2 1.1 Business Continuity Planning
plan should be very clearly stated. The plan should include a general timeline or some other relevant schedule of activity information. There should be a section describing key outcomes and benefits expected when the plan is executed. Allocated budget information (often allocated by activity) is important and should be included. A table of resource requirements is a critical component of the plan. Since resource allocation may be dependent on contracts, the specific details of all pertinent contracts should be included in the plan. A section discussing the various risks and issues should be a part of the plan. Finally, it is the responsibility of the plan owner to provide details of distribution and storage (showing how people will get a copy of the plan so that they can take the appropriate action).
Business continuity (BC) refers to the ability of a business to maintain continuous operations in the face of disaster [1]. How does one plan for that? Why plan for a disaster when the chances are so remote? We live in an age where environmental disasters are almost commonplace. They probably always have been commonplace, but with the instantaneous news reporting we have become accustomed to, it is not uncommon to hear of a typhoon striking the Japanese coast, a forest fire raging out of control in the western section of the United States, extreme flooding in Europe, and earthquakes in Turkey—all in the same week! The devastating tsunami that hit Southeast Asia in late December 2004 is one of the most recent examples of why business continuity planning is so necessary. What is often not mentioned in the news is the havoc that is wreaked on the businesses and organizations that have to cope with the aftermath of such disasters.
1.1 Business Continuity Planning
Business continuity planning and disaster recovery planning are subsets of a more wide-ranging discipline: business contingency. Business contingency is the practice of formally preparing for variations in the business environment. These variations can be of any kind, but the primary aim of business contingency planning is to ensure the survival of an organization by preparing for, reacting to, and adjusting to those variations.
Business continuity is a subset of business contingency targeted specifically at measures required to ensure that business processes can be maintained under adverse, sudden changes (crises). Disaster recovery planning is a subset of business continuity—it focuses on extreme examples of business interruption (disasters). Another subset of business continuity, known as continuous availability, has emerged since organizations have become dependent on technology. This discipline emerged because if an organization's information technology (IT) resources suddenly become unavailable, all supporting business processes of that organization generally cannot continue, and this threatens the survival of an organization.
Disasters can take many forms. We can survive and recover from environmental disasters such as those mentioned above, of course. However, the events of September 11, 2001 also showed us that disasters of an organized and deliberate nature can cause severe disruption to business operations. Disruptions can occur from a loss of utilities and services such as water or gas, from failures in equipment, and from system failures. Each of these types of disasters forces businesses and other organizations to cope with them in order to preserve their unique continuity of operations. Disaster can also occur from compromise of information, creating a serious information security incident. Look what happened to Enron when their sad story of stock manipulation, illegal trading, and shell company money-laundering schemes emerged [2].
1.1.1 Building the Business Continuity Plan
When first initiating the business continuity planning (BCP) project, it is a good idea to form a core team from all segments of the business or organization. As part of the project initiation (kick-off) process, the core team should gather up and review all of the existing BC plans (if available). The core team should understand the benefits of developing a BCP policy statement. This policy statement formalizes their purpose for being! (We will discuss this in further detail later, in Section 1.3.4, Establish Project Objectives and Deliverables.) The general process of building a BCP is outlined in six steps below:
Step 1. Project Initiation
Identify customer and business requirements
Identify external dependencies (i.e., government, industry, and legal)
Perform a business risk assessment
Obtain management support
Implement project planning and control process
