(IJCNS) International Journal of Computer and Network Security, 187
Vol. 2, No. 10, 2010
Adoption OF Business Continuity Planning In IT
Services Case Study: MyLinE
Parvaneh Sarshar1 and Mohd Zaidi Abd Rozan2
Universiti Teknologi Malaysia, Faculty of Computer Science and Information System,
1
sparvaneh2@live.utm.my, 2mdzaidi@utm.my
Abstract: The importance of having information technology
(IT) in every single part of any organization is undeniable,
however the systems integrated with it may face some threats,
hazards and risks. One of the most suitable methods to prevent
or recover from risks is Business Continuity Planning. BCP first
was introduced in IT department but since IT has become wide
spread, it has now been applied beyond IT sector. The case study
(MyLinE) chosen by the researcher was because BCP is not
utilized in their organization and was not capable of mitigating
or even identifying existing vulnerabilities and threats, therefore
this research was conducted to investigate the threats that are
faced by MyLinE, the vulnerabilities that are exploited by the
threats and significantly the impact of the incidents that may be
caused by these factors. With adoption of BCP in MyLinE, the
level of threats and vulnerabilities were assessed, mitigation
strategies were delivered to help MyLinE reduce the risk level.
On the other hand, the Business Impact Analysis (BIA) which
had been conducted, illustrated the importance of mitigation
level based on the impact of each incident on the stakeholders.
Finally this paper has been developed to document the
achievement of risk assessment and BIA in MyLinE and the
researcher intend to reach to a comprehensive plan that can be
applied for all IT services.
Keywords: Business Continuity Planning, risk assessment,
BIA, IT services
1. Introduction
IT services have been facing unpleasant incidents or
disasters from the moment of birth and there have been
always lots of attempts to overcome these incidents. They
are two possibilities of incidents; premises-based incidents
such as power outage, fire, flood or service-based incidents
such as email, venue facilities, and network services and so
on. Specialists have always been trying to defeat these
threats to protect IT services, therefore great deals of
solutions have been continuously provided.
One of the most powerful remedies used to overcome and
recover from the likely risks and their impacts on the
business before, during and after an incident or a disaster is
Business Continuity Planning (BCP), to be studied in this
research. Business Continuity Planning is a very essential
tool used in many businesses and the need of this plan in all
the organizations especially for their IT services is deniable.
Since ten years ago, some new concepts such as Computer
Based Training, Computer Based Assessment have been
introduced to the IT world especially among academic
organizations. Today, those terms are represented by “e-
learning”. Factors like flexibility, greater collaboration,
convenience, portable, lower cost and higher retention, are
the benefits of e-learning that caused it to be very popular all
over the world.
There are many types of risk and challenge associated with
e-learning like hack, fire, Internet infrastructure outage,
Communication infrastructure outage and so on. The case
study that is to be examined is an Online Resource for
Learning in English called MyLinE. Since MyLinE as an IT
service and a sort of e-learning, probable to be confronted
with any of the risks that have been mentioned and there is
no suitable plan or strategy in the current service, we need
some organized procedures that enable the organization to
recover from a disaster which may cause interruption to the
business especially on to its critical parts. Since MyLinE is
being used by 20 universities and institutes all over
Malaysia, interruption in the system are not a wise option to
confront.
2. Literature Review
British Standards (BSI) [1] defines BCP as a methodology
used to develop a plan to maintain or store business
operations in the required time scales following interruption
to, or failure of, critical business processes. In addition, in
[2] it is stated that BCP is a documented collection of
procedures and information that is developed, compiled and
maintained in readiness for use in an incident to enable an
organization to continue to deliver its critical activities at an
acceptable predefined level.
Same as any other plans, BCP has objectives and goals
while being adopted by any organizations, this includes:
• avoiding financial ruin
• maintaining market share
• minimizing negative publicity
• identifying hazards that may affect critical functions or
activities
Based on [9] the overall goals of a business continuity plan
are to ensure customers, trading partners and regulatory
agencies maintain confidence in the business and to resume
business as usual for employees as soon as possible.
