BCP Checklist Roopesh Shah
BCP Checklist Introduction This study's objective is to prepare a checklist for putting together a business continuity plan. It is a comprehensive checklist compiled from various sources and from the author's experience. After recent tragic events, such as 9/11, the northeast power outage, and Hurricane Katrina, developing a business continuity plan is essential for any business. A business continuity plan (BCP) is a comprehensive plan that focuses on how to keep the business running during and after an unplanned outage or disaster. Disaster recovery is a subset of BCP; it focuses on the plans and procedures for recovering an organization's critical functions and systems after an unplanned disruption. The following checklist outlines what a BCP should cover.
BCP Phases BCP is divided into the following phases. Each phase is sub-divided below to outline a complete plan for business continuity in the event of an unplanned interruption:
• Project initiation
• Business impact analysis (BIA)
• Identify preventative controls
• Develop recovery strategies
• Testing BCP
• Maintaining plan
BCP Checklist Here is a checklist to put together a BCP:
• Project Initiation
  o Prepare a business case and obtain management support.
  o Identify any regulatory requirements.
  o Identify the continuity plan coordinator.
• Business Impact Analysis (BIA)
  o Select knowledgeable individuals from each business unit for data gathering:
    - Senior management team
    - HR and legal team
    - Facilities team
    - Public relations team
    - Network team
    - Systems team
    - Application team
    - Storage team
    - Security team
    - Documentation team
  o Perform an inventory of the company's hard and soft assets.
  o Identify the company's critical business functions that must be recovered in an emergency. To decide whether a function is critical, ask four key questions:
    - What is the financial impact?
    - What is the operational impact?
    - What is the company's legal obligation?
    - Will an outage damage the company's reputation?
  o Identify the resources each function depends upon (the interdependencies between functions and resources).
  o Calculate the maximum tolerable downtime (MTD) of each function: how long it can operate without each resource before the damage becomes unacceptable. Classify the functions by MTD; any recovery strategy chosen later must restore the function within this window.
  o Identify the risks associated with each function:
    - Man-made threats, such as hackers, terrorism, fires
    - Natural threats, such as tornadoes, floods, hurricanes, earthquakes
    - Technical threats, such as power outages, hardware or software failure
    - Vendor or service provider becomes unavailable
    - Critical personnel are not available
    - Critical documentation or records are not available
  o Calculate the risk to each business function using qualitative and quantitative analysis.
  o Consider employee safety issues.
  o Develop backup solutions for resources based on the SLA and data classification:
    - Differential backup
    - Incremental backup
    - Full backup
    - Continuous backup
  o Consider the backup location and its distance from the restoring facility: far enough away that a single regional disaster cannot destroy both the production site and the backups, but close enough that media can be retrieved and restored within the MTD.
  o Develop recovery solutions for the company's individual departments and for the company as a whole.
• Identify preventative controls
  o Controls are based on the BIA results.
  o Provide a brief statement for each threat and its corresponding countermeasure.
  o Ensure that each control is cost effective (a control should not cost more than the loss it prevents).
  o Purchase insurance where necessary.
  o Identify the necessary support from vendors, in conjunction with the SLA.
• Develop recovery strategies
  o Recovery strategies are identified after reviewing the BIA results and performing a cost-benefit analysis.
  o Facility recovery options (cold, warm and hot sites are listed in increasing order of readiness and cost):
    - Cold site
    - Warm site
    - Hot site
    - Mobile site
    - Redundant site
    - Reciprocal or mutual aid agreements
• Testing BCP (listed from least to most disruptive)
  o Structured walk-through: representatives of each department step through the plan together on paper to find gaps.
  o Checklist test: copies of the plan are distributed to each department, which verifies that the items it is responsible for are in place.
  o Simulation: a disaster scenario is acted out up to, but not including, actual relocation or failover.
  o Parallel test: recovery systems are brought up and run alongside production, which is not interrupted.
  o Full interruption test: production is actually shut down and the plan is executed; the most realistic test and the only one that can itself cause an outage, so it needs explicit management approval.
• Maintaining plan
  o Periodically incorporate changes into the plan, for example:
    - Reorganization of the company, layoffs, or mergers
    - Hardware or technical changes
    - Business functions that were critical before might not be critical anymore, or vice versa
    - Vendor or service provider changes
  o Conduct BCP awareness training.
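The checklist names differential, incremental and full backups without saying why the choice matters to recovery time. The following simulation is an added example written for this checklist, not code from the original document or its references: it runs a constructed one-week schedule (a full backup on day 0, then one backup per day; the file names and sizes are invented sample data) under each of the three strategies, works out which backup sets a restore must read and in what order, and checks that the rebuilt file set matches what really existed on that day. Continuous backup is not modelled.

```python
"""Restore-chain simulation for full, incremental and differential backups.

Added illustration for the BCP checklist; the schedule, file names and
sizes below are constructed sample data, not from the original document.
"""

from dataclasses import dataclass

# Constructed sample: a full backup on day 0, then one backup per day.
# Sizes are in MB. DAILY_CHANGES[i] holds the files modified on day i+1.
INITIAL_FILES = {"db.dat": 500, "docs.zip": 120, "config.ini": 1}
DAILY_CHANGES = [
    {"db.dat": 520},                     # day 1: database grew
    {"config.ini": 2},                   # day 2: small config edit
    {"db.dat": 540, "docs.zip": 130},    # day 3: two files changed
    {},                                  # day 4: nothing changed
    {"docs.zip": 135},                   # day 5
]


@dataclass
class BackupSet:
    day: int
    kind: str    # "full", "incremental" or "differential"
    files: dict  # file name -> size (MB) copied into this set

    @property
    def size(self):
        return sum(self.files.values())


def state_on(day, initial=INITIAL_FILES, changes=DAILY_CHANGES):
    """Authoritative file set as of `day` (what a correct restore must rebuild)."""
    current = dict(initial)
    for delta in changes[:day]:
        current.update(delta)
    return current


def simulate(strategy, initial=INITIAL_FILES, changes=DAILY_CHANGES):
    """Full backup on day 0, then `strategy` every following day.

    full         copies every file every day
    incremental  copies files changed since the previous backup of any kind
    differential copies files changed since the last full backup
    """
    if strategy not in ("full", "incremental", "differential"):
        raise ValueError(f"unknown strategy {strategy!r}")
    current = dict(initial)
    sets = [BackupSet(0, "full", dict(current))]
    since_full = set()
    for day, delta in enumerate(changes, start=1):
        current.update(delta)
        since_full |= delta.keys()
        if strategy == "full":
            picked = current.keys()
        elif strategy == "incremental":
            picked = delta.keys()      # only this day's changes (daily schedule)
        else:
            picked = since_full        # everything changed since day 0's full
        sets.append(BackupSet(day, strategy, {f: current[f] for f in picked}))
    return sets


def restore_chain(sets, day):
    """Backup sets that must be read, oldest first, to rebuild `day`."""
    usable = [s for s in sets if s.day <= day]
    last_full = max(i for i, s in enumerate(usable) if s.kind == "full")
    chain = [usable[last_full]]
    later = usable[last_full + 1:]
    if later and later[-1].kind == "differential":
        chain.append(later[-1])        # one differential carries all changes
    else:
        chain.extend(later)            # every incremental, in order, none skipped
    return chain


def restore(sets, day):
    """Apply the chain in order and return the rebuilt file set."""
    rebuilt = {}
    for s in restore_chain(sets, day):
        rebuilt.update(s.files)
    return rebuilt


def summarize(strategy, day=len(DAILY_CHANGES)):
    """Figures a BIA would weigh: media written per week vs. effort to restore."""
    sets = simulate(strategy)
    chain = restore_chain(sets, day)
    if restore(sets, day) != state_on(day):
        raise RuntimeError(f"{strategy}: restore does not match reality")
    return {
        "written_mb": sum(s.size for s in sets),
        "sets_to_read": len(chain),
        "read_mb": sum(s.size for s in chain),
    }


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        print(f"{strategy:12s} {summarize(strategy)}")
```

Running it shows the trade-off the BIA has to resolve: the incremental schedule writes the least data but a day-5 restore must read all six sets, and the loss or corruption of any one of them breaks the chain; the differential schedule writes more each day but always restores from two sets; the full schedule costs the most media and restores from one. Which is acceptable follows from the function's MTD and from how fast the chosen media can be brought back from the off-site location.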
Summary All organizations should have a well-documented and thoroughly tested business continuity plan. After 9/11 and Hurricane Katrina, organizations became more aware of the need to develop a business continuity plan that anticipates widespread disasters. To develop a solid business continuity plan, the business should plan for the worst-case scenario in order to protect the interests of its customers and stakeholders.
References
DMReview Editorial Staff (July 26, 2006). "BakBone Reveals 10-Step Checklist to Effective Business Continuity Planning". http://www.dmreview.com/article_sub.cfm?articleId=1060510
FFIEC IT Examination Handbook (March 2003). "Business Continuity Planning". http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Greer, Greg (May 13, 2002). "Management of Information Systems". http://www3.baylor.edu/~Gregg_Greer/BusinessContinuity.htm
Hansche, Susan, John Berti and Chris Hare (2003). "Official (ISC)2 Guide to the CISSP Exam".
NIST (June 2002). "SP 800-34, Contingency Planning Guide for Information Technology Systems".
Harris, Shon (2005). "CISSP All-in-One Exam Guide, Third Edition".