services
Communication procedures
Actions depending on severity, key contacts, recovery and resumption
SECTION.4
Purpose
Activities
Critical and non-critical actions
Responsibility for continuity actions
SECTION.5
Actions to resume normal activity
Logging
Long-term support needs
Debriefing
Lessons learned
EMERGENCY RESPONSE PLAN.
The main purpose of the emergency response plan is to provide an immediate response to an incident. Because incidents can take many forms, the plan should include procedures for protecting the safety of staff and visitors and for limiting damage to assets and systems. Where there has been a failure of power, for example, part of this plan is likely to require checks to ensure that backup power systems or generators are online. The initial response to network breaches or ransomware attacks may require isolation of the affected systems to mitigate any spread.
The plan should outline when (during the initial response) the crisis management team is contacted to invoke the organisation’s business continuity plan.
Generally speaking, emergency response will be of limited duration but will require the greatest effort, due to the many unknowns at the outset of the phase.
CRISIS MANAGEMENT PLAN.
The crisis management plan contains guidance on what to do in the immediate aftermath of an incident. The plan normally provides guidance on who to contact and when, aligned to any relevant regulatory and/or legal requirements, such as GDPR (Information Commissioner’s Office, 2021). Contacts typically include stakeholders such as customers, industry regulators and suppliers.
The plan should identify resources and key tasks for roles that have authority in key areas of the organisation, in order to coordinate and manage the response. One example is corporate lawyers who liaise with external lawyers or other legal professionals. Another example is logistics support staff who may need to arrange travel for staff to reach remote, possibly unmanned locations affected by the incident.
RECOVERY/RESTORATION PLAN.
The recovery/restoration plan has the primary goal of getting the organisation back to normal operation as soon as possible. The plan normally includes procedures covering tasks such as repairs to systems (e.g. restoring compromised operating systems), recovery of costs from insurers, and relocation to alternative business premises.
BUSINESS CONTINUITY MANAGEMENT PROGRAMME.
This is a management and governance process led by senior management who provide resources and oversight to enable BCM to operate on an ongoing basis.
A BIA (business impact analysis) identifies and documents a variety of things related to an organisation, such as its key products and services, the critical activities required to deliver these, the impact that a disruption of these activities would have on the organisation, and the resources required to resume the activities.
6 areas of the Business Impact Analysis
People: One of the most visible impacts of Brexit has been the challenges the hospitality industry has faced when it comes to recruiting staff, particularly as demand has increased following the easing of the COVID-19 restrictions.
Premises: The COVID-19 outbreak in 2020 led to widespread disruption as a result of staff being unable to access places of work. Lockdown restrictions meant many organisations had to adapt their working practices to allow staff to work remotely and so maintain business continuity.
Technology (assets): In 2012 a product safety recall for TX4 black cabs led to the manufacturer warning investors of a ‘very material and detrimental’ impact on its cash flow. For taxi drivers, this loss of a key business asset would also result in lost revenue.
Information: The WannaCry ransomware attack on NHS IT systems led to significantly fewer emergency and elective admissions. This meant many routine operations were cancelled, impacting on patients. It is also very likely that staff would have had to find and update paper-based medical notes. This is slower and more prone to human error (as automated data entry checks cannot be made).
Suppliers and partners: In April 2021, Transylvania-based car parts supplier Unix Auto SRL was subjected to a cyber attack in which the company’s main database was encrypted and hackers demanded payment for restoring it.
Stakeholders: Stakeholders can include investors, regulatory bodies and customers. Cyber attacks such as the DigitalOcean data breach can have a significant impact on the privacy of customers.
Business resilience.
DISASTER RECOVERY PLAN
This is not quite the same thing as business continuity, but it is included here because BCPs and DRPs are often used interchangeably.
There are some elements common to both. However, a BCP's focus is on the mitigation of a disaster, while a DRP deals solely with the aftermath of events.
The Disaster Recovery Journal (DRJ, 2022) provides a comprehensive Glossary of Business Continuity Terms. The glossary states that BCM professionals need to prepare for ‘Black Swan’ events. Referring to the glossary, how would you define a Black Swan event in your own words, and would you be able to provide any examples? Record your answer in your learning journal.
RESILIENCE.
There are a variety of definitions of resilience, but broadly speaking we can take this term to mean the extent to which an organisation can continue to deliver its business objectives despite the occurrence of adverse events.
Continuity of Operations.
Plan-do-check-act cycle
Options to mitigate the risks identified in the previous step are identified. Solutions need to take into account any regulatory or legal compliance obligations. Solutions will also be bound by the available resources and should align to the overall strategy set by senior managers.
Making strategic decisions, creating policies and procedures, and identifying roles will not make a BCP happen in practice. For that you need to instil a cultural change in staff. In practice, this means running awareness campaigns (e.g. training, flyers, email updates and perhaps promotional events). Getting stakeholders engaged and invested in the process is important, as it helps ensure a smooth transition in the event of an incident. Training and practice are important to minimise any delays when enacting a BCP.
Once the planning is complete, consideration must be given to how it should be implemented. Large organisations may be spread over multiple continents, each with legal, regulatory and cultural differences. Different offices may also provide different products or services or have different processes for similar organisation functions.
To help identify the greatest vulnerabilities in an organisation’s business continuity, an impact analysis for processes (e.g. sales), products, services or office locations should be done. The policy and programme management part of the life cycle carries out this risk analysis at a strategic level; here, it is performed at a more detailed, technical level.
As mentioned for the embedding step, practice is important to get staff engaged and proficient in BCP procedures. However, practice is also important to check that the plans actually work and provide a workable solution that meets the requirements. One of the metrics that might be used here is the time it takes to restore operational capability following an incident. If the whole process works but takes too long to use, it may fail the validity test.
Overall outcomes and support strategy are decided by management. To work effectively, senior management must be engaged and committed to the process. Policy establishes the guiding principles around which the programme is built; for example, setting conditions relating to supply chains. Programme management should identify which parts of an organisation need a BCP and will have a BCP applied to them. These parts can include processes (e.g. sales), products, services or office locations. Programme management should also identify roles and responsibilities that enable the programme to operate.
BCP and 6 processes model employed in ISO/IEC 22313:202
Google BCP