CRISC

Course
Time
5 hours 20 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers roles and responsibilities in the business continuity plan (BCP). In a business continuity plan, there are the following roles and responsibilities:

Senior executive management
- Offers consistent support and final approval of plans
- Setting the business continuity policy
- Prioritizing critical business functions
- Allocating sufficient resources and personnel
- Directing and reviewing test results
- Ensuring maintenance of a current plan

Senior functional management
- Develop and document maintenance and testing strategy
- Identify and prioritize mission-critical systems
- Monitor progress of plan development and execution
- Ensure periodic tests
- Create the various teams necessary to execute the plans

BCP steering committee
- Conduct the BIA
- Coordinate with the department representatives
- Develop analysis group

BCP teams
- Rescue
- Recovery
- Salvage

Video Transcription

00:04
Okay, so we have an idea now of some of the plans that are part of the business continuity plan. Let's look at who is responsible for what, and we know ultimately, when push comes to shove, it always goes back to senior management. They're the ones with the ultimate responsibility to protect their assets, the assets of the company,
00:22
regardless, disaster or no disaster.
00:25
It's up to them. So, of course, the ultimate responsibility lies with senior management. But what does that look like? You know, what else are they actually doing? Well, first of all,
00:36
one of the things we'll see in a few minutes when we talk about the phases of writing the plan is the very first phase is always get policy from senior management,
00:45
Get senior management buy-in, get their blessing, get their commitment to funding. So that's an essential piece. It's senior management's job to support this process and to fund it. If any of you have ever been on the business continuity planning team before,
01:00
ah, BCP isn't something you knock out over margaritas at Chili's one Friday afternoon. This is a long-term project.
01:07
Um, we're not even talking weeks. We're talking months. I've been on the BCP team where it took us, I believe, 14 months to pull together the business continuity plan. By the time you have that plan pulled together, it's time to go back and revisit it for changes within the organization.
01:26
So this is very long term. It can cost a lot of money.
01:27
And once again we're looking at something that senior management doesn't see a tie-in immediately to profitability. I don't make any money with a well-written BCP.
01:38
I don't get to charge people admission to come in and read my business continuity plan. It makes me no money. Now, I can keep my business going in the event of a disaster, but it doesn't make me a profit.
01:49
All right, so senior management's job is to support it, and they will put their support in writing for this process through the business continuity policy.
02:00
All right, now, one of the things we talked about is figuring out what services are most critical to our organization. Who does that? It has to come from senior management. You know, I work in IT, so what's the most critical department? IT.
02:15
Salespeople may mistakenly think their department's the most critical, or production, or whatever. So the idea is senior management has that bird's-eye view of the organization, and they should be able to prioritize based on criticality.
02:29
They've gotta allow the support, the personnel. They've got to approve the plans, and you'll notice there's a reference somewhere up here to the business impact analysis. Ah, OK, it's not referenced here, but really, that's what happens when we talk about critical business functions. That's done in a document called the BIA, which stands for business
02:49
impact analysis. We'll get there in just a moment,
02:52
but it's senior management's job to prioritize those functions. Ah, and to make sure that they sign off, they put in writing what is most critical and how critical it is.
03:05
The reason that's so important is ultimately, if you think about it, when you go to senior management, you say, Well, how long can our organization be without a web presence?
03:14
What do you think senior management's immediate response is?
03:17
No, we can't be without a web presence. We need 24/7 uptime.
03:23
Well, I could do that for you. I can give you very, very, very, very close to 24/7 uptime. But what's the trade-off for that?
03:30
You can probably imagine it's gonna cost a lot of money.
03:34
So when I go back to senior management and say, Well, I can get you 24/7 uptime, get your checkbook out,
03:39
then senior management comes back and says, What I meant was two hours' tolerance for downtime. So this is, ah, a point in time where we can do some negotiation. This is a point in time where we look at the systems we already currently have in place and decide if they're gonna meet our needs.
03:54
