
TI0075

Business Continuity Planning
BC/DR Plan Maintenance
Overview
• In this chapter, we’ll discuss various considerations for
maintaining your BC/DR plan, especially in the face of indifference
or resistance.
Objectives
• Maintaining the plan you’ve developed may end up being the
biggest challenge you face in the entire business continuity and
disaster recovery plan process.
• If you found lack of enthusiasm or outright resistance to the
BC/DR process, you may find that support for maintaining the
plan simply vanishes.
• Many people assume that once the project is complete, they can
simply chalk up another successful project and move on, but that’s
far from true. Maintaining the plan is essential to continued
readiness.
Contents
• BC/DR change management
• Strategies for managing change
• BC/DR plan audit
• Plan maintenance activities
• Project close out
BC/DR PLAN CHANGE MANAGEMENT
• Change is constant in organizations—change in operations,
change in technology, change in personnel, change in
regulations—the list goes on.
• You might be wondering how you can possibly reflect these
changes in your BC/DR plan without having a full-time dedicated
BC/DR team.
• It is challenging, but there are a few strategies you can use to
reduce the complexity and enormity of the task.
• Change management has several discrete steps, as depicted in
Figure 10.2.
[Figure 10.2: Change management steps]
Training, testing, and auditing
• In Chapter 9, we discussed the activities related to developing,
delivering, and evaluating training.
• You learned that training often involves testing the plan, and that
testing the plan trains staff on how to implement the plan and
carry out the tasks assigned.
• Changes will naturally come out of these processes, and that’s part
of the purpose of training and testing.
• It’s difficult, if not impossible, to develop a perfect plan the first
time through.
• It’s not until you try putting the plan to work that you discover
steps out of order, errors, omissions, or redundancies.
• As you deliver your training and perform your testing, you should
capture a list of changes that need to be made to the BC/DR plan.
• These changes should be submitted for review.
Changes in information technologies
• The IT audit discussed in Chapter 9 is one of the ways you can
keep track of changes to IT, but clearly this area is the one most
subject to change and risk.
• You and your IT team are more than likely extremely familiar with
reviewing and assessing change—from the location and duties of
various servers to the implementation of new applications to the
reorganization of existing infrastructure.
• As you know, even the most innocuous changes can suddenly
inject all kinds of problems into your network and systems.
• As you continue to manage your day-to-day IT operations, you
should consider including an additional step in some of your
processes that reminds you to assess the process against BC/DR.
• As systems are upgraded, swapped out, modified, or retired, be
sure to include a line item task to consider the impact on BC/DR
plans.
Changes in operations
• During your risk assessment, you determined the mission-critical
business functions that needed to be addressed in your BC/DR plan.
• Clearly, operations are not static, and changes over time to operations
may impact the BC/DR plan.
• Reorganization, expansion, new departments, new facilities, and new
management structures can all impact operations in a variety of ways.
• In some cases, changes in operation happen slowly over time and these
changes may go unnoticed as they relate to the BC/DR plan.
• The key is to be sure your BC/DR plan addresses your mission-critical
business functions and if those shift over time, your plan needs to be
updated.
• Changes to operational processes should be implemented as needed, but
it would help if your operations staff understood that any changes to
their key processes should be flagged so the BC/DR team can review the
impact of those changes on the plan and revise as needed.
Corporate changes
• Corporate mergers, acquisitions, spin-offs, restructuring, and other types
of corporate changes can have a major impact on the BC/DR plan.
• IT staff will have a big enough challenge figuring out how to incorporate
the required IT changes for daily operations, much less trying to figure
out how all this impacts BC/DR activities.
• The best you can do most of the time is to continually look to incorporate
BC/DR activities into your normal operations and planning activities and
to continually look to protect data first. If you know with certainty
that your critical data are safe, putting systems in place to access and
utilize that data can be secondary during times of turbulent or
unexpected change.
• Sometimes, the BC/DR elements can be addressed through standard IT
planning processes with an additional line item task.
• Assessing how the plans impact BC/DR may help the team choose from
among several viable alternatives or it might point out a path that
optimizes immediate BC/DR capabilities.
Legal, regulatory, or compliance changes
• Changes to the legal, regulatory, or compliance landscape will
certainly trigger required changes to your BC/DR plan.
• For example, if laws change regarding data security, you will have
to review your BC/DR plan to determine whether your existing
plan meets these new requirements or whether you’ll need to
implement additional tools, technologies, or processes.
Strategies for managing change
• Two key strategies for managing change are having a process for
monitoring and a process for evaluating change requests.
• It’s usually easier to monitor change and respond to it as needed
over time rather than sitting down once a year and trying to
remember (or determine) what’s changed since your last review
of the plan.
• The easiest way to monitor change throughout the organization,
as it relates to BC/DR plans, is to include an additional step or two
in standard operating procedures.
