Business Continuity Plan & Disaster Recovery

Business Continuity Plan & Disaster Recovery Plan

Chapter 14: Certifications

IT Framework standards

ITIL – Information Technology Infrastructure Library

ISO – International Standards Organization

COBIT – Control Objectives for Information and Related Technologies

CMMI – Capability Maturity Model Integration

Benefits of certification

Companies showcase their certifications as a means to show that their plans are tested

Certifications build confidence in the plan

Being certified increases the company's value

ITIL

The Information Technology Infrastructure Library was created in the 1980s to bring order to various data operations

It eventually evolved into a broad body of knowledge

Emphasis on service management

Certifies the individual who creates and implements the program

ITIL – SLA

ITIL is based on service-level agreements (SLAs)

SLAs govern IT support for everyday incident resolution

SLAs are periodically analyzed

Periodic performance reports are issued to all parties

SLAs are updated based on business needs

ITIL – Discipline Areas

Business Impact Analysis

Business Continuity Strategy

Specific recovery actions, a written disaster recovery plan, a proactive plan of business resilience, a testing plan, and a training plan

A manager is appointed to lead the effort

The program remains active to keep plans current

ISO

The International Standards Organization publishes several relevant standards:

ISO 22300: Societal security – terminology

ISO 22301 and ISO 22313: Societal security – business continuity management systems

ISO 22317: Societal security – business continuity management systems – guidelines for BIA

ISO 22398: Societal security – guidelines for exercises

Clause 4: Company's context

Clause 4 requires the company to understand the needs of all critical stakeholders

1. Review with legal advisor what is required to meet regulatory obligations

2. Ask the Board for their guidance for disaster recovery and business continuity planning

3. Review how the DR/BCP program fits with the company's business strategies and goals

4. Talk to your customers to learn what they expect in a crisis

5. Talk to employees

Clause 5: Leadership

Examine top management involvement and whether the appropriate leadership support is provided at all levels

1. Issue appropriate company policies supporting the program

2. Provide the necessary resources for the program

3. Generate company-wide support

Clause 6: Planning

Expands the DR/BCP program scope into specific objectives

A well-written objective has measurable criteria

A project plan to create the DR/BCP is drafted

Clause 7: Support

Identifies the requirements for supporting the ongoing program

Ensure that the personnel tasked with supporting the various recovery plans understand their roles and responsibilities

Ensure that the people who run the program have the proper training

Create a documented and tested plan to communicate with significant stakeholders

Clause 8: Operations

Details the basic documents of the plan

A formal Business Impact Analysis (BIA) is conducted

A risk assessment is conducted on vital functions

Business continuity strategies are developed

A prewritten plan is drafted

Clause 9: Evaluation

Reviews the plan's performance against expectations; Key Process Indicators (KPIs) are identified

Common KPIs are:

Length of time to prepare the recovery site

Amount of time required to recover vital systems

Amount of data lost between the disaster and the last backup

Time required for DR/BCP team members to join the recovery effort

Clause 10: Improvement

Implement a continuous improvement program to enhance the recovery plan

Similar to the ITIL continuous improvement program

Apply Lean/Six Sigma quality improvement approaches

Certifying your plan

The ISO 22301 standard is the basis for certifying an organization's DR/BCP.

Certification is based on an examination of the program by an ISO-approved auditor

ISO audits can be expensive

Other actions:

Start a formal project to prepare

Standardize the DR/BCP documentation format

Document any findings from your internal audit

Fully inform the auditor of the scope

COBIT

Control Objectives for Information and Related Technologies (COBIT)

Provided by the Information Systems Audit and Control Association (ISACA)

Originally designed to audit data systems; evolved to include a set of controls and processes for IT systems

ISACA provides training and support for COBIT

CMMI

Capability Maturity Model Integration (CMMI)

Developed by Carnegie Mellon University to improve the development of software

Expanded to provide a process improvement model for all aspects of an organization

Uses appraisals by third-party evaluators

Summary

Building a DR/BCP is a lot of work

Published standards assemble best practices into one document for comparison purposes

Find the right standard for your business
