Seven steps to business continuity

Currently there are a great many business continuity management methodologies that help with planning and with improving the availability of the company's critical business processes. But these methodologies contain the theoretical foundations of business continuity and do not answer the question "How do we actually implement such a project?". This article describes the sequence of actions that will give you an idea of how a business continuity management system is implemented and what results you get at each stage.



The life cycle of the business continuity management process
The company's business continuity management is a cyclical process that should take into account possible changes in business, IT, legislation and other areas that affect the organization’s activities, as well as help it adapt to these changes. In other words, business continuity management is a process of continuous improvement, which, in turn, increases the company's confidence in the reliability of business continuity plans.

The life cycle of the business continuity management process includes seven stages, each of which defines a sequence of actions and a result (the list of stages is based on the BCM Institute cycle [8]).

Project Initiation

A project is an activity aimed at creating a unique product, service or result.



Project Management Plan - a document that describes how the project will be executed, monitored and controlled.
PMBOK Guide, Fifth Edition

At this stage the scope of the business continuity project is determined and its step-by-step plan is developed. The plan defines how the project will be executed, monitored, controlled and closed, as well as the boundaries of the project, the roles of the project team members and the goals of the project.

In addition to the above actions, it is necessary to establish the need for the project. For some companies, business continuity is about ensuring the effectiveness of critical business functions and demonstrating business resilience to customers. But we must not forget that there are also legal and regulatory requirements for business continuity. The table below lists and describes the standards and normative legal acts (NLAs) widely used in the Russian Federation, as well as a number of requirements that these standards and NLAs impose on the business continuity system.

Standard / NLA: ISO/IEC 27001:2013 "Information technology - Security techniques - Information security management systems - Requirements"
Requirement: A.17 Information security aspects of business continuity management
Description: Information security continuity should be built into the company's business continuity system. For this it is necessary to:
- plan information security continuity;
- implement information security continuity;
- verify and evaluate information security continuity.
Status: Information security continuity is one of the requirements if the company seeks a certificate of compliance with ISO/IEC 27001:2013 "Information technology - Security techniques - Information security management systems - Requirements".

Standard / NLA: ISO 22301:2012 "Societal security - Business continuity management systems - Requirements"
Requirement: The entire standard is dedicated to business continuity.
Description: The standard sets out:
- the requirements for establishing a business continuity management system in a company;
- the requirements for senior management functions in the business continuity management system;
- the requirements for setting strategic objectives and guidelines for the business continuity management system;
- the requirements for ensuring business continuity and the procedure for developing management procedures in the context of an incident.
Status: The existence of BCP/DRP plans (these plans are discussed in the "Development and implementation of business continuity plans" section) is a prerequisite if the company seeks a certificate of compliance with ISO 22301:2012 "Societal security - Business continuity management systems - Requirements".

Standard / NLA: GOST R 53647 "Business Continuity Management"
Requirement: The entire standard is dedicated to business continuity.
Description: The standard establishes requirements for planning, creating, operating, monitoring, analyzing, exercising, maintaining and improving a documented business continuity management system.
Status: Advisory in nature.

Standard / NLA: STO BR IBBS-1.0-2014 "Ensuring the information security of organizations of the banking system of the Russian Federation"
Requirement: 8.11 Requirements for ensuring business continuity and its recovery after interruptions
Description: A banking system organization should define a plan for ensuring business continuity and restoring it after a possible interruption. The plan should contain instructions and procedures for the organization's employees to restore the business. In particular, the plan should include:
- conditions for activating the plan;
- actions to be taken after an information security incident;
- recovery procedures;
- testing and verification procedures;
- a plan for staff training and awareness raising;
- duties of employees, indicating who is responsible for implementing each provision of the plan.
Information security requirements should also be established that regulate business continuity and its recovery after an interruption, including requirements for measures to restore the necessary information, software, hardware and communication channels.
Status: Advisory in nature.

Standard / NLA: Order of the FSTEC of Russia No. 17 of February 11, 2013 "On approval of requirements for the protection of information that is not a state secret contained in state information systems"
Requirement: X. Ensuring availability of information (OTD)
Description: In accordance with Order No. 17 of the FSTEC of Russia of February 11, 2013, it is necessary to:
- use fault-tolerant technical means;
- provide redundancy for hardware, software, information transfer channels and the means that ensure the functioning of the information system;
- monitor the failure-free operation of technical means;
- ensure the detection and localization of failures in the functioning of technical means;
- take measures to restore failed means;
- test the hardware;
- periodically back up information to backup machine-readable media;
- ensure the possibility of restoring data from backup machine-readable media (backups) within the established time interval;
- control the state and quality of the provision of computing resources (capacities) by an authorized person, including for information transfer.
Status: If the information system is assigned security class 1 or 2, the requirements described in the order are mandatory.

Standard / NLA: Order of the FSTEC of Russia No. 21 of February 18, 2013 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems"
Requirement: X. Ensuring availability of personal data (OTD)
Description: In accordance with Order No. 21 of the FSTEC of Russia of February 18, 2013, it is necessary to ensure:
- monitoring of the failure-free functioning of technical means;
- detection and localization of failures;
- measures to restore failed means and their testing;
- backup of personal data to backup personal data storage media;
- the ability to restore personal data from backup personal data storage media (backups) within the established time interval.
Status: If the personal data information system is assigned protection level 1 or 2, the requirements described in the order are mandatory.


After the project plan is finalized and developed, it must be sent to the company’s management for approval. Work on the plan should begin only after consultation with the management.

Note! In some companies, the project sponsor does not pay enough attention to it, and the responsibility lies with the middle manager. This can lead to problems in stakeholder communication and reduced support for top management. This problem can be solved by creating a project committee, which will include representatives of all stakeholders. The committee should periodically meet, solve problems and discuss the progress of the project.

Business Impact Analysis

Business Impact Analysis is a method that allows you to investigate the impact of incidents on key company activities and processes.

At this stage a detailed study of the company's processes is carried out. To this end, the consultant interviews the heads of the departments within the project scope. During the interview, information is requested about the department's activities and a list of the processes and functions it performs. Then, for a detailed study of the processes and functions, the process owners are interviewed, and the type of business impact (material, reputational) and the degree to which the process depends on IT and external services are determined. Finally, the Maximum Allowable Outage (MAO) is determined.

Maximum Allowable Outage - the period of time after which the organization's viability is under threat of being lost irrecoverably if the supply of products and/or the provision of services is not resumed.
GOST R ISO/IEC 31010-2011 "Risk management. Risk assessment methods"

After the process or function owner has determined the MAO, the IT department (based on the MAO) determines the RTO, RPO and SDO indicators.
- Recovery Time Objective (RTO). The time within which a business function or resource should be recovered in the event of an abnormal situation.
- Recovery Point Objective (RPO). The target recovery point determines the amount of acceptable data loss in case of an interruption of operations. For example, if the RPO is 15 minutes, the loss of the last 15 minutes of data is acceptable.
- Service Delivery Objective (SDO). The level of service availability at a specific point in time.

The figure shows how the above metrics are determined.



The results of a business impact analysis are:
- a prioritized list of critical processes and their interdependencies;
- the recorded economic and operational impacts caused by disruption of the critical processes;
- the supporting resources required by the identified critical processes;
- the possible recovery time frames for the critical processes and the information technologies interconnected with them.

Note! Often, business process owners intentionally or unknowingly overestimate the target value of recovery standards, which contributes to the distortion of the analysis and entails unreasonable costs. To avoid this problem, it is necessary to consider the value of the business function in the context of the incident that affected the entire company together with the project team, as well as with stakeholders. This approach will allow you to objectively determine recovery standards.
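As an added example (not part of the original article), the following Python code performs the cross-check that closes the BIA stage: process owners supply the MAO per process, IT supplies the RTO/RPO per supporting service, and the script flags every process whose dependencies cannot be recovered within its MAO and orders processes by criticality. The sample data, the service names and the assumption that dependent services are restored in parallel are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Service:
    """An IT or external service with the RTO/RPO determined by the IT department."""
    name: str
    rto_min: int                                         # Recovery Time Objective, minutes
    rpo_min: int                                         # Recovery Point Objective, minutes
    depends_on: List[str] = field(default_factory=list)  # other services it needs

@dataclass
class Process:
    """A business process/function with the MAO set by its owner during the BIA."""
    name: str
    mao_min: int                                         # Maximum Allowable Outage, minutes
    impact: str                                          # "material" or "reputational"
    depends_on: List[str] = field(default_factory=list)  # service names

def effective_rto(name: str, services: Dict[str, Service], seen: Tuple[str, ...] = ()) -> int:
    """Worst-case recovery time of a service including the services it depends on.
    Assumption (constructed): dependencies are restored in parallel, so the chain's
    recovery time is the maximum, not the sum, of the individual RTOs."""
    if name in seen:
        raise ValueError(f"dependency cycle through {name}")
    svc = services[name]
    deps = [effective_rto(d, services, seen + (name,)) for d in svc.depends_on]
    return max([svc.rto_min] + deps)

def check_bia(processes: List[Process], services: List[Service]) -> Dict[str, List[str]]:
    """Per process, list the findings to return to the owner and IT: dependencies
    without an RTO/RPO, and dependencies whose effective RTO exceeds the process MAO."""
    by_name = {s.name: s for s in services}
    findings: Dict[str, List[str]] = {}
    for p in processes:
        problems = []
        for dep in p.depends_on:
            if dep not in by_name:
                problems.append(f"{dep}: no RTO/RPO defined by IT")
                continue
            rto = effective_rto(dep, by_name)
            if rto > p.mao_min:
                problems.append(f"{dep}: effective RTO {rto} min exceeds MAO {p.mao_min} min")
        findings[p.name] = problems
    return findings

def prioritize(processes: List[Process]) -> List[str]:
    """Criticality order: shortest MAO first, material impact before reputational."""
    rank = {"material": 0, "reputational": 1}
    return [p.name for p in sorted(processes, key=lambda p: (p.mao_min, rank.get(p.impact, 2), p.name))]

# Constructed sample BIA data (not taken from the article).
SERVICES = [
    Service("database", rto_min=240, rpo_min=15),
    Service("billing-app", rto_min=120, rpo_min=60, depends_on=["database"]),
    Service("email", rto_min=480, rpo_min=1440),
]
PROCESSES = [
    Process("invoicing", mao_min=180, impact="material", depends_on=["billing-app"]),
    Process("customer support", mao_min=1440, impact="reputational", depends_on=["email", "crm"]),
    Process("payroll", mao_min=2880, impact="material", depends_on=["database"]),
]

if __name__ == "__main__":
    findings = check_bia(PROCESSES, SERVICES)
    for name in prioritize(PROCESSES):
        print(name, findings[name] or "OK")
```

In the sample data, invoicing is flagged because its billing application can only be up once the database is restored (240 minutes), which exceeds the owner's 180-minute MAO; this is exactly the kind of gap that should be taken back to the owner and IT before recovery standards are fixed.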

Risk assessment

Risk - the effect of uncertainty on objectives.
Digression: this article does not consider the details of risk assessment.

Risk assessment is a process that includes risk identification, risk analysis and risk evaluation.
ISO 73:2009 "Risk management. Vocabulary"

The purpose of risk assessment within the framework of business continuity management is to identify events that may lead to disruption of the company's activities, as well as their consequences (damage).

Risk assessment provides:
- understanding of the potential hazards and the impact of their consequences on the achievement of the established goals of the company;
- understanding of threats and their sources;
- identification of key risk factors; vulnerabilities of the company and its systems;
- choice of risk treatment methods;
- compliance with the standards.

The risk assessment process consists of:
- Risk identification - the process of finding the elements of risk, describing each of them and compiling a list of them. The purpose of risk identification is to compile a list of risk sources and threats that may affect the achievement of each of the company's established goals;
- Risk analysis - the process of studying information about the risk. Risk analysis provides input to the overall risk assessment process and helps in deciding whether risk treatment is needed and in choosing the appropriate treatment strategy and methods;
- Risk evaluation - comparing the risk level with the criteria established when defining the scope of risk management, in order to determine the type of risk and its significance.

Risk assessment in the future will allow you to reasonably develop a business continuity strategy, as well as help determine the optimal scenario for its implementation.

Business Continuity Strategy Development

After analyzing the requirements for continuity, it is necessary to select and substantiate possible technical and organizational solutions. In the process of choosing a solution, it is necessary to consider in detail possible actions in relation to premises, technologies, information assets, contractors, and partners. These solutions are usually chosen to:
- protection of priority activities of the company;
- their effective recovery;
- mitigation of the consequences of incidents, development of response and preventive measures.
Note: the choice of solution should be based on the cost of restoration and the cost of downtime.

These solutions may include:
- "mirror" site;
- "hot" site;
- "warm" site;
- "cold" site;
- dynamic load distribution sites;
- outsourcing / agreements with a provider;
- mobile sites.

Digression: the above solutions will be discussed in detail in a separate article.



The main differences between the above solutions are their cost and the time it takes the company to recover.
Note! Solutions help implement an effective business continuity strategy. But in order to determine the best option, it is necessary to choose strategic decisions based on the results of business impact analysis and risk assessment (this approach will help management justify the need for investment in a business continuity management project).

Development and implementation of business continuity plans

A plan is a prearranged system of measures, providing for the order, sequence, and timing of the work.

In accordance with the best practices [1, 2, 4], continuity management plans should consist of three components:
1. Emergency response - defines the sequence of actions to be taken when an incident is detected.
2. Incident management - defines the methods needed to contain or reduce the scale of the incident.
3. Recovery of activities - defines the sequence of actions to be carried out in order to restore the service at the given level.

Note: For clarity, use flowcharts and other graphical ways of presenting information.

Approximate structure of a business continuity plan:

1. Introduction
1.1. Background Information
1.2. Boundaries of action plan
1.3. Prerequisites for creating a plan
2. Concept
2.1. Description of the continuity system
2.2. Description of the steps to restore continuity
2.3. Roles and their responsibilities
3.Activation plan
3.1. Criteria and order of activation
3.2. The order of notifying interested parties
3.3. Accident evaluation procedure
4. Control
5. Restoration
5.1. Sequence of restoring continuity

NIST has developed a guide [1] that describes the necessary business continuity plans in some detail. The following table describes each of the plans (as specified in the NIST guide) and gives references to the standards and NLAs that prescribe the development of such plans.

Plan: Business Continuity Plan (BCP)
Description: A set of documented procedures that have been developed, compiled and kept up to date for use in the event of an incident, aimed at ensuring that the company can continue to perform its critically important activities at an established acceptable level.
Standard / NLA: ISO 22301 "Societal security. Business continuity management systems", 8.4.4 Business continuity plans

Plan: Continuity of Operations Plan (COOP)
Description: Focuses on restoring the company's critical functions at an alternative site and performing them there for up to 30 days.
Standard / NLA: -

Plan: Crisis Communication Plan
Description: Documents the procedures and rules for external and internal communications in an emergency.
Standard / NLA: Federal Law No. 68 of December 21, 1994 "On the Protection of the Population and Territories from Natural and Man-Made Emergencies", Article 14, Obligations of organizations in the field of protection of the population and territories from emergencies ("Organizations are obliged to provide, in the established order, information in the field of protection of the population and territories from emergencies, as well as to notify the organization's employees of the threat or occurrence of an emergency").

Plan: Critical Infrastructure Protection Plan (CIP)
Description: Aims to protect key resources and components of the national infrastructure.
Standard / NLA: Presidential Decree No. 31c of January 15, 2013 "On the establishment of a state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation".

Plan: Cyber Incident Response Plan
Description: Describes the procedures for responding to incidents involving hacker attacks, intrusions into information systems and other security issues.
Standard / NLA: GOST R ISO/IEC TO 18044-2007 "Information technology. Security techniques. Information security incident management"; NIST SP 800-61 "Computer Security Incident Handling Guide".

Plan: Disaster Recovery Plan (DRP)
Description: A plan for restoring the company's infrastructure after a disaster.
Standard / NLA: ISO 22301 "Societal security. Business continuity management systems", 8.4.5 Recovery.

Plan: Information System Contingency Plan (ISCP)
Description: A plan for restoring a system, its networks and major applications after a disaster. Such a plan needs to be developed for each critical system and/or application.
Standard / NLA: -

Plan: Occupant Emergency Plan (OEP)
Description: Defines the procedures for ensuring the safety of personnel and for evacuation in an emergency.
Standard / NLA: Federal Law No. 68 of December 21, 1994 "On the Protection of the Population and Territories from Natural and Man-Made Emergencies"; Federal Law No. 69 of December 21, 1994 "On Fire Safety".


Which of the above documents are developed depends on the needs of the company, but in practice the following types of plans are most often used:
- Incident response plan - this type of plan may include a cyber incident response plan and an information system contingency plan. It helps reduce the scale of a disaster and mitigate its consequences, which saves time and gives an additional advantage when other types of plans are activated;
- Occupant emergency plan - in accordance with Federal Law No. 68 of December 21, 1994 "On the Protection of the Population and Territories from Natural and Man-Made Emergencies" and Federal Law No. 69 of December 21, 1994 "On Fire Safety", this plan is mandatory for all companies;
- Disaster recovery plan - focused on recovering critical information systems. This type of plan supports the business continuity plan and is aimed at restoring the operation of individual systems and applications;
- Business continuity plan - focused on supporting the company's business processes during and after an emergency; it aims to ensure that the company can continue to perform its critical activities at an established acceptable level;
- Crisis communication plan - helps preserve the company's reputation in a crisis. It documents the procedure for interacting with the media, law enforcement agencies, the Ministry of Emergency Situations, etc.

Note! At the business continuity planning stage, some companies focus on technical solutions and do not attach importance to organizational measures. In this regard, it is necessary to point out the need to apply organizational measures on a par with technical ones. For this purpose, training seminars, testing plans, training materials are produced.

Testing and revising plans

Testing is carried out to verify that the plans work under a specific set of circumstances affecting the company's operations. The test plan is chosen according to the type of company and its goals.

Tests are assessment tools that use quantitative metrics to test the performance of an IT system or its component.
NIST Special Publication 800-84 "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities"

The objectives of testing include:
- obtaining confirmation that the plans work;
- verification of the adequacy of methodological and technical support;
- obtaining the necessary skills and knowledge.

Once the goal of testing has been determined, a scenario is developed and a testing method is chosen and agreed with management. The following methods are used most often [2]:
- tabletop exercise;
- simulation;
- full business continuity testing.

Digression: the above test methods will be discussed in detail in a separate article.

After testing, reports are prepared that indicate the scenarios and test results, as well as suggestions for improving business continuity plans.

Note! Companies must choose a testing method based on their goals and financial capabilities.
Note! Full testing is most effective because it allows you to identify many shortcomings, but because of the high risks, it is hardly used in practice. If the company decided to use this type of testing, it is necessary to enlist the support of partners or use the services of contractors to minimize risks and prevent significant downtime.

Maintain and update plans

As noted above, managing a company's business continuity is a cyclical process. This means that it is not enough to simply draw up the plans; they must be maintained, updated and improved annually, and sometimes more often, for example in the following cases:
1. Changes in IT infrastructure;
2. Changing the organizational structure of the company;
3. Changes in legislation;
4. Detection of deficiencies in the plans during their testing.
To maintain the relevance of the plans, you must perform the following steps:
- conduct internal audits, including verification of disaster recovery, documentation for ensuring continuity and related procedures;
- to conduct regular practical trainings on the implementation of the plan;
- integrate business continuity issues into the company's change management process.

Conclusion

Business continuity management integrates all the measures applied in the enterprise into a holistic, managed set of measures adequate to the real threats, which allows the company to provide services continuously, avoid the impact of emergencies on its activities and minimize possible damage.
This set consists of seven stages, which must be implemented in the company to ensure the continuity of service provision and production.
This article has described each stage with reference to the Russian context, as well as the points to pay attention to when implementing such a project.

Literature
1. ISO 22301 "Societal security - Business continuity management systems - Requirements"
2. GOST R 53647 "Business Continuity Management"
3. GOST R ISO/IEC 31010-2011 "Risk management. Risk assessment methods"
4. NIST Special Publication 800-34 Rev. 1 "Contingency Planning Guide for Federal Information Systems"
5. NIST Special Publication 800-84 "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities"
6. The Definitive Handbook of Business Continuity Management, Second Edition. John Wiley & Sons Ltd, 2007
7. Michael Gallagher. Pearson Education Limited, 2003
8. www.bcmpedia.org/wiki/BCM_Body_of_Knowledge_(BCMBoK)

Information about the project on the site Softline: services.softline.ru/security/upravleniya-ib

Evgeny Kachurov, Consultant, Softline Analytical

Source: https://habr.com/ru/post/261053/