Writing the BCP

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

6 hours 3 minutes
Video Transcription
Hey, everyone, welcome back of the course. So in the last video, we talked about the B I A or the business impact analysis. Again, there's a lot of things you need to think through when you're doing the actual B I, even if you're not doing the B I A. And you're just somebody working in the organization. You need to think through those scenarios and think through how your job
has critical business systems that you touch every day that somebody may not know about. So always understand that you need a petition from a financial aspect and say, Well, this effects
this part of the organization If you don't understand how it does, ask your manager and say, Hey, how does this particular thing affect the organization
in this video? I want to talk about the key areas that you need when you're writing out the business continuity plan.
So number one, the plants summary. So I, as the executive may not be reading through the entire thing. I may just want to go quickly and see the summary of the plan, things that are gonna tell me more about the company as well as the key areas. I think I need to focus on of the plan. Now, some executives may re through everything some may not so just kind of depends.
I personally would read through it all, but you just definitely want to have a good summary in place, too.
Highlight this Particular areas
plan approval. So again, I really am stressing in this course. If you haven't noticed already, you need buy in from senior leadership rights. You need that sponsor to say yes, we're going to do this. And yes, we need to get this going. And, yes, we're here is the budget for it? We need all these things in place because it's going to benefit our organization,
the business community, plant leadership. So we need to again focus on what is everyone's role for the BCP and what are the responsibilities. So what is the manager doing? What is the executive doing? What are all the team members doing? What is everyone's individual responsibilities? We need to make sure that's clear
for everybody. So when something does occur,
they're not scrambling around trying to read three huge manual of 5000 pages. Everyone knows what they're supposed to do.
We also need to think through having a primary and backup and possibly several backups of leadership, Right? So let's say I've got a certain role and responsibility, but I'm out sick that week, right? Or I'm on vacation that week out of the country. And so I'm not involved in anything, right? I'm I'm off the grid.
Who's my backup? To cover my responsibilities while the disaster or the bomb threat or the employees were leaving, whatever the case might be, manufacturer closes et cetera. Who's that backup person? And again, you probably wanna have several backups with your particular organization.
Internal context. We talked a little bit earlier about communication, internal contact. We need to have something like a contact tree, right? So who do I call it? A list. Who calls me or who Text me. How do I get alerted to the fact that there's something going on? As an example? When I worked for another health care company,
they had everyone's cell phone numbers. They also had personally amount of dresses.
What they did is they. Whenever there was a flood or some kind of storm coming like a hurricane or tropical storm or just a really bad thunderstorm. They would send out messages and say, Yes, the company is open today. Come into the office or we're probably gonna be closed or everyone's gonna have 1/2 day. Whatever. Stay home if it's not safe.
There was always that communication stream in place to make sure everyone understood
what they needed to do. Now on that, along with that is everyone had a contact tree. So, as an example, I knew who I needed to call, and several times it would be
a certain list of patients that I would need to call and say, Hey, we're gonna be closed today. But if you need to reach anyone, here is the on call number and they're out of our area, so they'll always be answering. Now they'll be ableto address your needs and they'll be able to contact the physician to address any emergency needs that you have.
We talked about internal contact. Now we need to do the flip side, the external contact right? This could be a lot of different organizations and people, right? So people like our suppliers possibly could be the customers themselves, right? So going back to the customer service service providers. We also need to think through emergency Service's and that sort of stuff,
facilities and utilities. So thinking through if we're like leasing office space, for example, and we're using electric, which most people are, Hopefully
we need to think through about possibly getting utility shut off. So what's occurring? What risks are there, and should we contact somebody to get something shut off? So let's say that it's not a massive flood or a tornado or some other natural disaster. Let's just say that we've got some broken pipes in our office and it's flooding.
We don't want to go like turn, turn the wrench and, you know, closings offices were not trained. So who do we contact? We contact building management. Where Property management in most cases. Or is there a specific utility company? Maybe the city we have to contact for them to come shut off the pipes so that until it gets fixed. So these are things we need to think through based off our organizations.
Particular situation.
Financial service is how do we actually get to our money, right? So can we still access for bank accounts as the organization do? We have people off site that can access those for us to pay invoices to collect money from customers. How can we do that? So we need to make sure we can still access our capital
as we're trying to run the business. And while all of this is occurring,
regulatory agency, so do we need to contact anybody else, right? So let's say that we've got a RANSOMWARE attack or some other data breach at a health care company. We may have to reach out to HHS, right? And that stands for health and Human Service is. So we may have to reach out to an organization like that and report what's going on.
So we need to think through How do we contact them? What happens? What is their backup plan? Right. So if we can't reach him through normal channels, do they have an emergency
area or emergency plan in place that we can reach him that way if something is going on? So let's say that we're in state area is the main HHS office.
