Business Continuity Requirements

Updated: 2016-09-12 16:47:03 | From the book: CISSP For Dummies

Business continuity and disaster recovery work hand in hand to provide an organization with the means to continue and recover business operations when a disaster strikes. Business continuity and disaster recovery are two sides of the same coin. Each springs into action when a disaster strikes. But they do have different goals:
  • Business continuity deals with keeping business operations running — perhaps in another location or by using different tools and processes — after a disaster has struck.
  • Disaster recovery deals with restoring normal business operations after the disaster takes place.
While the business continuity team is busy keeping business operations running via one of possibly several contingency plans, the disaster recovery team members are busy restoring the original facilities and equipment so that they can resume normal operations.

Here's an analogy. Two boys kick a big anthill — a disaster for the ant colony. Some of the ants scramble to save the eggs and the food supply; that's Ant City business continuity. Other ants work on rebuilding the anthill; that's Ant City disaster recovery. Both teams work to ensure the anthill's survival, but each team has its own role to play.

Business continuity and disaster recovery planning have these common elements:

  • Identification of critical business functions: The Business Impact Analysis (BIA) and Risk Assessment (discussed in the section "Conduct Business Impact Analysis," later in this chapter) identify these functions.
  • Identification of possible scenarios: The planning team identifies all the likely man-made and natural activation scenarios, ranked by probability and impact to the organization.
  • Experts: People who understand the organization's critical business processes.
The similarities end with this list. Business continuity planning concentrates on continuing business operations, whereas disaster recovery planning focuses on recovering the original business functions. Although both plans deal with the long-term survival of the business, they involve different activities. When a significant disaster occurs, both activities kick into gear at the same time, keeping vital business functions running (business continuity) and getting things back to normal as soon as possible (disaster recovery).

Business continuity (and disaster recovery) planning exist because bad things happen. Organizations that want to survive a disastrous event need to make formal and extensive plans — contingency plans to keep the business running and recovery plans to return operations to normal.

Keeping a business operating during a disaster can be like juggling with one arm tied behind your back (we first thought of plate-spinning and one-armed paper hangers, but most of our readers are probably too young to understand these). You'd better plan in advance how you're going to do it, and practice! It could happen at night, you know (one-handed juggling in the dark is a lot harder).

Before business continuity planning can begin, everyone on the project team has to make and understand some basic definitions and assumptions. These critical items include

  • Senior management support: The development of a Business Continuity Plan (BCP) is time consuming, with no immediate or tangible return on investment (ROI). To ensure a successful business continuity planning project, you need the support of the organization's senior management, including adequate budget, manpower, and visible statements backing the project. Senior management needs to make explicit statements identifying the responsible parties, as well as the importance of the business continuity planning project, budget, priorities, urgency, and timing.
  • Senior management involvement: Senior management can't just bless the business continuity planning project. Because senior managers and directors may have implicit and explicit responsibility for the organization's ability to recover from a disaster, senior management needs to have a degree of direct involvement in the business continuity planning effort. The careers that these people save may be their own.
  • Project team membership: Which people do you want to put on the business continuity planning project team? The team must represent all relevant functions and business units. Many of the team members probably have their usual jobs, too, so the team needs to develop a realistic timeline for how quickly the business continuity planning project can make progress.
  • Who brings the donuts: Because it's critical that business continuity planning meetings are well attended, quality donuts are an essential success component.
A business continuity planning project typically has four components: scope determination, the Business Impact Analysis (BIA), the Business Continuity Plan (BCP), and implementation.

About This Article

This article is from the book: CISSP For Dummies

About the book author:

Peter H. Gregory, CISSP, is a security, risk, and technology director with experience in SAAS, retail, telecommunications, non-profit, manufacturing, healthcare, and beyond. Larry and Peter have been coauthors of CISSP For Dummies for more than 20 years.

Lawrence C. Miller, CISSP, is a veteran information security professional. He has served as a consultant for multinational corporations and holds many networking certifications.