IT6583 Business Continuity Planning and Implementation

Exercise 5- Risk Mitigation and BC/DR Plan Development- Chapters 7 & 8 of Textbook
Developed by Richard Halstead-Nussloch, Version 05Jan15
Course Textbook: Susan Snedaker and Chris Rima Business Continuity & Disaster
Recovery for IT Professionals 2nd Edition. Burlington:Syngress, 2014, ISBN-13 978-012-410526-3.

Your name: Sandeep Aluru

Policies:

Submissions made through a means other than the D2L Dropbox will be ignored
and earn a 0.

Submissions without your name stated above earn a 0.

Submissions not in an rtf or pdf file or with the original questions and/or
formatting removed from the file earn a 0.

Submissions without adequate references or acknowledgements will earn a

discounted grade, potentially a 0.

Submissions that I can not open or require a password will earn a 0.

Second chances might be requested at any time through D2L email, and are
awarded at the sole discretion of the instructor.

Risk Mitigation and BC/DR Planning

Being successful in this course requires you to understand how mitigation of risk plays a
significant role in planning for and achieving business continuity. Also, all the BC/DR
planning efforts should be documented in a plan. This exercise intends to aid you in
doing so.

Readings for this assignment:

Selected readings on the web for deepening your understanding

Course Textbook [1] Chapters 6 and 7

Actions/Deliverables for this assignment:

Read as per above

Research what you read and other information business continuity and risk
mitigation and also BC/DR plan development

Respond to this assignment within the rtf file (leaving all questions and formatting
intact)

Deliverable: Upload your response using the D2L dropbox

Deliverable: Make entries on the Module 5 Discussion

Q1) Read, review and analyze Chapter 6 of the textbook:

How does the author define risk mitigation?

Solution: According to author, the steps taken to reduce the adverse effects caused by
natural threats and risks to the company is referred as risk mitigation.

For an instance, fire extinguishers are arranged in every corner of the building to use
them during fire emergency. This can mitigate the risk of things getting burnt in the
fire.

What is the process of risk mitigation that the author recommends?

Solution: Risk mitigation primarily focuses on developing various strategies to

mitigate the probability of all possible risks defined through quantitative and
qualitative analysis in the risk assessment.
In the process of risk mitigation, the risks are assigned priorities and further steps are
designed accordingly.

What four types of risk mitigation strategies does the author describe?
Comment on the four types chosen.

Solution: Risk mitigation strategies are four types.

Avoidance
Acceptance
Limitation
Transference
Acceptance: Risk acceptance is not a fully risk mitigation strategy, but there are few
instances where expenses for avoiding the risk will be costlier than accepting a risk.
Small business who cannot afford the expense for risk avoidance may fall into this
category.

Risks having very low priority are usually accepted such as, software CDs in the
shelf are likely to have 2% to fail when required. The alternative is replacing it with a
new CD and can delay the process by a day or two which is acceptable.

Avoidance: The name itself suggests the process of avoiding risks, based on risk
assessment report and BIA, risks with high probability are taken into account and
expenses are paid to mitigate or avoid the occurrence of the threats.

Limitation: The combined factors of risk acceptance and avoidance would be risk
limitation. For an instance, a service based company can accept a disk failure once in
while which avoids the backups to happen.
Transference: Transferring the services within the company to third party vendors
which is just like transferring the responsibilities which can reduce the probability of
a risk to occur. Payroll, customer service support can stand as the examples for risk
transference.

What is the Cost vs. Time for Risk Mitigation and how is it related to
business continuity planning?

Solution:
The costs that are directly proportional to each other. More the time more the cost.
These costs include expenses for resources and risk mitigation steps based on
business impact analysis. Sometimes the cost of mitigating the risk will be high than
cost of assuming the risk and its consequences. The probability and impact of each

risk should be evaluated against the mitigation strategy cost before implementing the
contingency plan in the event or after business disruption.
Mitigation strategies that cost less than risk probability calculation should be given
serious consideration. Taking early steps to reduce the probability of an adverse risk
occurring may be more effective and less costly than repairing the damage after a risk
has occurred. However, some risk mitigation options may simply be too costly in
time or money to consider. Mitigation activities should be documented in the Risk
Register, and reviewed on a regular basis.