If something is affecting us, is probably affecting them. So how do we contact them to let us know what else might be going on
are critical systems records again, going back to the business impact analysis we need to analyze. Okay. What are we gonna be doing with these critical systems? What are these critical systems? What we're gonna be doing with our records? How do we store them, for example, going back to health care? How do we store that patient data are restoring paper charts on site
are restoring. Everything in the cloud are restoring it in hume our system.
How are we doing this? Are we doing a combination of everything which is actually probably recommended Thing that you should do. And most health care cos I've worked with will store paper files on site for about three years. 2 to 3 years, and then they'll move them off site force. Long term storage.
Just call it a pans. Depends on the stage and that sort of stuff.
Backup location. So here we're thinking through our data backups. Right. So we talked about that a little earlier, making sure we effectively back up our date, and we do it on the schedule that matches for our particular organizations needs also equipment. Right. So let's say we're producing stuff.
How are we getting our inventory produced? Right? I will introduce our products for customers
as well as I T equipment. So let's say that all of my equipment gets flooded out, as we had seen in a previous video on that image, we've seen all the computers were flooded out.
What do I do? Do I have a backup facility that my employees can go to and whether that's cold, warmer, hot? Do I have a backup facility in another geographic location? So let's say there's a couple of cities that are maybe 50 miles from each other, and everything's happening in my city. But I can drive. I can have my employees safely drive to the next city
to work in that facility where I can have some of the employees
go work in that facility because they live in the north part of town or whatever, Right? So these are things that we need to think through
supplier backup. So let's say we get our stuff from a manufacturer or a distributor.
Are they still gonna be able to stock us up? Right. So let's say we've got a grocery store in this example. Can we still get products in our grocery store from our suppliers, or is something happening in their area? And if yes, do we have a backup supply or backup suppliers that we can use to still get food into the grocery store so everybody can still make their Thanksgiving or Christmas dinner? Right?
Emergency service is kind of touched on this earlier when we were talking about external communications. But we also need to think through, like, who we actually gonna call when things were occurring?
Probably not going to call 911 in most cases because everybody else in the world's gonna be calling them at the same time in the city. But are there other ways we can contact them to say yes or patients air? Okay, So, thinking through a hospital example, do we have a way to contact
the fire department to say yes, everyone's fine were evacuated. Here. We're in the midst of evacuating. We've got a good plan in place and we'll be able to get all the patients out safely or hey, no, we're not gonna evacuate. We're safe here or on the top level floors. We bought all the patients moved to these particular areas. If we need you, we'll call you et cetera. So
basically here, who you gonna call? And hopefully, it's not the Ghostbusters hopeful you're actually calling legitimate
emergency service's.
We need to think through the process of our risk assessment, right? So getting back to our business impact analysis and then we need to think through what's the impact of all these different risk again going back to a natural disaster type of risk? If I am not in an area that's prone to earthquakes or snowstorms,
then I'm probably not going to have a huge impact
from those types of things because they're less likely to occur.
But as I mentioned earlier in the course, I live in an area where flooding is actually pretty prevalent. And so for me as an organization, I would say, Okay, well, the impact from a flood is may not be severe, right? Maybe everything's for our company's up in the cloud and flooding the office building doesn't matter because everyone can work from home.
But it really depends on your particular organization
risk mitigation. So once we've identified those risk and we determine that there actually legitimate risk for organization that we need to figure out ways that we can actually try to mitigate those. So, using a data center example, if we've got a small data center restoring our data on site, a risk mitigation techniques might be too. Also, store
our did it in the cloud, which most organizations do these days.
Emergency supplies. So these are things like our production supply. So what do we need to still maintain things and continue our business operations? Right. So could be the fact that our employees use calculators and not on the computer. They use the old school calculator. So maybe that's something we need to make sure we haven't stopped for them.
Also, let's say we produce something like this clicker.
I probably need plastic. Maybe I produce the batteries for it as well. Maybe I produced all of it, you know, So I need to think through, like, do I have enough parts to actually produce enough of these to maintain business operations wall? This is a curry
and then our plan itself. We need to think through again the activation, like, how do we know we need to activate this? What? Our steps for that. How do we implement this? How do we deactivate it when everything looks fine again? Testing in the maintenance right we need. As I mentioned earlier in the course, we need to continue testing our B, c, p and R D R P to make sure that
it's still relevant for organization. And then we need to maintain things right. So as maybe regulations change in the health care industry or financial service is
industry, we need to make sure that we're staying abreast of that, that our plan matches those things.
So in this video, we just covered a lot of different things you need to think through when you're writing.
Up Next