
Business Continuity Planning (BCP)

Presented by Anjan Mohapatro

Business Continuity Plan

Planning to ensure the continuation of operations in the event of a catastrophic event.

Business continuity planning goes beyond disaster recovery planning to include the actions to be taken, resources required, and procedures to be followed to ensure the continued availability of essential services, programs, and operations in the event of unexpected interruptions.

Business Continuity Plan


How to preserve critical business functions in the face of a disaster or crisis, so that the organization can manage and survive the crisis and take appropriate action to help ensure its continued viability.
A plan for emergency response, backup operations, and post-disaster recovery, maintained by an activity as part of its security program, that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

Business Continuity Plan

Goal

to assist the organization/business to continue functioning even though normal operations are disrupted

Steps

Before disruption

During Disruption

After Disruption

Why BCP is Required

Proactive rather than reactive: it is better to plan activities ahead of time than to react when the time comes

Maintain business operations
Keep the money coming in
Short- and long-term loss of business

Effect on customers
Public image
Loss of life

The Problem

Utility failures
Intruders
Fire/Smoke
Water
Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
Heat/Humidity
Electromagnetic emanations
Hostile activity
Technology failure

The Problem
[Pie chart. Slice labels: Errors & Omissions, Disgruntled employees, Fire/water/electrical, Outside threats, Dishonest employees. Slice values as extracted, not matched to labels: 10%, 10%, 5%, 50%, 25%]


The Controls

Information Security
Redundancy
Backed-up data
Alternate equipment
Alternate communications
Alternate facilities
Alternate personnel
Alternate procedures

Key Elements
Disaster Recovery
Business Recovery
Contingency Planning
Crisis Management

Create a Business Continuity Management Team


Led by top management
Responsible for creating, maintaining, testing and implementing a comprehensive BCP
Top-down approach
Awareness at all levels

Key Players
Senior Officials
Internal Audit
Risk Management
Legal
Finance/Budget
Procurement
Safety

Corporate Policy
A BCP policy committed to undertaking all reasonable and appropriate steps to protect people, property and all business interests is essential.
Corporate policy should contain a definition of crisis.
Responsibility for systems, resources and key business processes should be clearly identified.
The BCP team should include top senior leaders, major organizational functions and support groups, for widespread acceptance.
The policy should be communicated throughout the organization.

Business Continuity Process


Assess - identify and triage all threats (BIA)
Evaluate - assess likelihood and impact of each threat
Prepare - plan for contingent operations
Mitigate - identify actions that may eliminate risks in advance
Respond - take actions necessary to minimize the impact of risks that materialize
Recover - return to normal as soon as possible

BIA
Any organizational impacts that could result from an interruption of normal operations should be examined.
Identify critical processes and document them: purchasing, manufacturing, supply chain.
Processes should be ranked as H/M/L.
Assess the impact if a crisis were to happen:
Human cost
Financial cost
Corporate image cost

BIA Review Factors

All Hazards Analysis

Likelihood of Occurrence
Impact of Outage on Operations

System Interdependence
Revenue Risk
Personnel and Liability Risks

The Steps in a BCP - 1


Risk Assessment/Analysis
Potential failure scenarios (risks)
Likelihood of failure
Cost of failure, quantify impact of threat
Assumed maximum downtime
Annual Loss Expectancy
Worst case assumptions
Based on business process model? Or IT model?
Identify critical functions and supporting resources
Balance impact and countermeasure cost

Key Potential damage Likelihood


LTU CISP Security 16

Definitions
Threat
any event which could have an undesirable impact

Vulnerability
absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both

Exposure
a measure of the magnitude of loss or impact on the value of the asset

Risk
the potential for harm or loss, including the degree of confidence of the estimate


Definitions
Quantitative Risk Analysis
quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
Powerful aid to decision making
Difficult to do in time and cost

Qualitative Risk Analysis
minimally quantified estimates
Exposure scale ranking estimates
Easier in time and money
Less compelling

Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative


Results
Loss impact analysis
Recovery time frames
Essential business functions
Information systems applications
Recommended recovery priorities & strategies

Goals
Understand economic & operational impact
Determine recovery time frame (business/DP/Network)
Identify most appropriate strategy
Cost/justify recovery planning
Include BCP in normal decision making process

Threats
Hardware failure
Utility failure
Natural disasters
Loss of key personnel
Human errors
Neighborhood hazards
Tampering
Disgruntled employees
Emanations
Unauthorized access
Safety
Improper use of technology
Repetition of errors
Cascading of errors
Illogical processing
Translation of user needs (technical requirements)
Inability to control technology
Equipment failure
Incorrect entry of data
Concentration of data
Inability to react quickly
Inability to substantiate processing
Concentration of responsibilities
Erroneous/falsified data
Misuse


Risk Analysis Steps


1 - Identify essential business functions
Dollar losses or added expense
Contract/legal/regulatory requirements
Competitive advantage/market share
Interviews, questionnaires, workshops

2 - Establish recovery plan parameters


Prioritize business functions

3 - Gather impact data/Threat analysis


Probability of occurrence, source of help
Document business functions
Define support requirements
Document effects of disruption
Determine maximum acceptable outage period
Create outage scenarios


Risk Analysis Steps


4 - Analyze and summarize
Estimate potential losses
Destruction/theft of assets
Loss of data
Theft of information
Indirect theft of assets
Delayed processing
Consider periodicity

Combine potential loss & probability
Magnitude of risk is the ALE (Annual Loss Expectancy)
Guide to security measures and how much to spend


Prioritize Risk Factors


Personal Safety Risk
Services Risk
Operational Risk
Revenue Risk
Liability Risk
Good Will (Societal) Risk

What Are External Risks?


External risks are risks presented by factors outside the enterprise; these include natural disasters, labor strife, and the possible failures of business partners, suppliers, public utilities, transportation, telecommunications, and other businesses.

Loss of Lifelines
What will we do if there is no power?
No phone service?
No water?
Government services?
How will the public react?

Develop Scenarios

How bad will the big one be?
Extended power, water, or telecom outages?
Supply chain disruptions?
Civil unrest?
Develop various scenarios and pick which ones to plan for.

Evaluating Alternatives

Functionality - provides an acceptable level of service
Practicality - is reasonable in terms of the time and resources needed to acquire, test, and implement the plan
Cost Benefit - cost is justified by the benefit to be derived from the plan

The Steps in a BCP - 2


Strategy Development (Alternative Selection)
Management support
Team structure
Strategy selection
Cost effective
Workable


Resources required for recovery


Identify resources required for recovery and resumption.
Resources: personnel, hardware, software, specialised equipment, facility/space and critical records.
Backing up and storing critical and vital business records in a safe and accessible location is a prerequisite.

Risk assessment and BIA provide the foundation on which an organisation's BCP can rest.

Crisis Management and Response team development

Establishment of an appropriate administrative structure to deal with crisis management.
Clear definition of the management structure, authority for decisions and responsibility for implementation.
Should have a crisis management team to lead incident response.
The team should comprise members of critical business processes, led by senior management.
The crisis management team is supported by response teams.
Response plans address various aspects of potential crises.


The Steps in a BCP - 3


Implementation (Plan Development)
Specify resources needed for recovery
Make necessary advance arrangements
Mitigate exposures


The Steps in a BCP - 3


Risk Prevention/Mitigation
Security - physical and information (access)
Environmental controls
Redundancy - Backups/Recoverability
Journaling, Mirroring, Shadowing
On-line/near-line/off-line

Insurance
Emergency response plans
Procedures
Training
Risk management program


Mitigation Strategies

Cost-effective mitigation strategies should be employed to prevent or lessen the impact of potential crises.
Securing equipment and tables by strapping them to the wall gives protection against earthquakes, sprinkler systems can lessen the risk of fire, and strong records management can mitigate the loss of key data.
Resources required for the mitigation process should be identified.
Systems and resources should be monitored continually as part of the mitigation strategy.

MTD

Establish an estimate of the maximum tolerable downtime (MTD) for each business process.
Determine how long a process can be non-functional before the impact becomes unacceptable.
Determine how soon a process should be restored (shortest allowable outage restored first).
Identify alternate procedures to a process.
Evaluate costs of alternate procedures vs. waiting for the system to be restored.
Determine the priorities and processes for recovery of critical business processes.
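
Added example, not part of the original slides: a small BIA register in Python that combines potential loss and probability into the ALE (Risk Analysis Steps, step 4) and applies the MTD rules above (shortest allowable outage restored first, alternate procedure vs. waiting for restoration). The process names, all figures, the field names, the tie-break on ALE and the net-benefit formula for a countermeasure are assumptions made for illustration.

```python
"""Added example: BIA register with ALE and MTD-based recovery ordering.
All processes and figures below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    mtd_hours: float          # maximum tolerable downtime
    restore_hours: float      # expected time to restore the normal system
    loss_per_hour: float      # loss while the process is down
    alt_cost_per_hour: float  # cost of running the alternate procedure
    outages_per_year: float   # estimated frequency of the outage scenario

    def loss_per_outage(self) -> float:
        return self.loss_per_hour * self.restore_hours

    def ale(self) -> float:
        # Annual Loss Expectancy: potential loss combined with probability
        return self.loss_per_outage() * self.outages_per_year

    def needs_alternate(self) -> bool:
        # Restoration would overrun the MTD, so waiting is not an option
        return self.restore_hours > self.mtd_hours

    def alternate_is_cheaper(self) -> bool:
        # Alternate procedure costs less per hour than the outage itself
        return self.alt_cost_per_hour < self.loss_per_hour


def recovery_order(processes):
    """Shortest allowable outage first; ties broken by higher ALE (assumed)."""
    return sorted(processes, key=lambda p: (p.mtd_hours, -p.ale()))


def safeguard_net_benefit(p, outages_after, annual_cost):
    """ALE reduction from a countermeasure minus its yearly cost (assumed formula)."""
    ale_after = p.loss_per_outage() * outages_after
    return p.ale() - ale_after - annual_cost


# Constructed register: name, MTD h, restore h, loss/h, alternate cost/h, outages/yr
REGISTER = [
    Process("Payroll", 72, 24, 500, 200, 0.5),
    Process("Order processing", 4, 8, 10_000, 1_500, 2),
    Process("Purchasing", 24, 8, 2_000, 2_500, 1),
]

if __name__ == "__main__":
    for p in recovery_order(REGISTER):
        use_alt = p.needs_alternate() or p.alternate_is_cheaper()
        plan = "alternate procedure" if use_alt else "wait for restore"
        print(f"{p.name:18} MTD {p.mtd_hours:>4}h  ALE {p.ale():>9,.0f}  {plan}")
```

A positive result from safeguard_net_benefit means the countermeasure removes more expected annual loss than it costs, which is the balance between impact and countermeasure cost that the risk assessment slide asks for.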

The Steps in a BCP - 3


Decision Making
Cost effectiveness
Total cost

Human intervention requirements
Manual functions are weakest

Overrides and defaults
Shutdown capability
Default to no access

Design openness

Least Privilege
Minimum information

Visible safeguards

Entrapment
Selected vulnerabilities made attractive


The Steps in a BCP - 3


Decision Making
Universality
Compartmentalization, defense in depth
Isolation
Completeness
Instrumentation
Independence of controller and subject
Acceptance
Sustainability
Auditability
Accountability
Recovery


Remedial Measures
Alter environment
Erect barriers
Improve procedures
Early detection
Contingency plans
Risk assignment (insurance)
Agreements
Stockpiling
Risk acceptance


Remedial Measures
Fire
Detection, suppression

Water
Detection, equipment covers, positioning

Electrical
UPS, generators

Environmental
Backups

Good housekeeping
Backup procedures
Emergency response procedures


The Steps in a BCP - 3


Plan Development
Specify resources needed for recovery
Team-based
Recovery plans
Mitigation steps
Testing plans
Prepared by those who will carry them out


Review External Dependencies


Infrastructure Dependence (power, telecom, etc.)
[Diagram: Your Organization and its external dependencies: Suppliers, Clients/Customers, Subcontractors, Conduit Organizations, Vendors]
System Up Time (computing, data, networks, etc.)

Contact Information

Contact information of the crisis management team and response team should be maintained. Information should be updated regularly. Compliance audits should be conducted to enforce BCP policies.

Policy violations should be highlighted and corrective actions taken.

Monitoring Systems and Resources


Resources include

Emergency equipment
Fire alarms and suppression systems
Local resources and vendors
Alternate work sites
System backups and offsite storage

Avoidance, deterrence and detection

The BCP should address the specifics of potential crises and include overall deterrence, any precursors and warning signs, and detection measures.

Workplace violence
Natural disasters
Protests/riots
Product or manufacture failure
Hostile takeover
Terrorism
Lawsuits

Avoidance, deterrence and detection

Employees should be appropriately motivated to feel personally responsible for avoidance, deterrence and detection.
Facilities enhancing avoidance
Architectural: natural or manmade barriers
Operational: Security officers check posts, employee awareness programmes, surveillance and counterintelligence
Technological: intrusion detection, access control, CCTV, package and baggage screening

Potential Crisis Recognition


If a potential crisis exists, the organization should be able to recognize when specific dangers occur. Identification of danger signals, coupled with the likelihood of an event, is indicative of an imminent crisis.

Unusual changes in sales volume
Legislative changes
Corporate policy changes
Changes to competitive environment
Changes to supply based environment
Warning of natural disasters

Potential Crisis Recognition


Identification of danger signals coupled with the likelihood of an event is indicative of an imminent crisis.

Cash flow changes
Potential for civil or political instability
Hostile labor negotiations
Strikes

Report Potential Crisis

Certain departments and functions are well placed to observe warning signs of an imminent crisis. Personnel assigned to these functions should be trained appropriately.
A crisis should be communicated to all employees.
A potential crisis, once recognized, should be immediately reported.
Parameters for notification criteria should be established, documented and adhered to by all employees.

Report Potential Crisis

Qualified personnel should have ready access to the updated, confidential listings of persons and organizations to be contacted when certain conditions or parameters of a potential crisis are met.
Types of Notification: Notifications in a crisis situation should be timely and clear and should use a variety of procedures and technologies. Notification systems are sometimes also impacted by the disaster, so redundancies should be built into the notification system.
Assessment of the situation: size of the problem, potential for escalation, possible impact of the situation.

Declare a Crisis
The point at which a situation is declared a crisis should be clearly defined, documented and fit very specific and controlled parameters.

Activities that declaring a crisis will trigger


Evacuation, shelter and relocation
Safety protocol
Response site and alternate site activation
Team deployment
Operational changes

Execute the Plan


The BCP should be developed around the worst-case scenario; the response can be scaled up to match the actual crisis. Goals should protect the following interests:

Save lives and reduce chances of further injuries and deaths
Protect assets
Restore critical business processes and systems
Reduce downtime
Protect against reputation damage
Control media coverage
Maintain customer relations

Communications
Effective communication is one of the most important ingredients in crisis management.

Identify the Audience
Internal and external audiences should be identified to convey the crisis and the organizational response. It is often appropriate to segment the audiences, so that messages tailored specifically for a group can be released.

Internal Audience
Employees and their families
Business owners and partners
Board of Directors

Communications
External Audience

Present and potential customers/clients
Contractors and vendors
Media
Government and regulatory agencies
Local law enforcement
Investors and shareholders
Surrounding communities
Emergency responders

Communications With Audience


Communications should be timely and honest
An audience should hear the news from the organization
Should provide objective and subjective assessment
All employees should be informed at the same time
Give bad news all at once; do not sugar-coat it
Provide regular updates

Communication channels: face-to-face meetings, news conferences, voice mail, company intranet and internet sites, toll-free hotline, special newsletter, local and national newspapers

Communications With Audience


Official Spokesman: The company should designate a single primary spokesperson. This person should be trained in media relations prior to a crisis. All information should be funneled through a single source to ensure that the messages being delivered are consistent.
Resource Management: How human resources are managed will decide the success or failure of crisis management.
Accounting for All Individuals: A system should be devised by which all personnel can be accounted for quickly after the onset of a crisis. Accurate contact information should be maintained and updated.
Notification of Next of Kin: by a senior manager in case of injury or fatality.

Resource Management
Family Representatives: A family representative program should be in place in case of injuries and fatalities. The family representative should be someone other than the person who performed the notification, and acts as the link between the organization and the employee's family.

Financial Support: During the crisis there may be financial implications for the organization and the families of the employees. Implications may include financial support to victims' families.
Payroll: Should be functional throughout the crisis.

Logistics
Logistical decisions made in advance will impact the success or failure of a good BCP.
Crisis Management Centre: Should be identified in advance. This is the initial site used by the crisis management team and response team for directing and overseeing crisis management activities. It should have an uninterruptible power supply, computer communication, heating and ventilation systems and other support systems. Emergency supplies should be identified and kept in the centre.

An access control system should be implemented, with the members of the team given 24x7 access.
A secondary crisis management centre should be identified in the event that the primary centre is impacted by the crisis.

Logistics
Alternate Worksite: The organization should have an alternate worksite identified for business recovery and resumption.
Offsite Storage: Allows rapid crisis response and business recovery. Critical documents and information are stored at a sufficient distance from the primary facility.
Financial and Insurance Issues: Existing funding and insurance policies should be examined; additional funding and insurance coverage should be identified and obtained. The amount of funds required for continuity of operations should be identified.

Some cash and credit should be available for weekends and after office hours.
Insurance providers should be contacted as soon as possible.

Logistics
Transportation at the time of crisis may be a challenge

Evacuation of personnel
Transportation to an alternate site
Supplies to an alternate site
Transportation of critical data to alternate site
Transportation of staff with special needs

Suppliers/Service Providers: Critical vendor or service provider agreements should be established and contact information maintained. Evaluate their ability to provide necessary supplies and services in the case of a far-reaching crisis.

Mutual Aid Agreements

Identify resources that may be borrowed from other organizations during a crisis as well as mutual support that may be shared with other organization.

Damage and Impact Assessment: Once the crisis management team is activated, damage should be assessed. All incidents should be recorded and documented, including the response actions.
Crisis Involving Physical Damage: The crisis management team should be mobilized at the site.

Entry approval by the public safety authority. Make a preliminary assessment of the extent of damage and the likely length of time that the facility will be unusable.

Recovery

Once the extent of damage is known, process recovery should be prioritized and a schedule for resumption determined and documented.

Resumption of critical processes
Resumption of other processes
Return to normal operations - return to pre-crisis normal or a new normal
Organization springs back to productive work
Crisis may be officially declared over


Implementing plan

The BCP is a living, evolutionary document that grows and changes with the organization and remains relevant and actionable.

Educate and train: the plan is only as valuable as the knowledge others have of it.
Time commitment from all stakeholders.
Crisis management team and response teams are to be trained at least annually, and new members when they join.
Responsibilities, accountabilities and authority should be clearly defined.

Educate and train all personnel.

Test the BCP


Plan Testing
Proves feasibility of recovery process
Verifies compatibility of backup facilities
Ensures adequacy of team procedures
Identifies deficiencies in procedures
Trains team members
Provides mechanism for maintaining/updating the plan
Upper management comfort

The Steps in a BCP - Finally


Plan Testing
Checklist
Structured walkthroughs
Live exercises/Simulations
Periodic off-site recovery tests/Parallel
Full interruption drills


Test Monitoring
Assign observers to take notes during the test. Video or audio recording can be done. Assign someone to document events chronologically.
Testing scenarios should be designed using the events identified in the risk assessment.

Participants should understand their individual roles and should be allowed to interact freely.
After completion of the exercise/test it should be critically evaluated: the effectiveness of the test and whether the desired level of goals was attained.

Develop BCP Review Schedule

BCP should be reviewed and evaluated according to the predetermined schedule.
Reviewed every time a risk assessment is carried out.
Major trends in the sector or industry, or any initiative taken, should initiate a review.
New regulatory requirements.
Test and exercise results.
