Business Continuity Plan
Unpredictability relating to disasters in the business and information technology world may result to losses. A business continuity plan seeks to help the organization resume its normal operation within the shortest time possible after a disaster or after a network or data intrusion attack. Whitman and Mattord (2012) note, “a business continuity plan ensures the continuation of an organization when the scale of a disaster exceeds the ability of the disaster recovery plan to restore operations” (p. 148).
Policies need to be defined on the best approach to handle such a network attack or intrusion. Important issues that need to be addressed include the presence of a remote site, which may be used for re-launching operations, communication protocols to used, assuring clients that data will not be compromised and training of the employees on the BCP will be executed. All this issues need to be factored in the process of preparing a business continuity plan.
The BCP plan will ensure:
- Recovery from interruptions within the shortest duration possible
- Maintenance of maximum service levels of the critical business functions
- Maintain business operations thus reduce financial losses
Components of the BCP
Business Impact analysis
A business impact analysis will entail the identification of the critical business functions of Sunshine Machine Works and analyze the potential disruptive impact an attack on network and data will have on the company’s business. This will allow the establishment of priorities of the critical IT applications of the core business functions (Whitman and Mattord, 2012).
Several steps will be followed in the business impact analysis. The first step will involve the gathering of information about the key IT applications that are necessary for the running of the organization. According to Goh ( 2008) “gather intial information about business functions, support systems and IT applications through the use of BIA Questionnaires” (p. 9). From an IT perspective, it is essential to relate the main critical business functions to specific IT systems. This will allow the understanding and establishment of the interdependencies that exists and which may be affected when the network or data is compromised. After establishing the interdependencies, it will be necessary to establish a recovery time objective for each critical business function of the organization.
Business Impact Analysis team
For purposes of performing an effective business impact analysis, it will be essential to have a team of experts in the various fields such as finance, business and technology. Some of these team members will be obtained from Sunshine Machine Works. According to Goh (2008), the technology team will consist of IT specialists who can be able to identify critical IT systems and staff members who use IT systems extensively. Further, the IT experts will be able to determine the main IT applications that support the different business units and are at a high risk of being comprised. Financial experts will be responsible for assessing the financial loses that may be incurred from the critical business functions in case of an intrusion or network attack. Business experts will help provide more information concerning the attack, for instance cost of additional resources and additional personnel.
Identification of Preventive Controls
It becomes important to identify and review the current information security status. The business continuity plan will have preventive controls that will ensure the safety of online and physical information storage. Data storage techniques need to be reviewed and analyzed. This will ensure that there is an effective data storage and recovery procedure.
Disaster Response and Recovery Plans
Response phase will require the development of an emergency response plan and a crisis communication plan. Developing a crisis management team will be required and it will consist of the senior management and heads of the different business units. Whitman and Mattord, (2012) writes, “The disaster recovery team works closely with the crisis management team” (p. 235). They will assess the level of the disaster and may declare whether it is a disaster or not. Recovery plans will be conducted once the crisis management team has done a full assessment. If the situation is a crisis, it will warrant the application of a recovery plan with priority being given to the critical business functions. According to Snedaker and Rima (2013), crisis communication will require teams to work in a coordinated fashion. This implies that the emergency response team and the disaster recovery team will have to work hand in hand. A cyber intrusion incident plan will provide procedures that will be used to address cyber attacks on the IT infrastructure of the organization.
It will be important to form an IT recovery team, which will specialize in the recovery operations after a network attack. The Sunshine Machine Works team will compose of IT experts trained and equipped to handle any IT disaster scenario. The IT recovery team will be responsible for monitoring, alerting, mobilizing, assessing, stabilizing and reviewing all IT related incidents such as network attacks and data intrusion (Snedaker and Rima, 2013). The communication plan will include plans for internal communication and announcements and detailed records of contacts for important clients and suppliers. The communication plan will outline the responsible individuals who will have the authority of answering and releasing any information to the public and clients. Thus, the plan needs to have templates of news release statements (Peltier and Peltier, 2006).
Data Center Recovery Alternatives
Data centers for the organization are significant areas since they contain client data that is crucial to the organization (Whitman and Mattord, 2012). Following an intrusion to a network, critical company data may become in accessible. Having a back-up site is important to ensure the resumption of business activities. Having this back up site will require data to be transferred on a daily basis to ensure the system is updated (Whitman and Mattord, 2012). Further, security measures will have to be put in place to prevent any form of attack. Alternatively, the organization will need to setup a duplicate facility site, which will allow immediate resumption of company’s activities.
Testing and Maintenance
The BCP will have to have a training program that will ensure all personnel involve in the business are aware of what is required of them in case of a disaster. Training will need to be conducted on a regular basis as attacks from a cyber world keeping changing drastically hence and emergency response plan becomes outdated easily.
Generally, to ensure that the business continuity plan has a high effectiveness at Sunshine Machine works, training is essential to quip personnel with the necessary requirements and follow-up activities, which will ensure no disruption of the business processes for a long period. All teams need to be equipped with appropriate internet procedures that will reduce likelihood of network intrusions. Further, the attachment of a cyber intrusion plan, crisis communication plan and disaster recovery plan to the business continuity plan (BCP) is necessary. Sunshine Machine works BCP will need to have procedures to ensure the organization takes advantage of refined approaches of securing data such as secure data centers. Further, the BCP needs to ensure and give priority to recovery of critical business data, information and functions.
Goh, M. H. (2008). Conducting your impact analysis for business continuity planning. Singapore: GMH Pte Ltd.
Whitman, M. E., & Mattord, H. J. (2012). Principles of information security. Boston, MA: Course Technology.
Peltier, T. R., & Peltier, J. (2006). Complete guide to CISM certification. Boca Raton, FL: Auerbach Publications.
Snedaker, S., & Rima, C. (2013). Business continuity and disaster recovery planning for IT professionals.