
Lab #8: Develop an Outline for a Business Continuity Plan for an IT Infrastructure

Course Name: Risk Management in Information Systems (IAA202)

Student Name: Nguyễn Trí Vương - HE161634, Đào Mạnh Công - HE161422

Instructor Name: Hồ Kim Cường

Lab Due Date:

Overview
After completing your BCP outline for your scenario and IT infrastructure, answer the
following Lab #8 – Assessment Worksheet questions. These questions are specific to the
BCP you performed for your scenario and IT infrastructure. Justify your answers where
needed.
Lab Assessment Questions

1. How does a BCP help mitigate risk?

BCP involves defining any and all risks that can affect the company's operations,
making it an important part of the organization's risk management strategy. Risks
may include natural disasters (fire, flood, or weather-related events) and
cyber-attacks.

2. What kind of risk does a BCP help mitigate?

- Natural disasters: A BCP can help organizations prepare for and respond to
  natural disasters such as hurricanes, earthquakes, wildfires, or floods.
- Cybersecurity incidents: A BCP can help organizations respond to and
  recover from cybersecurity incidents such as data breaches, ransomware
  attacks, or denial-of-service attacks.
- Equipment failures: A BCP can help organizations minimize the impact of
  equipment failures such as server crashes or power outages.
- Supply chain disruptions: A BCP can help organizations identify alternative
  suppliers or workarounds in case of supply chain disruptions due to factors
  such as shipping delays, raw material shortages, or geopolitical events.
- Human error: A BCP can help organizations minimize the impact of human
  errors such as accidental data deletion, misconfigured systems, or
  unauthorized access.

3. If you have business liability insurance, asset replacement insurance, and natural
disaster insurance, do you still need a BCP or DRP? Why or why not?

- Yes, having business liability insurance, asset replacement insurance, and
  natural disaster insurance is helpful in case of unexpected events.
  However, it does not replace the need for a Business Continuity Plan
  (BCP) or Disaster Recovery Plan (DRP).
- Business Continuity Planning (BCP) is a proactive approach to ensure that
  your company can continue to operate during a disruption or crisis, while a
  Disaster Recovery Plan (DRP) is a reactive approach to restoring normal
  operations after an event has occurred.
- While insurance policies may cover financial losses or damages, they do
  not address all aspects of a crisis such as communication plans, alternative
  operating procedures, and backup systems. A BCP and DRP help to
  ensure that your company can quickly recover from a disruption with
  minimal impact on your customers, employees, and reputation.
- Therefore, it's important to have both insurance policies and a BCP/DRP to
  mitigate risks and protect your business in case of any unforeseen
  circumstances.

4. From your scenario and BIA from Lab #7, what were the mission critical
business functions and operations you identified? Is this the focus of your BCP?

5. What does a BIA help define for a BCP?

- A Business Impact Analysis (BIA) helps to identify and prioritize critical
  business processes, systems, and assets, and assess their potential
  impact on the organization in the event of a disruption or disaster. The BIA
  helps to determine the Recovery Time Objectives (RTOs) and Recovery
  Point Objectives (RPOs) for each critical process, which are key factors
  that inform the development of a Business Continuity Plan (BCP).
- The BIA also helps to identify dependencies between different processes,
  systems, and assets, as well as key resources such as personnel, facilities,
  and technology. This information is used to develop strategies and
  procedures for maintaining essential operations during a disruption or
  disaster, and to allocate resources effectively to minimize the impact of the
  event.
- Overall, the BIA provides critical information that is used to develop a
  comprehensive and effective BCP that enables the organization to respond
  quickly and effectively to disruptions or disasters, and to minimize the
  impact on the business and its stakeholders.

6. Who should develop and participate in the BCP within an organization?

- Developing and participating in a Business Continuity Plan (BCP) requires a
  collaborative effort from various individuals and departments within an
  organization. The key stakeholders involved in the development and
  implementation of a BCP typically include:

  1. Executive Management: Senior leaders, including the CEO, CFO, and
     other C-level executives, are responsible for providing overall direction and
     support for the BCP.
  2. Business Continuity Manager / Coordinator: This individual is responsible
     for managing the BCP process, coordinating with other teams, and
     ensuring that the plan is up-to-date and effective.
  3. Information Technology (IT) Department: IT plays a critical role in ensuring
     that systems and data are available during a disruption or disaster. The IT
     team is responsible for developing and implementing technology-related
     strategies and procedures for maintaining essential operations.
  4. Human Resources (HR) Department: HR is responsible for ensuring that
     personnel policies and procedures are in place to support business
     continuity efforts. This includes identifying essential personnel, developing
     alternative staffing plans, and providing training and awareness programs.
  5. Operations/Functional Departments: Each department or functional area
     within the organization should have a representative involved in the BCP
     process. These individuals are responsible for identifying critical processes
     and resources, developing recovery strategies, and testing and validating
     the BCP.
  6. Third-Party Vendors/Service Providers: Organizations often rely on
     third-party vendors or service providers to support critical business functions.
     It's important to involve these parties in the BCP process and ensure that they
     have their own BCPs in place.