Fulmer [4] says that the most common reasons for
neglecting BCP are:
• lack of time and resources
• lack of top management support
• lack of money
188
• too many causes of disasters to plan for, effectively
• little awareness of potential hazards
• lack of knowledge in developing a plan
• Lack of sense of urgency
Although in today's environment, where technology reaches
into every corner of almost every organization, business
continuity planning has become imperative, unfortunately, it
falls very low on a long list of IT priorities. [5]
The difference between BCP and BCM (Business Continuity
Management) refers to Business Continuity Planning (a
process) or Business Continuity Plan (the documentation)
and before an organization can develop BCM program, it
should have BCP in advance. BCM is inclusive of BCP
activities, as well as, the on-going activities. [14] Figure 1
shows this difference.
Figure 1. Differences between BCP and BCM [14]
Since understanding the differences between different
contingency plans such as BCP, DRP (Disaster Recovery
Planning) or IRP (incident Recovery Planning) has been a
controversial issue, figure 2 from [13] can show these
differences and contingency planning steps so it can be
understood by everyone.
Figure 2. Contingency Plan steps
3. Framework
A wide variety of frameworks and models are available for
business continuity planning (BCP) [10], [11], [7] & [8].
Except for the project initiation stage in BCP development,
these models are not exactly the same in the other stages.
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 10, 2010
[6]. For this research, since there is not a specific framework
that can suit all the organizations, and the BCP frameworks
vary based on the objectives;
• the type of the products and services that the
company is delivering,
• the size of the organization,
Therefore the researcher decided to come up with a
combination of some frameworks that can be best for
MyLinE which is an IT service.
This modified framework is a combination and modification
of three different frameworks which have been retrieved
from literature review. This framework has five phases and
is cyclic, which means BCP never ends and this process
continues and is being updated.
Figure 3. Modified framework
3.1 Phase One: Project foundation
Project foundation or project initiation is the very first phase
of developing a Business Continuity Plan. The most
important factor for starting a Business Continuity Plan is
having the senior management support. To kick off the
project, these steps are critical [12];
• establish a business continuity working group and
give it specific objectives,
• empower the group by including key business and
technical stakeholders who have the decision-
making authority to make it happen.
This phase of the framework has been derived from
MAMPU (Malaysia Administrative Modernization and
Management Planning Unit) standard for BCM [15]. It
consists of five sub-steps:
3.1.1. Purpose
In the very first step of each plan or project, the purpose of
the project should be mentioned.
3.1.2. Objectives
In this sub-process the objectives of developing a BCP and
Implementation of a suitable framework must be covered.
3.1.3. Scope
The scope of the plan should be defined.
3.1.4. BCM team structure
The members of the plan who are going to be engaged
before, during and after a disaster should be identified.
3.1.5. Roles and responsibilities
 (IJCNS) International Journal of Computer and Network Security, 189
All the responsibilities should be defined well and assigned
to the responding employees. Training may be applied when
needed.
3.2 Phase Two: Business Assessment
This phase has been retrieved from British Standard [16]
and it consists of two very prominent sub-processes:
3.2.1. Risk Assessment
Risk Assessment is an evaluation of the exposures present in
an organization’s external and internal environment. It
identifies whether or not the facility housing the
organization is susceptible to floods, hurricanes, tornadoes,
hack, sabotage, etc. It then documents what mitigating steps
have been taken to address these threats [3].
Based on [16], Risk assessment consists of risk analysis and
risk evaluation.
• Risk analysis should include:
1. identification of assets
2. valuation of the identified assets
3. identification of significant threats and
vulnerabilities for the identified assets
4. assessment of the likelihood of the threats and
vulnerabilities to occur
• Risk evaluation includes:
1. calculation and evaluation of risks based on a
predefined risk scale
3.2.2. Business Impact Analysis
A BIA is an assessment of an organization’s business
functions to develop an understanding of their criticality,
recovery time objectives, and resource needs. By going
through a Business Impact Analysis, the organization will
gain a common understanding of functions that are critical
to its survival. It will enable the client to achieve more
effective planning at a lower cost by focusing on essential
corporate functions [3].
The business impact analysis is an evaluation of the effects
of extended outages on the ability to continue mission
critical business functions. An analysis is business impact
driven, and is both qualitative and quantitative. A business
impact analysis should measure impacts on business
elements including, financial, operations, customers,
regulatory compliance and long-term obligations [17].
3.3 Phase Three: Strategy selection
This phase is about selecting a strategy to mitigate the risks
and vulnerabilities. One of the most important objectives of
this phase is to decrease the total cost of the impact and the
chosen solution. This phase is a proposed framework by
J.C.Barnes [3].
