Community Projects

Business Continuity & Business Compliance Terms (Cont. 1)

August 27, 2009 By Continuity_Compliance Leave a Comment

Compliance
Certification or confirmation that the doer of an action (such as the writer of an audit report), or the manufacturer or supplier of a product, meets the requirements of accepted practices, legislation, prescribed rules and regulations, specified standards, or the terms of a contract.

Compliance audit
Audit undertaken to confirm whether a firm is following the terms of an agreement (such as a bond indenture), or the rules and regulations applicable to an activity or practice prescribed by an external agency or authority.

Compliance test
Audit undertaken to confirm whether a firm is following the rules and regulations (prescribed by its internal authority or control system) applicable to an activity or practice. See also substantive test.

Conformance
Certification or confirmation that a good, service, or conduct meets the requirements of legislation, accepted practices, prescribed rules and regulations, specified standards, or terms of a contract.

Supplier quality assurance
Confidence in a supplier’s ability to deliver a good or service that will satisfy the customer’s needs. Achievable through interactive relationship between the customer and the supplier, it aims at ensuring the product’s ‘fit’ to the customer’s requirements with little or no adjustment or inspection. The US quality guru Joseph Moses Juran (born 1904 in Romania ) divides the supplier quality assurance process into nine steps: (1) definition of the product’s quality requirements, (2) evaluation of alternative suppliers. (3) selection of the most appropriate supplier, (4) conduction of joint quality planning, (5) cooperation during relationship period, (6) validation of conformance to requirements, (7) certification of qualified suppliers, (8) conduction of quality improvement plans, (9) creation and use of supplier ratings.

Conflict resolution
Intervention aimed at alleviating or eliminating discord through conciliation.

Chronological division of work to be performed under a contract or subcontract in the completion of a project. Also called work scope.

Work scope
Alternative term for scope of work.

Information security
Safe-guarding an organization’s data from unauthorized access or modification to ensure its availability, confidentiality, and integrity.

Inherent risk
Probability of loss arising out of circumstances or existing in an environment.

Risk mitigation
Systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. Also called risk reduction.

Business continuity
Ability of the key operations of a firm to continue without stoppage, irrespective of the adverse circumstances or events.

Business continuity planning (BCP)
Task of identifying, developing, acquiring, documenting, and testing procedures and resources that will ensure continuity of a firm’s key operations in the event of an accident, disaster, emergency, and/or threat. It involves (1) risk mitigation planning (reducing possibility of the occurrence of adverse events), and (2) business recovery planning (i.e. ensuring continued operation in the aftermath of a disaster).

Business continuity program
Ongoing management-level process to ensure that necessary steps are regularly taken to identify probable accidents, disasters, emergencies, and/or threats. It also involves (1) assessment of the probable effect of such events, (2) development of recovery strategies and plans, and (3) maintenance of their readiness through personnel training and plan testing. See also business impact analysis.

Business risk
Probability of loss inherent in a firm’s operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. Business risk plus the financial risk arising from use of debt (borrowed capital and/or trade credit) equal total corporate risk.

Disaster recovery
Process of returning an organization, society, or system to a state of normality after the occurrence of a disastrous event.

Operational risk
Probability of loss occurring from the internal inadequacies of a firm or a breakdown in its controls, operations, or procedures.

System testing
The process of performing a variety of tests on a system to explore functionality or to identify problems. System testing is usually required before and after a system is put in place. A series of systematic procedures are referred to while testing is being performed. These procedures tell the tester how the system should perform and where common mistakes may be found. Testers usually try to “break the system” by entering data that may cause the system to malfunction or return incorrect information. For example, a tester may put in a city in a search engine designed to only accept states, to see how the system will respond to the incorrect input.

System analysis
Use of experimental approach (simulation) in understanding the behavior of an economy, market, or other complex phenomenon where mathematical analysis techniques are inadequate or unfeasible. See also system dynamics and systems analysis.

System dependability
Probability that a computer or other system will perform its intended functions in its specified environment without significant degradation.

Quality management system (QMS)
Collective policies, plans, practices, and the supporting infrastructure by which an organization aims to reduce and eventually eliminate non-conformance to specifications, standards, and customer expectations in the most cost effective and efficient manner.