- Overall, involving a cross-functional team in the BCP process helps to ensure
  that all critical components of the organization are considered, and that the
  plan is comprehensive and effective.

7. Why does disaster planning and disaster recovery belong in a BCP?

- Disaster planning and disaster recovery are crucial components of
  Business Continuity Planning (BCP) because they help to ensure that a
  business can continue to operate in the event of a disaster or other
  unexpected interruption. When a disaster strikes, it can have a significant
  impact on a business's ability to function, and without proper planning and
  preparation, the consequences can be severe.
- By including disaster planning and recovery in their BCP, businesses can
  identify potential risks and vulnerabilities, develop plans to mitigate those
  risks, and establish procedures for responding to and recovering from
  disruptions. This can include implementing backup systems and processes,
  establishing emergency contacts and communication protocols, and
  creating contingency plans for critical business functions.
- Ultimately, by incorporating disaster planning and recovery into their BCP,
  businesses can minimize the risk of downtime, reduce the impact of
  disruptions, and increase their overall resilience and ability to adapt in the
  face of unexpected events.

8. What is the purpose of having documented IT system, application, and data
recovery procedures and steps?

- Having documented IT system, application, and data recovery procedures
  and steps is crucial for businesses to ensure efficient and effective
  recovery of critical systems and data during and after a disruption. These
  procedures help standardize the recovery process, minimize errors, train
  personnel, maintain compliance with regulatory requirements, and ensure
  efficient recovery efforts that minimize downtime and financial losses while
  protecting the organization's reputation.

9. Why must you include testing of the plan in your BCP?

Testing the plan is important in a Business Continuity Plan (BCP) because it
helps to identify any gaps or weaknesses before an actual disaster occurs.
Regular testing allows organizations to evaluate the effectiveness of their BCP,
train staff, and make necessary adjustments to improve its ability to protect the
organization. Therefore, testing should be included as part of the overall planning
process.

10. How often should you update your BCP document?

The frequency of updating a BCP document depends on various factors such as
changes in business operations and environment, emergence of new risks,
information security concerns, and compliance with legal regulations. Therefore,
updating the BCP document should be done on a regular basis to ensure
effectiveness and meet the requirements of the business.

11. Within your BCP outline, where will you find a list of prioritized business
operations, functions, and processes?

In a BCP outline, a list of prioritized business operations, functions, and
processes can be found in the Business Impact Analysis (BIA) section. The BIA
assesses the potential impact of a disruption on critical business operations,
identifies essential resources required to resume operations, and prioritizes
recovery efforts based on the criticality of the business functions.

12. Within your BCP outline, where will you find detailed back-up and system
recovery information?

The detailed backup and system recovery information is located in the "Recovery
Procedures" section of a Business Continuity Plan (BCP) outline. This section
provides a step-by-step guide for restoring critical systems and processes in the
event of a disruption or disaster. It includes information on backup procedures,
recovery processes, responsibility, required tools, and resources. Regular review
and update of this section are necessary to ensure its effectiveness and
relevance to the organization's IT environment and business needs.

13. Within your BCP outline, where will you find a policy definition defining how
to engage your BCP due to a major outage or disaster?

The policy defining how to engage the BCP due to a major outage or disaster is located
in the "Activation Procedures" section of a BCP outline. This section outlines the criteria
for activating the plan, steps to initiate it, and the roles/responsibilities of key personnel
involved.

14. Within your BCP outline, where will you find a policy definition defining the
resources that are needed to perform the tasks associated with BC or DR?

The policy definition for resources required to execute tasks associated with Business
Continuity (BC) or Disaster Recovery (DR) is found in the "Resource Requirements"
section of a Business Continuity Plan (BCP) outline. This section specifies the hardware,
software, communication systems, and personnel needed to execute the BC or DR plan.
It also details how these resources will be obtained during an emergency and identifies
any relevant agreements with third-party vendors and service providers. The Resource
Requirements section needs to be reviewed regularly to maintain its effectiveness and
relevance to the organization's IT environment and business goals.

15. What is the purpose of testing your BCP and DRP procedures, back-ups, and
recovery steps?

Testing BCP and DRP procedures, backups, and recovery steps is crucial to identifying
weaknesses and improving an organization's response to disruptions. It familiarizes
employees with their roles, resolves technical issues, and allows for refining processes.
Overall, testing ensures that the plans and procedures are effective and reliable during
an emergency.