What are the three options for risk mitigation during recovery and the cost
relationship of these options?

Solution: There are three basic recovery options

Needed
Prearrange
Pre-establish
Needed: The resources are acquired whenever necessary. For an instance after a
business disaster the resources are collected from the market as per the existing
rates and availability. Cost and quantity availability can be a challenge here. This
option can take longer time to implement and is expensive.
Pre-arrange: The resources are pre-arranged so that they will be ready
immediately after a business impact. Organization makes a contract with the
vendors for the resources to supply after disruption which are slightly expensive
than the market rates.

Pre-establish: Cost for the supply of resources is given well before a disaster
which saves time and cost to the company. The cost for this option is low per unit
since everything (payment) is timed (well in advance).

What is done when we analyze the recovery time of risk mitigation options?
What is the role of the MTD (maximum tolerable downtime) in this analysis?

Solution: During recovery planning, every company decides MTD levels for all
the business functions and processes based on their criticality based on BIA.
MTD varies accordingly. Higher the business impact of a process, low the
tolerance due to unavailability.
Pre-established and pre-arranged usually have low MTDs since they will be
already preset and ready to go whenever required. The MTD for all the business
operations required to resume the business should be identified and compared
with that of recovery time of options and those options that doesnt meet MTD
requirements should be discarded and the other acceptable options should be
assessed in terms of cost and capability.

What does it mean to trade-off the cost of recovery options with their
capability? What is the importance of this trade-off in business continuity
planning? What attributes are typically used in such trade-off analyses?

Post completion of the risk assessment and BIA, mitigation strategies are
developed for the business processes to run. The selection of mitigation strategy
generally involves the trade-off between the cost, capability and effectiveness.
Cost to the company for developing mitigation strategy depends on the capability
of the strategy and the size of the company. Therefore, the size and the

complexity of the organization should be taken into account while developing the
mitigation strategies. There exists a trade-off between cost of recovery and the
recovery period. Cost recovery time trade off should be considered while
developing the mitigation strategies. The cost-recovery time will not be linear as
the cost to shorten the recovery time, This is seen when it is required to recover
critical activities, processes, and systems, within minutes which enables the
organization in making investment in replication of systems, mirroring of data,
redundancy of communication etc.

The attributes that are typically used in trade off analysis are:

Cost for developing mitigation plans.

Effort required to implement and manage the plan.

The quality of the product, service, or data associated with the option.

Control retained by the company over the critical business processes.

Safety pertaining to physical environment.

What is a Recovery Service Level Agreement? What value is it in business

continuity? What are typical metrics employed? What are typical elements
in such an agreement?

Solution: Service level agreement is documented design of the company

including all the business functions and processes within the company.
Recovery can be a part of the service level agreement. This part of the agreement
defines the RTO, MTD and penalties to the company after a business impact.
Recovery service level agreement has the following metrics:
Response time to initial request for services
Technical capacities of the hardware components that are being used.
Access guidelines to work area and for staff
Security procedures
Processing recovery controls

What is done typically when existing controls are reviewed for risk
mitigation?
Solution:
When the existing controls are reviews, company can come up with a robust
strategy and solutions which aids in resuming the business systems.
As we already know, recovery solutions are also designed based on bias, this can
be avoided by reviewing the recovery options and then comparing the optimal
solutions to the existing solutions. These existing controls have to be incorporated
into the risk mitigation strategies document and the corresponding BC/DR plans
should be changed over time. Any company should always review its existing

controls and test the robustness of them to make sure a company is ready to face a
business disruption.
What is done step-wise in developing a risk mitigation strategy for IT? What
are the critical inputs and outputs to this process? What use do you
recommend be made of the risk assessment (Exercise 3) and/or business
impact analysis (Exercise 4)?
Solution:
For developing a risk mitigation strategy, the following steps have to be taken:
1. Gather your recovery data
2. Compare cost, capability, and service levels of options in each category
3. Determine if the options remaining are risk acceptance, avoidance,
limitation or transference and which, if any are more desirable
4. Select the option or options that meet best meet your companys needs
The inputs for developing a risk mitigation strategy are mentioned below:
Infrastructure
Software
System interface
People
Process
Data
Current and planned controls
Security testing
Threat probability

