SPYRUS Policies and Procedures - Business Continuity Plan
The Business Continuity Plan (BCP) is required by the security standards on which the PKI is based and is stated as a requirement in the Certificate Policy (CP). The BCP describes the policy and the procedures that allow the business to continue operating in the event of unexpected contingencies that interrupt it in any way. The BCP is an internal document, but it should be subject to external review for audit and accreditation purposes.
Business continuity planning has also been called business resumption planning and disaster recovery. Both of those terms, however, leave out an essential element: continuing to conduct business while the contingency is in progress. It is simply sound business practice to have procedures in place to keep operating, even at reduced capacity, should the unexpected disrupt the business. The term "disaster recovery" has come to be associated with IT systems, hardware, software and networks. Yet too often the plans put in place do not address all of the elements an IT system depends on, such as the people needed to run particular programs and tasks. Nor do they consider events that do not affect the IT systems themselves but their environment, making them unusable or inaccessible, such as a demonstration or a strike. Continuity planning based on a methodologically sound framework covers all foreseeable contingencies and promotes ongoing communication, training and testing, so that the plan remains effective over time.
Business continuity planning should also encompass elements of critical infrastructure protection, a particularly important consideration following 9/11. The Threat and Risk Assessment categorizes information and assets and provides a venue for identifying the critical infrastructure an organization depends on.
Business continuity planning is defined as planning to ensure the continued availability of essential services, programs and operations, including electronic business activity. It covers all of the resources those activities depend on: information, assets, people and facilities. It prepares the organization to recover from contingencies, defined as any event that may interrupt an operation or affect service delivery, and to continue business as usual, or as nearly as usual as possible.
Two factors are essential to successful business continuity planning: first, determining the nature of the business, and second, security management commitment. The nature of the business is the purpose, or raison d'etre, of the organization. Understanding that purpose lets planners focus on the functions the organization cannot do without. Defining the nature of the business is the responsibility of senior management, and the definition is usually found in statements of business objectives and requirements. Business continuity planning succeeds only with strong and visible support from management. Planning should also be undertaken on a broad scale, involving as many staff as possible, so that they understand and support it; only then will staff be prepared to act on the plan when needed.
The SPYRUS Business Continuity Plan template contains the following guidance:
- High-level description of the activities to be undertaken to develop, implement, test and maintain the plan;
- Detailed steps on plan development;
- Guidance on threat and risk assessment in the context of business continuity planning, and
- Checklist of elements and factors to be addressed in developing and maintaining the plan.
The SPYRUS template is comprehensive and based on standard methodology. It has been tested and found highly effective in assisting customers through difficult times - and surviving.