Business Continuity Plans
Small companies working on a
low profit margin can literally be put out of business by a computer incident.
Large, financially sound businesses can weather a modest incident that
interrupts their use of computers for a while, although it is painful to them.
But even rich companies do
not want to spend money unnecessarily. The analysis is sometimes as simple as
no computers means no customers means no sales means no profit.
Government agencies, educational
institutions, and nonprofit organizations also have limited budgets, which they
want to use to further their needs. They may not have a direct profit motive,
but being able to meet the needs of their customersthe public, students, and
constituentspartially determines how well they will fare in the future. All
kinds of organizations must plan for ways to cope with emergency situations.
A business continuity plan documents how a business will continue to
function during a computer security incident. An ordinary security plan covers
computer security during normal times and deals with protecting against a wide
range of vulnerabilities from the usual sources. A business continuity plan
deals with situations having two characteristics:
catastrophic situations, in
which all or a major part of a computing capability is suddenly unavailable
long duration, in which the
outage is expected to last for so long that business will suffer
There are many situations in
which a business continuity plan would be helpful. Here are some examples that
typify what you might find in reading your daily newspaper:
A fire destroys a company's
entire network.
A seemingly permanent failure
of a critical software component renders the computing system unusable.
A business must deal with the
abrupt failure of its supplier of electricity, telecommunications, network
access, or other critical service.
A flood prevents the
essential network support staff from getting to the operations center.
As you can see, these
examples are likely to recur, and each disables a vital function.
You may also have noticed how
often "the computer" is blamed for an inability to provide a service
or product. For instance, the clerk in a shop is unable to use the cash
register because "the computer is down." You may have a CD in your
hand, plus exactly the cash to pay for it. But the clerk will not take your
money and send you on your way. Often, computer service is restored shortly.
But sometimes it is not.
Once we were delayed for over
an hour in an airport because of an electrical storm that caused a power
failure and disabled the airlines' computers. Although our tickets showed
clearly our reservations on a particular flight, the airline agents refused to
let anyone board
because they could not assign
seats. As the computer remained down, the agents were frantic because the
technology was delaying the flight and, more importantly, disrupting hundreds
of connections.
The key to coping with such
disasters is advance planning and preparation, identifying activities that will
keep a business viable when the computing technology is disabled. The steps in
business continuity planning are these:
·
Assess the business impact of a crisis.
·
Develop a strategy to control impact.
·
Develop and implement a plan for the strategy
Assess Business Impact
To assess the impact of a
failure on your business, you begin by asking two key questions:
What are the essential assets? What are the things that will
prevent the business from doing business? Answers are typically of the form
"the network," "the customer reservations database," or
"the system controlling traffic lights."
What could disrupt use of these assets? The vulnerability is more
important than the threat agent. For example, whether destroyed by a fire or
zapped in an electrical storm, the network is nevertheless down. Answers might
be "failure," "corrupted," or "loss of power."
You probably will find only a
handful of key assets when doing this analysis.
Do not overlook people and
the things they need for support, such as documentation and communications
equipment. Another way to think about your assets is to ask yourself,
"What is the minimum set of things or activities needed to keep business
operational, at least to some degree?" If a manual system would compensate
for a failed computer system, albeit inefficiently, you may want to consider
building such a manual system as a potential critical asset. Think of the
airline unable to assign seats from a chart of the cabin.
Later in this chapter we
study risk analysis, a comprehensive examination of assets, vulnerabilities,
and controls. For business continuity planning we do not need a full risk
analysis. Instead, we focus on only those things that are critical to continued
operation. We also look at larger classes of objects, such as "the
network," whose loss or compromise can have catastrophic effect.
Develop Strategy
The continuity strategy
investigates how the key assets can be safeguarded. In some cases, a backup
copy of data or redundant hardware or an alternative manual process is good
enough. Sometimes, the most reasonable answer is reduced capacity. For example,
a planner might conclude that if the call center in London fails, the business
can divert all calls to Tokyo. It is possible, though, that the staff in Tokyo
cannot handle the full load of the London traffic; this situation may result in
irritated or even lost customers, but at least some business can be transacted.
Ideally, you would like to
continue business with no loss. But with catastrophic failures, usually only a
portion of the business function can be preserved. In this case, you must
develop a strategy appropriate for your business and customers. For instance,
you can decide whether it is better to preserve half of function A and half of
B, or most of A and none of B.
You also must consider the
time frame in which business is done. Some catastrophes last longer than
others. For example, rebuilding after a fire is a long process and implies a
long time in disaster mode. Your strategy may have several steps, each
dependent on how long the business is disabled. Thus, you may take one action
in response to a one-hour outage, and another if the outage might last a day or
longer.
Because you are planning in
advance, you have the luxury of being able to think about possible
circumstances and evaluate alternatives. For instance, you may realize that if
the Tokyo site takes on work for the disabled London site, there will be a
significant difference in time zones. It may be better to divert morning calls
to Tokyo and afternoon ones to Dallas, to avoid asking Tokyo workers to work
extra hours.
The result of a strategy analysis
is a selection of the best actions, organized by circumstances. The strategy
can then be used as the basis for your business continuity plan.
Develop Plan
The business continuity plan
specifies several important things:
who is in charge when an incident
occurs
what to do
who does it
The plan justifies making
advance arrangements, such as acquiring redundant equipment, arranging for data
backups, and stockpiling supplies, before the catastrophe. The plan also
justifies advance training so that people know how they should react. In a
catastrophe there will be confusion; you do not want to add confused people to
the already severe problem.
The person in charge declares
the state of emergency and instructs people to follow the procedures documented
in the plan. The person in charge also declares when the emergency is over and
conditions can revert to normal.
Thus, the business continuity
planning addresses how to maintain some degree of critical business activity in
spite of a catastrophe. Its focus is on keeping the business viable. It is
based on the asset survey, which focuses on only a few critical assets and
serious vulnerabilities that could threaten operation for a long or
undetermined period of time.
The focus of the business
continuity plan is to keep the business going while someone else addresses the
crisis. That is, the business continuity plan does not include calling the fire
department or evacuating the building, important though those steps are. The
focus of a business continuity plan is the business and how to keep it
functioning to the degree possible in the situation. Handling the emergency is
someone else's problem.
Now we turn to a different
plan that deals specifically with computer crises.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.