The outputs
Developing the methodology
Recommended controls
Schedule and risk categories
Roles and responsibilities of personnel in the event of disaster
Documentation regarding how the mitigation measures will be tracked etc.,
MTDs as per SLA

What are some information gathering methods and data points that you
would recommend for developing a risk mitigation strategy for personal1
business continuity?

Gathering data for risk mitigation is a significant undertaking. Enlisting SMEs from
around the company is a vital part.
Using scenario based questions lets the SMEs know what exactly Im thinking about.
The data should include business function, business process, criticality, and time to
recovery, dependencies, financial and operational impact and any other data if
necessary.

Site visit : General internet research

Discussions: Discussions held among employees and managers about their daily
routine in the office and main operations they perform which consider to be
critical to their respective departments.

Questionnaires: conducting questionnaires among the employees

If you are unclear about this requirement consider as those threats and their impacts that are in the way of
your personal business, i.e., those steps you need to take in maintaining your status as a student, e.g.,
assignments, records, etc.

Document review

Surveys

workshops

Can risk mitigation be applied to people, buildings and infrastructure in

addition to IT? If so, comment on how those steps can be taken or aided by
the IT professional?

Solution: This varies form company to company, for an instance if risk mitigation
has to be applied for people, buildings and infrastructure.

People: As a part of risk mitigation strategy, employees must be trained to act

during emergency. Fire drills are conducted to evacuate the building. Various
techniques such as firemans carry, single arm carry are demonstrated.

Buildings: It depends if the building is nonoperational or works as a data center.

Plan must be made if the building has cracks, earthquakes etc.

Infrastructure: During a disaster, There can be nothing done for saving

infrastructure usually. But there should be an emergency evacuation point for the
critical infrastructure as well. If there are server rooms. They can be built
earthquake proof rooms.

What is a Go Kit [2] and how might it be used as an element in risk

mitigation strategy for personal business continuity? Do you have a Go
Kit? If not, will you put one together?

Solution: Go kit is a collection of basic items one may need in the event of an
emergency. My go kit can contain the following items assuming at least 72hours.

1. Water (1-2 gallons)

2. Food
3. Weather radio
4. Flash light
5. First aid kit
6. Whistle for calling help
7. Dust mask
8. Garbage bags
9. Multipurpose utility knife
10. Maps
11. Cell phone, laptop with solar chargers

What is the process for IT risk mitigation and what are the key elements for
cost-effectively accomplishing it? What should be done in reviewing critical
system priorities and what are the roles of risk assessment and business
impact analysis in doing so? What should the IT professional have when the
review of critical system priorities is complete?
Solution:
Risk mitigation plan can be represented as figure below

Risk mitigation plan serves as a checklist of anticipated risks based on their

probability as high, medium or low. A document is prepared using the risks and their
probablity.

The main objective of risk management is to curtail the effects of possible threats of
unnatural events.
First step is to establish critical poitns where threats may take place follwoed by
identifying the set of mitigation strategies which can be applied to mitigate those risks
The risk mitigation strategies are contained in a crisis management plan and shall
form part of the initial emergency measures to take, in order to contain and prevent
the worsening of the damages caused by an accident or catastrophe.
Monitoring risks and mitigation: Effective project management becomes more
critical and will require rigid monitoring of all executions by way of an efficient and
constant communication with the team members. The project manager tracks the
progress of assigned tasks and inquires from team members of any issues that may
affect the successful completion of the projects objectives.

A point of conventional wisdom in IT is that backup and recovery is a

critical, baseline function of the IT professional that has a major role in risk
mitigation. Define and differentiate among using a) alternate business
processes and b) IT recovery systems. What role do these play in risk
mitigation and effective business continuity?

