Business Continuity Planning

Time: 7 hours 15 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
>> Hi there, and welcome to our next lesson, Business Continuity Planning. In this lesson we will talk about what business continuity is, how to audit business continuity, developing the business continuity plan, a little bit about the various disasters and disruptive events that might come into play, business continuity policy, BCP incident management, different components of a BCP, and a few of the planning issues. So let's begin.

Business continuity will be a common subject of IS audit. You, as a certified information systems auditor, will no doubt come across business continuity planning in any of the audits you conduct quite commonly. Now, a key thing to remember: it's different to disaster recovery. Business continuity is focusing on getting the business functioning. Now, that could be by restoring the IT systems. But at the same time, it could be as simple as switching to manual processes; ledgers and books, for example, as opposed to IT systems. It really depends upon the nature of the planning and the nature of the business itself.

A couple of key points when you're auditing business continuity: it has to be endorsed. Having the plan, but with no visible support from senior management or executive management, means that it probably isn't covering all the business strategic interests that it should. It also needs to be achievable. It needs to be balanced against the resources that are allocated to it and the timeframes that it mandates. It needs to be a realistic and achievable outcome. It also needs to be tested. Developing the policy by itself is certainly not enough on its own. It needs to be sure that it can work when there is an actual disaster. Quite importantly, it needs to be known by the workforce. In a lot of organizations, you'll see that the business continuity plan is known very well by the people who developed it. But if you go outside of that group, it may be a little bit less known. It needs to be commonly known by the workforce because, in terms of a business continuity incident, you don't know exactly who's going to need to be taking the lead with this.

Now, to develop a BCP, you need to identify business processes that are critical. We've covered a little bit about this so far with business impact analysis and that sort of work. This will feed directly into this process. You need to assess and analyze the risks to those processes. In the risk assessment, you need to consider any resources that support critical processes. That could be human, data, infrastructure, third party, etc. You need to look at the potential vulnerabilities to those resources, the probability that these threats may occur, and any existing mitigations, controls and their effectiveness. In essence, you need to conduct a risk assessment against the business processes and the things that support them.

Now, IT business continuity planning is essentially the same approach as business continuity planning, but just focuses on IT processes specifically. Now, both plans need to be in alignment. Your business continuity plan and your IT business continuity plan need to work together, and you need to consider the various vulnerabilities. It also needs to be tested, and identification of the dependencies between the two needs to be very well understood. The risk calculations and the business impact analysis also need to be a very important part of this process.

Disasters and disruptive events. This can be pretty much anything, and it varies from organization to organization and even from location to location. For example, pandemic planning is something that's quite relevant for the last few years. But disasters and disruptive events could even be something as simple as damage to image, reputation or brand. For pharmaceutical companies that have a product tampering incident, that in itself can be considered a disaster and disruptive event. It can essentially be anything that's unanticipated and outside the standard business operation.

Now, the business continuity policy will define the extent and scope of the business continuity efforts. This is an overarching document by which the business continuity plan is governed. It really determines exactly how the business continuity plan is made up. It's broken into two parts, generally: an internal portion. So this is what happens from the inside view of the organization. Who in the organization does what, where, when and how, in the event of a business continuity incident? Also, there's a public portion. If you have a customer-facing business, so for example, a major retailer will have a public portion of the business continuity plan to ensure that the customers understand what is happening and are informed with appropriate information that the business is continuing on and has enacted its continuity plan.

Now, BCP incident management. Because BCP can cover any number of things, it needs to be very dynamic. There's no playbook, et cetera, that will determine exactly what an incident may be. It needs to roll with the punches quite a bit. Basically, just like with business impact analysis, it will be categorized into different levels from negligible through to crisis. This will depend upon a lot of the internal policy and procedures, and there also need to be notifications. If an incident has occurred, there needs to be a very clear idea of who it needs to be communicated to.

All right, so in terms of BCP development, there's a couple of things to consider: pre-disaster readiness. It's one thing to have the plan in place, but you also need to make sure the resources and the tools and all the information are known to the people who have to enact the plan. Evacuation procedures are quite a critical part of it; as security professionals, certainly personnel security and personal safety are quite paramount. There also need to be procedures for declaring a disaster. Well, certainly a fire in a building could be a very clear-cut case. But there might be some other lesser significant incidents which could basically fit into a disaster or might not. There needs to be a clear understanding of how a disaster is declared or not, basically. There need to be the circumstances for disaster declaration. There needs to be a very clear understanding of what constitutes a disaster and what does not.

In terms of BCP development, a couple of key things as an auditor to look for. It should clearly define responsibilities. Who is responsible for the plan? It needs to also define roles. There will be a number of different roles depending upon the organization that need to be very clearly enunciated. Contract information is quite critical. If we're talking about outsourced suppliers, for example, third-party contractors, there needs to be an understanding of what the agreements are in regards to those individuals. There also needs to be a recovery process. What is the actual process of getting the business back up and running? Will it be simply manual processes, or will it be a full hot site that will be developed and transferred to [inaudible]? There also needs to be an understanding of what additional resources will need to come into play for the BCP plan itself.

Now we've got different components of BCP. So we have the continuity of operations plan. How is the business going to keep ticking over and basically maintain a business during this time? The disaster recovery plan, which in some cases, and we will basically be talking about this in a separate module, will be separate, but it needs to align very closely to the BCP. So as I mentioned before, BCP is getting the business up and running, which may involve responding to a disaster, or it might be something different. There's similarities and differences. There needs to be a plan for business resumption. At what stage do we get back to normal operations? And obviously a support and an IT contingency plan. We need to make sure that the necessary IT resources are available to support the BCP process.

