

Business Continuity Planning





viraj
Hi, I am currently working on providing service to various companies for preparing and executing their BCP (Business Continuity Plan).

I have seen that there is now much information available on the internet which can be easily accessed and learnt for this topic. Hence, I am making a pioneering effort to dedicate this section to the same.

I request all those who are already well versed with this to share their views in this regard; this will only make the process more and more available to people, and businesses across the world more and more secure.

Article 1:

In today’s scenario, businesses are becoming more and more dependent on technology. More and more gadgets are being brought into use to make people's lives easy and processes fast.
But at the same time, there has been enormous growth in the data where all the information resides. Imagine a day when all your money is in a bank and your ATM card is not being accepted, or even the bank employees are not able to retrieve your data from the database where it is stored because their data center crashed. This may be due to any disaster – natural or man-made. What will be your next step? OOPS, cannot imagine, as we are so reliant on technology that going back to the ape age is impossible.
This concept is not a new one. Many times, various companies have experienced such hazards, small or big in nature, and have made losses to the count of billions of $. But after 7/11 this was given serious thought the world over by all the institutions whose business was largely dependent on IT.
This led to the birth of the term Business Continuity…
crdowner
You have to keep in mind the disaster recovery and business continuity are two separate things. Disaster recovery is basically having either hot systems or available cold systems that can perform the same functions during the event of a disaster.

Business Continuity is more about business planning. Even if the systems are in place, a business has to have a location to house their employees after a disaster. That business also needs PCs that its employees can work from. Telephones and data connections must also be taken into account. It is a big undertaking.
viraj
crdowner wrote:
You have to keep in mind the disaster recovery and business continuity are two separate things. Disaster recovery is basically having either hot systems or available cold systems that can perform the same functions during the event of a disaster.

Business Continuity is more about business planning. Even if the systems are in place, a business has to have a location to house their employees after a disaster. That business also needs PCs that its employees can work from. Telephones and data connections must also be taken into account. It is a big undertaking.


Absolutely; you are right, many organizations have Disaster Recovery much concerned with data only. But this is not true. What will you do with your secured data at times of disaster? Where are you going to operate from? This is, as you truly said, a big undertaking.

I am proud to announce that I am working with an organization called Omnitech InfoSolutions Limited, where we have realised this and have pioneered providing such Workplace Recovery Services to our clients.

We have a plan to come up with a chain of workplace recovery centers which will be spread geographically across distinct IT hubs in India.
viraj
Omnitech Disaster Recovery
viraj
Business Continuity Planning (BCP) is an interdisciplinary peer mentoring concept used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption. The logistical plan is called a Business Continuity Plan. For open source BCP "how-to" guidelines, see Wikibooks - Business and economics

In plain language, BCP is how an organization prepares for future incidents that could jeopardize the organization's core mission and its longterm health. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

BCP may be a part of an organizational learning effort that helps reduce operational risk associated with lax information management controls. This process may be integrated with improving information security and corporate reputation risk management practices.

In December 2006, the British Standards Institute released a new independent standard for BCP — BS 25999-1. Prior to the introduction of BS25999, BCP professionals relied on BSI information security standard BS7799, which only peripherally addressed BCP to improve an organization's information security compliance. BS25999's applicability extends to organizations of all types, sizes, and missions whether governmental or private, profit or non-profit, large or small, or industry sector.

In 2004, the United Kingdom enacted the Civil Contingencies Act 2004, a statute that instructs all emergency services and local authorities to actively prepare and plan for emergencies. Local authorities also have the legal obligation under this act to actively lead promotion of business continuity practices amongst its geographical area.
viraj
A completed BCP cycle results in a formal printed manual available for reference before, during, and after disruptions have occurred. Its purpose is to reduce adverse stakeholder impacts determined by both the disruption's scope (who and what it affects) and duration (how bad, implications last for hours, months etc). Measurable business impact analysis (BIA) "zones" (areas in which hazards and threats reside) include civil, economic, natural, technical, secondary and subsequent.

For the purposes of this article, the term disaster will be used to represent natural disaster, human-made disaster, and disruptions.