Solution: Achieving business goals using specific set of objectives depending on

the current conditions are referred as alternate business processes.
As a part of business processes, the alternative business processes can be designed
for
1. Administrative operations
2. Service desk
3. Paper based data storage
4. Infrastructure

The process of rebuilding the computer system so that the operating system can
be installed and business operations can start running is called IT system
recovery.
As a part of IT recovery systems, Alternative plans can be
1. Alternate site
2. Fully mirrored site
3. Hot site
4. Warm site
5. Cold site
6. Offline & online data storage solutions

What questions do you have remaining after your review and analysis of
Chapter 6?

Nothing as of now
Q2) our course textbook covers many of the materials, frameworks and resources
for risk mitigation. Search the web for suitable additional and supplementary

materials. (Hint: The section of Chapter 4 on IT-Specific Risk Management

identifies many sources that are also suitable for mitigating risk.) Identify, scan and
assess at least two of these for use in this class; report your findings here providing a
summary paragraph of the contents of each of your chosen sources:
Source1: http://www.mitre.org/publications/systems-engineering-guide/acquisitionsystems-engineering/risk-management/risk-mitigation-planning-implementation-andprogress-monitoring
Risk mitigation handling options include:
Assume/Accept: Acknowledge the existence of a particular risk, and make a deliberate
decision to accept it without engaging in special efforts to control it. Approval of project
or program leaders is required.
Avoid: Adjust program requirements or constraints to eliminate or reduce the risk. This
adjustment could be accommodated by a change in funding, schedule, or technical
requirements.
Control: Implement actions to minimize the impact or likelihood of the risk.
Transfer: Reassign organizational accountability, responsibility, and authority to another
stakeholder willing to accept the risk.
Watch/Monitor: Monitor the environment for changes that affect the nature and/or the
impact of the risk.
Source2: http://www.ica.bc.ca/ii/ii.php?catid=17

Risk management is all about understanding risks that can impact your organizational
objectives, and implementing strategies to mitigate and manage those risks. In this article,
we examine the most common mitigation strategies and how they can be used to

effectively manage risk. When mitigating or managing risks, here are three steps to
consider:

1. What is the organization's appetite and tolerance for risk? Set the level of risk the
board and management is willing to take.
2. Prioritize, or rank, each risk for significance and likelihood. By ranking risk,
management is better able to determine the strategy that will be most effective.
3. Determine appropriate risk mitigation strategies. The four most common
mitigation strategies are avoidance, acceptance, transference, and control.

Risk mitigation strategies

Avoidance

Some risks aren't worth taking in the first place. Is the risk a result of activities within the
core business or outside of it? If outside, and the level of risk is deemed relatively high,

then consideration should be given to ceasing or avoiding to undertake those activities. If

the activities are part of the core business, then consider if there is another way of doing
things that will avoid or minimize the risk or loss.

Acceptance

Without risk there is no reward. If the risk is low enough, then accept it as a cost of doing
businessacknowledging that little to no action is being taken to mitigate that risk. An
entity could establish a contingency fund or build a contingency plan to minimize any
loss not previously anticipated from these risks.

Transference

Risk transference is the process of transferring any losses incurred to a third party, such
as through the use of insurance policies. Another method of transferring risk is to
outsource activities to a third party. If there are activities that are not core to the business,
then it might make more sense to transfer these activities to a third party to whose core
business they do belong, especially if internal resources are limited. Many back-office
functions, such as payroll and purchasing, are outsourced to service providers that
specialize in these areas.

Control

A control is a procedure used to either prevent a risk from occurring or detect a risk after
it has occurred. If the risk is worth taking and is part of an organization's core operating
activities, then controls can be used to mitigate and manage the risk.