Additional aspects: crisis communication plan, particularly for customer-facing organizations, and even for non-customer-facing organizations. There needs to be an understanding of who needs to know what's happening at what particular time. An incident response plan. Transportation plan, particularly if, for example, it could be something as simple as retrieving backup tapes from a remote location. You need to work out how that's going to happen and who is actually going to do that. Occupant emergency plan, in the event that premises are impacted; for example, where are your staff going to work from? Are they able to work from home, or do they need to be in a secondary premises that's been determined for use in these events? And evacuation and emergency relocation plans. How do you get your people out of the organization, or out of the building, into a safe location and resume business?

A couple of other BCP planning issues. Key decision-making personnel need to be clearly identified, and they also need to be mentioned in the plan itself, endorse the plan, and know exactly what is happening with the plan. This is essentially the link to the strategic part of the business. There needs to be a good backup of any required supplies, which could be anything simple, from stationery supplies all the way through to service laptops, anything that can support the business.

Now, there are also two important measures within business continuity planning: recovery point objective and recovery time objective. These will basically define exactly what happens within the plan and how the plan is actually put in place. Recovery point objective is recovering the business to a particular point in time. It means rolling back to all the work that was completed up until the beginning of the incident, for example, or one week prior, or whatever the required business needs are. Recovery time objective is exactly how long it takes to get the business back up and running. There also need to be aspects of insurance planning, which will feature as key in any business continuity plan.

Every plan needs a good test. You need to look at, and particularly from an auditor's perspective, you need to verify that the plan is complete and precise. There need to be no gaps. It needs to really cover and do exactly what it's set out to do. Evaluation of the performance of personnel during testing needs to take place. Are they aware of the plan? Did they know exactly what they need to do? This leads into the identification of the awareness of the BCP outside of the BCP team. As I've mentioned, in a lot of cases you'll find that the people who are responsible for developing and managing the BCP are the subject matter experts. But this needs to go organization-wide, and there needs to be evidence that everyone within the organization is aware of exactly what their roles and responsibilities are. There also need to be measurements of operational performance. How well is the actual plan being executed?

Additional testing: evaluation of the state of backup site supplies. If you have a full backup site and that's your plan, to move your business over to your backup site, is the backup site fully equipped and ready for you to commence running business, or does it not have all the necessary resources that your business and your employees need? Assess any record retrieval capability. This comes down to our backup and storage. While you may take your backups on a regular basis, do you have a plan in terms of how that's been tested? How long since you've retrieved any data from backup, and do you know if it can still be retrieved? You need to measure the ability of the backup facilities to maintain your business processes. If you are cutting over from your primary site to your backup site, does your backup site have the ability to maintain your business processes for all the time it'll take for you to get back into normal operations? You also need to measure the ability and capacity of your backup facilities. Will they run your business for the foreseeable future if need be, for example?

In terms of test execution, there are three phases. It's very simply pre-test, test, and post-test: planning for the test, conducting the actual test, and lessons learned. There are a couple of types of testing as well. Desk-based evaluation, which could very simply be a number of relevant stakeholders in a room walking through scenarios, essentially on a desk. Preparedness test, so running, basically; essentially, these would be drills. Basically running a drill to determine the capabilities of your employees and the readiness of your employees and your processes. Of course, there's a full operational test where the plan is enacted as if it was for real. Out of this execution, you need to analyze the results and feed that back into the maintenance of the plan so that you can actually learn from the results of the test and improve them.

Now, as an auditor, business continuity, as I said, will be a very key thing that you'll be looking at. You need to evaluate the BCP strategy and its connection to the business objectives. The BCP needs to very much be in lockstep with what the business strategic goals are. You need to also review the business impact analysis findings. One has to exist, obviously, and you need to ensure that whatever the findings in the BIA, they are linked into the BCP. You need to determine the BCP adequacy and currency. If the business continuity plan was developed 10 years ago, is that still going to reflect the needs of the business today? Looking at any of the outcomes of the previous tests: first of all, have the tests been conducted, and if they've been conducted, have lessons learned been fed back into the BCP process to improve it? Depending if you've got any cloud-based mechanisms, which are often a BCP feature these days, you need to evaluate if they are ready and capable of doing what they're being planned to be used for.

Additional aspects. Evaluation of the off-site storage, so it is sufficient to manage the requirements; transport arrangements for off-site media. If a business continuity incident occurs, you need to ensure that you have someone who can realistically get the tapes from the secondary site. Personnel response. How well have the personnel responded to the incident? Are they aware of what they need to do and where they need to be? Any plan maintenance and updating. Again, has the plan been updated since the last test, and has it been basically maintained and relevant to the business as it is today? And you'll also need to look at the documentation. The manuals and procedures need to be easy to understand. There need to be detailed procedures, but there also need to be detailed standard operating procedures and work instructions so that the people who are operating on the front lines in this incident have a good understanding of exactly what they need to do and when.

That's business continuity. We've talked a bit about business continuity, auditing of the business continuity plans, how to develop a BCP, disasters and different disruptive events. We've talked about business continuity policy and the differences between policy and a plan, BCP incident management, different components of the BCP, and a few other planning issues that need to be taken into account when developing a BCP. I hope you enjoyed the lesson, and I will see you at the next one.