
Magda CHELLY, Ph.D, CISSP®

Entrepreneur | @Responsible Cyber | CISO On Demand | CyberFeminist | TOP 50 Cyber Influencer

BUSINESS CONTINUITY POLICY

INTRODUCTION

EXECUTIVE SUMMARY

This policy describes how the company implements appropriate controls for a business recovery and continuity
plan covering the delivery of IT and business services in the event of an incident or disaster.

The company shall establish the processes necessary to deliver services effectively at any point in time, without
interruption. This includes employees' activities, data processing and the security controls in place, as well as the
management of third parties.

The Policy takes into account the requirements of ISO 27001 and other relevant standards.

SCOPE

The policy addresses the controls and IT processes that enable and ensure continuous service to customers. It
covers the information technology processes that provide service availability, as defined by the business impact
analysis, in the event of a major business disruption. It also describes how to validate the continuity plan and test
the business requirements, taking into consideration:

- Criticality classification
- Alternative procedures
- Back-up and recovery
- Systematic and regular testing and training
- Monitoring and escalation processes
- Internal and external organizational responsibilities
- Business continuity activation, fallback and resumption plans
- Risk management activities
- Assessment of single points of failure
- Problem management

DISCLAIMER. The sample documents below are provided for general information purposes only. Your use of any of these sample
documents is at your own risk, and you should not use any of these sample documents without first seeking legal and other
professional advice. Any similarities are coincidental as per usual and standard policies in the industry.

RESPONSIBILITIES

The company's management must establish and build, together with the business owners, a continuity framework
with defined roles and responsibilities, as well as a methodology to follow in case of disaster.

Reference: ISO 27002, 14.1.4

There should be a written Business Continuity Plan, containing the following details:

1. Guidelines on how to use the continuity plan
2. Emergency procedures to ensure the safety of all affected staff members
3. Recovery procedures meant to bring the business back to the state it was in before the incident or disaster
4. Procedures to safeguard and reconstruct the company's site
5. Co-ordination procedures with public authorities
6. Communication procedures with stakeholders, employees, customers, suppliers and management
7. Critical information on the business

The continuity plan shall list, with all the identifying details required, the:

- Critical applications
- Third-party services
- Operating systems
- Personnel
- Suppliers
- Related data

The critical data and operations shall be identified, documented, prioritized and approved by the business
owners, in cooperation with the IT security stakeholders.

Management should ensure that the business continuity plan related to IT and information security is aligned
with the global business continuity plan; both need to be consistent. The plan should ensure short- and long-term
consistency, and should reduce the requirements for providing continuity and consistency to the minimum,
covering all components: facilities, hardware, software, equipment, forms, suppliers, etc.

PROCEDURES

If the business continuity plan is being outsourced, the following points are crucial:

a. Senior management approval
b. Request for Proposals (RFP)
c. Evaluation phase
d. Mandate

If the business continuity plan is being carried out by IT or management, the following points are crucial:

a. The IT/security manager collects all information from the IT employees, the business owners and the other
stakeholders.
b. The IT/security manager builds a short- and long-term IT strategy plan. The plan needs senior management
approval, followed by budget committee approval, before finally being tested structurally and practically.
c. The plan should also take the change procedures into consideration, to ensure that the business continuity
plan remains valid. It needs to reflect the actual business requirements.
d. The plan must be maintained, updated and tested after any major technology change. The changes that need
to be taken into consideration should include any updates regarding:
   - Personnel;
   - Addresses or telephone numbers;
   - Business strategy;
   - Location, facilities and resources;
   - Legislation;
   - Contractors, suppliers;
   - Processes;
   - Clients;
   - Risk (technical, operational and financial).

The business continuity plan should follow the continuity plan maintenance procedures. Updates to the business
continuity plan need to be justified with a business case and prepared for approval. After approval, the changes
may be implemented in the business continuity plan.

The business continuity plan must be tested on a regular basis, at least once a year. The test needs to confirm the
plan's accuracy and effectiveness. Each test should be prepared, and all test results documented and reported. The
test results should support an action plan. The objective of the test is to confirm the effectiveness of the plan in
real-life conditions.

The assurance test should include:

- Various scenarios with the corresponding recovery actions
- Different simulations, including the related parties
- Technical tests
- Tests of the alternate site
- Tests of suppliers' facilities and services
- Full simulation

An important step for the success of the business continuity plan is training. When several stakeholders are
involved, a clear training session is a must, and it should cover all procedures to be followed.

The continuity plan is confidential and should only be distributed to authorized personnel, on a need-to-know
basis. The plan should be kept in a secured location, with an additional backup, and shall be classified
"Internal Use Only".

After a successful resumption of services following a disaster, the company and its management should assess
the success and adequacy of the continuity plan and update it accordingly.

DISASTER RECOVERY AND BUSINESS CONTINUITY

ASSESSMENT QUESTIONS EXAMPLE

The questions to ask your vendor:

- Does your company have a formal Business Continuity and Disaster Recovery Plan?
- How often does your company test the plan, and update it?
- Does your company have a business continuity policy?
- Does your company assess itself against business continuity standards?
- Does your company have alternative facilities? If yes, of which kind and how far away from the principal office?
- Does your company offer redundancy options? If yes, how do you test their effectiveness?
- Does your company have redundant data centers? How often does the company test backups?