A Business Continuity Plan (BCP) is the set of guidelines used to help an organization restore its services and business functions when a disaster occurs.
The Business Impact Analysis (BIA) is used to identify the business-critical processes, procedures and resources which are needed to ensure the business can function.
Business Impact Analysis (BIA) is a systematic approach used to evaluate the potential effects of the disruption of critical business processes and operations.
When defining a Business Impact Analysis, it's important to determine how much availability is needed by the business process.
Some companies use a percentage measurement, such as 99.999% per annum.
Identify the processes and procedures to perform a recovery for the organization.
When planning for business continuity, it's important to perform regular exercises to ensure everyone is prepared.
These exercises may cost a lot of money and can be very time-consuming.
A tabletop exercise allows an organization to reduce cost and time by simply discussing a simulated disaster.
In a tabletop exercise, persons do not physically participate but rather discuss what happens at each stage of the plan.
After completing a disaster recovery exercise, an after-action report is required.
The report may contain the details of each step of the methodology and any explanations of the procedures.
Ensure it includes details about everything that worked smoothly and everything that did not work as expected.
Having a failover site is important: in the event a disaster occurs, it's easy to migrate to the failover site.
Ensure all data is fully replicated or synchronized between the organization and the failover site.
During a disaster, things may not always go as planned. It's important to be able to alternate between different methods of achieving the same task.
This technique is useful in the event the network or devices such as printers are not available to print a receipt for a customer.
It's important to ensure proper documentation is kept for all the primary and alternate business processes before a disaster occurs.
Outlining the objective of the disaster recovery plan.
Recovery Time Objective (RTO) - Defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and supported mission/business processes.
Recovery Point Objective (RPO) - The point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage.
Create a team of persons for handling disaster recovery.
Ensure proper documentation of the infrastructure is always up-to-date.
Training and testing of the plan.
Resource - https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-34r1.pdf