• These steps can be as simple as “Determine impact, if any, on
BC/DR plan. If impact exists, submit BC/DR change request to [insert
position responsible for managing BC/DR change requests].”
Monitor change
• Implementing processes for monitoring change can make your job
of maintaining the BC/DR plan much easier.
• Develop processes that can be incorporated into everyday
workflows so that as changes occur, they can quickly be assessed
for their potential impact on the BC/DR plan.
• If the change has no impact, it can be ignored (from a BC/DR
perspective).
• If the change will have an impact, a change request should be
submitted to the BC/DR team.
• (Note: We’ll use the term change request to keep it simple,
but it will refer to either a change request or notification.)
People
• People leave organizations, get promoted, or move into different
jobs.
• A periodic review of changes to the organization can help you
determine if there have been personnel changes that impact your
plan.
Process
• Changes to processes should be monitored as well. Subject matter
experts or members of the BC/DR team can be tasked with
monitoring changes to key processes and flagging changes for
BC/DR review.
• Many corporate processes remain fairly unchanged over time;
however, some companies that are in high growth mode or that
are streamlining operations, for example, might have significant
changes to their daily operations.
• Changes to mission-critical functions should be reviewed with the
highest priority, since the BC/DR plan could potentially fail if it is
implemented without reflecting these changes.
Technology
• If your company works with scientific equipment, manufacturing
equipment, medical equipment, or other specialized technology,
changes in this arena should be monitored and assessed to
determine whether the BC/DR plan requires modification.
• Often changes in technology create changes in processes, so the
trigger for review and modification may come from either area.
• However, a process for triggering a review should be included in
your technology implementation plans to keep the BC/DR plan
maintenance effort as low as possible.
Evaluate and incorporate change
• The change review process should be well defined for your BC/DR plan and someone
should be specifically responsible for processing change requests.
• In some cases, this is the BC/DR project manager, in other cases, it may be a role
assigned to a team member or it may be managed through some other existing process.
• Regardless, remember the project management adage: Every task must have an owner.
• If no one on your team is specifically tasked with this deliverable, it will not get done
and it’s the single most important facet of keeping your BC/DR plan up to date.
• Most project managers use a change management process for managing their projects
and the same types of processes are useful here.
• As you know, not all changes requested can or should be implemented into a plan.
• Additionally, even if a change should be made to a plan, there are numerous
considerations before incorporating the change into the plan.
• If you have a standardized change management process that you’ve worked with
successfully in the past, you may want to use it here.
• Be sure to review your process to ensure it’s appropriate to change management in the
BC/DR process.
Manage change
• Here are some points to consider for a periodic process to manage change:
1. Compile all change requests and prioritize based on potential risk,
vulnerability, and impact (if applicable).
2. Determine if any change requests are required for legal, regulatory, or
compliance reasons. If so, flag these as required changes.
3. Review compiled change requests, review for redundancy, relevancy, etc.
Revise compiled list as appropriate.
4. Prioritize compiled list. For each item, determine how the change impacts
(or is impacted by):
• Selected risks and threats
• Threat vulnerability
• Business impact analysis
• Risk mitigation strategies
5. Assess potential cost, risk profile (does it inject or reduce risk?), desirability,
feasibility, and interaction with other elements of the plan.
6. Determine if change request should be incorporated, delayed,
rejected, or closed.
7. For each change request incorporated, document impact to BC/DR
plan in detail. Advise change requestor of change acceptance, if
appropriate.
8. For each change incorporated, determine need for additional
training or testing activities. Trigger notification for training,
testing, or auditing if appropriate.
9. For each change delayed, document reason for delay and how
change will be processed later. Communicate decision to change
requestor, if appropriate.
10. For each change rejected or closed, document reason for denying
change. Communicate the status of the change with the rationale to
the requestor, if appropriate.
11. For all approved changes, make revisions to BC/DR plan, note
change in plan, and notify plan stakeholders of plan revision, if
appropriate.
BC/DR PLAN AUDIT
• The plan audit is a process in which you review the BC/DR plan against
specific requirements.
• The audit does not test the plan.
• From an audit perspective, there is no assurance that the steps and processes
included in the plan will work.
• The audit does not train people in the use of the plan or in the skills needed
to implement and execute the plan.
• The audit is a more impartial review of the plan to assess whether it meets
the company’s overall needs.
• An audit should be performed as a standard project and an audit plan should
be created. This plan should include, at minimum:
• Audit scope, timeline, requirements, and constraints
• Review of corporate risks and risk management strategies including BC/DR
• Review of business impact
• Review of BC/DR plan development activities
• Review of BC/DR plan test plans and activities
• Review of BC/DR plan training plans and activities
• Review of BC/DR change management and plan maintenance processes
PLAN MAINTENANCE ACTIVITIES
• There are a number of activities beyond change management that can help you keep your
plan up to date and ready to go.