3.4 Phase Four: Plan development
In this step, the Business Continuity Plan for the case study
will be delivered. This phase is also from J.C.Barnes
proposed framework [3]. When a disaster happens, only the
companies with a powerful BCP can survive, the phase of
developing a comprehensive plan is very important. The
objectives of a plan are to get the organization into business
Vol. 2, No. 10, 2010
as soon as possible and to keep the extraordinary expenses
to a minimum.
Two important steps in developing a plan are recovery team
notification and documentation. In BCP the responsibilities
are assigned to each member of the team and the
documentation of the plan should be very good and user
friendly so the members can understand their duties soon in
order not to waste any time.
3.5 Phase Five: Testing and maintenance
In this final step which has been derived from J.C.Barnes
proposed framework [3], while the plan is completed and
being approved by senior management, it needs to be tested
to make sure that it works very well. Testing is an important
step, since shows the planners and the team that the plan is
accurate but some of the organizations ignore or neglect to
do it. In organizations with an exhaustive plan, the testing is
done every 6 months to once a year.
After making sure that the plan is doing well, it should then
be maintained. Most BCPs that are written are not
maintained. Within a year or less the plan becomes useless
because staffs have changed, vendors are different, and the
resources required to get the product out the door have
evolved. By maintaining the plan on a regular basis, the
organization will avoid the time required to create a plan
from scratch and it will be prepared whenever a disaster
strikes.
4. Application and findings
Before proceeding with any analysis, it is very important to
understand about the case study which is MyLinE, at UTM.
Interviews have been conducted with MyLinE manager and
MyLinE admin. The goal of interview is to find out the
current situation of MyLinE towards risk and to find out
what they have done up to now to prevent or solve a disaster
when it occurs and how risky is the system that they are
housing.
From this interview these result have been achieved;
• It is an online self-access resource for learning
English to enhance English language
communication skills among students at tertiary
level.
• The goal of making it a self-access learning
resource is that it persuades students to be
responsible for their learning.
• MyLinE has lots of activities and learning and
teaching resources to help the students and
lecturers to improve their English proficiencies.
• Currently MyLinE has over 200,000 users in 20
universities and institutes all over Malaysia.
A large number of users will be affected and the
consequences considered disastrous and a disruption will
definitely have a severe impact on reputation of MyLinE and
UTM. In addition, the threats are most likely to occur by
technical problems and usually resulted in more than 4
hours but less than 24 hours, but they may repeat frequently
within 30 days. Besides, when a business disruption happens
it causes a delay and missed deliverables and it will affect
190 (IJCNS) International Journal of Computer and Network Security,
all 20 universities which shows that risk level and
vulnerability in MyLinE is definitely high.
BCP framework that has been illustrated in figure 3 has
been applied for this case study. After developing project
foundation in the first step, two types of questionnaires were
conducted, threats and vulnerability questionnaire and BIA
questionnaire.
For identifying threats and evaluation of the identified
threats and vulnerabilities, a questionnaire with two phases
was needed. Through factor analysis, the numbers of factors
achieved from questionnaire are reduced. For identifying the
impact of the risks, second questionnaire for BIA in four
different types for four different kinds of stakeholders, was
developed. Based on this questionnaire, the respondents
were asked to rank the impact that these risks could have on
them if occur on the assets of MyLinE, based on the
following scale:
1 à Almost No impact
2 à Moderate impact
3 à Significant impact
The result of the questionnaires and the analysis of the data
is shown in appendix 1.
In step three, for the threats and vulnerabilities that were
threatening MyLinE, some strategies are required that can
mitigate this threats and the following impact of the risks on
the system and stakeholders. Based on the vulnerabilities of
MyLinE, the researcher came up with this strategies and it
is hoped that they can be useful in order to help MyLinE
prevent or overcome disasters.
In phase four, a comprehensive business continuity plan has
been developed and been submitted to the MyLinE manager
and the plan has been tested in phase five by the MyLinE
employees and the required changes and strategies are being
applied, some plan exercise programs have been established
and then some training for employees was considered.
5. Conclusion
In this paper, several achievements have been obtained,
from interview, the current situation of MyLinE toward
disasters and business continuity planning has been defined.
From literature review; assets, threats and vulnerabilities
that may threaten MyLinE have been identified. Soon after,
via questionnaires, the valuation of assets, threats and
vulnerabilities and risk assessment have been conducted.
From questionnaires, business impact analysis (BIA) has
been delivered and finally, some useful mitigation strategies
have been proposed by the researcher.
