
Week 2 Assignment

Kisha Coleman ISSC361

Business continuity planning is a methodology used to create a plan for continuous business operations before, during, and after a disaster or disruptive event. Some industries, such as banking and corporate networks, cannot afford downtime and thus create and maintain BCPs along with DR (Disaster Recovery) plans. Why would a business or IT professional be concerned with having a BCP? BCPs first gained popularity back in the 1990s. The looming Y2K event had businesses scrambling to patch, update and prepare their businesses or systems to keep functioning and cushion the financial loss if the event did occur. Luckily nothing happened, but businesses and the IT sector began to focus on what-ifs and the possibility that experiencing any downtime would be financially disastrous. The whole idea of a BCP is to ensure the business keeps on running regardless of cost, risk or threat. Implementing a BCP can be very expensive to maintain. Regardless of whether a business decides to purchase a redundant system/network or set up a temporary one, the costs would be justifiable compared to the losses associated with a disruption in business. According to the Disaster Recovery Institute International (www.drii.org), for Fortune 500 companies, business and system downtime costs an average of $96,000 per minute! An IT professional's role, in addition to developing or participating in the development of the BCP, is to understand what happens to technology components during different types of disasters. Some types of disasters to consider could be natural and man-made events or accidents such as power outages and water, gas and communication disruptions. There are also state and federal mandates that require a company to have a contingency plan or a plan of action to protect consumers from PII or data leakage. The HIPAA Security Rule has a set of security standards for securing electronic health information. It's important to understand that not all disasters can be avoided.
You can mitigate the risk with a well-defined plan. Also, the plan will not typically address any one particular disaster. It merely addresses a worst-case scenario. The steps should include the following:

1. Project Initiation - This is the planning phase where the IT professional defines the purpose of the BCP and outlines the goals, objectives, scope and assumptions. You also choose the stakeholders and team members.

2. Assess the Risk - Usually this is done early in the development of the plan. Look at existing plans that are already in place. Consult with external organizations including local government agencies, public utilities, law enforcement and industry experts. Identify internal and external resources.

3. Business Impact Analysis - Do a business impact analysis using a chart: assign a number estimating the impact an event could have on the business. You should consider all resources, such as voice and data communications, data files (both hard copy and electronic), the data center, IT infrastructure, off-site facilities, hardware, software, etc. Some resources will take precedence over others. For example, it may be OK to have the email server go down, but the systems that run financial data cannot go down.

4. Mitigation Strategy Development - This could be as simple as a tape rotation cycle in which tapes are rotated off-site, or as big as moving operations to a cold, warm or hot site. During this stage the critical question to ask is: how can risk be reduced, avoided, transferred or accepted?

5. Plan Development - This is where you outline the steps that will be taken if the plan is activated, and the methods you will follow, the requirements, the scope, budget, quality assurance and timeframe. It's essentially the what, where, how, and who.

6. Training, Testing, Auditing - All the key players will be involved in this step. They will need to be trained on what to do in the event of a disaster. The plan should outline a procedure for notifying key players. For example, the person who is first made aware of the incident will notify the immediate supervisor, who will then notify the top stakeholder, and so on. Usually a mock table-top exercise is conducted annually to simulate an event and the steps taken to recover. Afterwards, an assessment or Lessons Learned meeting should be conducted to determine if the BCP was followed as outlined, what mistakes were made, if any, and what changes or modifications are needed.

7. Plan Maintenance - Threats to a business or IT infrastructure are constantly evolving. Back in the '70s and '80s, a business did not have to worry about a virus bringing down its network or someone trying to detonate a bomb. The Y2K event, the 9/11 tragedy, Hurricane Katrina, the Pacific tsunami, earthquakes, hacker syndicates and world unrest mean that the plan will have to be reassessed periodically to ensure that all possible threats are taken into consideration.

Nearly all businesses are developed from a business plan, which outlines how the business will operate. But not all businesses develop a business continuity plan, which outlines how the business will continue to function in the event of a disaster or data loss. The downside of not having a plan could mean that the business will likely lose an untold sum of money, or will cease operations altogether. The IT professional should understand the risks to an organization and develop a plan that will avoid risk, transfer it, or accept it to some degree. Having a viable plan will ensure that the business will continue on in some capacity until it can fully recover from an event.
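Steps 3 and 4 above describe scoring each resource on a chart and then choosing a mitigation for it. As an added illustration that is not part of the original assignment, the Python below turns such a chart into a weighted impact score, a criticality tier, a recovery order and a mitigation choice. The weights, tier thresholds, tolerable-outage minutes and the tier-to-mitigation mapping are assumptions chosen for the example, and the sample resources are constructed.

```python
from dataclasses import dataclass

# Weights for the three impact dimensions on the BIA chart (assumed values, not from the essay).
WEIGHTS = {"financial": 0.5, "operational": 0.3, "regulatory": 0.2}
# Which of the essay's step-4 mitigation options each criticality tier gets (assumed mapping).
STRATEGY = {"critical": "hot site", "important": "warm site", "deferrable": "off-site tape rotation"}

@dataclass
class Resource:
    name: str
    financial: int             # 1 (negligible) .. 5 (severe) impact if the resource is lost
    operational: int
    regulatory: int
    tolerable_outage_min: int  # minutes the business can run without it (constructed figure)

def impact_score(r: Resource) -> float:
    """Weighted impact, on the same 1..5 scale as the chart entries."""
    raw = (WEIGHTS["financial"] * r.financial
           + WEIGHTS["operational"] * r.operational
           + WEIGHTS["regulatory"] * r.regulatory)
    return round(raw, 2)

def tier(r: Resource) -> str:
    """Criticality tier from the score; thresholds are assumed and should be tuned per business."""
    s = impact_score(r)
    if s >= 4.0:
        return "critical"
    if s >= 2.5:
        return "important"
    return "deferrable"

def recovery_order(resources: list[Resource]) -> list[str]:
    """Restore order: highest impact first; the shorter tolerable outage breaks ties."""
    ranked = sorted(resources, key=lambda r: (-impact_score(r), r.tolerable_outage_min))
    return [r.name for r in ranked]

def bia_chart(resources: list[Resource]) -> dict[str, tuple[float, str, str]]:
    """name -> (score, tier, mitigation strategy): the rows the BIA chart would hold."""
    return {r.name: (impact_score(r), tier(r), STRATEGY[tier(r)]) for r in resources}

# Constructed sample chart covering the resource types the essay lists.
SAMPLE = [
    Resource("financial systems", 5, 5, 5, 15),
    Resource("data center", 5, 5, 3, 30),
    Resource("voice/data comms", 3, 4, 1, 120),
    Resource("email server", 2, 3, 1, 480),
]

if __name__ == "__main__":
    print(bia_chart(SAMPLE), recovery_order(SAMPLE), sep="\n")
```

With these inputs the email server lands in the lowest tier while the financial systems come first in the recovery order, matching the essay's own example of which outage is tolerable.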

The plan should be thorough and include the recommendations and input of both internal and external agencies. The stakeholders should be properly trained, and an annual mock exercise needs to be conducted to simulate an event and recovery. The plan needs to be re-evaluated periodically as new threats are assessed.
