Công Đại

SE150684
IAA202
Lab due date: 11/3/2022
Lab #8: Develop an Outline for a Business Continuity Plan for an IT Infrastructure
Part A – Develop an Outline for a Business Continuity Plan for an IT Infrastructure
a. Healthcare provider under HIPAA compliance law
b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law
• Initiation of the BCP – Introduction, Definitions, BCP Organizational Structure, BCP
Declaration, BCP Communications and Information Sharing, etc.
A reliable business continuity plan is crucial for every business, but nowhere more so than in the healthcare sector.
Healthcare providers handle some of the most sensitive personal data and records there are, so it is vital to know how to
keep that data both safe and accessible in a disaster.
• Business Impact Analysis – risk assessment and analysis prioritizing business functions and
operations aligned to IT systems, applications, and resources.

If one industry in particular is vulnerable to serious harm from outages and lost data, it is healthcare.
Healthcare providers are frequent targets of cyber-attacks and data breaches: in 2019 alone, over 38 million US healthcare
records were exposed, and over 93 percent of healthcare providers have suffered a data breach in the last five years.
Healthcare breaches are also among the most expensive, costing providers at least $150 per record lost.
• Business Continuity / Disaster Readiness / Recovery – RTO, RPO, business continuity
benchmarks, disaster recovery planning (DRP as a sub-set of a BCP plan), recovery steps and
procedures for mission critical IT systems, applications, and data.
For a healthcare provider this section should contain:
- A communication plan
- A detailed asset inventory
- A data restoration priority plan
- A vendor communication and service restoration plan
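RTO and RPO are only meaningful if they are measured after an exercise or a real outage. The Python below is an added example, not code from the original lab or from any provider's plan: it takes a constructed backup job log, a constructed incident time and constructed restoration times, computes the achieved RPO (time from the last successful backup to the incident) and achieved RTO (time from the incident to restoration) for each system, and reports them in restoration-priority order. The system names, tiers and objectives are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Hypothetical recovery objectives, one row per system (tier 1 = restore first).
@dataclass(frozen=True)
class SystemObjective:
    name: str
    tier: int          # restoration priority from the data restoration priority plan
    rto: timedelta     # recovery time objective: maximum tolerable downtime
    rpo: timedelta     # recovery point objective: maximum tolerable data-loss window


OBJECTIVES = [
    SystemObjective("ehr-db", 1, rto=timedelta(hours=4), rpo=timedelta(minutes=15)),
    SystemObjective("dns-internal", 1, rto=timedelta(hours=1), rpo=timedelta(hours=24)),
    SystemObjective("billing", 2, rto=timedelta(hours=24), rpo=timedelta(hours=4)),
    SystemObjective("intranet-wiki", 3, rto=timedelta(hours=72), rpo=timedelta(hours=24)),
]

# Constructed backup job log: "<ISO timestamp> <system> <status>", one job per line.
BACKUP_LOG = """\
2022-03-09T02:00:00 intranet-wiki ok
2022-03-10T01:00:00 dns-internal ok
2022-03-10T20:00:00 billing ok
2022-03-10T22:00:00 ehr-db ok
2022-03-10T22:15:00 ehr-db ok
2022-03-10T22:30:00 ehr-db ok
2022-03-10T22:45:00 ehr-db FAILED
2022-03-10T23:00:00 ehr-db FAILED
"""

INCIDENT = datetime(2022, 3, 10, 23, 10)   # constructed: moment the outage began

# Constructed: when each system was declared back in service (None = still down).
RESTORED = {
    "ehr-db": datetime(2022, 3, 11, 2, 0),
    "dns-internal": datetime(2022, 3, 11, 0, 30),
    "billing": datetime(2022, 3, 11, 10, 0),
    "intranet-wiki": None,
}


def last_good_backups(log_text):
    """Return {system: time of the most recent successful backup}.

    Failed jobs are skipped: a failed backup protects nothing, and counting it
    would understate the real data-loss window.
    """
    latest = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, system, status = line.split()
        if status != "ok":
            continue
        when = datetime.fromisoformat(stamp)
        if system not in latest or when > latest[system]:
            latest[system] = when
    return latest


def assess(objectives, log_text, incident, restored):
    """Compare achieved RPO/RTO against the objectives, ordered by restoration tier.

    achieved RPO = incident time - last good backup taken before the incident
    achieved RTO = restoration time - incident time (None if not yet restored)
    A missing value never counts as "met".
    """
    backups = last_good_backups(log_text)
    report = []
    for obj in sorted(objectives, key=lambda o: (o.tier, o.name)):
        last = backups.get(obj.name)
        achieved_rpo = incident - last if last is not None and last <= incident else None
        back = restored.get(obj.name)
        achieved_rto = back - incident if back is not None else None
        report.append({
            "name": obj.name,
            "tier": obj.tier,
            "achieved_rpo": achieved_rpo,
            "rpo_met": achieved_rpo is not None and achieved_rpo <= obj.rpo,
            "achieved_rto": achieved_rto,
            "rto_met": achieved_rto is not None and achieved_rto <= obj.rto,
        })
    return report


def missed_objectives(report):
    """Names of systems that missed RPO or RTO, in restoration-priority order."""
    return [r["name"] for r in report if not (r["rpo_met"] and r["rto_met"])]


if __name__ == "__main__":
    for row in assess(OBJECTIVES, BACKUP_LOG, INCIDENT, RESTORED):
        print(f"tier {row['tier']} {row['name']:<14}"
              f" RPO {row['achieved_rpo']} {'ok' if row['rpo_met'] else 'MISSED'}"
              f" RTO {row['achieved_rto']} {'ok' if row['rto_met'] else 'MISSED'}")
```

In the constructed data the EHR database meets its RTO but misses its 15-minute RPO because the last two backup jobs before the outage failed, which is exactly the kind of gap a tabletop review of the plan alone would not reveal; the wiki has no restoration time at all and is reported as missed rather than silently skipped.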
• Develop & Implement the Plan – the plan is a living and breathing document that requires
annual updates and change control revisions. Implementation and the instructions for how to
engage the BCP are part of this section.

For a HIPAA-covered provider, implementing the plan includes the following steps:
- Choose a Privacy Officer responsible for overseeing the development, implementation and maintenance of, and adherence
  to, privacy policies and procedures on the safe use and handling of PHI, and a Security Officer in charge of the ongoing
  management of information security policies, procedures and technical systems.
- Conduct a risk assessment and implement a security management process.
- Develop and implement policies and procedures.
- Train workforce members on the HIPAA regulations and on the organization's policies and compliance plan.
- Monitor, audit and update facility security measures on an ongoing basis.


• Test & Update the Plan – the most important part of a BCP or DRP is to test the plan with a
“mock” business continuity disruption or disaster scenario. Table-top reviews of the processes
and procedures can be conducted to inform all BCP and DRP team members of their roles,
responsibilities, and accountabilities.
Lab Assessment Questions
1. How does a BCP help mitigate risk?
A BCP helps to mitigate risk by making sure the organization is ready for any possible disruption to everyday operations.
By having an outlined plan of how every department should respond to the disaster, the organization will be able to resume
the most critical functions and return to typical business operations as quickly as possible, minimizing financial losses and
other problems resulting from the disruption.
2. What kind of risk does a BCP help mitigate?
The interruption of business-critical operations or processes. The BCP supports the planning and testing of the procedures
that allow the business to continue during a disaster, and it helps prevent lost data and services that are unavailable to
customers.
3. If you have business liability insurance, asset replacement insurance, and natural disaster insurance,
do you still need a BCP or DRP? Why or why not?
Yes. The BCP's objective is to get the business back to functioning normally, while the DRP is focused on restoring and
recovering the IT functions of the business. Insurance may replace buildings and equipment, but without plans, where would
the business start in order to get back to full functionality? Those are the questions answered by the BCP and DRP.
4. From your scenario and BIA from Lab #7, what were the mission critical business functions and
operations you identified? Is this the focus of your BCP?
Network management and technical support; DNS for internal and external IP communication; and accounting and finance
support (accounts payable and accounts receivable).
5. What does a BIA help define for a BCP?
It defines which processes and operations of the business are critical and which are non-critical, and therefore the order
in which they must be restored.
6. Who should develop and participate in the BCP within an organization?
All personnel with an interest in the survivability of the business: all levels of management, IT personnel, and the users
essential to the normal functions and operations of the business.
7. Why does disaster planning and disaster recovery belong in a BCP?
To define the steps necessary for the continuation of the business in the event of a disaster.
8. What is the purpose of having documented IT system, application, and data recovery procedures and
steps?
To provide a map of the environment in the event a network has to be rebuilt from scratch, so that the original
configurations and applications can be rebuilt without introducing conflicts in the network.
9. Why must you include testing of the plan in your BCP?
To verify that the plan works before the BCP is actually needed. The testing procedures should not interfere with normal
operations.
10. How often should you update your BCP document?
Ensure the BCP is reviewed and updated at least annually. If critical systems are changed or modified between annual
reviews, the BCP should be updated.
11. Within your BCP outline, where will you find a list of prioritized business operations, functions, and
processes?
This will be found in the Business Impact Analysis section.
12. Within your BCP outline, where will you find detailed back-up and system recovery information?
This will be found in the Business Continuity/Disaster Readiness/Recovery section.
13. Within your BCP outline, where will you find a policy definition defining how to engage your BCP
due to a major outage or disaster?
This will be found in the Develop and Implement the Plan section.
14. Within your BCP outline, where will you find a policy definition defining the resources that are
needed to perform the tasks associated with BC or DR?
This will be found in the Initiation of the BCP section.
15. What is the purpose of testing your BCP and DRP procedures, back-ups, and recovery steps?
The purpose of testing is to ensure that all personnel understand their roles and responsibilities, to provide training and
evaluate the recovery team's ability to implement the plan effectively, to ensure the plan works if it is needed, to identify
weaknesses and shortcomings, to verify the recovery objectives and procedures, to verify the adequacy of alternate sites, and
to help achieve the RTO and RPO targets.