BCP Step 1

Video Transcription
So just like we talked about with step one, project scope and planning, our first piece is to get the business organizational analysis. This is going to help us build on what our processes are. It will give us information about the organizational structure of the organization. I didn't say that very well. Let's try that again.
All right, so just like we said, step one of (ISC)²'s four-step process begins with getting a business organizational analysis. Now, this is really important because it means that we have to truly understand the mission of the organization, the objectives of the organization, the structure, the hierarchy, the company culture, the environment, all of those things. This is going to be the foundation for who is going to be on the team, and ultimately it leads into helping us create a successful business impact assessment as well.

So we've got to look at all of those elements of our organization. Are we ISO compliant? Is it a government environment? What is the context of risk in which we operate? What types of threats are likely to materialize? So what this piece is really doing is trying to understand the business as a whole.
Now, like I said, that's going to feed into giving us an idea of who should be part of the business continuity team. Once we understand the organization, the different departments within it, and how they're structured and how they function, we can ensure that each department has representation on the business continuity team. That doesn't mean that I've got 372 people sitting around a boardroom on my BCP team, but it does mean that we make sure every department is represented. Maybe we solicit information from them via surveys, or maybe they have a lead technician or department manager who is on the team. But ultimately we need that cross-functional understanding. It's certainly important that we have representation from our legal team and from our HR team; we want to make sure that we're in compliance with regulations and standards. Of course, information security, production, all of those different teams we need to bring in, and we need technical representation. So once we understand the business, it'll be easier for us to understand what the departments are and what our needs are in terms of who has to be represented on the team.
Now, once we have our team pulled together, we're going to have to meet with senior management and say, look, here's what we've got. And like I said, we're going to need resources for this. Some business continuity plans take a year to create, and by the time you create them, you've got to turn right around and start evaluating them again. So once again, senior management has to be aware of the need for resources, and we have to make sure that we have access to those resources. We're also going to have to run tests on the business continuity plan. Of course, this will make or break our organization.

So when we talk about testing, training and maintenance, what that means is that it's not enough just to write the plan. We've got the plan, great, let's all go home and celebrate. No, the work has just begun, because now we have to take that plan and find out if it works, and that will take multiple tests in multiple environments with lots of feedback. And then even when it works, we've got to train our people and make sure they can carry out the plan. Then we've got to maintain it: come back once a year, or in the event that the business changes, revisit it and determine whether it is sufficient for today.
Then, of course, we implement the plan once we have confidence in it. That takes a lot of training, and in order to meet the needs that are specified in the business continuity plan, we may have to reconfigure our network infrastructure or upgrade components. We may find that we can't meet management's needs in the event of a disaster with the infrastructure we have now. So we've got to sit down, figure out what's necessary to make this business continuity plan work and make it viable, and then we have to get that commitment from senior management.
Then legal and regulatory compliance has to be involved again, because ultimately, whatever regulations govern us are going to carry through in the event of a disaster or reduced functionality. So we have to make sure our legal team is involved in ensuring lots of different pieces: making sure that compliance doesn't lapse, but also making sure of things like who goes out and speaks to the media, because anything that our employees say to the media could be held against us. So we want to make sure that there's a prepared statement for people that don't have the authority to go out and speak to the media.
And I will guarantee you, this can sink you when you get the wrong person going out in front of the cameras. Think back to the BP oil spill years ago, when Tony Hayward came out to the media time and time again and just said some terribly ridiculous things. One of the first things I heard from him was, listen, nobody's been affected by this more than me, I haven't slept in three days. Yet 12 people died in the initial explosion, so that was a really awful thing to say. But every time I would hear he was going to come on TV, I'd get a little bag of popcorn out, sit back and wait to see what this guy was going to say, because it was one disaster after another. One of his executives said, look, you can get shrimp in places other than the Gulf. You can, but it's probably not the best thing to say to the media. He participated in a yachting race, a regatta, while oil was still pumping into the Gulf. It was just a PR nightmare, and BP still can't bid on certain contracts, and we still have kind of that negative taste in our mouths.
We want to make sure that we don't just put anybody in front of the camera, and in particular we don't go to our CEO and shove him out there. We put somebody who is qualified and trained to talk to the media, and that's who goes out. We want to present our best selves to the camera. We don't want to end up being liable, or causing our stock to drop and our customers to lose confidence. We need to make sure that we maintain compliance and that we present that to the media. So legal and regulatory compliance doesn't cease because you're in a disaster state. It's no less important; as a matter of fact, it's even more important, because now all eyes are on us.
We've got to remember that there are numerous laws that address business continuity, and I just have a handful of them here. I included a couple: HIPAA, which you know relates to healthcare and the medical profession; FISMA, where the government talks about protecting federal information security systems; and for finance, the Federal Financial Institutions Examination Council. But you could go on and on per industry, and you're going to continue to see that these regulations address the needs of business continuity and have specific requirements that demand preparedness across these industries. So, on these BCP regulation examples: the individual examples aren't testable, meaning they're not going to ask what HIPAA says about BCP. But what matters is to really understand the fact that regulations don't lessen in the event of a disaster, and that most regulations have very specific guidelines on how our organization has to be prepared for a disaster based on its industry.