And then ultimately, senior management's gonna say, All right, here's what we've decided on,
04:00
and I want their signature by those decisions, because when senior management comes back to me and says, Okay, realistically, we can be without a web presence for two hours, I want their sign-off, because when that web server comes down,
04:15
what they're going to remember is, I thought we said you had no tolerance for downtime.
04:19
I want 24/7 availability. No, I've got your signature that says you and I agreed to two hours' downtime. And the idea there, again, is there's always a trade-off. I can get you extremely high availability, but it costs money. It's not cheap.
04:38
Now, if I'm an organization like Amazon
04:41
and I'm looking at losing $4 million for every 15 minutes I'm down, all of a sudden getting your checkbook out to provide 24/7 uptime makes a lot of sense.
04:53
But if I'm a mom-and-pop company that really can afford downtime, the cost of having 24/7 uptime is too much. But the bottom line is that's not my decision. I'm the head of the business continuity planning team. I write the plan, but what I write really stems from senior management. I want their sign-off.
05:12
They're the ones that ultimately approve the plan.
05:15
They're also the ones that have to make sure that the plan gets tested on a periodic basis. And as a general rule, we want to test this plan at least once per year or in the event of a major change. Hey, and that's definitely testable. How often do we review the plan? Once per year, at least,
05:33
certainly more if driven by risk.
05:36
It's their job, senior management's job, to make sure those tests happen, but also to review the results of the test and make sure that if there are any changes that need to happen, those changes get done,
05:48
and I would like you to have the definition for what a test is, and I know that sounds silly, but tests are different than exercises and drills.
05:58
A test verifies your plan
06:01
for accuracy and completeness.
06:04
Okay, so a test verifies the plan. It's about the plan. Is the plan accurate? Is it complete?
06:11
But if we conduct exercises and drills, that's about employee response, obviously with the purpose of improving.
06:18
So when you think about fire drills, by the time your company would ever even have a fire drill, your plan has been tested,
06:27
right? And I have confidence that the plan is well written, that we've covered everything. Now I'm gonna conduct the drill.
06:33
If I expect my people to be out of the building in 10 minutes,
06:40
and yet when I conduct the drill, it takes them 20,
06:44
the problem probably is not with the plan, but it's more about employee response. And we know how employees do during a fire drill. Everybody kind of gets that casual air: oh, let me stop by and get a drink, or let me go by the restroom and, um, you know, let me run this errand, let me finish this email.
07:02
So what we do is we'll conduct drills until employees respond appropriately.
07:06
But usually by the time we get to a drill, we've already tested the plan. A test is about the plan; a drill or exercise is about employee response.
07:17
All right, and then, last but not least, senior management's responsible for making sure the plan gets reviewed and maintained.
07:26
Now, senior management: these are the folks with the chief roles, you know, chief executive officer, chief financial officer. But then from senior management, we also have functional management.
07:38
These are your department heads. So where senior management may say the web presence is very critical,
07:46
and we need, ah, less than 30 minutes' downtime for the web presence, it's functional management that maps that to specific servers and specific action items, if you will. Like, for instance, I don't expect my chief officers to know I've got a nine-node cluster
08:05
and which servers, or which, and what our backup strategy is.
08:09
They're just going to say, Here's what we need as our business function.
08:13
My functional managers again are gonna figure out the how in order to accomplish that.
08:20
Now, I'll also have a BCP committee, and that business continuity planning committee, on this exam, you're gonna assume you're the leader of the BCP committee. Writing a business continuity plan is very much a project. So you will be the project manager for this endeavor.
08:39
And so these are the most, ah, noteworthy activities because they're under our responsibility.
08:46
So right off the bat, the very first thing a BCP committee does is they conduct the BIA. And I want you to have this. I'm gonna give you a very specific, very carefully worded definition. So if you need to stop and pause to make sure you get this definition exactly as I want you to have it, please do so.
09:05
All right. So BIA, and that stands for business impact analysis. A business impact analysis, and this is all about identifying
09:16
and prioritizing
09:18
all business processes based on criticality.
09:24
Okay, the BIA is about identifying and prioritizing
09:28
