Community Toolbox

September 28, 2009

One of the objectives of this website is to provide its readers with tools, resources, and information regarding business continuity and contingency planning for organizations of every size, from the enterprise level to small businesses, including micro businesses and home-based businesses owned by a single proprietor.

This area of our website has been labeled the “Community Sandbox” to illustrate its intent: readers can view a proposed project tool or resource, test it in real time, and then contribute suggestions for ways to improve it. That ongoing improvement process is meant to deliver a best-of-class tool or resource back to the readers of this site.

As defined by Wikipedia, the free encyclopedia, a “sandbox” is a testing environment that allows changes and experimentation to take place in an isolated environment where it is safe to make modifications and improvements until a final output is produced.

It is the goal of this site to create such a “sandbox” environment, and promote a community sharing spirit that will attempt to answer the most pressing needs and wants of its users, and then, provide a methodology to answer those needs and wants with community created, relevant, value-added and simple to use tools and resources.

The first tool to be developed in this environment will address the necessity of having to perform a Business Impact Analysis in or for an organization.

The output of this request will first involve a presentation of relevant information related to the objective. In this case, it is a white paper on the subject written by Don Byrne, a contributing editor and writer to this site. It is followed by a simple BIA Work Effort Calculator developed by Lisa DuBrock, also a contributing editor for this site. This Calculator was developed using information received from consultants, which detailed their BIA development experiences.

We encourage our readers to review this information, test this calculator and then share their comments, their suggestions for improvement and their ideas for making an even more valuable tool that will then be shared with our community of readers.

We also welcome additional writers and others to contribute their ideas for making this BIA Work Effort Calculator the benchmark of excellence in the business continuity industry.


Business Continuity Plan Template

September 8, 2009

By Deb Ladendorf, CBCP

A business continuity plan template is a form or set of forms used to standardize the collection of information necessary to develop a business continuity plan.  The template provides a road map for the organization to follow in creating their business continuity plans.  Many organizations develop their own templates and others rely on consultants or vendors to supply customized templates.   Business continuity plan templates simplify the plan development process, but care should be taken when using templates to ensure effective plans are developed.

Advantages

Templates have their pros and cons.  On the positive side, they can speed the development of a plan, standardize the format and content of the plan, ensure the collection of minimum levels of required information, and guide department and business unit leaders, who may not be familiar with business continuity concepts, through the planning process.

Disadvantages

On the con side, business continuity plan templates may not provide enough flexibility for complex departments or business units, may oversimplify the process and resulting plan, may keep department heads and leaders from thinking about situations, scenarios and data that fall outside the parameters of the template, and may create a false sense of security: a completed template does not mean a viable plan exists.


The Business Continuity Institute (The BCI)

September 8, 2009

By: Deb Ladendorf, CBCP

Business continuity managers looking to be professionally recognized and to advance their knowledge of business continuity best practices may want to look into obtaining professional certification and membership in a business continuity association.  One of several organizations providing business continuity education, training and certification, the Business Continuity Institute’s mission is to “promote the art and science of business continuity management”.   The organization was founded in 1994 and is based in Caversham, United Kingdom.  Members of the Business Continuity Institute must be certified by the organization and are held to a professional code of ethics.  The BCI’s 4,800 members network with each other through chapters located in over 89 countries, including the United States.

The Business Continuity Institute works to define business continuity professional competencies, provide learning and educational resources, maintain high ethical standards, provide  certification programs for business continuity management professionals, globally influence policy makers and stakeholders regarding business continuity issues, and develop, communicate and evaluate business continuity management standards and best practices.

Additional information regarding BCI training and certification can be obtained at www.thebcicertificate.org and information on becoming a member of the Business Continuity Institute can be found at www.thebci.org.


Business Continuity Standards

September 8, 2009

By: Deb Ladendorf, CBCP

A standard is a basis of comparison, which is usually approved by an authority or has general consent from those who are being measured against it. Based on this, it would follow that a business continuity standard is a basis for measuring the business continuity program of an organization against an approved model. There are currently several business continuity standards (British Standard BS25999, the Singapore standard, the Australian standard), but none of them is considered an accepted auditable business continuity standard in the United States. BS25999, the British Standard, is probably the closest to being recognized as an international standard, but with the advent of Public Law 110-53 in the US, other groups are jumping into the business continuity standards arena.

The enactment of Public Law 110-53 in the United States, which evolved from recommendations of the 9/11 Commission, has prompted several standards bodies to begin development of business continuity standards.   Title IX of PL110-53 calls for voluntary private sector preparedness certification and empowers the Department of Homeland Security to select the business continuity standard or standards that organizations seeking voluntary preparedness certification will be measured against.   The following two groups are the major players working to develop auditable business continuity standards:

  • ASIS International – They are combining their business continuity guidance with the British Standard 25999 guidance and specification to develop an auditable standard.
  • NFPA – NFPA is currently revising NFPA 1600 to create an auditable standard that is a combination of business continuity and emergency management elements.
  • ANSI – They are currently developing an American standard based on the guidance and specifications of the British Standard 25999.

ISO already has auditable standards for business continuity as it relates to information security, but no standards for business continuity in and of itself.  It is anticipated one of the above groups’ standards will become the ISO business continuity management standard.


Lessons Learned from Data Loss – At a Financial Institution

September 8, 2009

By Lisa DuBrock, CPA, CBC

Small events can have big consequences and can also teach important lessons.

Take, for example, a financial institution that experienced a fire in its headquarters cafeteria. While the fire did not spread, the smoke did travel from the cafeteria to the data center, which was located next door. Although the fire was small, the smoke and heat were enough to trip the sprinkler system into operation, thereby shutting down the institution's computer operations.

The firm immediately invoked its business continuity plan, which called for relocating its headquarters operations to a mobile recovery center. Having previously identified fire as a serious risk to its data center, the firm had arranged to mitigate the risk by subscribing to an electronically transmitted back-up of its system to an alternate location. This location is periodically seeded with a full system back-up, while incremental back-ups are applied nightly. Additionally, transactional log files are transmitted to the offsite location 3 times a day. Because of this prior planning and these disciplined procedures, the firm was prepared to respond when the fire struck. The staff was notified of the change of location, and when the next business day began, they were up and running, having lost only 2 hours of transactional data.

Heavy clean-up of the data center commenced. The clean-up was awarded to a company familiar not only with general restoration but also specialized in rehabilitating damaged data centers. Once the facility clean-up was completed, attention turned to the computer and network infrastructure. The firm’s goal was to restore its server farm using in-house staff and return to normal operations as quickly as possible. Unfortunately, several of the server’s disk drives had been permanently damaged by the combination of heat, smoke and water. The fatal errors on several of the drives meant they had to be replaced in order to complete restoration. The vendor was called and expedited delivery of replacement units was arranged. The IT team pulled together, rebuilt the server and reformatted all the drives. Applications were reinstalled and the latest data was applied to the file structure at the beginning of a weekend. The IT department was given the balance of the weekend to thoroughly test the system before the start of business on Monday.

This event showed the importance of performing a comprehensive risk assessment and the value of a business continuity plan as opposed to just having a disaster recovery plan. This comprehensive business continuity plan allowed the IT department to:

  • Establish an alternative recovery site,
  • Perform regular backups,
  • Identify a vendor that could provide quick shipment of replacement components,
  • Identify a qualified restoration company with experience in restoring data centers, and
  • Adequately train the IT staff on both response and recovery processes.

If the institution had not previously taken these steps to mitigate the risk of fire, it could have lost some if not all of its customers’ information, account balances and transaction history, most certainly putting it out of business.

However, weaknesses in the design of the fire suppression system, which led to the unnecessary flooding of the data center, and the placement of the center near the cafeteria are other decisions which merit further review. Disasters can teach valuable lessons. The real question is, will businesses learn from these experiences?

http://www.flickr.com/photos/73243476@N00/124980114/