Since BCP is very critical for all organizations, especially
for the ones that are holding important information and data
such as MyLinE, the researcher highly recommend to
MyLinE unit that they have to take BCP seriously, because
the importance of having BCP in any organization have
been proved.
Another recommendation is that to consider the mitigation
strategies that the researcher has suggested to them, and try
to adopt them based on their importance priorities, budget
and alignment with mission, vision and goal of MyLinE.
Finally, MyLinE staff should not neglect to update the
Vol. 2, No. 10, 2010
existing BCP and test it regularly, so it can always be
applicable, and if a change occurs in the system, BCP can be
updated easily and it will not lead to losing the existing BCP
and having a new one, which is very costly for all
organizations.
References
[1] BSI , Information technology – Code of practice for
information security management BS ISO/IEC
17799:2000, BSI, pp.56-60, 2001
[2] BSI, Business continuity management –Part 2:
Specification, BS 25999-2, 2007
[3] J.C.Barnes, 'A Guide to Business Continuity Planning',
John Wiley & Sons, Chichester, UK, 2001.
[4] Kenneth L. Fulmer, 'Business Continuity Planning: A
Step-by-Step Guide with Planning Forms', Rothstein
Associates, Third Edition 2005.
[5] Susan Snedaker, ' Business Continuity and Disaster
Recovery Planning for IT Professionals', Burlington,
MA. Syngress Publishing, Inc., 2007.
[6] Roberta J.Witty, 'Research Roundup: Business
Continuity Management and IT Disaster Recovery',
Gartner, January 2009
[7] Pitt, M.and Goyal, S. (2004), “Business continuity
planning as a facilities management tool”, Facilities,
Vol. 22, No. 3/4, 2004, pp 87-99.
[8] BCPG, (1998), PACE - Business Continuity Planning
Guide (BCPG), Office of Government Commerce
(OGC), London, UK, May 1998.
[9] Jim Hoffer, 'Backing Up Business - Industry Trend or
Event', Health Management Technology, Jan, 2001
[10] Elliott, D. et al. (2002), Business continuity
management-a crisis management approach, Routledge,
2002
[11] Savage, M. (2002), “Business continuity planning”,
Work study, Vol. 51, No. 5, 2002, pp 254-261.
[12] Wing Lam, 'ensuring business continuity', 2002
[13] Michael E.Whitman and Herbert J.Mattord,
'management of information security', Course
Technology- Cengage Learning, 2008
[14] http://www.bcprm.com/demo/bcm/htmlhelp/ProjectMan
agement.htm, [online] (Retrieved on 10/12/2009)
[15] http://gcert.mampu.gov.my/doc, [online] (Retrieved on
15/04/2010)
[16] BSI , Information security management systems – Part
3: Guidelines for information security risk
management, BS 7799-3: 2006
[17] Robert McDonald, 'New Considerations for Security
Compliance, Reliability and Business Continuity', 2008.
Author’s Profile
Parvaneh Sarshar received her B.S.
degree in Computer Engineering from
Azad University of Lahijan in 2008 and
M.S. degrees in IT-Management from
University Technology Malaysia (UTM)
in 2010. She is now doing some research
on the impact of social networks on
different concepts and new ideas on BCP.
 (IJCNS) International Journal of Computer and Network Security, 191
Vol. 2, No. 10, 2010

Mohd Zaidi Abd Rozan (Dr.) received

his B.Sc. (Hons.) in Physics & Comp w.
Ed., and M.Sc. IT from Universiti
Teknologi Malaysia (UTM), Malaysia. He
received a Doctorate of Engineering (D.
Eng) in Information Science & Control
Engineering from Nagaoka University of
Technology, Japan. He is also a PRINCE2 Certified &
Registered Project Management Practitioner. Currently, he
is the Head Department of Information Systems, Faculty of
Computer Science & Information Systems, Universiti
Teknologi Malaysia (UTM), and also the UTM MSc IT-
Entrepreneurship (SKIT) Programme Coordinator. He is the
Founder and Leader of PRIMELAB (Project Innovation
Management & tEchnoentrepreneurship). His research
interests are IT Project Management, Technopreneurship,
Disaster Management, Profiling and Data Mining utilizing
Multivariate Approach. He holds a Radio Amateur Licence,
with callsign 9W2DZD.

Appendix 1
Table 1: Risk Assessment and BIA