VOLUME DISKSET 1
DISK 1: Project Initiation and Management
Organizing and managing resources in such a way that these resources deliver all the work required to complete a full business continuity program within defined scope, time, and cost constraints. Setting the vision, mission, goals, and objectives of the program as it relates to the policies of the entity. Establishing and defining responsibilities for the program finance authority, including its reporting relationships to the program coordinator. Designing the processes for a Business Continuity Management (BCM) program, which would include obtaining management support and organizing and managing the process. This phase is discussed in relation to the key elements of disaster/emergency management project initiation and management. A Business Continuity Program is an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.
DISK 2: Risk Evaluation and Control
Risk is the possibility of loss, damage, or any other undesirable event, and its evaluation and control lend themselves to a systematic and comprehensive methodology. A comprehensive risk assessment identifies the range of possible hazards, threats, or perils that have or might impact the entity, surrounding area, or critical infrastructure supporting the entity. Events that can affect the entity and controls that can be utilized to mitigate the effects of potential loss. How to identify hazards, the likelihood of their occurrence, and the vulnerability of people, property, the environment, and the entity itself to those hazards.
DISK 3: Business Impact Analysis
Identifying the critical and time-sensitive applications, vital records, processes, and functions that shall be maintained, as well as the personnel and procedures necessary to do so, their recovery priorities, and inter-dependencies so that recovery time objectives can be set. Techniques for analysis based on both the quantifiable and qualifiable impacts. Determining which hazards are most likely to occur; what entity facilities, functions, or services are affected based on their vulnerability to that hazard; what actions will most effectively protect them; and the potential impact on the entity. Documenting impacts to the entity in terms of time, money, people, materials, energy, space, provisions, communication, quality, etc. Considering the impact external to its area of influence that can affect the entity’s ability to cope with a disaster/emergency.
DISK 4: Developing Business Continuity Management Strategies
Developing and implementing a strategy to eliminate hazards or mitigate the effects of hazards that cannot be eliminated. Selecting business operating strategies for continuation of business within the recovery point objective and recovery time objective that will allow for maintaining the organization’s critical functions. Basing it on the results of hazard identification and risk assessment, impact analysis, program assessment, operational experience, and cost-benefit analysis. Considering the resource capability shortfalls and the steps necessary to overcome any shortfalls. Determining roles and responsibilities for functions. Establishing interim and long-term actions to reduce the risks from hazards such as protective systems or equipment that can reduce the probability of occurrence or the severity of consequences.
DISK 5: Emergency Response and Operations
Assigning responsibilities to the entity and individuals for carrying out specific actions at projected times and places in an emergency or disaster. Procedures for response and stabilizing the situation, including an Emergency Operations Center. Directing, controlling, and coordinating response operations. Developing procedures including life safety, incident stabilization, and property conservation.
BONUS DISK 1: WORKBOOK
VOLUME DISKSET 2
DISK 6: Developing and Implementing Business Continuity and Crisis Management Plans
Written plans using strategies based on the short-term and long-term priorities, processes, vital resources, and acceptable time frames for restoration of services, facilities, programs, and infrastructure, that provide continuity within the recovery time and recovery point objectives. Including the critical and time-sensitive applications, vital records, processes, and functions that shall be maintained, as well as the personnel and procedures necessary to do so, while the entity is being recovered. Developing procedures and policies for coordinating response, continuity, and recovery activities. Directing, controlling, and coordinating response operations.
DISK 7: Awareness and Training Programs
Developing and implementing a training/educational curriculum to support the program and increase the entity's awareness of the program. Supporting the Business Continuity Management Program through supporting activities.
DISK 8: Maintaining and Exercising Plans
Pre-planned exercises which are evaluated and documented to exercise such areas as the logistical capability and procedures to locate, acquire, store, distribute, and account for services, personnel, resources, materials, and facilities procured or donated to support the program. Evaluating the program plans, procedures, and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises. Establishing procedures to ensure that corrective action is taken on any deficiency identified in the evaluation process and to revise the plan. Developing processes to maintain the currency of continuity capabilities and the plan document in accordance with the entity's vision and mission. Reporting results in such a way that they are usable to management in improving the program.
DISK 9: Crisis Communications
Addressing communication needs and capabilities to execute all components of the response and recovery plans, and the inter-operability of multiple responding organizations and personnel. Designing, utilizing and implementing an incident management system that can be used for communication and coordination with resources identified within the plan and others. Designing procedures for response to requests for pre-disaster, disaster, and post-disaster information. Developing, coordinating, evaluating, and exercising plans to communicate with employees, management, families, vendors, suppliers, the media and others.