Prior to January 1, 2000, governments anticipated computer failures, called the Y2k problem, in important public utility infrastructures like banking, power, telecommunication, health and financial industries. Since 1983, regulatory agencies like the American Bankers Association and Banking Administration Institute (BAI) required their supporting members to exercise operational continuity practices (later supported by more formal BCP manuals) that protect the public interest. Newer regulations were often based on formalized standards defined under ISO/IEC 17799 or BS 7799.

Both regulatory and global business focus on BCP arguably waned after the problem-free Y2K rollover. Some believe this lax attitude ended September 11th 2001, when simultaneous terrorist attacks devastated downtown New York City and changed the 'worst case scenario' paradigm for business continuity planning. [1]

BCP methodology is scalable for an organization of any size and complexity. Even though the methodology has roots in regulated industries, any type of organization may create a BCP manual, and arguably every organization should have one in order to ensure the organization's longevity. Evidence that firms do not invest enough time and resources into BCP preparations is seen in disaster survival statistics. Fires permanently close 44% of the businesses affected.[2] In the 1993 World Trade Center bombing, 150 businesses out of 350 affected failed to survive the event. Conversely, the firms affected by the Sept. 11 attacks with well-developed and tested BCP manuals were back in business within days. [3]

A BCP manual for a small organization may be simply a printed manual stored safely away from the primary work location, containing the names, addresses, and phone numbers for crisis management staff, general staff members, clients, and vendors along with the location of the offsite data backup storage media, copies of insurance contracts, and other critical materials necessary for organizational survival. At its most complex, a BCP manual may outline a secondary work site, technical requirements and readiness, regulatory reporting requirements, work recovery measures, the means to reestablish physical records, the means to establish a new supply chain, or the means to establish new production centers. Firms should ensure that their BCP manual is realistic and easy to use during a crisis. As such, BCP sits alongside crisis management and disaster recovery planning and is a part of an organization's overall risk management.
viraj
Impact analysis
An impact analysis results in the differentiation between critical and non-critical organization functions. A function may be considered critical if the implications for stakeholders of damage to the organization resulting are regarded as unacceptable. Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law. Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:

The time frame in which the critical function must be resumed after the disaster
The business requirements for recovery of the critical function, and/or
The technical requirements for recovery of the critical function
viraj
Threat analysis

[Image: The coronavirus suggested as a causative agent for the SARS outbreak in 2002]

After defining recovery requirements, documenting potential threats is recommended to detail a specific disaster’s unique recovery steps. Some common threats include the following:

Disease
Earthquake
Fire
Flood
Cyber attack
Bribery
Hurricane
Utility outage
Terrorism

All threats in the examples above share a common impact: the potential of damage to organizational infrastructure - except one (disease). The impact of diseases can be regarded as purely human, and may be alleviated with technical and business solutions. However, if the humans behind these recovery plans are also affected by the disease, then the process can fall down. During the 2002-2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between the primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organizations also banned face-to-face contact between opposing team members during business and non-business hours. With such a split, organizations increased their resiliency against the threat of government-ordered quarantine measures if one person in a team contracted or was exposed to the disease. Damage from flooding also has a unique characteristic. If an office environment is flooded with non-salinated and contamination-free water (e.g., in the event of a pipe burst), equipment can be thoroughly dried and may still be functional.
viraj
Solution Designing

The goal of the solution design phase is to identify the most cost effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT applications, this is commonly expressed as:

The minimum application and application data requirements
The time frame in which the minimum application and application data must be available
Disaster recovery plans may also be required outside the IT applications domain, for example in preservation of information in hard copy format, or restoration of embedded technology in process plant. This BCP phase overlaps with Disaster recovery planning methodology. The solution phase determines:

The crisis management command structure
The location of a secondary work site (where necessary)
Telecommunication architecture between primary and secondary work sites
Data replication methodology between primary and secondary work sites
The application and software required at the secondary work site, and
The type of physical data requirements at the secondary work site
viraj
BS 25999 is BSI's standard in the field of Business Continuity Management (BCM). This standard replaces PAS56, a Publicly Available Specification, published in 2003 on the same subject.

Structure
BS 25999 is a Business Continuity Management (BCM) standard in two parts.

The first, "BS 25999-1:2006 Business Continuity Management. Code of Practice", takes the form of general guidance and seeks to establish processes, principles and terminology for Business Continuity Management.

The second, "BS 25999-2:2007 Specification for Business Continuity Management", specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.

