
Establishing a Business Continuity Plan - Essay Example

Summary
In the paper “Establishing a Business Continuity Plan” the author analyzes establishing BCP/DR planning and Incident response teams/planning. The role of BCP senior management committee provides oversight, initiation, planning, approval, testing and audit…

Extract of sample "Establishing a Business Continuity Plan"

Establishing a Business Continuity Plan

A complete BCP consists of the five characteristics listed below:

  • BCP Governance
  • Business Impact Analysis (BIA)
  • Procedures, strategy and provisions for business continuity
  • Instant procedures
  • Quality assurance techniques (exercises, maintenance and auditing)

1.1 Forming a Governance Structure

A governance structure in the form of a committee is embedded within a BCP. In fact, the BCP allows senior management assurance, as well as delineating the responsibilities of senior management. The BCP senior management committee provides oversight, initiation, planning, approval, testing and audit. However, the implementation of the BCP is responsible for the coordination of activities, BIA survey approval, creating continuity plans and evaluation of the quality assurance activities. The following are some of the responsibilities performed by the senior leadership of the BCP committee:

  • Governance structure approval.
  • Specify the responsibilities of the persons involved in the program.
  • Administration of the procedures and planning committee, developing teams and working groups.
  • Necessary messages and strategies must be communicated.
  • BIA results must be approved.
  • Assessment of identified significant services and products.
  • Continuity procedures and plans approvals.
  • Quality of the services must be observed.
  • Determining problems and demonstrating their solutions.

The members involved in the BCP include the executive sponsor, who controls all the responsibilities related to the BCP and also ensures the availability of sufficient funding as well as the procedures regarding senior management support and direction.
In fact, the senior management's support is responsible for BCP Coordinator security, evaluation of necessary funds, policy making of the BCP, observing the BIA procedures, effective consumer participation, observing development plans related to business continuity, forming working groups and teams, organizing proper training, and offering routine testing, auditing and analysis of the BCP. In order to ensure all the security requirements of the BCP in any organization, the security officer must work with the coordinator. In addition, the Chief Information Officer (CIO), the IT specialist and the BCP coordinator work together on the development of effective business continuity. The performance is further analyzed through the input provided by the business unit representatives. However, the BCP committee is generally co-chaired by the coordinator and the executive sponsor.

1.2 Prioritizing Critical Services or Functions

The prioritization of the services or products that are initially identified is based on the lower delivery levels and higher time period of the services. In order to conclude the significant ranking of the services, information is needed to determine the distracted impact on service delivery, loss of revenue, additional expenses and intangible losses.

1.3 Classifying Business Impacts for Interruptions or Incidents

The impact of disruption on significant services or products helps to verify how long the functions of an organization can work without those services or products. It is essential for business continuity to find out the time period before a major impact of the unavailable product is experienced.

1.4 Business Impact Analysis (BIA)

The function of the BIA is to recognize the authorization and the significant services or products of the business.
In addition, the identification of internal as well as external disruption, and the ranking of priority services or products for fast or continuous delivery, are identified and controlled by the BIA.

1.5 Classify Dependencies

The delivery of services depends upon the internal and external dependencies of significant services or products. The internal dependencies comprise the availability of staff, information, equipment, applications, transport, human resources, security and information technology (IT) support services. On the other hand, external dependencies consist of contractors, management facilities, utilities, financial institutions, health, safety, legal advisors, government services, insurance policy providers, and other external assets.

1.6 Mitigating Threats and Associated Risks

The threats and risks faced by organizations are evaluated or identified in the BIA via a full threat-and-risk assessment. The risks that are considered reasonable can be resolved even if the BCP is not activated. For instance, if electricity is required for production and the organization faces the risk of a power shortage, then stand-by generators can be installed for risk prevention. Similarly, if the organization is dependent on internal and external telecommunication, then the risk of communication failure might be minimized by installing alternate communication network systems.

1.7 Classify Immaterial (Intangible) Losses

In order to determine the customer’s loss, shareholders’ confidence, harm to reputation, loss of competitiveness, lower market share and violation of laws and regulations, the necessary estimation is needed. Harm to reputation plays a vital role in the loss of revenue of organizations, as they are expected to have higher standards.