DISK 10: Coordination with External Agencies
Establishing procedures for coordinating continuity and restoration activities with external agencies while making sure the actions are in compliance with applicable statutes or regulations.
BONUS DISK 2: QUESTIONS AND ANSWERS
Actual questions from students of a Redmond Worldwide Teleseminar on the areas of Business Continuity with responses from Ms. Michael C. Redmond.
DISK 11: Risk Assessment General Background
Delves into the risk categories including reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, outsourcing, people, technology and knowledge. Conducting an economic and financial impact analysis to arrive at a general loss expectancy that demonstrates what is at risk and to guide measures to mitigate the effects of a disaster/emergency. Failure mode and effects analysis (FMEA): Each element in a system is examined individually and collectively to determine the effect when one or more elements fail. Fault-tree analysis (FTA): This is a top-down approach where an undesirable event is identified and the range of potential causes that could lead to the undesirable event is identified.
DISK 12: Gap Analysis
Overview of a Business Continuity Program Gap Analysis starting with the development of a Gap Analysis Checklist. This is a list of recommended requirements from sources such as NFPA 1600, Disaster Recovery Institute, FFIEC, HIPAA, etc., documented in a “report card”. Gap assessment is a preparedness evaluation to know where the program is now versus what is preferred practice for planning activities. Tips for Quality: Assessments as a mechanism to keep your program up to date and ready. Scope, administration, management issues, program evaluation. Key components of a Gap Analysis such as report considerations and communicating assessment results as well as control of assessment information and legal issues that must be considered.
DISK 13: RESTORATION PLANNING
When a catastrophe of any kind occurs, whether it's fire, smoke, water, wind, oil/chemical spill, biological hazard, explosion or radiological release, the best approach is a rapid, safe and thorough remediation. Restoration is the process of planning for and/or implementing procedures for the repair of hardware, relocation of the primary site and its contents, and returning to normal operations at the permanent operational location. Three questions: What's damaged, who's fixing it and who's paying for it. Performing a coordinated assessment to determine the appropriate actions to be performed on impacted assets. The assessment can be coordinated with insurance adjusters, facilities personnel, or other involved parties. Appropriate actions may include: disposal, replacement, reclamation, refurbishment, recovery or receiving compensation for unrecoverable organizational assets.
Business Continuity/Disaster Recovery Professional Practices
NFPA 1600, The US National Preparedness Standard on Disaster / Emergency Management & Business Continuity Programs (NFPA 1600)
DRII, Disaster Recovery Institute International and BCI, Business Continuity Institute
DRII sets standards that provide the minimum acceptable level of measurable knowledge, thus providing a baseline for levels of knowledge and capabilities. Accordingly, in 1997, DRII, together with BCI, published the Professional Practices for Business Continuity Planners as the industry's international standard.
FFIEC, The Federal Financial Institutions Examination Council, is an interagency body set out to dictate policies, standards, and report forms for the scrutiny of financial institutions by the Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance Corporation, National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
HIPAA, The Health Insurance Portability and Accountability Act, was enacted by the U.S. Congress in 1996. The HIPAA Security Rule 164.308(a)(7)(i) identifies Contingency Plan as a standard under Administrative Safeguards. Contingency plans address the “availability” security principle. The availability principle addresses threats related to business disruption, so that authorized individuals have access to vital systems and information when required.
Sarbanes Oxley, 404 - The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or SarbOx; July 30, 2002). Section 404 of the Act mandates that adequate "internal controls" exist to ensure compliance. SOX clearly states a harsh set of fines and other punishments for failure to comply with the law; however, it doesn't offer any leeway when it comes to being unable to meet your requirements due to a disaster or other data-loss event. Entities must be able to file reports and have the data to back them up, no matter what else may be going on in the organization or its data center. SOX details what must be reported from a financial view of the corporation, and when those reports must be made. It also details guidelines for internal compliance operations to ensure that these reports can be created on time and accurately. The SOX requirements have serious implications for DR planning.
COSO, the National Commission on Fraudulent Financial Reporting, was created in 1985. This is also known as the Treadway Commission. They made a number of recommendations that directly addressed internal controls.
FMECA, Failure Mode, Effects, and Criticality Analysis, dates back to a U.S. military report from 1949. Since then, FMECA (also known as simply FMEA) has spread from just pre-disaster maintenance and evolved today to become an important part of restoration risk analysis and restoration management.
In addition, when developing these CDs, thought was given to regulatory considerations such as: