
BUSINESS CONTINUITY PLANNING (BCP) & DISASTER RECOVERY PLANNING (DRP)

Business Continuity Planning
The business continuity plan (BCP) describes critical processes, procedures, and personnel that must be protected in the event of an emergency.
It uses the business impact analysis (BIA) to evaluate risks to the organization and prioritizes the systems in use for purposes of recovery.

Disaster Recovery Planning
The disaster recovery plan (DRP) describes the exact steps and procedures that personnel in key departments, specifically the IT department, must follow in order to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations.

Disasters: natural, man-made
Earthquakes, fire, floods, hurricanes, tornadoes, mudslides, volcanoes, snow, ice, and so forth
Explosions, power outages, plane crashes, vandalism, smoke and water damage, terrorism, riots, sabotage, loss of personnel, etc.
Anything that diminishes or destroys normal data processing capabilities

Disasters are defined in terms of the business
If it harms critical business processes, it may be a disaster
Time-based definition: how long can the business stand the pain?
Probability of occurrence

Steps in the BCP
Step 1: Identify the scope and boundaries of the BCP, which include audit analysis of the organization's assets and risk analysis
Step 2: Creation of the Business Impact Assessment (BIA) as a result of the complete analysis in Step 1
Step 3: The concept of the BCP is sold to top management for financial commitment
Step 4: Once the BCP is approved by management, plan, design, and support are needed by each department
Step 5: Training, testing, ongoing review, support, and maintenance

Importance of BCP
Reduces the risk to the business in the event of disruptions
Allows timely recovery of critical business operations
Minimizes loss
Meets legal and regulatory requirements

Scope of BCP

Critical business processes and services
Distributed operations
Personnel, networks, power
All aspects of the IT environment

Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) is an exploratory review of the important functions that are essential for the operation of the business.
Identifies the risks that specific threats pose to the business
Quantifies the risk, establishes priorities
Performs cost versus benefit analysis
Goal: obtain formal agreement with senior management on the maximum tolerable downtime (MTD) for each time-critical business resource

Disaster Recovery Planning
Goals of DRP
To keep the business running
Meeting formal and informal service level agreements
Being proactive rather than reactive

Identify Recovery Strategies
Shared-site agreements: arrangements between companies with similar but not identical data processing centers.
Alternate sites: use of a third-party vendor to provide DRP services
Hot site: the vendor assumes all responsibility for providing backup computing services for the customer
Cold site: the vendor provides the facilities, including power, air conditioning, heat, and other systems, but not the computer hardware or software
Warm site: a compromise between the services offered by hot and cold site vendors. This facility provides building and environmental services in addition to hardware and network links
Technical recovery strategy methods
Multiple centers
Service bureaus
Mobile units

Recovery Strategies
Strategies should address recovery of:
Business operations
Facilities & supplies
Users (workers and end-users)
Network, data center (technical)
Data (off-site backups of data and applications)

Testing a Disaster Recovery Plan
The importance of testing: find problems, work faster
Walk-throughs: key business unit members meet to trace steps through the plan, basically looking for omissions and inaccuracies
Simulations: critical personnel meet to perform a dry run of the emergency, mimicking the response to a true emergency
Checklists: members of the key departments check off the tasks and report on the accuracy of the checklist
Parallel testing: backup processing occurs in parallel with production services. Normally, complex systems run in parallel with the existing production system until the new system proves to be stable
Full interruption: known as a true/false test. Production systems are stopped to see how backup services perform

SUMMARY
Business continuity planning (BCP) and disaster recovery planning (DRP) are formal processes in any business that is concerned about maintaining its operation when a disaster occurs or when interruptions prevent people from gaining access to their place of employment.
