Business Continuity Plan

The document discusses business continuity planning and disaster recovery strategies. It provides definitions for key terms like business continuity plan, disaster recovery plan, and recovery time objectives. The main points are: 1. A business continuity plan provides the framework for initiating recovery operations immediately following a disruption and resuming critical services with minimum delay. 2. Disaster recovery planning details the processes to restore critical technical and business functions in the event of disasters like fires, floods or cyberattacks. 3. Effective recovery strategies are necessary to limit the consequences of damaging events and ensure the timely resumption of critical operations through approaches like redundant sites, hot sites, warm sites and cold sites.

Uploaded by

Diana Roșca

IT AUDIT
Business Continuity Planning
BCP
•  Disaster Recovery Planning is a set of procedures and
instructions that detail the processes to be followed to
restore critical technical and business functions.

•  A Business Continuity Plan provides the vital preplanned
framework for initiating recovery operations immediately
following a disruption. It also provides guidance for
damage assessment and the planned actions that must
be taken to resume critical services and restore full
business operations with minimum delay.
BCP
•  Natural disasters such as earthquakes, floods, volcanic eruptions,
fires, etc.
•  Extreme weather phenomena: storms, hurricanes, tornadoes
etc.
•  Climate phenomena: excessive temperature, magnetic storms,
snow storms etc.
•  Social & terrorist events.

All the threats mentioned above expose companies and
their information systems to important risks:
•  hardware and communication components, data and software
storage devices can be destroyed,
•  human resources can be affected,
•  power supply networks can be affected and, as a consequence,
the availability and integrity of the information systems and the
quality of the data processing will also be affected, etc.
BCP

Establish and maintain an organization-wide business
continuity plan that addresses:

1.  Critical services and operations provided by internal and
external sources;
2.  Resources needed to support the critical functions;
3.  Steps to be taken in a business disruption;
4.  Coordination with outside parties when necessary;
5.  Defined Business Continuity and Recovery Teams;
6.  Board approval and annual review and schedule.

The information for 1 and 2 is provided by a phase in BRP’s
design - BIA (Business Impact Analysis).
BCP
Recovery strategies are necessary to limit the consequences of
damaging events and ensure the timely resumption of critical
operations.
There are various strategies for recovering critical information
resources. The appropriate strategy is the one that is most
efficient and effective based on the relative risk level identified
in the business impact analysis.
This strategy is often dictated by the defined recovery timeline
and expectations.
BCP

Establish IT recovery strategies and procedures for
mission critical systems, which:
–  Prioritize system recovery;
–  Define responsibilities;
–  Establish expectations for recovery time;
–  Allow flexibility by providing alternate solutions when
necessary.
BCP
•  Business Continuity Plan (BCP). The
BCP focuses on sustaining an
organization’s business functions during
and after a disruption.
BCP

•  Regular training should be conducted in the
agreed emergency procedures and processes,
including crisis management. This should ensure
that the execution of the Business Continuity
Plan is effective when a disruption occurs. It is
also important that an effective cross training
program be in place to ensure that vital
functions can be effectively performed if key
personnel are unavailable at the time of a
disruption.
•  IT systems are considered in the BCP in terms of their
support to the business processes. In some cases,
the BCP may not address long-term recovery of
processes and return to normal operations, solely
covering interim business continuity requirements. A
disaster recovery plan, business resumption plan, and
occupant emergency plan may be appended to the BCP.
Responsibilities and priorities set in the BCP should be
coordinated with those in the Continuity of Operations
Plan (COOP) to eliminate possible conflicts.
•  Business Recovery Plan (BRP), also
Business Resumption Plan. The BRP
addresses the restoration of business processes
after an emergency, but unlike the BCP, lacks
procedures to ensure continuity of critical
processes throughout an emergency or
disruption. Development of the BRP should be
coordinated with the disaster recovery plan and
BCP. The BRP may be appended to the BCP.
•  Continuity of Operations Plan (COOP). The
COOP focuses on restoring an organization’s
(usually a headquarters element) essential
functions at an alternate site and performing
those functions for up to 30 days before
returning to normal operations. Because a COOP
addresses headquarters-level issues, it is
developed and executed independently from the
BCP.
•  Continuity of Support Plan/IT
Contingency Plan. Because an IT
contingency plan should be developed for
each major application and general
support system, multiple contingency
plans may be maintained within the
organization’s BCP.
BCP
•  Crisis Communications Plan. Organizations should
prepare their internal and external communications
procedures prior to a disaster.
•  A crisis communications plan is often developed by the
organization responsible for public relations.
•  The crisis communication plan procedures should be
coordinated with all other plans to ensure that only
approved statements are released to the public.
•  Plan procedures should be included as an appendix to
the BCP.
•  The communications plan typically designates specific
individuals as the only authority for answering questions
from the public regarding disaster response. It may also
include procedures for disseminating status reports to
personnel and to the public. Templates for press releases
are included in the plan.
•  Cyber Incident Response Plan. The Cyber Incident
Response Plan establishes procedures to address cyber
attacks against an organization’s IT system(s). These
procedures are designed to enable security personnel to
identify, mitigate, and recover from malicious computer
incidents, such as unauthorized access to a system or
denial of service, or unauthorized changes to system
hardware, software, or data (e.g., malicious logic, such
as a virus, worm, or Trojan). This plan may be included
among the appendices of the BCP.
•  Disaster Recovery Plan (DRP). As suggested by its
name, the DRP applies to major, usually catastrophic,
events that deny access to the normal facility for an
extended period. Frequently, DRP refers to an IT-focused
plan designed to restore operability of the target system,
applications, or computer facility at an alternate site
after an emergency. The DRP scope may overlap that of
an IT contingency plan; however, the DRP is narrower in
scope and does not address minor disruptions that do
not require relocation. Dependent on the organization’s
needs, several DRPs may be appended to the BCP.
•  Occupant Emergency Plan (OEP). The OEP provides
the response procedures for occupants of a facility in the
event of a situation posing a potential threat to the
health and safety of personnel, the environment, or
property.
•  Such events would include a fire, hurricane, criminal
attack, or a medical emergency.
•  OEPs are developed at the facility level, specific to the
geographic location and structural design of the building.
General Services Administration (GSA)-owned facilities
maintain plans based on the GSA OEP template. The
facility OEP may be appended to the BCP, but is
executed separately.
Types of Contingency-Related
Plans
BCP – Key points

•  Train the personnel involved in


executing the Business Continuity
Plan and recovery strategies.
•  Review and update training needs as
changes in plans occur—at least
annually
BCP
Develop and implement backup, storage, and
rotation procedures of critical systems including
hardware, software, and documents. Consider the
following in the backup and storage process:
• Location of backup media (in-house and offsite);
• Physical and data security at the backup site;
• Backup routines for corporate and branches;
• Current list of personnel authorized to access the
off-site storage location.
Solutions for IT recovery
•  Redundant site: it is a duplicate site that can immediately perform
the tasks of the operational center if it is affected. Recommended
for processes that cannot be interrupted.
•  Hot site: preconfigured. Data restore operation is needed.
Operational in 4 to 24 hours.
•  Warm site: needs equipment installation. Operational in days.
•  Cold site (there is a space with minimum facilities. We have
contracts with suppliers for hardware components)
•  Facilities for duplicate data processing
•  Reciprocity agreements with other entities
•  Mobile units
