Business Continuity Management, Framework, Planning Lifecycle, - PowerPoint PPT Presentation

Provided by: Owne1322

Transcript and Presenter's Notes


1
  • Business Continuity Management, Framework,
    Planning Lifecycle, & ITD Implementation Strategy

2
Objectives
  • To establish a framework for a policy governing
    Business Continuity Planning for the Commonwealth
    of Massachusetts
  • Provide a framework for the type of Business
    Continuity services ITD offers to Agencies

3
Business Continuity Planning Lifecycle
Step 1: Initiate Business Continuity Program
Step 2: Conduct Business Impact Analysis & Risk Assessment
Step 3: Develop Recovery Strategies
Step 4: Document Business Continuity Plan
Step 5: Test Business Continuity Plan
Step 6: Update Business Continuity Plan
  • The Business Continuity Planning Lifecycle is
    comprised of 6 steps, guiding coordinators
    through their planning efforts.
  • The methodology follows industry best practices
    as described by DRII and ITIL.
  • Business Continuity is not a one-time project; it
    is an ongoing program that will mature over time.

4
Step 1: Initiate Business Continuity Program
  • Obtain executive sponsorship
  • Educate management stakeholders on BC
  • Gain approvals and support
  • Review roles and responsibilities
      • Agency Steering Committee
      • Plan owner
  • Understand the agency's current state of BC
    readiness and prior work efforts
  • Create BCM Project Plan
      • Scope
      • Timelines

5
Step 2: Conduct Business Impact Analysis & Risk Assessment
  • Business Impact Analysis (BIA)
      • A process designed to prioritize essential
        business functions by assessing quantitative and
        qualitative impacts
      • Identify resource dependencies (e.g., telecom,
        vital records, staffing, etc.)
      • Recovery Time Objectives (RTO)
      • Recovery Point Objectives (RPO)
  • Risk Assessment (RA): Process of identifying the
    risks & probabilities to an organization
      • Review of potential risks to the business
        processes
      • Review of Technical Infrastructure and data
        dependencies
      • Identify gaps between function RTO & technical
        RPO

6
Step 3: Develop Recovery Strategies
  • Identify process recovery strategies based on the
    BIA and RA data
  • Recommend risk mitigation measures
  • Develop alternative strategies to meet the agency
    RTO/RPO requirements
  • Prepare cost benefit analysis & timeline for
    recommended solutions
  • Evaluate alternative strategies
  • Present to Agency Leadership
  • Document alternative strategy decisions

7
Step 4: Document Business Continuity Plan
  • Document recovery strategies & procedures
  • Define roles & responsibilities
  • Scripts and Checklists
  • Create activation procedures
  • Detail Communication / Notification procedures
  • Establish command and control requirements

8
Step 5: Test Business Continuity Plan
  • No Business Continuity Plan should be considered
    complete unless tested
  • Testing Objectives
      • Assess the Business Continuity Team's ability to
        respond.
      • Clarify roles and responsibilities of Team
        members
      • Ensure agency Business Continuity Plans contain
        appropriate information and instructions.
  • Conduct post-exercise evaluation to identify and
    share lessons learned & opportunities for
    improvement

9
Step 6: Update & Maintain Business Continuity Plan
  • Business Continuity Plans are updated as
    appropriate based on lessons learned from
    exercises, real events requiring plan activation,
    essential process changes and team member
    updates.
  • Republish and distribute updated Plans to
    appropriate stakeholders
  • Regular awareness training for agency staff

10
ITD BCP Implementation Strategy
Step 1: Initiate Business Continuity Program
Step 2: Conduct Business Impact Analysis & Risk Assessment
Step 3: Develop Recovery Strategies
Step 4: Document Business Continuity Plan
Step 5: Test Business Continuity Plan
Step 6: Update Business Continuity Plan
  • Phase 1 (Steps 1 & 2)
      • Business Impact Analysis
      • Technical Assessment
      • Gap Assessment
  • Phase 2 (Steps 3 & 4)
      • Strategy Selection
      • BC Plan Development
  • Phase 3 (Steps 5 & 6)
      • BCP Testing
      • Plan Maintenance
  • Continue with BCP Program lifecycle maturity
  • Turnover to agency for BCP program oversight

11
Definitions
  • BC - Business Continuity is the ability of an
    organization to maintain its viability, while
    continuing to provide service and support to its
    customers, before, during, and after an event
  • BIA - Business Impact Analysis is a process
    designed to prioritize business functions by
    assessing the potential impacts that might result
    if an organization was to experience a business
    interruption
  • DR - Disaster Recovery is the ability of an
    organization to recover its Information
    Technology (IT) resources, i.e., infrastructure,
    databases, and applications
  • ITA - Information Technology Assessment is the
    process of identifying dependent critical
    applications and IT infrastructure and
    determining if their RTOs align with the business
    function RTO
  • RTO - Recovery Time Objective is the period of time
    within which systems, applications, or functions
    must be recovered after a business interruption
  • RPO - Recovery Point Objective is the maximum
    amount of data loss an agency can sustain
    as a result of an event
