What the BCP Needs to Include

Video Transcription
Everyone, welcome back to the course. So in the last video, we talked about the difference between a business continuity plan and disaster recovery plan. Again, think of the BCP as the holistic view of the critical business operations that we need to focus on to be able to maintain our business, and then think of the DRP as just the IT systems or the systems that we're using.
And we need to be able to recover those at some point so we can get to continue those business operations.
In this video, we're gonna talk about what the BCP needs to include. So we're gonna think through these different areas.
So, learning objective: just talking about what the BCP is gonna include.
So number one, IT systems, right? So we're talking about things like our critical systems, so these might be things like our financial systems for accounting. So maybe they have to process sales that we're getting a revenue. These might be systems that control the production process if we've got a tangible asset that we're creating for our customers.
So let's say that those IT systems that are managing that go offline. Can we still produce products? Do we have another facility
that we can use to produce things for our customers as well as maybe the sales team?
What things are they using? Are they using, like, Salesforce, for example? Let's say that Salesforce completely goes offline. Do we have a way to still get that data on our customers and contact those leads during that entire process?
We need to think about the human capital again, right? The people of our companies. So if something happens, where are they gonna work out of, right? If we've got a physical office location, we only have one location, can our employees, can they be remote? Do we have that set up where they can?
How can they work? Can they do things remotely? Do they even need to access our particular systems? Or do we have stuff up in the cloud
that they could potentially use? So we need to think through these things based off our organizational needs.
Production. We talked a little bit about IT systems with producing things, but let's say that we have a manufacturing facility and the production gets shut down because of a massive flood, right? So we don't have the ability to produce what we need to sell. Do we have backup facilities that we have partnerships in place
where another company could produce those things for us? Even at a lower scale, just so we can continue to build revenue.
Backup. So
when we talk about backup in this situation, we're talking about the physical structure itself, right? So our building. So how quickly can we get things back up again? How quickly, if there's damage to the building, how quickly can we get construction done? Do we have a backup facility that our employees come work out of in the interim?
Is it maybe in a different geographic location? So these are things we need to think through as part of our BCP.
Inventory. Let's say that we're Amazon, right? And we've got a fulfillment center and we got a ton of product in there, we're carrying all this inventory,
and a flood happens and it wipes everything out. Do we have inventory someplace else? Do we need to carry inventory during this? Do we need an offsite storage facility someplace where we got some backup inventory to still fulfill customer orders during this? And I'll give an example here. I used to work as a nurse for an infusion company,
and one situation actually occurred with flooding. Right? So
this particular organization also had a pharmacy where they created medications for patients and they shipped those around the country. Now what happened with the flooding is it flooded out both the corporate offices as well as the pharmacy area, so they couldn't produce the medication for patients.
What do you do? Well, in that situation, they have partnerships with local hospitals and other pharmacies around the country to produce the medication.
Again, it was at a lower scale, but they were still able to get patients the medication that they needed, even though the particular organization was suffering from the flood.
So again, these are things you need to think through if you're carrying physical products or if you're manufacturing products for your particular organization.
Distribution. So how did your grandma get her medicine, right? If we think about Amazon in a context of, they distribute a lot, right, that's one of the key aspects of the business, is all the fulfillment centers. So how are we still distributing whatever we need to? And going back to that infusion company example,
how are they able to get the medications to the patients even if they could produce them?
There wasn't any way to get them out of the flood zone, right? We couldn't ship the medication anywhere. So fortunately, those partnerships existed in the local geographic areas to be able to still get Grandma her medication.
Communication is something else we need to think through, not just internal communication between our teams and having that tree structure. We also need to think through external communications. What if we need to report something to, like, the CDC, for example, or we need to call emergency services? So thinking through all the communication that we might have to do as part of our BCP.
Customer service. Granted, some customers will be understanding of your situation, especially if there's a national disaster going on. But there are some jerks out there that just don't care that you have a flood going on in your office. They still want their product, right? So we need to think through, how could we still maintain customer service?
How can we still get our customers what they need?
This may include having a backup plan of using overseas or local customer service companies to handle the volume of calls while we're out of commission.
Our data backups themselves, right? So I talked earlier, when we talked about a flood, about not having my mini data center on the ground floor. Right. That's kind of common sense.
So make sure that you're doing appropriate data backups. So we need to think through, where is our data being backed up to, right? A lot of times, we're going to do that to the cloud. But we also need to consider other geographical locations
that are not cloud based, that we actually own as well, depending on the type of data we're working with.
We also need to think through how often we're backing up, right? A lot of companies will do a combination of backups, so things like incremental backups as well as full backups. So check with your company. If you're working in the IT or cyber realm, check with your company's policies,
if you're not familiar with them, on exactly what kind of data backups you're doing and how often you're doing those to make sure that you're appropriately protecting your information.
Another example real quick, because I worked for a healthcare company that, they were only backing up like every three months of the data. And what happened is it got hit with a ransomware attack
and they had to go back three months, and that's the only data that they had. So it caused a lot of issues, caused a lot of litigation for them, cost them a lot of money; they almost went out of business because of it. So make sure that you're backing up your data appropriately and making sure that you're backing it up often enough
to make sense for your particular organization's needs.
So the roles and responsibilities are something we need to think through before things actually go sour, right? So we need to think through, number one, do we have a sponsor from executive management or someone in the top leadership? Because any BCP needs that sponsorship to be successfully approved and implemented.
Then we need to think through, what does everybody actually do, right? So if I'm
getting contacted saying, "Yes, sir, it's an emergency going on," what are my responsibilities to do? So if you don't know that right now, if you're watching this video and saying, "I have no clue what I should be doing," talk to your manager. Talk to your supervisor and see what you need to do for your particular role in your organization.
For the BCP itself, we need to also think through how are we gonna activate this, right? So what's our policy? Do we see that a hurricane's coming, then we activate this right away? Do we wait a certain period of time? Do we wait till disaster struck to do this? Do we wait till something else has occurred to activate this? We need to think through that. Also, implementation: how do we implement this?
Deactivation. So once everything's perfectly fine again,
what do we need to do to come back down off the BCP? And then we also need to think through recovery times as well. So what's acceptable for our organization compared to another organization?
Testing. We need to test the BCP. We also need to train people in the BCP, and then based off the results of that testing, we need to review things and say, "Yes, this is working," or, "You know what? Let's go back to the drawing board and make some changes over here, because we just found out when we tested with accounting that they've got this critical system we didn't even think about when we did our business impact analysis,"
which is the BIA that we'll talk about a little later on.
So just a quick summary here: we talked about what the BCP actually needs to include. So again, that's things like your data backups, your physical location backups. We need to talk about the roles and responsibilities for everyone to do, so everybody has a clear understanding of where they fall
in the process. And really critically, we need to always test the BCP, make sure everyone's trained on it, and then review it
and implement improvements as our organizational needs change.