Niche marketing

This is the practice of concentrating all marketing efforts on a small but specific and well defined segment of the population. Niches do not ‘exist’ but are ‘created’ by identifying needs, wants, and requirements that are being addressed poorly or not at all by other firms, and developing and delivering goods or services to satisfy them. As a strategy, niche marketing is aimed at being a big fish in a small pond instead of being a small fish in a big pond.

Regulations

A type of “delegated legislation” promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as “rules” or simply “administrative law.”

Source: Georgetown Law School

Best Practices

Methods and techniques that have consistently shown results more superior than those achieved with other means, and which are used as benchmarks to strive for.

Source: Business Dictionary, COM

Standards

Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.

Source: International Standards Organization – ISO

Spoliation

Spoliation, in a legal context, is any act that renders potential evidence invalid, either intentionally or through negligence. In the case of a document, for example, destroying, altering or hiding it would all be considered spoliation if the document were relevant to current litigation.

Spoliation is illegal in many countries, including the United States, and is punishable by fine and/or incarceration. Furthermore, the legal system has established through case law that when spoliation has occurred it may be inferred that the evidence was unfavorable to the responsible party. As a result, that inference may be factored into the decision of the case.

Spoliation comes from the Latin spoliare, meaning to plunder. The use of the word in its current legal context dates back to a Roman rule of conduct, Omnia praesumuntur contra spoliatorem, which translates, roughly, as “Let everything be presumed against the spoiler of evidence.”

SearchCIO.com Definitions (Powered by WhatIs.com)

Cold site

In business continuity planning, empty building equipped with electric power, air conditioning, telephone connections, water, etc., but without computers, office equipment, and furniture. A cold site provides a less timely response to a disaster because it must be converted into a hot-site for use.

Source: Business Dictionary, COM

Hot site

Fully-equipped alternative computer center, office, work space or industrial facility that can be made immediately available to continue critical business functions affected by a disaster at the primary location. See also cold site and warm site.

Source: Business Dictionary, COM

Internal Audit

An audit conducted by, or on behalf of, the organization itself for management review and other internal purposes, and which might form the basis for an organization’s self-declaration of conformity.

Source: International Standards Organization – ISO

Organization

A group of people and facilities with an arrangement of responsibilities, authorities and relationships. An organization can be public or private.

Source: International Standards Organization – ISO

Process

A set of interrelated or interacting activities which transforms inputs into outputs.

Source: International Standards Organization – ISO

Recovery time objective (RTO)

A target time set for resumption of product, service or activity delivery after an incident.

Source: International Standards Organization – ISO

Resiliency

The ability of an organization to resist being affected by an incident.

Source: International Standards Organization – ISO

System

A set of interrelated or interacting elements.

Source: International Standards Organization – ISO

Incident

A situation that might be, or could lead to, a business disruption, loss, emergency or crisis.

Source: International Standards Organization – ISO

Critical activities

Those activities which have to be performed in order to deliver the key products and services which enable an organization to meet its most important and time-sensitive objectives.

Source: International Standards Organization – ISO

Consequence

The outcome of an incident that will have an impact on an organization’s objectives. There can be a range of consequences from one incident. A consequence can be certain or uncertain and can have positive or negative impact on objectives.

Source: International Standards Organization – ISO

Cost-benefit analysis

A financial technique that measures the cost of implementing a particular solution and compares this with the benefit delivered by that solution. The benefit may be defined in financial, reputational, service delivery, regulatory or other terms appropriate to the organization.

Source: International Standards Organization – ISO

Disruption

An event, whether anticipated or unanticipated, which causes an unplanned, negative deviation from the expected delivery of products or services according to the organization’s objectives.

Source: International Standards Organization – ISO

Exercise

An activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure that the plan(s) contains the appropriate information and produces the desired results when put into effect. An exercise can involve invoking business continuity procedures, but is more likely to involve the simulation of a business continuity incident, announced or unannounced, in which participants role-play in order to assess what issues might arise, prior to a real invocation.

Source: International Standards Organization – ISO

Invocation

An act of declaring that an organization’s business continuity plan needs to be put into effect in order to continue delivery of key products or services.

Source: International Standards Organization – ISO

>Maximum Tolerable Period of Disruption

The duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

Source: International Standards Organization – ISO

Nonconformity

The non-fulfillment of a requirement. A nonconformity can be any deviation from relevant work standards, practices, procedures, legal requirements, etc.

Source: International Standards Organization – ISO

Emergency planning

The development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency.

Source: International Standards Organization – ISO

Likelihood

The chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies or mathematical probabilities. Likelihood can be expressed qualitatively or quantitatively. The word “probability” can be used instead of “likelihood” in some non-English languages that have no direct equivalent.

Source: International Standards Organization – ISO

Filed Under: Community Projects, Glossary, Tools & Resources Tagged With: Business Compliance Terms, Business Continuity Terms

Business Continuity & Business Compliance Terms

August 24, 2009 By Continuity_Compliance 4 Comments

Audit:

au·dit (ôdt)

1. An examination of records or financial accounts to check their accuracy.

2. An adjustment or correction of accounts.

3. An examined and verified account.

v. au·dit·ed, au·dit·ing, au·dits

v.tr.

1. To examine, verify, or correct the financial accounts of: Independent accountants audit the company annually. The IRS audits questionable income tax returns.

2. To attend (a course) without requesting or receiving academic credit.

v.intr.

To examine financial accounts.

[Middle English (influenced by auditor, auditor), from Latin audtus, a hearing, from past participle of audre, to hear; see au- in Indo-European roots.]

au dit·a·ble adj.

Audit Business Continuity

An organization should provide for the independent audit if its Business Continuity Management system’s competence and capability to identify actual and potential shortcomings. It should establish, implement and maintain procedures for dealing with these. Independent audits should be conducted by competent persons, whether internal or external

Source: BS25999-1:2006; 9.5.5

Business Continuity

Business Continuity is the strategic capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level.

Source: BS25999-1:2006; 2.2

Business Continuity Institute

The Business Continuity Institute (BCI) was established in 1994 to enable individual members to obtain guidance and support from fellow business continuity practitioners. The BCI currently has over 4000 members in 85+ countries.

Professional membership of the BCI provides internationally recognized status as this valued certification demonstrates the members’ competence to carry out business continuity management (BCM) to a consistent high standard.

In order to apply for full membership of the Institute it is necessary to first obtain a ‘Pass with Merit’ of the Certificate of the Business Continuity Institute. Following the introduction of the BCI Certificate in 2007, a non-membership credential was launched in April 2008 – CBCI. Holders of the CBCI have achieved success in the BCI Certificate demonstrating a through knowledge and understanding of the BCI’s Good Practice Guidelines. Holders of the CBCI may proceed to professional membership of the BCI if they can also prove practical experience of BCM to supplement their knowledge and understanding.

2007 also saw the launch of the BCI Partnership enabling organizations to work more closely with the Business Continuity Institute to deliver the overall BCI mission of:

Promoting the art and science of business continuity management worldwide

The wider role of the BCI and the BCI Partnership is to promote the highest standards of professional competence and commercial ethics in the provision and maintenance of business continuity planning and services.

The BCI is the world’s most eminent BCM institute and the name is instantly recognized as standing for good practice and professionalism.

From: Wikipedia, the free Encyclopedia

Business Continuity Management

Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Additionally, it involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall program through training, exercises and reviews to ensure the business continuity plan(s) stays current and up-to-date.

Source: BS25999-1:2006; 2.3

Business Continuity Manager

The individual in charge of a group of individuals functionally responsible for directing the development and execution of the business continuity plan, as well as responsible for declaring a disaster and providing direction during the recovery process, both pre-disaster and post-disaster.

Disaster Recovery Journal (DRJ)

Business Continuity Methodology

A holistic process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of that organization’s key stakeholders, reputation, brand and value creating activities.

Business Continuity Plan

A Business Continuity Plan (BCP) is a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable pre-defined level.

Source: BS25999-1:2006; 2.6

Business Continuity Planning

Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan.

In plain language, BCP is working out how to stay in business in the event of disaster. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

BCP may be a part of an organizational learning effort that helps reduce operational risk associated with lax information management controls. This process may be integrated with improving information security and corporate reputation risk management practices.

In December 2006, the British Standards Institution (BSI) released a new independent standard for BCP — BS 25999-1. Prior to the introduction of BS 25999, BCP professionals relied on BSI information security standard BS 7799, which only peripherally addressed BCP to improve an organization’s information security compliance. BS 25999′s applicability extends to organizations of all types, sizes, and missions whether governmental or private, profit or non-profit, large or small, or industry sector.

In 2007, the BSI published the second part, BS 25999-2 “Specification for Business Continuity Management”, that specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS).

In 2004, the United Kingdom enacted the Civil Contingencies Act 2004, a statute that instructs all emergency services and local authorities to actively prepare and plan for emergencies. Local authorities also have the legal obligation under this act to actively lead promotion of business continuity practices amongst its geographical area.

From: Wikipedia, the free Encyclopedia

Business Continuity Process

That process that provides guidance on good practices that cover the whole Business Continuity Management (BCM) lifecycle and combines five (5) key elements: (1) Understanding your business, (2) BCM strategies, (3) Developing a BCM response, (4) Establishing a BCM culture, and (5) Exercising, Maintenance and Audit.

Disaster Recovery Journal (DRJ)

Business Continuity Strategy

An approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Plans and methodologies are determined by the organization’s strategy. There may be more than one solution to fulfill an organization’s strategy. Examples: Internal or external hot-site, or cold site, Alternate Work Area reciprocal agreement, Mobile Recovery, Quick Ship / Drop Ship, Consortium-based solutions, etc.

Disaster Recovery Journal (DRJ)

Business Impact Analysis (BIA)

A process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a business continuity event.

Disaster Recovery Journal (DRJ)

Compliance

-noun

1. the act of conforming, acquiescing, or yielding.

2. a tendency to yield readily to others, esp. in a weak and subservient way

3. conformity; accordance; in compliance with orders.

4. cooperation or obedience: Compliance with the law is expected of all.

5. Physics: (a) the strain of an elastic body expressed as a function of the force producing the strain; and (b) a coefficient expressing the responsiveness of a mechanical system to a periodic force.

Contingency Plan

A plan used by an organization or business unit to respond to a specific systems failure or disruption of operations.

Disaster Recovery Journal (DRJ)

Contingency Planning

A process of developing advanced arrangements and procedures that enable an organization to respond to an undesired event that negatively impacts the organization.

Disaster Recovery Journal (DRJ)

Crisis Management

The overall coordination of an organization’s response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organizations’ profitability, reputation, and ability to operate.

Disaster Recovery Journal (DRJ)

Disaster Recovery

The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions.

Disaster Recovery Journal (DRJ)

Disaster Recovery Training

Methods, classes and/or coursed that teach you the methods in identifying vulnerabilities and takes appropriate countermeasures to prevent and mitigate failure risks for an organization. It also provides the networking professional with a foundation in disaster recovery principles, including preparation of a disaster recovery plan, assessment of risks in the enterprise, development of policies, and procedures, and understanding of the roles and relationships of various members of an organization, implementation of the plan, and recovering from a disaster.

Information Security

The securing or safeguarding of all sensitive information, electronic or otherwise, which is owned by an organization.

Disaster Recovery Journal (DRJ)

Information Security Policy

A guideline document written by an organization intended to help it’s employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of the organization without proper authorization.

SANS Institute

Risk Analysis

The process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Disaster Recovery Journal (DRJ)

Risk Assessment

Disaster Recovery Journal (DRJ)

Risk Management

The culture and processes and structures that are put in place to effectively manage potential negative events. As it is not possible or desirable to eliminate all risk, the objective is to reduce risks to an acceptable level.

Disaster Recovery Journal (DRJ)

Security

security. (n.d.). The Free On-line Dictionary of Computing. Retrieved, from Dictionary.com website: http://dictionary.reference.com/browse/security

security. Dictionary.com. The Free On-line Dictionary of Computing. Denis Howe. http://dictionary.reference.com/browse/security .

“security.” The Free On-line Dictionary of Computing. Denis Howe. 13 Aug. 2009. <Dictionary.com http://dictionary.reference.com/browse/security>.

Dictionary.com, “security,” in The Free On-line Dictionary of Computing. Source location: Denis Howe. http://dictionary.reference.com/browse/security. Available: http://dictionary.reference.com.

BibTeX Bibliography Style (BibTeX)

@article {Dictionary.com2009,
title = {The Free On-line Dictionary of Computing},
month = {Aug},
day = {13},
year = {2009},
url = {http://dictionary.reference.com/browse/security},