all business functions based on criticality.
09:33
Hey, there are a couple of really important pieces there. First of all, you identify first, always,
09:41
then prioritize. So what that means is, when I'm brainstorming the business processes, I'm putting everything down. Sorry about that. I'm trying to put everything down in a list. I'm not trying to say, OK, this is important, that's important, this is not so important. The first thing I do is just brainstorm.
10:00
The reason for that is if I'm trying to prioritize while I'm listing and identifying, my temptation will be to leave certain elements out. Let's leave that business process out. It's not all that important. Let's just focus on the important ones. But the problem with that is, as an individual in IT,
10:18
I don't know all the critical functions of
10:20
accounting or of production or whatever. So my job as the head of the BCP committee is to make sure, first of all, we identify all of our business processes.
10:33
Then with my team, the business continuity planning team, we will prioritize those processes. My team should be a cross-functional unit so that I have representatives from all departments within the organization.
10:48
All right, we're gonna prioritize those processes.
10:52
So identify, prioritize all business processes. Again, we're not identifying just critical ones, because at that phase, we may not know what's critical and what isn't. So we identify and prioritize all
11:03
business functions, not IT driven. This is business driven. What are those elements that are essential to the running of the business?
11:13
And then last, we're gonna prioritize those based on criticality. Once again: time sensitivity, not importance. Importance and criticality are different. Criticality is about time sensitivity. And what we're doing is we're identifying those areas of the business
11:31
that will cause us the greatest amount of loss
11:33
the longer they're down.
11:37
All right, we're gonna coordinate with all the department representatives, give them a means of feedback, and we're gonna have an analysis group. And their whole plan is gonna be, Let's go through and let's identify and prioritize these elements. And then ultimately, who signs off on the BIA?
11:54
If you'll recall from the slide before
11:56
that, senior management.
12:00
We will also name, ah, a couple of other teams that are essential as part of the business recovery, business continuity plan. We'll name rescue, recovery, and salvage teams.
12:11
Rescue is what it sounds like. Let's get people out of that burning building. Their top priority is to protect,
12:16
protect human life first and foremost, but also protect company equipment, materials. Ah, we'll have a team that's responsible. You know, these would be your folks that wear the orange safety vest and help people evacuate. Ah, there might also be certain people designated to crash the server room, if that's the term you're familiar with.
12:37
You know, a lot of times we have water-based sprinkler systems. We don't want that water dumping on the live systems,
12:41
so they're gonna power off the servers. Usually there's just a button they can hit, but also that's from a security perspective as well. We don't want to evacuate the building and leave those servers up and running, because they might be compromised.
12:54
Recovery: they're responsible for getting the offsite facility back up and running. Recovery is all about restoring the most critical server systems first, so maybe we have to move to an offsite facility. These are the guys that bring that offsite facility up.
13:09
But don't forget
13:11
a disaster is defined as simply having the building unusable for a day or more,
13:18
so we could enter the disaster recovery plan, phase one, just for a snowstorm. You know, it snowed. We get six inches of snow, we're out of work for a day.
13:28
Okay, well, recovery might mean certain key elements of our organization, certain key personnel, work from home.
13:33
Okay, so that's a recovery operation. So just making sure the policies are established for that, people know what their roles are and what they're expected to do. That would be part of recovery.
13:45
All right. And then probably the most difficult role is salvage: getting that primary facility back up and running. Or maybe the primary facility's totally destroyed; getting us back to a permanent facility, whatever that might be. Getting us back to a state of permanence.
14:01
And the emergency really isn't over until
14:05
salvage is complete, until we're back in that state of permanence.
14:09
Here, let me back up. With recovery, we want to get the most critical services back online first. With salvage, we want the least critical, because the idea is we're operating okay at our offsite facility. I want to come back and bring up those critical... those services that have the least risk associated with them,
14:28
so most critical here,
14:30
least critical with salvage.

Archived Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor