No.1 for CA/CWA & MEC/CEC MASTER MINDS
4. BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING
Q.No.1. What is meant by Business Continuity Management (BCM)? Explain need of BCM? (A)
(N13-4M)
1. Business Continuity Management (BCM) is a very effective management process to help
enterprises to manage the disruption of all kinds, providing countermeasures to safeguard from
the incident of disruption.
2. With the BCM Process, enterprises are able to assess the potential threats and manage the
consequences of the disruption, which could reduce or eliminate the losses.
3. In order to ensure effective implementation of BCM, the enterprise should conduct regular internal
audits at planned intervals to conform to the compliance of Business Continuity Process in line
4. Need of Business Continuity Management (BCM):
— To meet the enterprise business objectives
— Ensure continuity of services and operations
5. Business continuity means maintaining the uninterrupted availability of all key business resources
required to support essential business activities
6. Some key terms related to BCM.
a) Business Contingency: A business contingency is an event with the potential to disrupt
computer operations, thereby disrupting mission and business functions. Such an
event could be a power outage, hardware failure, fire, or storm. If the event is very destructive,
it is often called a disaster.
b) BCP Process: BCP is a process designed to reduce the risk to an enterprise from an
unexpected disruption of its critical functions, both manual and automated ones, and assure
continuity of minimum level of services necessary for critical operations. The purpose of BCP
is to ensure that vital business functions are recovered and operationalized within an
acceptable timeframe.
c) Business Continuity Planning (BCP): It refers to the ability of enterprises to recover from a
disaster and continue operations with least impact
Write short notes on BCP manual and explain the scope of Bu:
(S15 MTP)
1. BCP Manual:
a) Successful organizations have a comprehensive BCP Manual, which ensures process
readiness, data and system availability to ensure business continuity.
b) A BCP manual is a documented description of actions to be taken, resources to be used and
procedures to be followed before, during and after an event that severely disrupts all or part
of the business operations.
c) The BCP is expected to provide:
i) Reasonable assurance to senior management of enterprise about the capability to recover
from any unexpected disaster affecting business operations and continue to provide
services with minimal impact
ii) Anticipate various types of incident or disaster scenarios and outline the action plan for
recovering from the incident or disaster with minimum impact and ensuring continuous
availability of all key services to client
CA Final_17e_ISCA_Business Continuity & Disaster Recovery Planning. 41Ph: 98851 25025/26 www.mastermindsindia.com
d) The BCP Manual is expected to specify the responsibilities of the BCM team, whose mission
is to establish appropriate BCP procedures to ensure the continuity of enterprise's critical
business functions.
e) In the event of an incident or disaster affecting any of the functional areas, the BCM Team
serves as a liaison team between the functional area affected and other departments
providing support services
2. Scope of Business Continuity:
a) Top management of the enterprise needs to define the scope of the BCM program by
identifying the key products and services that support the enterprise's objectives, obligations
and statutory duties in line with the threat scenario and the business impact analysis.
b) In case of an outsourced service, the risk accountability remains with the enterprise and
necessary controls and process should be in place to manage the risk
Q.No.3. What are the advantages of Business Continuity? (B) (N15 RTP)
The advantages of BCM are that the enterprise:
a) Is able to proactively assess the threat scenario and potential risks
b) Has planned response to disruptions which can contain the damage and minimize the impact on
the enterprise; and
c) Is able to demonstrate a response through a process of regular testing and trainings.
Q.No.4. Explain the BCM policy? Explain its objectives? (B) (PM, N14-4M)
2. This policy document is a high level document, which serves as a guide to a systematic approach for
disaster recovery.
3. It also provides awareness among the persons in scope about the business continuity aspects
and its importance and to test and review the business continuity planning
4. While developing the BCM policy, the enterprise should consider defining the scope, BCM
principles, guidelines and minimum standards for the enterprise.
5. The BCM policy defines the processes of setting up activities for establishing a business
continuity capability and the ongoing management and maintenance of the business continuity
capability.