Q3) Insert a worksheet in your spreadsheet from Exercises 3 and 4 with columns
that will help with a recommended set of risk mitigation steps. There are many
possibilities outlined in Chapter 6. If you cannot choose one, try these four
columns:

Supporting IT System (for your personal business, see footnote 1), e.g.,
Banking

Recommended mitigation strategy, e.g., use alternate site

Expected cost of recovery, e.g., low

Expected recovery time frame, e.g., 1 day

List up to five IT systems that are part of your personal business in column one;
then, for each IT system, do some research to complete the other three columns.
Attach the spreadsheet to your assignment submission and your blog discussion
posting. What thoughts do you have about scaling up such a spreadsheet from your
personal business to the business of a larger organization, e.g., KSU?

Q4) Review, compare and analyze what you did on the worksheet for Exercise 3 and
4 (risk assessment and business impact analysis) and what you have just done for
Exercise 5 (risk mitigation). What ideas do you have about linking these analyses
together? Answer at least the question of whether you see a way to develop a risk
priority number2 that would be valuable for planning business continuity and
mitigation of risk.
Solution:

We suggest searching for information on Failure Mode and Effects Analysis.

Risk analysis was to identify the possible risks to a company. It is useful to identify the
vulnerabilities for a business to run and calculate vulnerability and probability in
qualitative and quantitative methods.
Business impact analysis is to identify potential risks involved in a business due to
unavailability of services and calculate financial impacts and customer impact on the
company.
Both have common factor of criticality matrix. Both of the reports could be joined
together to make a perfect BIA. Both the reports can be combined which leads to failure
mode analysis. This calculate the probability of possible risks and impact of the risk to a
company or the equipment.

Risk mitigation is based on the risk assessment and BIA. In Risk assessment I calculated
the probability of the occurrence of the risk or threats to people, infrastructure and
process.
In BIA, I calculated the impact created by an unnatural event on people, process and
technology.
Risk mitigation helps in saving the cost to company, danger to people due to threat.
Based on the priority number mentioned in the risk assessment document. Risk
mitigation steps are evolved.

Q5) Read, review and analyze Chapter 7 of the textbook:

What is the step-wise process of business continuity plan development that

the author recommends? How far along does the author indicate that we
are?

According to the author, business continuity plan has majorly two steps.
Set the tasks you can take which can reduce the risk before a disaster event.
The second part of the plan is defining the steps to be taken if a disaster occurs.
An efficient BC/DR plan should state risks, vulnerabilities and potential impact
due to each of them to business functions followed by mitigation strategies which
can be applied. A BC/DR plan can be break down as below
1. Identify risks
2. Assess vulnerability to risks
3. Determine potential impact on business
4. Identify mission critical business functions (completed till here)
5. Develop teams
6. Implement mitigation strategies
7. Develop plan activation guidelines
8. Develop plan transition guidelines
9. Develop and plan, training testing and auditioning procedures
10. Develop plan maintenance procedures

What phases of business continuity and disaster recovery does the author
describe? Comment on the phases described.

According to the author, there are 5 phases during the development of BC/DR
plan.
1. Activation phase
2. Recovery phase
3. Business continuity phase
4. Maintenance/review phase
5. Update appendices

Activation phase: Clear parameters are set as when to kick start the BC plan during
this phase. Company determines when to activate the BC/DR plan. A small glitch in
the company doesnt need a BC plan. Along with this, Authority is determined and
what the steps to be taken by the personnel is clearly defined in activation phase.
Activation includes initial response and notification, problem assessment and
escalation, disaster declaration, and plan implementation.
Recovery phase: It is the first phase that should be taken immediately after a disaster
has occurred. This state is triggered only when the disaster subsides. Many triggers
along with their respective MTD's are to be developed at this phase that defines the
situation to move from recovery phase to business continuity phase.
Business continuity phase: This phase includes the steps to be followed as a part of
BC plan. It generally defines the procedures for resuming operations, work around
procedures that should be followed and implemented and the manual procedures.
Finally it addresses the process of moving from temporary location to its repaired
facility, re-integration of the recovered systems and the synchronization of the
corrupted or lost data.

