31 octobre 2007

Business continuity planning for department council

The department council manages the whole county. It acts in many fields: economy, tourism, health, welfare, education, sport, culture, roads, environment, country planning.

Business Continuity Planning (BCP) is a methodology used to create a plan for how Department Council will resume critical function after a disaster.
BCP reduces risk with information controls and the practice of risk management.

Three very goods reasons for a BCP :
  1. 80% of businesses affected by a major incident close within 18 months,
  2. 90% of businesses that lose data from a disaster are forced to shut within 2 years
  3. 58% of organisations were disrupted by September 11th. One in eight was seriously affected.
The British Standards Institute set BCP best practices under ISO 17799.

A BCP cycle results in a manual available during disruptions. The disaster will represent natural disaster, man-made disaster, and disruptions. The regulations base on the formalized standards defined under ISO/IEC 17799 or BS 7799.

BCP methodology is for an organization of any size and complexity.
The methodology has roots in industries in United States. Any type of organization may create a BCP to ensure the organization's longevity. The firms do not invest enough time and resources into BCP preparations are evident in disaster survival statistics. Fires permanently close 44% of the business affected.

A BCP manual for Department Council may be a printed manual. It is store safely away from the main location.
It contains the names, addresses, and phone numbers of:
  • Crisis management staff,
  • General staff members,
  • Suppliers
It contains also:
  • The location of the offsite data backup storage media,
  • Copies of contracts,
  • Others materials necessary for organization.
A BCP manual give a secondary work site, technical requirements and readiness, reporting requirements, work recovery measures, place for physical records, and place to establish new production. Department Council should ensure that their BCP manual is realistic and easy to use during a crisis. BCP give disaster recovery planning.

The development of a BCP manual has five main phases:
  1. Analysis,
  2. Solution design,
  3. Organization acceptance
  4. Implementation,
  5. Testing and maintenance.
  6. Analysis
The analysis phase in the development of a BCP consists of an impact analysis.
Threat analysis, and impact scenarios with the resulting BCP plan requirement documentations.

An impact analysis results in the differentiation between critical and non-critical functions of Department Council. A function may be considered critical, if the implications of damage to the Department Council are unacceptable. Perceptions may be modified by the cost recovery solutions. A function may also be considered critical if dictated by law. Next, the impact analysis results in the recovery requirements for each critical function.

Recovery requirements consist of the following information:
  • The time in which the critical function must be resumed after the disaster
  • The business requirements for recovery of the critical function,
  • The technical requirements for recovery of the critical function.
After defining recovery requirements, documenting is recommended to detail a specific disaster’s recovery steps.
Some common threats include the following:
  • Disease
  • Earthquake
  • Fire
  • Flood
  • Cyber attack
  • Hurricane
  • Utility outage
  • Terrorism
Defining potential threats and documenting the impact scenarios are the basis of the business recovery plan. A business continuity plan may also document impact scenarios if the Department Council has more than one building. We specify impact scenarios for the temporary or permanent loss of a specific floor in a building.

For IT, the plan may cover the following elements:
  • The applications and data require for critical business functions
  • The manual workaround solutions
  • The maximum outage allowed for the applications
  • The peripheral requirements like printers, copier, etc.
After the completion of the analysis phase, we document the solution design.

Solution design

The goal of the solution design phase is to identify the most cost effective solution. That meets two main requirements from the impact analysis stage. For IT applications, this is commonly express as:
  1. The minimum application and application data requirements: RPO (Recovery Point Objective)
  2. The time frame in which the minimum application and application data must be available: Recovery Time Objective (RTO)
Disaster recovery plans may also be required outside the IT applications domain, for example in preservation of information, or restoration of embedded technology. The solution phase determines:
  • The crisis management command structure
  • The location of a secondary work site
  • Telecommunication architecture between primary and secondary work sites
  • Data replication methodology between primary and secondary work sites
  • The application and software required at the secondary work site,
  • The type of physical data requirements at the secondary work site.
Organizational acceptance

The purpose of solutions is achieving organizational acceptance. The business continuity solution must satisfy the organization's requirements.
Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements or solution implementation errors.

We verify:
  • Crisis team call
  • Technical primary and secondary work locations
  • Application tests
  • Business process

Problems identified in the initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle.


The implementation phase is the execution of the elements identified in the solution design phase. Work testing may take place during the implementation of the solution. But it does not take the place of organizational testing.
Testing and maintenance

Maintenance and testing of a BCP manual is important. At minimum, testing is generally conducted on a biannual or annual schedule. The first activity is the confirmation of information in the manual. The second activity is the testing and verification of technical solutions. The last activity is the testing and verification of documented organization recovery procedures.
All organizations change over time, a BCP manual must change to stay relevant to the organization. Normally a test is conducted to evaluate the plan's efficiency. Some types of changes that should be identified and updated in the manual include:
  • Staffing changes
  • Changes to important clients and their contact details
  • Changes to important vendors/suppliers and their contact details
  • Departmental changes like new, closed or fundamentally changed departments.
Some checks include:
  • Are all work processes for critical functions documented?
  • Have the systems used in the execution of critical functions changed?
  • Are the documented work checklists meaningful for staff?
There is a direct relationship between the test and maintenance phases. When establishing a BCP manual and recovery infrastructure from scratch, issues found during the testing phase often must be reintroduced to the analysis phase.

Aucun commentaire: