Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)
Binomial International
The Binomial Bookstore
Rothstein Associates Inc.
Business Continuity & Disaster Recovery
BUSINESS CONTINUITY PLANNING METHODOLOGY
by Akhtar Syed, Ph.D., CISSP and Afsar Syed, BMath., ABCP

“An easy to follow step-by-step guide to help you implement a business continuity program, and develop, test, and maintain a business continuity plan.

“Detailed analysis and steps for conducting a business impact analysis, managing risks, and developing a continuity strategy.

“Based on industry standards, guidelines, and best practices such as ISO/IEC 17799, NFPA 1600, CobiT, and DRII.

“An in-depth step-by-step guide to help you develop, test, and maintain your business continuity plan.

“The business continuity planning process consists of six key stages:
- risk management;
- business impact analysis;
- business continuity strategy development;
- business continuity plan development;
- business continuity plan testing; and,
- business continuity plan maintenance.

“Although there are many publications that explain business continuity planning, very few provide detailed methods on how to implement it; even fewer cover implementation of all six stages.

“Business Continuity Planning Methodology is a single, comprehensive, text that explains the principles of business continuity planning and presents an easy to follow step-by-step methodology to implement its six stages. The methodology considers protection of mission critical business processes, resources, and services. It focuses on key resources such as IT systems and infrastructure, manufacturing and production equipment and products, facilities, work areas, vital records, and critical data. The methodology is consistent with business continuity industry standards, guidelines, and best practices such as ISO/IEC 17799, NFPA 1600, COBIT, and DRI International.”

- - - - - -

CONTENTS

“This book gives readers the skills to manage risks, conduct a business impact analysis, develop a business continuity strategy, and develop, test, and maintain a business continuity plan.
The main body of the book contains chapters structured according to the six business continuity planning stages:

RISK MANAGEMENT

“This chapter introduces the key concepts of risk management and describes a framework for managing risks to business continuity. The framework includes steps for risk assessment, risk control options analysis, risk control implementation, risk control decision, and risk reporting. The chapter explains the concepts and implementation of these steps through examples of business continuity risk.

BUSINESS IMPACT ANALYSIS

“This chapter describes the steps for conducting a Business Impact Analysis (BIA) and explains the implementation of these steps through an example BIA scenario. The BIA steps include assessment of financial and operational impacts, identification of mission critical business functions and processes, identification of critical IT systems and applications, and determination of recovery requirements. Topics in this chapter include comparison of BIA and risk management; BIA benefits and responsibilities; methods of conducting a BIA; disaster-to-recovery time line and events; elements of the BIA such as Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), Recovery Point Objective (RPO), Work Backlog, and Data Loss; summarized findings; and BIA report content.

BUSINESS CONTINUITY STRATEGY DEVELOPMENT

“The business continuity strategy development framework presented in this chapter is designed to help the reader determine the best strategy that will enable a timely and cost effective recovery from a potential business disruption. It describes the steps to identify recovery requirements and options, conduct a cost-benefit assessment, and identify and select the most viable recovery options. This chapter also discusses general considerations for developing a business continuity strategy, and provides recommendations for recovery contracts and service level agreements.

BUSINESS CONTINUITY PLAN DEVELOPMENT

“This chapter is a guide for developing an effective business continuity plan based on the results of the preceding stages. It explains the detailed structure and content for an effective plan and covers the key plan execution phases: initial response and notification, problem assessment and escalation, disaster declaration, plan implementation logistics, recovery and resumption, and restoration. Numerous examples of plan activities, procedures, and tasks help to explain the content required in the plan. This chapter also addresses the requirements for an emergency response plan and crisis communication plan.

BUSINESS CONTINUITY PLAN TESTING

“This chapter introduces the key concepts of business continuity plan testing and provides a framework for developing an effective test plan. The topics include test objectives, test benefits, test methods, test scenarios, test evaluation criteria, and test budget. The framework then explains the sequence of test plan development steps and addresses various issues and concerns that influence the test plan, such as test constraints, strategy, logistics, and risks.

BUSINESS CONTINUITY PLAN MAINTENANCE

“The focus of this chapter is on maintaining the business continuity plan in a constant ready-state. It describes activities needed to ensure that the business continuity plan always remains accurate, current, and complete. Topics covered in this chapter include business continuity plan change management, plan testing, training, and audit.

“This book also contains the following appendices: a summary of deliverables resulting from the six stages of the business continuity planning process; summary of business continuity standard guidelines and best practices; business continuity resource information; and a glossary of business continuity terminology.”

- - - - - -

WHO SHOULD READ THIS BOOK?

“This comprehensive text is an excellent resource for those who develop business continuity plans, manage business continuity projects, or want to learn about the subject of BCP. It is a valuable reference for people seeking certifications such as CISSP (Certified Information Systems Security Professional) or CBCP (Certified Business Continuity Professional).”

- - - - - - -

EXCERPT FROM THE INTRODUCTION

Disasters can strike quickly and without warning. Webster’s dictionary defines disaster as: “a calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship, as a flood, airplane crash, or business failure” [1].

“Floods, earthquakes, tornadoes, and hurricanes are examples of major calamitous events.

“Businesses are vulnerable to the impact of not only major calamities but also minor business disruptions. Factors such as increased dependency on technology and “speed to market” pressures have made businesses sensitive to even minor disruptions. Some examples of minor disruptive events are power outages, information technology (IT) system failures, manufacturing equipment failures, hazardous material contamination, voice and data communication failure, and computer viruses.

“Over the past decade, the risks of natural disasters, technical and accidental failures, and malicious activities have increased the possibility of business disruptions. In spite of increased risks, studies show that many businesses have remained complacent. According to Gartner, “… many enterprises that experience a disaster never recover. Gartner estimates that two out of five enterprises that experience a disaster go out of business within five years.” These findings reflect the failure of businesses to invest in adequate disaster planning and preparations.

“Serious consequences of business disruptions can be avoided through business continuity planning (BCP).
BCP is a discipline that prepares an organization to maintain continuity of business during a disaster through an implementation of a business continuity plan. A business continuity plan is a document that contains procedures and guidelines to help recover and restore disrupted processes and resources to normal operational status within an acceptable time frame.

“This book explains the concept of BCP with a specific emphasis on the process and methodology for developing, maintaining, and implementing a business continuity plan.

“The methodology considers people, business processes, and resources as essential elements of a business continuity plan. A business continuity plan cannot function effectively without the collective efforts of the people assigned to various roles and responsibilities defined in the plan. Continuity of business cannot be maintained without the continuous support of critical business processes—tasks and operations performed by business units or functions—and various resources required by these processes.”

- - - - - - -

TABLE OF CONTENTS

PREFACE

CHAPTER 1 INTRODUCTION
1.1 Chapter Overview
1.2 Reasons for BCP
1.3 BCP and Other Planning Approaches
1.4 Business Continuity Planning Concept
1.5 BCP Process: Best Practices and Industry Guidelines
1.6 Key Deliverables of the BCP Process
1.7 Roadmap to this Book
Appendix 1A: BCP Related Rules and Regulations

CHAPTER 2 RISK MANAGEMENT
2.1 Chapter Overview
2.2 Risk Concepts
2.3 Risk Management Framework
Appendix 2A: Risk Assessment Data Collection Process

CHAPTER 3 BUSINESS IMPACT ANALYSIS
3.1 Chapter Overview
3.2 Risk Management and BIA
3.3 BIA Benefits
3.4 Who should be involved in a BIA?
3.5 Methods for Gathering BIA Information
3.6 Recovery Time Requirements
3.7 BIA’s Functional Overview
3.8 BIA Process
3.9 BIA Report

CHAPTER 4 BUSINESS CONTINUITY STRATEGY DEVELOPMENT
4.1 Chapter Overview
4.2 A Framework for BC Strategy Development
4.3 General Recovery Strategy Considerations
4.4 Recovery Contracts and Service Level Agreements
Appendix 4A: Examples of Availability Time Concerns for Recovery Options

CHAPTER 5 BUSINESS CONTINUITY PLAN DEVELOPMENT
5.1 Chapter Overview
5.2 Business Continuity Plan Outline
5.3 Objective and Scope
5.4 Definition of a Disaster
5.5 Risk Management Summary
5.6 Business Impact Analysis Summary
5.7 Business Continuity Strategy Summary
5.8 Business Continuity Teams
5.9 Contact Information
5.10 Activities for BC Plan Execution Phases
5.11 Mapping Resources to BC Plan Execution Phases, Activities, Procedures, and Tasks
5.12 Assigning Activities, Procedures, and Tasks
5.13 BC Plan Change Control
5.14 BC Plan Appendices
Appendix 5A: Emergency Response Plan Requirements
Appendix 5B: Crisis Communication Plan Requirements
Appendix 5C: Critical Data and Critical/Vital Record Off-site Storage Requirements

CHAPTER 6 BUSINESS CONTINUITY PLAN TESTING
6.0 Chapter Overview
6.1 Objective of BC Plan Testing Stage
6.2 BC Plan Testing Benefits
6.3 Test Methods
6.4 BC Test Plan Document
6.5 A Framework for BC Test Plan Development

CHAPTER 7 BUSINESS CONTINUITY PLAN MAINTENANCE
7.1 Chapter Overview
7.2 BC Plan Change Management Process
7.3 Business Continuity Plan Testing
7.4 Business Continuity Training
7.5 Business Continuity Audits
7.6 Suggestions for BC Plan Maintenance

CHAPTER 8 BCP PROCESS: REPORTS AND DOCUMENTS SUMMARY
8.1 Stage 1: Risk Management
8.2 Stage 2: Business Impact Analysis
8.3 Stage 3: Business Continuity Strategy Development
8.4 Stage 4: Business Continuity Plan Development
8.5 Stage 5: Business Continuity Plan Testing
8.6 Stage 6: Business Continuity Plan Maintenance

APPENDIX A: BCP STANDARDS, GUIDELINES, AND BEST PRACTICES
APPENDIX B: BUSINESS CONTINUITY RESOURCE INFORMATION
GLOSSARY OF BCP TERMS AND ABBREVIATIONS
REFERENCES
ABOUT THE AUTHORS
INDEX

- - - - - - -

ABOUT THE AUTHORS

DR. AKHTAR SYED, PH.D., CISSP

“Dr. Syed has extensive training and consulting experience in the field of Business Continuity Planning (BCP). As a consultant and trainer, he has assisted numerous organizations with BCP training, business impact analysis, continuity strategy assessment, and business continuity plan development and testing. He has also worked with IBM Global Services as a senior business continuity consultant, helping businesses with alternate disaster recovery facility solutions.

“Dr. Syed holds a doctorate degree in systems design engineering, master's degree in the field of data communication services, and a bachelor's degree in computer science. He is also a Certified Information Systems Security Professional (CISSP).”

AFSAR SYED, BMATH., ABCP

“Afsar is a senior business continuity consultant, and has over 15 years of progressive business and technical experience in telecommunications, wireless and wireline data networking, voice over IP services, Internet security, database systems, computer programming, and product and project management. He possesses a bachelor of mathematics degree in computer science and is an Associate Business Continuity Professional (ABCP).”

- - - - - -

2004, 315 pages. Order #DR730.

- - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008