© 2011 by Taylor & Francis Group, LLC
Chapter 4
Understanding Business Continuity Planning (BCP), Disaster Recovery Planning (DRP), and Continuity of Operations Planning (COOP)
Cheryl Hennell
Contents
Introduction ..................................................................................................... 260
The Concepts of Enterprise Business Continuity Planning and Disaster Recovery ... 266
Types of Plans .............................................................................................. 266
Business Drivers ...................................................................................... 268
Understanding BCP, DRP, and COOP ................................................... 268
Policy Development and Planning the Strategy for Business Continuity, Disaster Recovery, and Continuity of Operations ..............................................269
Introduction .................................................................................................269
Enterprise Recovery Strategy Development ...................................................269
Aligning Your Business Continuity and Disaster Recovery Policies with the Human Resource Policy ..........................................................................271
258 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
Pre-Disaster Planning Issues .....................................................................272
Emergency Response Issues ......................................................................272
Recovery Issues .........................................................................................273
Post-Disaster Issues ..................................................................................274
Identifying the Strategy and Scope ................................................................275
Project Planning ...........................................................................................275
The Process for Developing the Plans ............................................................276
Project Reporting Structure ......................................................................277
The Business Continuity and Disaster Recovery Project Steering Committee ...............................................................................................278
The Project Team Identification of Roles, Responsibilities, and Accountability ..........................................................................................278
Developing the Project Plan and Governance ...........................................278
Business Continuity Plan and Disaster Recovery Plan—Project Planning ..........281
Introduction .................................................................................................281
Develop Contingency Planning Policy ..........................................................281
Objectives .....................................................................................................282
Scope ............................................................................................................282
Conduct Business Impact Analysis ............................................................... 284
The Inside-Out Analysis................................................................................285
Planning, Designing, and Development of Plans ...............................................289
Step 1: Develop the Planning Policy Statement ............................................289
Step 2: Business Impact Analysis ...................................................................290
Determining Critical Needs .....................................................................291
Oshoring Risks ...........................................................................................292
Identication of Critical Activities ................................................................293
reats and Vulnerabilities ............................................................................293
reat Analysis .............................................................................................293
People-Based reats ....................................................................................297
Pandemics ................................................................................................297
Industrial Action ......................................................................................297
Theft ........................................................................................................298
Critical Business Processes ............................................................................298
Recovery Time and Recovery Point Objectives (RTO and RPO) ..............299
Risk Assessment and Management ....................................................................301
Step 3: Identify Preventative Measures ..........................................................302
Step 4: Develop Recovery Strategies ..............................................................303
Step 5: Develop the Plan ...............................................................................305
Plan Section 1: Introduction ................................................................... 306
Plan Section 2: Operational Overview ......................................................307
Plan Section 3: Notification/Activation Phase ..........................................307
Plan Section 4: Recovery Phase ................................................................309
Plan Section 5: Reconstitution Phase........................................................310
Plan Section 6: Appendices ......................................................................311
Step 6: Plan Testing, Training, and Exercises .................................................311
Test Scope ................................................................................................312
Realistic Testing........................................................................................313
Step 7: Plan Maintenance .............................................................................314
Section Summary ..........................................................................................314
Third-Party Dependencies ............................................................................314
Vendor Support Services ..........................................................................314
Recovery Strategies ............................................................................................315
Types of Contingencies .................................................................................315
Recommendations .............................................................................................316
Site ...............................................................................................................316
IT .................................................................................................................317
Communications ..........................................................................................317
Roles and Responsibilities .............................................................................318
Emergency Operations Center ......................................................................318
Crisis Management Team ..............................................................................318
Reection on Developing the Policy .............................................................320
Keep It Simple ..............................................................................................320
Keep It Understandable ................................................................................320
Keep It Practicable ........................................................................................321
Keep It Cooperative ......................................................................................321
Keep It Dynamic ..........................................................................................321
Background ..............................................................................................322
Denitions ...............................................................................................322
Incident Classication ..............................................................................322
Reporting .................................................................................................323
Invoking Business Continuity ..................................................................323
Process Flow .............................................................................................324
Triage............................................................................................................324
Emergency Response ....................................................................................324
Tornadoes and Hurricanes ........................................................................325
Freezing Conditions and Snowstorms.......................................................325
Floods ......................................................................................................325
Drought ...................................................................................................325
Earthquakes .............................................................................................326
Communications...............................................................................................327
Communications Plan ..................................................................................327
Public Relations ............................................................................................328
Vendors ........................................................................................................328
Utilities .........................................................................................................329
External Agencies ..........................................................................................329
Recovery Plans ..............................................................................................329
Logistics ........................................................................................................329
Plan Implementation ....................................................................................331
Testing .....................................................................................................331
Methods ...................................................................................................331
Schedule ...................................................................................................332
Approval ..................................................................................................332
Success Criteria ........................................................................................332
Reporting .................................................................................................333
Plan Feedback and Update .......................................................................333
Training, Education, and Awareness ..................................................................333
Audit .................................................................................................................334
Restoration ........................................................................................................334
Review Questions ..............................................................................................334
Reference...........................................................................................................337
Security managers play a critical role in the continuity of business operations. As many organizations are critically reliant on their information systems infrastructure, the need to ensure that these are operational according to the requirements of the business is an important requirement for security managers, risk officers, and auditors. This domain looks at the broad picture of business continuity—keeping the business operational. It also looks at the more focused aspect of disaster recovery—restoring the information systems themselves. As an information security manager there is also the responsibility of continuing to provide operational support for the organization—help desk and user support, control center management and coordination during an incident and rehabilitation from backup of data, configurations during an incident, and documentation. Key areas of knowledge include the following:
Understanding the concepts of enterprise business continuity planning and disaster recovery
Understanding enterprise recovery strategy development
Understanding project planning
Understanding planning, designing, and development of plans
Implementing and marketing plans
Restoration planning
Introduction
Failure to plan is planning to fail, and yet unlike the other chapters in this book, this chapter is dominated by the concept of failure. The secret is to understand