Business Continuity Plan (BCP)

00:00

Hello, everyone. This is instructor Gerry Roberts, and this is risk policies and security controls.

00:06

In this video, we're gonna talk about what the BCP or business continuity plan is.

00:11

Who are the actors that are involved with the plan?

00:14

The planning process,

00:16

some standards

00:18

it will wrap up.

00:20

So what exactly is the business continuity?

00:23

The BCP, or Business continuity plan, is a document that has put together by various individuals in an organization.

00:30

The idea is that they're going to be able to plan for longer term outages and disasters.

00:36

A good example of a long term Alger disaster

00:39

might be Hurricane Marie. In Puerto Rico,

00:42

they sustained 92 million US and damage

00:46

and in some places, the island. They're still no utilities,

00:50

even though this happened in 2017 which is almost two years ago.

00:56

This is different from a D. R P or disaster recovery response plan,

01:00

which is meant to cover short term disaster so the company can get back to work as soon as possible.

01:07

So who is involved with your BCP?

01:11

First of all, you're management has to start the process.

01:15

A business continuity coordinator is identified by management and that person's gonna be responsible for making sure all the different things that need to be done are done.

01:25

You also have a business Continuity committee

01:27

who management and the coordinator put together,

01:32

and this is comprised of members from management I t Security, communications and Legal.

01:38

And you want a good mix of different people from different departments and different levels of management. So you have visual and the different areas of your company, so you can better plan

01:48

now. In some cases, the entire company might be involved

01:52

if there's a training that used to be done

01:55

or, in some cases, during testing and drills the entire company night be involved.

02:01

So the BCP planning process.

02:06

So when you start to plan, the first thing you're gonna do is what's called a continuity policy.

02:10

This is a policy that's put together by management's, the committee and the coordinator. That pretty much says what we want to get out of our policy and what things we need to look at for continuity.

02:23

This will help guide the BCP document

02:28

next a B I A or business impact analysis system.

02:31

This helps us identify important functions, and resource is as Bella's identify threats.

02:38

Remember earlier when we were talking about risk management? We can't do anything unless we know what the threat is. So identifying threats along with important functions and resource is is very important.

02:52

Once those items are identified, then you can identify preventative controls.

02:58

In this stage, you're gonna identify. Implement those controls. They could help lower the overall risk to the organization.

03:06

Next, you want to develop some recovery strategies.

03:09

So that way, if an event happens, even though there are controls in place,

03:15

you'll be able to recover faster.

03:16

Now you'll create methods for bringing critical infrastructure back online quickly. First

03:23

business won't be able to run without critical infrastructure.

03:28

Next, you developed the contingency plan,

03:31

thes air procedures and guidelines for how the business can stay afloat even in a critical failure.

03:38

This is very important because businesses can't actually disappear and go out of business if they're not able to stay afloat

03:46

during a major disaster

03:51

exercise Test syndrome

03:53

test your plans

03:54

improved the players. If you find there's an issue with them,

03:59

train your employees. This is very important.

04:01

If you don't train your employees and something happens, they may not know what to do, or they may not be comfortable with what they have to do.

04:12

Also, if you can't do drills if possible

04:15

and these could be simple drills,

04:16

just help employees get ready

04:19

and last but not least maintain.

04:24

There's no reason to do all of this if you're not gonna maintain it.

04:29

Situations change equipment changes. Location changes, people change.

04:34

Threats change. Everything changes.

04:36

So have a plan

04:40

for maintenance.

04:42

And make sure you go through with that plan and maintain

04:46

your disaster recovery

04:47

and your BCP planet

04:53

standards.

04:54

Yeah, there's some standards out there available for your BCP.

04:58

Some of these air standards some of these air frameworks,

05:01

but the important part is they help you put together your BCP with some best practices.

05:09

You may use these to help guide your organization in the process.

05:13

Some standards that are available that you might be able to use

05:17

Ernest has several

05:19

they 834 and there are multiple others available.

05:24

There's the B s 2599 which is a British Standards Institute standard.

05:30

I So I'II see 27 0 31

05:33

and I saw 22031

05:38

You also have the business continuity institutes good practice guidelines, which is just pretty much a document of best practices.

05:46

You also have the D. R i international institutes professional practices for business continuity planners, which is also another document with a bunch of best practices that might help you out.

05:58

You know, if you're part of the United States government, they're probably gonna have to comply with some of the standards, not just look at them,

06:04

most likely n'est and I. So

06:06

if you're in other countries

06:10

such as England,

06:12

you may have to do things for the British Standards Institute shut just the B s 2599

06:17

And I know quite a few other countries that do business with the U. S. Government also have to comply with some of these standards.

06:26

So that's it for our lecture time for a question. So our post assessment questions

06:31

which stage of the BCP planning process will you identify an implement controls

06:38

is that during the developed the contingency plan stage

06:42

the maintain stage,

06:44

the continuity policy stage

06:46

or the identified preventative control stage.

06:50

I'll give you a moment to see if he could figure that out.

06:54

As always, you can pause and we'll come back to the answer in a moment.

07:01

The answer's de identified preventative controls.

07:06

During that particular stage, you're gonna identify preventative controls that can help you address the issues that you found in the previous stage where you were going through an identifying threats.