Posted: January 24th, 2023

Info Security & Risk Mgmt

Discuss the difference between a Continuity of Operations Plan (COOP), a Business Continuity Plan (BCP), and a Disaster Recovery Plan (DRP). You might want to start with the definitions from NIST SP 800-34, located at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1 . Section 3.5 discusses the different types of Plan Testing, Training, and Exercises.

Managing Risk in Information Systems


Lesson 6

Business Impact Analysis
and Continuity Planning

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objectives

Perform a business impact analysis.

Create a business continuity plan (BCP) based on the findings of a given risk assessment for an organization.

Key Concepts
Purpose of BIA
Critical success factors of BIA
Steps involved in implementing a BIA
BIA best practices
Comparing a BCP and a DRP
Major elements of BCP
Phases of a BCP
Steps for implementing a BCP

Chapter 13 Slides

Chapter 13: “Mitigating Risk with a
Business Continuity Plan”

What Is a Business Continuity Plan?
A plan designed to help an organization continue to operate during and after a disruption
BIA is included as part of a BCP

What Is a Business Continuity Plan?
BIA key objectives that directly support the BCP:
Identify critical business functions (CBFs)
Identify critical processes supporting the CBFs
Identify critical IT services supporting the CBFs, including any dependencies
Determine acceptable downtimes for CBFs, processes, and IT service

Elements of a BCP
Purpose and scope
Assumptions and planning principles
System description and architecture
Responsibilities
Phases
Plan training, testing, and exercises
Plan maintenance


System Description and Architecture

Show system interaction

BCP Roles and Responsibilities
BCP program manager
BCP coordinator
BCP teams
Emergency Management Team (EMT)
Damage Assessment Team (DAT)
Technical Recovery Team (TRT)

Phases within a BCP Plan

Notification/activation phase

Recovery phase

Reconstitution phase

Defining Data that Needs to Be Protected

The BCP should list all the critical components for the system.
There are two reasons for including this data:
First, it makes it clear which components are needed for the critical business functions (CBF).
Second, it provides a list that you can use to restore the system from scratch.
This list includes any equipment, such as servers, switches, and routers.
The servers may need to be rebuilt from scratch. Therefore, the BCP should list the operating system and any applications needed to support the system.
If an image is used to rebuild servers, the BCP should list the image's version number.
Data can include a database hosted on the system.
It can also include any type of files, such as documents or spreadsheets.
Last, the list can include any needed supplies:
This can be simple office supplies, such as printer paper and toner.
For some systems, it can include technical supplies, such as special oils for machinery or tools needed for maintenance.


Identify all critical components for the system

Identify all equipment: servers, switches, routers

Include databases hosted on the system

Include files: documents or spreadsheets

Include necessary supplies

BCP Best Practices
Complete the BIA early
Exercise caution when returning functionality from alternate locations
Restore least critical functions first
Review and update the BCP
Test all individual pieces of the plan
Conduct test exercises of the plan

Complete the BIA early—Ensure the BIA is done early in the process for the BCP.
Without the BIA, you won’t know what systems are critical.
Exercise caution when returning functionality from alternate locations—When restoring functionality from an alternate location to the primary location, consider these best practices:
Restore least critical functions first to the primary location—This allows you to get the bugs out of the process without affecting critical functions.
Review and update the BCP regularly—The BCP coordinator should review and update the BCP at least annually.
If critical systems are changed or modified between annual reviews, the BCP should be reviewed when those changes or modifications occur.
Test all the individual pieces of the plan—This includes basic procedures, such as recalls.
Exercise the plan—Verify the plan works by performing test exercises.
These exercises should not affect normal operations.
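The BIA objectives listed earlier (identify the critical IT services supporting each CBF, including dependencies, and determine acceptable downtimes) and the best practice of restoring the least critical functions to the primary location first can both be made concrete with a small dependency model. The following is an added example, not code from the lesson or the Jones and Bartlett textbook; the CBF names, dependency map and hour values are constructed sample BIA data, and the terms maximum tolerable downtime (MTD) and recovery time objective (RTO) are taken from NIST SP 800-34, which the assignment cites. It propagates each CBF's acceptable downtime down to every process and IT service it relies on (a database shared by a 4-hour function and a 72-hour function must meet the 4-hour limit), produces a recovery sequence that never restores a component before its dependencies, and orders the return to the primary site least-critical first.

```python
"""Added example (not from the lesson or textbook): propagate acceptable
downtime from critical business functions (CBFs) through their process and
IT-service dependencies, then derive recovery and return-to-primary orders.
All names and hour values are constructed sample BIA data."""
import heapq
from collections import deque

# Acceptable downtime per CBF in hours (constructed). In NIST SP 800-34 terms
# this is the maximum tolerable downtime (MTD).
CBF_ACCEPTABLE_DOWNTIME_HOURS = {
    "order-processing": 4,
    "payroll": 72,
    "customer-support": 24,
}

# Constructed dependency map: each item lists what it depends on. CBFs depend
# on processes, processes on IT services, and IT services on other IT services
# (an application server needs its database and the core network).
DEPENDS_ON = {
    "order-processing": ["order-entry-process"],
    "payroll": ["payroll-run-process"],
    "customer-support": ["ticketing-process"],
    "order-entry-process": ["web-app", "orders-db"],
    "payroll-run-process": ["hr-app"],
    "ticketing-process": ["ticket-app"],
    "web-app": ["orders-db", "core-network"],
    "orders-db": ["storage-array", "core-network"],
    "hr-app": ["hr-db", "core-network"],
    "hr-db": ["storage-array", "core-network"],
    "ticket-app": ["core-network"],
    "storage-array": [],
    "core-network": [],
}


def required_downtime_limits(cbf_limits, depends_on):
    """For every node reachable from a CBF, return the tightest acceptable
    downtime (hours) inherited from the CBFs that rely on it, directly or
    through other dependencies. A supporting component may never be down
    longer than the most time-sensitive function it underpins, so this value
    is the ceiling for that component's recovery time objective (RTO)."""
    limits = {}
    for cbf, hours in cbf_limits.items():
        queue = deque([cbf])   # breadth-first walk over this CBF's dependencies
        seen = set()
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            limits[node] = min(limits.get(node, hours), hours)
            queue.extend(depends_on.get(node, []))
    return limits


def recovery_order(limits, depends_on):
    """Recovery sequence after a disruption: a component is recovered only after
    everything it depends on, and among components that are ready the one with
    the tightest downtime limit goes first (Kahn's topological sort driven by a
    priority heap). Raises ValueError if the dependency map contains a cycle."""
    nodes = set(depends_on)
    for deps in depends_on.values():
        nodes.update(deps)
    dependents = {node: [] for node in nodes}
    unresolved = {node: len(depends_on.get(node, [])) for node in nodes}
    for node, deps in depends_on.items():
        for dep in deps:
            dependents[dep].append(node)
    ready = [(limits.get(n, float("inf")), n) for n, k in unresolved.items() if k == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, node = heapq.heappop(ready)
        order.append(node)
        for dependent in dependents[node]:
            unresolved[dependent] -= 1
            if unresolved[dependent] == 0:
                heapq.heappush(ready, (limits.get(dependent, float("inf")), dependent))
    if len(order) != len(nodes):
        raise ValueError("dependency cycle among: %s" % sorted(nodes - set(order)))
    return order


def return_to_primary_order(cbf_limits):
    """Order for moving functions back from the alternate site to the primary
    site: least critical (longest acceptable downtime) first, so problems with
    the move surface on functions that can tolerate them."""
    return sorted(cbf_limits, key=lambda cbf: cbf_limits[cbf], reverse=True)


if __name__ == "__main__":
    limits = required_downtime_limits(CBF_ACCEPTABLE_DOWNTIME_HOURS, DEPENDS_ON)
    for node in recovery_order(limits, DEPENDS_ON):
        print(f"{limits[node]:>4}h  {node}")
    print("return to primary:", return_to_primary_order(CBF_ACCEPTABLE_DOWNTIME_HOURS))
```

Running the script prints the recovery sequence with the derived limit beside each component; the shared core network and storage array inherit the 4-hour limit of order processing even though payroll alone would tolerate 72 hours, which is the point of tracing dependencies in the BIA rather than assigning downtimes service by service. Recovery goes most-critical first, whereas the return to the primary site goes least-critical first, matching the slide's two different orderings.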

Summary
Purpose of BIA
Critical success factors of BIA
Steps involved in implementing a BIA
BIA best practices
Comparing a BCP and a DRP
Major elements of BCP
Phases of a BCP
Steps for implementing a BCP

OPTIONAL SLIDES


7/15/2018

Chapter 13 Optional Slides

Chapter 13: “Mitigating Risk with a
Business Continuity Plan”

Business Continuity vs. Disaster Recovery

BCP
Covers all functional areas of a business and ensures the entire business can continue to operate in the event of a disruption.
Includes a BIA and also addresses the non-technical elements of the event.
Focused on getting the overall business functions back to normal.
DRP
Is a function of the IT department.
Includes the elements necessary to recover from a disaster, once one is declared.
Involves copying the critical data to media or online and then, if required, moving IT operations off site to recover.
Focused on restoring and recovering IT functions.

BCP

Covers all functional areas of business

Includes a business impact analysis (BIA)

Focused on business function recovery

DRP

Function of the IT department

Focused on IT function recovery

Recovery from a declared disaster

Steps for Implementing a BCP
Create BCP scope statements
Conduct business impact analysis (BIA)
Identify countermeasures and controls
Develop individual disaster recovery plans (DRPs)
Implement training
Test and exercise plans
Maintain and update plans

Why Use a Business Continuity Plan?
What happens if electrical power is lost?
What happens if servers go down?
What are the critical business functions to maintain?
What must remain intact to conduct business?
What is the risk of being without a BCP?

