Business Continuation Planning
Business continuity planning (BCP) encompasses the planning and preparation needed to ensure that an organization can continue to operate in the event of a serious incident, a disaster, or a cyber-attack, and can recover to an operational state within a reasonably short period of 24 hours.
Key Points to Planning
The Three Main Elements
Business continuity planning includes three key elements: Resistance, Recovery, and Contingency.
Because most companies don’t have unlimited resources, it is important for them to develop a cost-effective disaster recovery solution, prioritize the systems and data that need to be restored as soon as possible for the organization to operate, and determine a reasonable amount of time to get the business back up and running.
For IT purposes, there are three general types of backup solutions:
Outside of the network infrastructure, make plans for the paper (aka “hard copy”) information that may need to be accessed immediately in your physical office space or at the homes of key employees.
Testing is Critical
Be sure to test all recovery plans to ensure that the planned solutions will provide the level of restoration that you need in the time you need it. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws, or solution implementation errors. Testing may include:
At a minimum, testing should be conducted on a biannual basis.
Tabletop exercises typically involve a small number of people, and they concentrate on a specific aspect of the plan. They can easily accommodate complete teams from a specific area of business.
Another form involves a single representative from each of several departments or teams. Typically, participants work through a simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered out of working hours.
The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.
A medium exercise is conducted within a “Virtual World” and brings together several departments, teams, or disciplines. It typically concentrates on multiple BCP scenarios, prompting interdepartmental interaction.
The scope of a medium exercise can range from a few teams from one organization co-located in one building to multiple teams operating across dispersed locations. The environment needs to be as realistic as practicable, and team sizes should reflect a realistic situation. Realism may extend to simulated news broadcasts and websites.
A medium exercise typically lasts a few hours, though it can extend over several days. It typically involves a “Scenario Cell” that adds pre-scripted “surprises” throughout the exercise.
A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation, and actual invocation of a disaster recovery site.
While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.