BCP Step 1


Time: 14 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 13

Video Transcription
Just like we talked about with Step 1, project scope and planning, our first piece: get the business organizational analysis. This is going to help us build on what our processes are. It will give us information about the different organizational structures of the organization.

Very well, let's try that again. Just like we said, Step 1 of the (ISC)² four-step process begins with getting a business organizational analysis. Now, this is really important because it means that we have to truly understand the mission of the organization, the objectives of the organization, the structure, the hierarchy, the company culture, the environment, all of those things. Because this is going to be the foundation for who's going to be on the team, and ultimately it's going to lead into helping us create a successful business impact assessment as well.

We've got to look at all of those elements of our organization. Are we ISO compliant? Is it a government environment? What is the context of risk in which we operate? What type of threats are likely to materialize, right? What this piece is trying to do is understand the business as a whole.

Now, like I said, that's going to feed into giving us an idea of who should be part of the business continuity team. Once we understand the organization and the different departments within the organization, and how they're structured and how they function, we can ensure that each department has representation on the business continuity team. That doesn't mean that I've got 372 people sitting around a board room on my BCP team. But it does mean that we make sure every department is represented. Maybe we solicit information from them via surveys, or maybe they have a lead technician or department manager who is on the team. But ultimately we need that cross-functional understanding.

It's certainly important that we have representation from our legal team, from our HR team. We want to make sure that we're in compliance with regulations and standards. Of course, Information Security, production, all of those different teams we need to bring in. We need technical representation. Once we understand the business, it'll be easier for us to understand what the departments are and what our needs are for representation on the team.

Now, once we have our team pulled together, then we're going to have to meet with senior management and say, look, here's what we've got. Like I said, we're going to need resources for this. When we talk about the business continuity plan, some business continuity plans take a year to create. Then by the time you create them, you've got to turn right around and start evaluating them again. Once again, senior management has to be aware of the needs for resources, and we have to make sure that we have access to those resources.

We're also going to have to run tests on the business continuity plan. Of course, this will make or break our organization. When we talk about testing and training and maintenance, what that means is it's not just enough to write the plan. We've got the plan. Great. Let's all go home and celebrate. No, the work has just begun. Because now we have to take that plan and find out if it works. That will take multiple tests in multiple environments with lots of feedback. Then even when it works, now we've got to train our people, make sure people can carry out the plan. Then we've got to maintain it and come back once a year, or in the event that the business changes, we've got to come back and revisit it and determine whether it is sufficient for today.

Then of course, we implement the plan once we have that confidence in the plan. That takes a lot of training. It will require that, in order to meet the needs that are specified in the business continuity plan, we may have to reconfigure our network infrastructure. We may have to upgrade components. We may find that we can't meet management's needs in the event of a disaster with the current infrastructure we have now. We've got to sit down and figure out what's necessary to make this business continuity plan work and to make it viable. Then we have to get that commitment from senior management.

Then legal and regulatory compliance has to be involved again because ultimately, whatever regulations govern us, they're going to carry through in the event of a disaster or reduced functionality. We have to make sure our legal team is involved in ensuring lots of different pieces, making sure that compliance doesn't lapse, but also making sure of things like who goes out and speaks to the media. Because anything that our employees say to the media could be held against us. We want to make sure that there's a prepared statement for people that don't have the authority to go out and speak to the media.

I will guarantee you this can sink you when you get the wrong person going out in front of the cameras. If you go back and think about the BP oil spill years ago, Tony Hayward came out to the media time and time again and just said some terribly ridiculous things. One of the first things I heard from him was, listen, nobody's been affected by this more than me. I haven't slept in three days. Yet 12 people died in the initial explosion. That was a really awful thing to say. But every time I would hear he was going to come on TV, I would just get my little bag of popcorn out and I would just sit back and wait and see what this guy was going to say, because it was one disaster after another. One of his executives said, look, you can get shrimp in places other than the Gulf. You can, but it's probably not the best thing to say to the media. He participated in a yachting race or regatta while oil was still pumping into the Gulf. I mean, it was just a PR nightmare. BP still can't bid on certain contracts, and still we have that negative taste in our mouth.

We want to make sure that we don't just put anybody in front of the camera. Particularly, we don't go to our CEO and shove them out there. We put somebody who is qualified and trained to talk to the media, and that's who goes out there. We want to make sure that we present our best selves to the camera. We don't want to end up being liable, or causing our stock to drop, or our customers to lose confidence. We need to make sure that we maintain compliance and that we present that to the media.

Legal and regulatory compliance doesn't cease because you're in a disaster state. It's no less important, and as a matter of fact, it's even more important because now all eyes are on us. We've got to remember that there are numerous laws that address business continuity, and I just have a handful of them. I just included a couple: HIPAA, which is in relation to health care and the medical profession. The government talks about FISMA and protecting federal information security systems. With finance, there's the federal institutions examination council. But you could just go on and on and on per industry, and you're going to continue to see that these regulations are going to address the needs of business continuity and have specific requirements that are going to require preparedness across these industries.

BCP regulation examples: these individual examples aren't testable, like they're not going to ask what HIPAA says about BCP. But man, it really matters to understand what the regulations are, or to understand the fact that regulations don't lessen in the event of a disaster. Most regulations have very specific guidelines on how an organization has to be prepared for a disaster based on its industry.