Get Prepared And Pass The CISSP Exam

Business Continuity Planning and Disaster Recovery Planning

Process of Business Continuity Management

Business Continuity Management (BCM) is a management framework that gives an organization the ability to respond effectively to threats such as natural or man-made disasters or failures, in order to keep the business running and to prevent interruptions. The BCM process consists of creating a Disaster Recovery Plan and a Business Continuity Plan.

Business Continuity Plan

A business continuity plan is concerned with the timely recovery of business operations after a natural or man-made disaster occurs. Its main goal is to reduce the overall impact of a major disaster and to ensure continuity of the critical business functions. The Business Continuity Plan is a part of Business Continuity Management, and it kicks in after the disaster strikes.

According to NIST 800-34 the BCP process is divided into the following 7 steps:
1. Develop the continuity plan.
2. Conduct the Business Impact Analysis (BIA).
3. Identify Preventive Controls.
4. Develop Recovery Strategy.
5. Develop the Contingency Plan.
6. Test the plan, conduct training and exercise.
7. Maintain the plan.

Elements of the BCP

The prime elements of the BCP are:
1. Awareness and Discovery
2. Contingency planning goals
3. Statement of importance
4. Statement of priorities
5. Statement of organizational responsibility
6. Statement of urgency and training
7. Risk Assessment
8. Vital Record Program

Resource Categories of BCP

Six important resource categories are:
1. Human resources
2. Processing capabilities
3. Computer based services
4. Automated applications and data
5. Physical infrastructure
6. Documents, records and media

Business Impact Analysis

Business impact analysis (BIA) is a component of the organization’s business continuity planning. In general, it consists of discovering threats and vulnerabilities to business-critical functions and calculating the risk for each individual function. The result of the BIA is a business impact analysis report. The BIA is important for predicting the consequences of disruption of a business function and process and for gathering the information needed to develop recovery strategies. The following are the detailed steps of the BIA:
1. Select the individuals to interview for data gathering.
2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3. Identify the company’s critical business functions.
4. Identify the resources these functions depend upon.
5. Calculate how long these functions can survive without these resources.
6. Identify vulnerabilities and threats to these functions.
7. Calculate the risk for each different business function.
8. Document findings and report them to management.

Disaster Recovery

The goal of disaster recovery is to minimize the effect of disruptive events and to protect the organization in the event that all or part of its operations and/or computer services are rendered unusable. It is executed at the time these events occur; it describes the necessary steps that have to be taken to ensure that business operations are resumed in a timely manner. Other objectives of disaster recovery planning include: providing a sense of security; minimizing the risk of delays; guaranteeing the reliability of standby systems; providing a standard for testing the plan; and minimizing decision-making during a disaster. A disaster recovery plan is a comprehensive statement of consistent actions to be taken before, during and after a disaster. The plan should be documented and tested to ensure the continuity of operations and the availability of critical resources in the event of a disaster.

DR Planning Process

The DR process methodology includes the following steps:
1. Obtain Top Management Commitment - management must support and be involved in the development of the disaster recovery planning process. Management should be responsible for coordinating the disaster recovery plan and ensuring its effectiveness within the organization.
2. Establish a planning committee - the planning committee should include representatives from all functional areas of the organization. Key committee members should include the operations manager and the data processing manager. The committee also should define the scope of the plan.
3. Perform a risk assessment
4. Establish priorities for processing and operations - processing and operations should be analyzed to determine the maximum amount of time that the department and organization can operate without each critical system.
5. Determine Recovery Strategies
6. Perform Data Collection - recommended data gathering materials and documentation include: backup position listing; critical telephone numbers; communications inventory; equipment inventory; documentation inventory; insurance policy inventory; main computer hardware inventory.
7. Organize and document a written plan
8. Develop testing criteria and procedures
9. Test the Plan
10. Approve the plan

SWOT Analysis

SWOT analysis is a structured planning method used to evaluate the Strengths, Weaknesses, Opportunities, and Threats involved in a project or in a business venture. A SWOT analysis can be carried out for a product, place, industry or person. It involves specifying the objective of the business venture or project and identifying the internal and external factors that are favorable and unfavorable to achieving that objective. The SWOT analysis is a key component in strategic planning. The analysis subjectively evaluates the impact of internal and external factors for a business objective. Internal processes and resources are considered strengths and weaknesses (S and W, respectively). External factors affecting the business and industry are considered opportunities and threats (O and T, respectively). An evaluation of these factors develops a strategic perspective that includes the competitive landscape and current market conditions.
A SWOT analysis is important in the BCM process to ensure that each of the individual objectives that make up the scope of the project is properly defined and planned for. Each individual objective must be analyzed to ensure that it is actually attainable.

Backup Sites

A backup site is a location where an organization can easily relocate following a disaster, such as fire, flood, terrorist threat or other disruptive event. This is an integral part of the disaster recovery plan and wider business continuity planning of an organization.

Cold Site

A cold site is the least expensive type of backup site. It has neither hardware set up nor backed-up copies of data and information from the original location of the organization. The lack of hardware contributes to the minimal start-up costs of the cold site, but additional time is required following the disaster to get operations running at a capacity close to that prior to the disaster.

Hot Site

A hot site is a duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data. The data, however, is not synchronized in real time. Following a disruption to the original site, the hot site exists so that the organization can relocate with minimal losses to normal operations. Ideally, a hot site will be up and running within a matter of hours or even less.

Warm Site

A warm site is a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. Warm sites will have backups on hand, but they may not be complete and may be between several days and a week old. An example would be backup tapes sent to the warm site by courier.

Mobile Site

A mobile site provides mobile equipment on wheels, typically available on a trailer.

Redundant Site

A redundant site is an improvement on a hot site because a data replication facility exists. This means that in case of a disaster there can be a completely transparent switch between the original and the redundant site.

Backup Types

Full Backup

All the data on the device is backed up completely every time the backup runs. This type of backup can be restored completely independently from any other backups. The disadvantages of this type of backup are that it is more time consuming and takes more backup space.

Differential Backup

A differential backup backs up the files that were changed since the last full backup. Only the files that are different since the last full backup are saved. Differential backups require less space and the backup time is faster. The disadvantage is that restore times may be longer, because you have to restore both the full and the differential backup.

Incremental Backups

An incremental backup backs up the files that have changed since the last incremental backup. Backup time is fast and the required disk space is less than with a full backup. To restore the data, however, you have to have all the incremental backups. It may take a long time to restore specific files.
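
The restore requirements of the three backup types can be compared with a small restore-chain planner. This is an added example, not part of the original page: the names Backup, weekly_schedule and restore_chain are hypothetical, and the schedule (a full backup on day 0 followed by daily backups on days 1-5) is constructed sample data. It shows that one unreadable incremental blocks every later restore point, while a differential schedule only needs the full backup and the newest differential.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Backup:
    day: int         # day the backup ran (constructed sample data)
    kind: str        # "full", "differential" or "incremental"
    ok: bool = True  # False when the media is lost or unreadable

def weekly_schedule(kind, lost_days=()):
    """Constructed sample: full backup on day 0, then a `kind` backup on days 1-5."""
    return [Backup(0, "full")] + [Backup(d, kind, d not in lost_days) for d in range(1, 6)]

def restore_chain(catalog, target_day):
    """Return the backups, oldest first, needed to restore the state of target_day."""
    usable = sorted((b for b in catalog if b.day <= target_day), key=lambda b: b.day)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise LookupError("no full backup on or before the target day")
    base = fulls[-1]                      # every restore starts from the latest full
    later = [b for b in usable if b.day > base.day]
    diffs = [b for b in later if b.kind == "differential"]
    incs = [b for b in later if b.kind == "incremental"]
    if diffs and incs:
        raise ValueError("mixed differential/incremental schedules are out of scope here")
    # Differential: only the newest one is needed. Incremental: every one since the full.
    chain = [base] + (diffs[-1:] if diffs else incs)
    bad = [b.day for b in chain if not b.ok]
    if bad:
        raise LookupError(f"restore to day {target_day} blocked: unreadable backup(s) from day(s) {bad}")
    return chain

if __name__ == "__main__":
    for kind in ("full", "differential", "incremental"):
        for lost in ((), (3,)):
            try:
                days = [b.day for b in restore_chain(weekly_schedule(kind, lost), 5)]
                print(f"{kind:12} lost={lost}: restore days {days}")
            except LookupError as err:
                print(f"{kind:12} lost={lost}: {err}")
```
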