6. BCM policy objectives: The objective of Business Continuity Management Policy is to provide a
structure through which: (PM)
a) The loss to enterprise's business in terms of revenue loss, loss of reputation, loss of
productivity and customer satisfaction is minimized.
b) Critical services and activities undertaken by the enterprise operation for the customer will be
identified
c) Plans will be developed to ensure continuity of key service delivery following a business
d) Disruption, which may arise from the loss of facilities, personnel, IT and/or communication or
failure within the supply and support chains.
e) Invocation of incident management and business continuity plans can be managed
f) Incident Management Plans & Business Continuity Plans are subject to ongoing testing,
revision and updating as required
g) Planning and management responsibility are assigned to a member of the relevant senior
management team
(Explain the objectives of Business Continuity Management Policy briefly?)
Q.No.5. What is meant by Business Continuity Plan (BCP)? (A) (N-10, RTP M16)
1. Business Continuity Planning (BCP) refers to plans focused on maintaining the operations of an
organization, especially the IT infrastructure in face of a threat that has materialized
2. Business Continuity Planning (BCP) is the creation and validation of a practical logistical plan for
how an organization will recover and restore partially or completely interrupted critical functions
within a predetermined time after a disaster or extended disruption
3. The logistical plan is called a business continuity plan
4. Planning is an activity to be performed before the disaster occurs.
5. The resulting outage from such a disaster can have serious effects on the viability of a firm's
operations, profitability, quality of service, and convenience.
Q.No.6. What are the areas covered by Business Continuity Planning? (A) (PM, N-10, RTP M16)
Business continuity covers the following areas:
1. Business resumption planning: The operation's piece of business continuity planning.
2. Disaster recovery planning: The technological aspect of business continuity planning, the
advance planning and preparation necessary to minimize losses and ensure continuity of critical
business functions of the organization in the event of disaster.
3. Crisis management: The overall coordination of an organization's response to a crisis in an
effective timely manner, with the goal of avoiding or minimizing damage to the organization's
profitability, reputation or ability to operate.
Q.No.7. Write short notes on Business Continuity life cycle? (B)
1. The business continuity life cycle is broken down into four broad and sequential sections:
a) Risk assessment,
b) Determination of recovery alternatives,
c) Recovery plan implementation, and
d) Recovery plan validation.
2. Within each of these lifecycle sections, the applicable resource sets are manipulated to provide
the organization with the best mix of critical resource quantities at optimum costs with minimum
tangible and intangible losses.
3. These resource sets can be broken down into the following components:
a) Information
b) Technology
c) Telecommunication
d) Process
e) People
f) Facilities.
Q.No.8. Explain objectives and goals of Business Continuity Planning? (A)
(PM, N-08, RTP N44, M15, M16, N16, M17, MTP F16, S16, M17)
1. The primary objective of a business continuity plan is to minimize loss by minimizing the cost
associated with disruptions and enable an organization to survive a disaster and to reestablish
normal business operations
2. In order to survive, the organization must assure that critical operations can resume normal
processing within a reasonable time frame.
3. The key objectives of the contingency plan should be to:
a) Provide for the safety and well-being of people on the premises at the time of disaster,
b) Continue critical business operations
c) Minimize the duration of a serious disruption to operations and resources
d) Minimize immediate damage and losses
e) Establish management succession and emergency powers
f) Facilitate effective co-ordination of recovery tasks
g) Reduce the complexity of the recovery effort
h) Identify critical lines of business and supporting functions
4. The goals of the business continuity plan should be to:
a) Identify weaknesses and implement a disaster prevention program
b) Minimize the duration of a serious disruption to business operations
c) Facilitate effective co-ordination of recovery tasks
d) Reduce the complexity of the recovery effort.
Q.No.9. Write short notes on methodology of developing a Business Continuity Planning?
(or) Mention all the phases that are prescribed under the methodology of developing a BCP?
(A) (PM, M14-4M, N-08, N14 RTP)
The methodology emphasizes:
a) Providing management with a comprehensive understanding of the total efforts required to
develop and maintain an effective recovery plan
b) Obtaining commitment from appropriate management to support and participate in the effort
c) Defining recovery requirements from the perspective of business functions;
d) Documenting the impact of an extended loss to operations and key business functions;
e) Focusing appropriately on disaster prevention and impact minimization, as well as orderly
recovery;
f) Selecting business continuity teams that ensure the proper balance required for plan
development;
g) Developing a business continuity plan that is understandable, easy to use and maintain
h) Defining how business continuity considerations must be integrated into ongoing business
planning and system development processes.
Q.No.10. List the phases in developing a Business Continuity Planning? (A)
Discuss the development of a BCP? (PM, RTP M15, M16, MTP A16 )
1. Pre-Planning Activities (Business continuity plan Initiation)
2. Vulnerability Assessment and General Definition of Requirements
3. Business Impact Analysis
4. Detailed Definition of Requirements
5. Plan Development
6. Testing Program
7. Maintenance Program
8. Initial Plan Testing and Plan Implementation
Q.No.11. Write short notes on Phase 1 (or) Pre-Planning activity or Project initiation phase? (B)
1. In phase 1, we obtain an understanding of the existing and projected systems environment of the
organization.
2. This enables us to:
a) Refine the scope of business continuity planning and the associated work program
b) Develop project schedules
c) Identify and address issues that could have an impact on the delivery and the success of the
plan.
3. During this phase a Steering Committee should be established that should undertake an overall
responsibility for providing direction and guidance to the business continuity planning team.
4. The committee should also make all decisions related to the recovery planning effort.
5. The Business Continuity Manager should work with the Steering Committee in finalizing the
detailed work plan and developing interview schedules for conducting the Security Assessment
and the Business Impact Analysis.
6. Two key deliverables of this phase are:
a) The development of a policy to support the recovery programs
b) Awareness program to educate management and senior individuals who will be required to
participate in the business continuity program
Q.No.12. Write short notes on Phase 2 (or) Vulnerability assessment and general definition of
requirements? (B) (OR) (PM, N14 RTP)
While developing a Business Continuity Plan, the key tasks that should be covered in the
second phase ‘Vulnerability assessment and general definition of requirement’
1. This phase focuses on identifying the vulnerability of the assets to any disaster and to reduce the
probability of occurrence.
2. Security and control within an organization is a continuing concern.
3. It is to concentrate on activities that have the effect of reducing the possibility of disaster
occurrence, rather than concentrating primarily on minimizing the impact of an actual disaster.
4. This phase includes the following tasks:
a) A thorough Security Assessment of the system and communications environment including:
i) Personnel practices
ii) Physical security
iii) Operating procedures
iv) Backup and contingency planning
v) Systems development and maintenance
vi) Database security
vii) Data and voice communications security
viii) Systems and access control software security
ix) Insurance
x) Security planning and administration
xi) Application controls
xii) Personal computers.
b) Present findings and recommendations resulting from the activities of the Security Assessment
to the Steering Committee so that corrective actions can be initiated in a timely manner.
c) Define the scope of the planning effort.
d) Analyze, recommend and purchase recovery planning and maintenance software required to
support the development and maintenance of the plans
e) Develop a Plan Framework
f) Assemble business continuity team and conduct awareness sessions.
Q.No.13. What is meant by Business Impact Assessment (BIA) (or) Explain the 3rd Phase of
BCP? (A)
1. A Business Impact Assessment (BIA) of all business units that are part of the business
environment enables the project team to:
a) Identify critical systems, processes and functions
b) Assess the economic impact of incidents and disasters that result in a denial of access to
systems, services and other services and facilities
c) Assess the "pain threshold," that is, the length of time business units can survive without
access to systems, services and facilities.
2. The BIA Report should be presented to the Steering Committee. This report identifies critical
service functions and the timeframes in which they must be recovered after interruption.