A useful means of understanding the difference between the two is that Part 1 is a guidance document and uses the term 'should', while Part 2 is an independently verifiable specification that uses the word 'shall'.

Certification (independent verification) is available from accredited certification bodies, for example BSI or LRQA amongst others and is a multi stage process usually involving a number of initial assessment visits. The assessor will then make a recommendation that the organisation receive certification or not. After initial certification a number of surveillance visits are made to ensure that the organisation is still in compliance.
viraj
Contents
The contents of the code of practice (BS 25999-1) are as follows:

Section 1 - Scope and Applicability. This section defines the scope of the standard, making clear that it describes generic best practice that should be tailored to the organisation implementing it

Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard

Section 3 - Overview of Business Continuity Management. A short overview is the subject of the standard. It is not meant to be a beginner's guide but describes the overall processes, its relationship with risk management and reasons for an organisation to implement along with the benefits

Section 4 - The Business Continuity Management Policy. Central to the implementation of business continuity is having a clear, unambiguous and appropriately resourced policy

Section 5 - BCM Programme Management. Programme management is at the heart of the whole BCM process and the standard defines an approach

Section 6 - Understanding the organization. In order to apply appropriate business continuity strategies and tactics the organisation has to be fully understood, its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.

Section 7 - Determining BCM Strategies. Once the organisation is understood, the overall business continuity strategies can be defined that are appropriate.

Section 8 - Developing and implementing a BCM response. The tactical means by which business continuity is delivered. These include incident management structures, incident management and business continuity plans.

Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. Without testing the BCM response an organisation cannot be certain that they will meet their requirements. Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organisation's goals.

Section 10 - Embedding BCM into the organization's culture. Business continuity should not exist in a vacuum but become part of the way that the organisation is managed.
viraj
viraj wrote:
Contents
The contents of the code of practice (BS 25999-1) are as follows:

Section 1 - Scope and Applicability. This section defines the scope of the standard, making clear that it describes generic best practice that should be tailored to the organisation implementing it

Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard

Section 3 - Overview of Business Continuity Management. A short overview is the subject of the standard. It is not meant to be a beginner's guide but describes the overall processes, its relationship with risk management and reasons for an organisation to implement along with the benefits

Section 4 - The Business Continuity Management Policy. Central to the implementation of business continuity is having a clear, unambiguous and appropriately resourced policy

Section 5 - BCM Programme Management. Programme management is at the heart of the whole BCM process and the standard defines an approach

Section 6 - Understanding the organization. In order to apply appropriate business continuity strategies and tactics the organisation has to be fully understood, its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.

Section 7 - Determining BCM Strategies. Once the organisation is understood, the overall business continuity strategies can be defined that are appropriate.

Section 8 - Developing and implementing a BCM response. The tactical means by which business continuity is delivered. These include incident management structures, incident management and business continuity plans.

Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. Without testing the BCM response an organisation cannot be certain that they will meet their requirements. Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organisation's goals.

Section 10 - Embedding BCM into the organization's culture. Business continuity should not exist in a vacuum but become part of the way that the organisation is managed.



The contents of the specification (BS 25999-2) are as follows:

Section 1 - Scope. Defines the scope of the standard, the requirements for implementing and operating a documented business continuity management system.

Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard

Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is predicated on the well established Plan-Do-Check-Act model of continuous improvement. The first step is to plan the BCMS, establishing and embedding it within the organisation.

Section 4 - Implementing and Operating the BCMS (DO). Actually implement one's plans. This section encompasses 4 sections of Part 1, that is: understand the organisation, determine BC strategy, develop & implement a BCM response and finally exercise/maintenance/review.

Section 5 - Monitoring and Reviewing the BCMS (CHECK). To ensure that the BCMS is continually monitored, the Check stage covers internal audit and management review of the BCMS.

Section 6 - Maintaining and Improving the BCMS (ACT). To ensure that the BCMS is both maintained and improved on an ongoing basis, this section looks at preventative and corrective action.
busry
crdowner wrote:
You have to keep in mind the disaster recovery and business continuity are two separate things.

Yes, actually, they are different in nature but they are similar in their purposes. If you make a business continuity plan, you should always consider the company and the customers. It’s good to hear the updates in here which is very informative.