1. If the plan is revised, the BC/DR team members (or those who should have the latest
copy of the plan) should be notified in a timely manner.
2. The plan should use a revision numbering system so team members know whether they
have the latest version of the plan.
3. Review, update, and revise key contact information regularly. This includes staff, vendors,
contractors, key customers, alternate sites, and facilities, among others.
4. Create a BC/DR plan distribution list that is limited to authorized personnel but that
includes all relevant parties. This distribution list should include off-site and remote
facilities that may be used in the event of BC/DR plan activation.
5. Be sure there are up-to-date copies of the BC/DR plan off-site in the event the building is
inaccessible. Alternatively, be sure a copy is secure but accessible in the cloud and
provide secure access to these documents.
6. Be sure there are up-to-date paper copies and/or CDs/DVDs/thumb drives of the BC/DR
plan on-site in the event IT systems go down. If these contain sensitive information such
as key codes, passwords, or other credentialing data, ensure they are encrypted or kept
in a secure location that would be accessible during a disaster.
7. Implement a process whereby all old versions of the plan are destroyed or archived and
new versions replace them. This helps avoid a scenario where team members are
working from different versions of the plan.
8. Always check soft copy and remote storage copies of your plan when changes are
made to the plan. If you store copies off-site or at your alternate work site, these
versions should be updated any time the plan is modified.
9. Whenever significant changes are requested or implemented, test the plan. This will
ensure there are no new areas of concern and will help train staff on the changes.
10. Integrate BC/DR considerations into operational processes to reduce plan
maintenance efforts in the future.
11. Assign responsibility for managing BC/DR change notification and requests to
someone on the BC/DR team. The project management adage that “a task without
an owner won’t get done” is especially true here.
12. Document plan maintenance procedures and follow these procedures to avoid
introducing additional risk into the project. Use periodic prescheduled meetings to
ensure these events occur on a regular basis.
13. Incorporate training into the change process so changes to people, process, and
technology that are incorporated into the BC/DR plan also trigger changes to
training plans.
14. Include BC/DR plan testing, training, auditing, and maintenance activities in your IT
or corporate budget for future activities related to BC/DR.
PROJECT CLOSE OUT
• Now that you’ve completed work on your plan, you may be ready
to launch into a training or testing activity, or you may be ready to
put the whole project away until the next review period.
Regardless of what you decide your next steps are, you should
take time to do several project close-out activities.
1. Ensure all documentation is complete and finalized.
2. Ensure the BC/DR plan is distributed to appropriate personnel.
3. Announce plan completion to project sponsor and other project
stakeholders; gain formal approval or sign-off.
4. Announce plan completion to company to increase awareness
and celebrate success.
5. Announce plan completion to regulatory authorities, as
appropriate or required.
6. Announce training or testing plans, if appropriate.
7. Hold a project review session to discuss lessons learned and
incorporate into process. This should not be held at the same
time as a project close out or celebration. This should be a
working meeting to capture best practices and lessons learned.
8. Hold project close-out meeting to celebrate completion and
recognize individual efforts, as appropriate.
9. Complete any staff reviews related to project work.
10. Submit summary or close out report to project sponsor,
executive team, or other stakeholders, as appropriate.
11. Update legal or compliance documentation to reflect BC/DR
readiness, as appropriate.
12. Set date for next BC/DR audit, review, testing, or training.
Lesson Overview
• Changes in IT are constant and incorporating methods of assessing
impact to the BC/DR plan in standard operating procedures will help
reduce maintenance efforts.
• Changes in operations may happen slowly over time and be almost
imperceptible, or they may happen quickly and in obvious ways.
Developing a process for change notification within standard operating
procedures can help reduce resistance to plan maintenance.
• Corporate changes include mergers, acquisitions, and downsizing.
Corporate changes often are planned behind closed doors and are then
announced. The BC/DR team must respond to these changes by
evaluating the potential impact to the plan.
• In many cases, the best approach to plan maintenance is to incorporate
an additional step or two in procedures so that the potential impact to
BC/DR plans can be evaluated.
• Legal, regulatory, or compliance changes may trigger required changes
to the BC/DR plan. These should be flagged for special handling to ensure
they are incorporated per requirements.
Summary
• After all your hard work and diligent effort, the best scenario will
be that your plan is never implemented.
• Even though you may not see your plan in action, you may find
that the process of creating this plan has vastly improved your
knowledge and understanding of your company and perhaps
improved some of your company’s business processes along the
way.
• Perhaps even more important, you’ll know that you’ve done the
best job possible protecting your company’s valuable data and
helping to ensure the continuity of the business.
• Congratulations on completing your BC/DR plan.
Question & Answers