1.8 Insurance Necessities

The cost of recovery can be fully or partially financed through insurance in order to ensure the possibility of recovery.
Unfortunately, many organizations cannot afford to pay the cost of a recovery; therefore, having insurance can ensure that the recovery cost is possible. It is essential to utilize the BIA to determine the insurance threats coverage and insurance coverage of a corresponding level. It is also important to consider the insurance options related to the threats that an organization is facing. Unfortunately, some of the important characteristics remain underinsured or become overinsured. Therefore, consider all the aspects carefully in order to minimize the risk of any faults in insurance coverage. The uninsured areas and imprecise levels of coverage must be examined properly. The documentation must be maintained for the insurance policy of an organization. Some aspects, for example property insurance, may not include several risks such as steam explosion, water damage, and damage from excessive snow or ice if not removed by the owner; these can be insured via an extension of the insurance policy. Therefore, before submitting any claims, a conversation must be held between the adjustor and the claimer. In fact, the probable recovery time must be understood by the adjustor properly while submitting any claims. The policyholder has the burden of proof and all the other required documents.

1.9 Incident Management

Incident handling procedures are not uniform, as they vary according to the different business processes of the organization. Network dictionary defines “Incident Handling as an action plan for dealing with a natural disaster such as fire. It is comprised of a six-step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned”. Depending on the nature of the business, processes can be associated with law enforcement agencies, government institutions, public information providers, information technology, etc. In order to handle security incidents within our organization's premises, incident response teams can be established.
As per network dictionary, “Incident response team refers to a group of people who are responsible for handling information security incidents when they occur”. Incident handling is an essential process to address security incidents that are initiated in organizations, breach data servers containing confidential and mission-critical data, and disrupt business processes. The impact of these incidents can potentially cause severe losses in terms of the organization's reputation in the market, customer trust and credibility. For minimizing incident handling within the organization, a questionnaire can be created that will highlight solutions for minimizing incident handling and security breaches in an organization. An effective incident management approach will minimize issues related to security breaches and other possible threats. The information provided in this proposal is handled with strict confidence.

One of the common human mistakes incorporates mishaps from concerned security administrators installing default programs from a compact disc. These programs stored on a compact disc facilitate hackers in breaching security by storing porn content, configuring an illegal server, initiating attacks on other information assets and breaching servers on the network. In order to eliminate all these threats and vulnerabilities, reviewing and learning the functionality of threats is essential. This will certainly reduce the probability of security incidents in organizations (Compromise recovery and incident handling, 2003).

Research was conducted on a Proposed Integrated Framework for Coordinating Computer Security Incident Response Team. Conventionally, computer security incident response teams (CSIRT) are responsive to viruses, hacking and unauthorized access of employees.
The CSIRT is defined as “Computer security incident response team (CSIRT) is a term used by the CERT Coordination Center (CERT/ CC) to describe a service organization that responds to computer security incidents” (Dong, n.d.). The research transformed these teams into efficient tools that will maintain the efficiency of business operations and compliance, along with new regulations and national security. Organizations possessing incident response teams follow a systematic approach and steps to recover the system efficiently from any security breach or incident. Moreover, the existence of such teams eliminates loss or theft of information and service disruption. Furthermore, the information gained by detecting and resolving an incident helps support teams to be more efficient in handling future incidents.

Likewise, these teams are called security incident response teams (SIRT). They are triggered when a security breach shows its existence within the network of an organization. These teams conduct investigations of suspect workstations and servers. For instance, a server that is responding slowly or a workstation that is broadcasting messages is examined for any possible security incidents. After specifying the incident that is related to security, the incident recovery steps are performed accordingly to assure adequate information collection and documentation. There are cases where security incidents also involve the contribution of law enforcement agencies, concerned managers, the board of directors of an organization and security professionals to resolve and recover from security incidents.

Incidents in the context of adverse events have a negative impact on organizations. Adverse events include a system crash, flooding of network packets, unauthorized access of system privileges, viruses, malicious code, etc. Incidents in the context of computer security are referred to as a policy violation of computer security policies and standard security practices.

2 Future Work

After establishing BCP/DR planning and incident response teams/planning, quality assurance techniques must be integrated with all these functions. Periodic review of the BCP will validate the plan and enhance its effectiveness. Moreover, it may also highlight areas for further improvement or modification, and the assessment can be conducted by an internal review or an external review or audit. The internal review process incorporates a scheduled review on a periodic basis, and whenever the threat environment changes or there is a merger with another organization. On the other hand, an external review or audit of the BCP document is carried out by third-party consulting firms. The external auditors of such a firm validate procedures and evaluate mission-critical services and processes. Moreover, BCP methods, accuracy and extensiveness are also audited, along with what actions are performed when an incident or disruption arises. However, disruptions can be handled in three steps, i.e. response, continuity of critical services, and restoration and recovery.

References