3. The BIA Report should then be used as a basis for identifying systems and resources required to
support the critical services provided by information processing and other services and facilities.
Q.No.14. What do you mean by Detailed Definition of requirements in BCP process (or) Phase
4 of BCP? (B)
1. During this phase, a profile of recovery requirements is developed.
2. This profile is to be used as a basis for analyzing alternative recovery strategies.
3. The profile is developed by identifying resources required to support critical functions identified in
the Business Impact Analysis.
4. This profile should include:
a) Hardware (mainframe, data and voice communication and personal computers)
b) Software (vendor supplied, in-house developed, etc.)
c) Documentation (DP, user, procedures)
d) Outside support (public networks, DP services, etc.)
e) Facilities (office space, office equipment, etc.)
f) Personnel for each business unit
5. Recovery Strategies will be based on short term, intermediate term and long term outages.
6. Another key deliverable of this phase is the definition of the plan scope, objectives and
assumptions.
Q.No.15. Write short notes on Plan Development Phase of BCP (or 5th Phase of BCP)? (B)
1. In this phase, recovery plan components are defined and plans are documented.
2. This phase also includes the implementation of changes to user procedures, upgrading of existing
data processing operating, vendor contract negotiations and the definition of recovery teams, their
roles and responsibilities.
3. Recovery standards are developed for the recovery of the core business processes. In the
event of a disaster, it is survival and not business as usual.
Q.No.16. Write short notes on the Testing Program Phase of BCP or 6th Phase of BCP? (C)
1. The plan Testing/Exercising Program is developed during this phase.
2. Testing/Exercising goals are established and alternative testing strategies are evaluated
3. Testing strategies tailored to the environment should be selected and an on-going testing
program should be established
4. Unless the plan is tested on a regular basis, there is no assurance that in the event the plan is
activated, the organization will survive a disaster.
Q.No.17. List the tasks undertaken in Maintenance Program Phase of BCP (7th step of BCP)?
(C) (N16-4M, N14 RTP)
a) Maintenance of the plans is critical to the success of actual recovery.
b) The plans must reflect changes to the environment.
c) It is critical that existing change management processes are revised to take recovery plan
maintenance into account.
d) In areas where change management does not exist, change management procedures will be
recommended and implemented
e) Many recovery software products take this requirement into account.
Q.No.18. Write short notes on Testing and Implementation phases of BCP or 8th phase of
BCP? (C) (N14 RTP)
a) Once plans are developed, initial tests of the plans are conducted and any necessary
modifications to the plans are made based on an analysis of the test results.
b) Specific activities of this phase include the following:
i) Defining the test purpose/approach;
ii) Identifying test teams;
iii) Structuring the test;
iv) Conducting the test;
v) Analyzing test results; and
vi) Modifying the plans as appropriate.
c) The approach taken to test the plans depends largely on the recovery strategies selected to meet
the recovery requirements of the organization
d) As the recovery strategies are defined, specific testing procedures should be developed to ensure
that the written plans are comprehensive and accurate
Q.No.19. Explain the components of BCM process? (OR) Explain the Six stages or
components of BCM Process. (B) (M17 - 6M, M16 - 5M)
[Figure: Components of BCM Process (Stages 1 to 6). Legible labels: Information Collection (Business Impact Analysis, Risk Assessment); Organization BCM Strategy, Process Level BCM Strategy, Resource Recovery BCM Strategy; Implement Management Plan, Business Continuity Plans; Testing and Maintenance (Testing of BCM Plans, BCM Maintenance, BCM Audit and Review arrangements); BCM Trainings (Assessing Needs, Designing & Delivering Trainings, Measuring Results)]
Components of BCM Process are:
a) BCM - Management Process: The management process enables the business continuity,
capacity and capability to be established.
b) BCM - Information Collection Process: The activities of assessment process do the
prioritization of an enterprise's products and services and the urgency of the activities that are
required to deliver them. This sets the requirements that will determine the selection of
appropriate BCM strategies in the next process.
c) BCM - Strategy Process: Finalization of business continuity strategy requires assessment of a
range of strategies. This requires an appropriate response to be selected at an acceptable level
and during and after a disruption within an acceptable timeframe for each product or service.
d) BCM — Development and Implementation Process: Development of a management framework
and a structure of incident management, business continuity and business recovery and
restoration plans
e) BCM Testing and Maintenance Process: BCM testing, maintenance and audit testify the
enterprise BCM to prove the extent to which its strategies and plans are complete, current and
accurate; and identify opportunities for improvement
f) BCM Training Process: Extensive trainings in BCM framework, incident management, business
continuity and business recovery and restoration plans enable it to become part of the
enterprise's core values and provide confidence in all stakeholders in the ability of the enterprise
to cope with minimum disruptions and loss of service
Q.No.20. Explain the BCM management process? (C)
1. A BCM process should be in place to address the policy and objectives as defined in the business
continuity policy by providing organization structure with responsibilities and authority,
implementation and maintenance of business continuity management.
2. The BCM Processes are mapped as follows:
a) Organization Structure:
i) The organization should nominate a person or a team with appropriate seniority and
authority to be accountable for BCM policy implementation and maintenance.
ii) It should clearly define the person's responsibilities
b) Implementing Business Continuity in the Enterprise and Maintenance:
i) In establishing and implementing the BCM system in the organization, managers from
each function on site represent their areas of the operation
ii) These people are also responsible for the ongoing operation and maintenance of the
system within their area of responsibility.
iii) Where training is required to enable a colleague to effectively carry out their BCM
responsibilities, this will be identified as part of the ongoing staff appraisal and training
process.
Q.No.21. What are the major activities in BCM implementation? (B) (17-4)
a) Defining the scope & context
b) Defining roles and responsibilities
c) Engaging and involving all stakeholders
d) Testing of program on regular basis
e) Maintaining the currency & appropriateness of business continuity program
f) Reviewing, reworking and updating the business continuity capability, risk assessments (RA) and
business impact analysis (BIAs)
g) Managing costs and benefits associated,
h) Convert policies and strategies int
Copyrights Reserved To MASTER MINDS, Guntur
Q.No.22. What are the major documents that should be the part of a Business Continuity
Management System? Explain in brief? (A) (PM, M17-6M, M16 RTP)
1. All documents that form the BCM are subject to the document control and record control
processes.
2. The following documents are classified as being part of the business continuity management
system:
a) The business continuity policy
b) The business continuity management system
c) The business impact analysis report
d) The risk assessment report
e) The aims and objectives of each function
f) The activities undertaken by each function
g) The business continuity strategies
h) The overall and specific incident management plans;
i) The business continuity plans
j) Change control, preventative action, corrective action, document control and record control
processes
k) Local Authority Risk Register
l) Exercise schedule and results
m) Incident log
n) Training program.
Q.No.23. Write about the BCM information collection process? (C)
To design an effective BCM, it is important to understand the enterprise from all perspectives of
interdependencies of its activities, external enterprises and including:
a) Enterprise's objectives, stakeholder obligations, statutory duties and the environment in which the
enterprise operates
b) Activities, assets and resources, including those outside the enterprise, that support the delivery
of these products and services
c) Impact and consequences over time of the failure of these activities, assets and resources
d) Perceived threats that could disrupt the enterprise's key products and services and the critical
activities, assets and resources that support them.
Q.No.24. What analysis should be done for understanding the degree of potential loss (such
as reputation damage, regulation effects) of an organization? Enumerate the tasks to be
undertaken in this analysis. In what ways the information can be obtained for this analysis?
(OR)
What is the significance of a Business Impact Analysis (BIA)? Enumerate the tasks to be
undertaken in this Analysis. In what ways the information can be obtained for this analysis?
(A) (M13-6M, N11-8M, RTP M16)
(NO9-10M)
1. Business Impact Analysis (BIA)