Review phase: Review phase is just like auditioning or testing the BC/DR plan. This
occurs irrespective of the disasters. For an instance, Fire drill is conducted once in
2months to check and verify the alertness of the employees ensuring their safety at all
times. Similarly, Data is tested and reviewed (data recovery) in this phase

What teams and key personnel are required as indicated by the author?
How should people be assigned to teams? How should they be assigned roles
and responsibilities?
A team is required to assess the damage to systems and begin the DR plan once it
is activated. This IT team shall work closely with rest of the operations team
make Dr Plan successful. Before deciding the team, it should have the expertise
on below functions
1. Operating system administration
2. Systems software
3. Server recovery (client server, Web server, application server, etc.)
4. Storage recovery
5. Database recovery
6. Network operations recovery
7. LAN/WAN recovery
8. Application and data recovery
9. Telecommunications
10. Hardware salvage
11. Alternate site recovery coordination

12. Original site restoration/salvage coordination

13. Test team
14. Information security team
Based on the above functions, we need the below teams as well as a part of Bc
according to the author
Crisis Management Team
Management
Damage Assessment Team
Operations Assessment Team
IT Team
Administrative Support Team
Transportation and Relocation Team
Media Relations Team
Human Resources Team
Legal Affairs Team
Physical/Personnel Security Team
Procurement Team (Equipment & Supplies)

Is contact information necessary for effective business continuity planning?

What steps does the author recommend for compiling and managing contact
information?

Yes, Contact information hardcopy as well as softcopy is mandatory for any

organization since a computer systems are often impacted by various business
disruptions. The list of contact information should include

Management
Key operations staff
BC/DR team members
Key suppliers, vendors, and contractors
Key customers
Emergency numbers (fire, police, etc.)
Media representatives or PR firm (if appropriate)
Other
Along with the contact information, contact tree should also be maintained that
defines the members responsible for contacting others in the event of the disaster thus,
giving scope for division of labor by making specific calls to specific people thereby
Streamlining the notification process and mass communication capability.

What is done when we define tasks and assign resources as we develop a

business continuity plan?

Solution:
Initially work breakdown structure, tasks resources and timelines for are allocated as
a part of risk mitigation strategy and any other tasks required to be done before any
disruption.
For an instance, buying infrastructure, uninterruptable power supplies, fire
suppression systems etc.
Once the tasks are defined and resources are allocated, they should be able to
implement the mitigation strategies as well as rest of the plan. For an instance,

creating a project with new initiatives which needs to be taken meeting risk
mitigation.
After all the tasks are done, roles, and responsibilities; defining plan phase transition
triggers; and gathering additional data are arranged accordingly. Alternate sites are taken
care later depending on the SLA.

The standard management process defines set of things to be identified and implanted
after all the resources and tasks are allocated.

Identify high-level tasks

Break large tasks into smaller tasks until the work unit is manageable.
Define duration or deadlines.
Identify milestones.
Assign task owners.
Define task resources and other task requirements.
Identify functional and technical requirements for task, if any.
Define completion criteria for each task.
Identify internal and external dependencies.

What does it mean to have an alternate site? What special considerations

does the author recommend be given to an alternate site?
Solution: Alternate sites are built to support the servers when the main servers are
unavailable.

Fully mirrored site: Mirrored site is exact replica of the main site with exact
functionality and availability. But this option is expensive
Mirror sites also increase the speed with which files or Web sites can be accessed:
users can download files more quickly from a server that is geographically closer
to them.
Hot site: A hot site is a commercial disaster recovery service that allows a
business to continue computer and network operations in the event of a computer
or equipment disaster. For example, if an enterprise's data center becomes
inoperable, that enterprise can move all data processing operations to a hot site. A
hot site has all the equipment needed for the enterprise to continue operation,
including office space and furniture, telephone jacks and computer equipment.
Cold Site: For a cold site, customer provides and installs all the equipment needed
to continue operations. A cold site is less expensive, but it takes longer to get an
enterprise in full operation after the disaster.
Warm site: A preventative warm site allows you to pre-install your hardware
and pre-configure your bandwidth needs. Then, if disaster strikes, all you have to
do is load your software and data to restore your business systems.
The selection criteria for an alternate site to continue the business operations are
1. Geographical location of the data center should be risk free from
all possible threats
2. It should have sufficient space to install all the infrastructure
3. Should be able to communicate with all the devices required for
operations to run

4. The area should have items which support basic life amenities
5. The site should have all the requirements to make the business
processes operational with minimum amount of time, effort and
cost.
SITE

COST

HARDWARE TELECOMMUNICAITONS SETUP

EQUIPMENT

LOCATION

TIME

Cold

Low

None

None

Long

Fixed

Warm

Medium

Partial

Partial

Medium

fixed

Hot

High

Full

Full

Short

Fixed

Mobile

High

Depends on

Depends

depends

Not fixed

Null

None

Fixed

location
Mirrored

High

Null

What special considerations does the author recommend be given in letting

contracts for business continuity services? Why? What five actions does the
author recommend must be done for such contracts?

Solution:
Before letting off the contract for business continuity services, the company should
assess the worth of their company and the amount they are going to pay for the
contract services.
If a companys downtime leads to a loss of 10,000$ and the services by third party
vendor is charging more than 10k then there is no point approaching them for

providing the services. Hence, before moving forward with a contract provider the
following points should be taken into account
Develop clear functional and technical requirements: The company should be
able to assess requirements and options. Since more options costs more, a
company should write down only those which are extremely necessary for
contract services. With the help of Subject matter experts and IT experts a list
of business functions must be specified which need protection from the
vendor
Determine required service levels: All the technical details should be provided
to the vendor and also our SLA metrics to vendor if possible so that he can
understand companys environment and come with a right quotation. This is
referred as request proposal
Compare vendor proposal/response to requirements: Compare all the
quotations from all different vendors. While taking a decision, it should be
satisfying our companys customers. Make sure their SLA is applicable for
our environment and decide whichever is better
Identify requirements not met by vendor proposal: Just in case if a single
vendor is offering one option which we need and another vendor is also
offering a different option which we need. We may club both the vendors
Identify vendor options not specified in requirements: There is a possibility
that vendors can offer few more options saying that even those are pretty
useful and are a must to the environment. But again, one should do some
independent research and discuss with SMEs if required and then take a

decision if company can afford it and it is applicable to the companys

policies.

What communication plans should be part of a business continuity plan?

What value and role does communication planning have in business
continuity planning?
Name of communication team, members of team, team lead, or chain of
command
Responsibilities and deliverables for this team
The boundaries of responsibilities (what they should and should not do)
Timing and coordination of communication messages (dependencies,
triggers)
Escalation path
Other information, as appropriate
Depending on the size of the company, there are various communication
plans, few of them are list below
Internal: The internal communication plan is required for BC/DR plan
activation and implementation. The procedure to notify and update the team
members, the tools, techniques and processes to address them should be
included in the project plan in the additional resources area by the internal
communication team members.

Employee: Employee communication focuses on employees in the company.

The employees are sent emails about the disruption and steps taken after
disruption, and may be scheduled downtime.
Customers and Vendors: This way of communication is similar to employee
communication except a trained personnel notifies them about the details of
disruption and steps taken post business disaster
Shareholders: Shareholders are sent emails regarding financial impact due to
the disaster by a trained personnel who is expert in investor relations

What roles do event logs, change control and appendices have in business
continuity planning?
Event logs helps tracking events, in order, over time, and can help in identifying
appropriate triggers for key activities. With these logs one can know what was
done, which user did it, at what time did it happen. All these things can also
become an evidence as well.
Certain regulatory or legal requirements should be followed by the company to
log specific events in the event log book. These should be mentioned in the
BC/DR plan therefore, enabling the team members to know about the notification
requirements.

Change control: Change control has two types in it.

Develop a method to update BC/DR plan whenever there is a change in
the company
Method to monitor the changes

The changes include infrastructure changes, new applications, new

technologies etc.
Distribution: The BC/DR plan should be documented and must be stored in a
safe place. Only authorized personnel should be able to access the folder. Since the
information is very sensitive, if the data is stored as a softcopy then the folder should be
restricted.
Otherwise, only few people should be given CDs with the information loaded in it.
Appendices: Appendices is a minor document covering information about vendor
contracts, event log templates, work site information, crisis management resources etc.

What questions do you have remaining after your review and analysis of
Chapter 7?

Nothing as of now

Q6) Do you have any questions about the course?

Nothing as of now
Q7) Lab Exercise Question:

Review and summarize your ideas and experience about risk mitigation and its
value in business continuity planning. Discuss the steps you might recommend
in scaling up what you did in this assignment for your personal business to a
larger organization such as KSU. Optionally, attach your spreadsheet and plan
outline to your discussion posting.

Record your answers here.

Also, enter your answers on the Module 5 Discussion.

Risk mitigation, Risk assessment and Business impact analysis are three vital parts for
designing an efficient BC/Dr plan. Summary can be, as a first step, all the probable risks
must be assessed based on their occurrence priority numbers are given. This is called risk
assessment

Secondly, financial impact to the company is calculated due to the business disruption
and various business processes and dependent functions are mentioned during BIA and
financial impact is calculated due to unavailability of these services

Further, Risk mitigation plan is designed based on the priority numbers mentioned in risk
assessment phase and financial impact created by them in BIA phase. Risk mitigation
plan is developed and implemented accordingly.

For a bigger organization like KSU, Based on the Risk assessment I did in the last
assignment
Identify the possible threats -> Robust security
Identify the vulnerabilities -> strong network
Calculate the current value of the assets
Prepare a report focusing on the loss impact factor
Based on the probability of the occurrence of unnatural events form a team
Make sure risk strategy fits enough to face the disaster.
Document the work including all the analysis and reports and strategy developed
Perform frequent testing to know the functionality of the system

 I would only test and review the data availability and maintain a cold or warm site
if possible so that college server is available even during the scheduled downtime.
My minor factors would be worrying about the network and security. (assuming
no earthquakes or tsunamis in Atlanta)

Sources and works used in completing this exercise (if none, please explicitly state so):

1. Susan Snedaker and Chris Rima Business Continuity & Disaster Recovery for IT
Professionals 2nd Edition. Burlington:Syngress, 2014.
2. Ready.gov. Build a Go-Kit. Retrieved on 5 January 2015 from
http://www.ready.gov/build-a-kit
3. "Risk Mitigation Strategies and Risk Mitigation Plan: Tips for Documentation &
Implementation in Project Management." Brighthub Project Management. N.p., n.d.
Web. 29 Mar. 2015. <http://www.brighthubpm.com/risk-management/47934-riskmitigation-strategies-and-risk-mitigation-plan/>.

4. "Disaster Recovery Hot, Warm, Cold Sites: Key Differences." Disaster Recovery Hot,
Warm, Cold Sites: Key Differences. N.p., n.d. Web. 29 Mar. 2015.
<http://www.corexchange.com/blog/disaster-recovery-hot-warm-cold-sites-keydifferences>.

5. "Risk+mitigation - Google Search." Risk+mitigation - Google Search. N.p., n.d. Web.

29 Mar. 2015.
<https://www.google.com/search?q=risk%2Bmitigation&rlz=1C1CHWA_enUS616US
616&es_sm=93&source=lnms&tbm=isch&sa=X&ei=98UYVYedN8OnNrb4gJAO&ved

=0CAcQ_AUoAQ&biw=1366&bih=667#imgdii=_&imgrc=gzSfpEgLhynSsM%253A%3
Bxbc3CELRwb2RM%3Bhttp%253A%252F%252Fwww.mitre.org%252Fsites%252Fdefault%25
2Ffiles%252Fimages%252Fase-rmfig1.gif%3Bhttp%253A%252F%252Fwww.mitre.org%252Fpublications%252Fsystem
s-engineering-guide%252Facquisition-systems-engineering%252Friskmanagement%252Frisk-mitigation-planning-implementation-and-progressmonitoring%3B498%3B441>.

Acknowledgements of people (and other exercise submissions) used in completing this

exercise (if none, please explicitly state so):