Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)

Related Terms: Business Impact Analysis (BIA), Continuity of Operations Plan (COOP),

DRP and BCP are sometimes used interchangeably - but there is a difference.

BCP – Answers how a company continues operations after a disruptive event

Proactive

Strategic, long term focus

Focus is on Prevention

Last line of defense against uncontrolled risks

DRP – Answers what happens when a disaster occurs and how IT systems are restored after an event

Reactive

Short term focus

Is a subset of BCP

Involves: recovery of data center, business operations, business locations, business processes

On a Timeline:

------/Event/---------------------------------------------/ ------------------------/ ----------------

BCP Backup Site Normalize BCP
Disaster Recovery Activities Complete Recovery

BCP Project

1. Project Initiation
a. Scope project (goals, priorities)
b. Put someone in charge
c. Look at available resources (to devote to this project)
2. Current State Assessment
a. Gather Information (Risk Assessment)
b. Pen Testing
c. Business Impact Assessment (Get this info from Vulnerability Assessment)
d. Benchmarking
 3. Design and Development
4. Implementation Phase
a. Testing
b. Tabletops, etc.
5. Management Phase – Update personnel charts, train, test.

BCP Components

ID and triage all threats (That’s from the BIA)

Assess likelihood and impact of each threat

Plan for Contingences

Take actions (Like build controls) to minimize impact of risks when they arise

Recover

BCP Deliverables

Risk Analysis and Business Impact Reports

Risk Analysis – Probability of Loss, What are threats. What are critical systems and info?

1. ID Assets
2. What threatens the Assets (What are Vulnerabilities)
3. What can we do to protect the assets and mitigate the vulnerabilities
4. Document this
5. Test
6. Train
7. Repeat

Disaster Recovery Involves

A Plan for Testing

A Plan for Training

A Plan for keeping everything up to date

Here are general steps involved in creating a Business Continuity Plan:

1. Risk Assessment: Identify potential risks and threats to the organization. This will help to
prioritize and focus planning efforts.

2. Business Impact Analysis (BIA): Assess and prioritize business functions and processes,
determining which are critical to survival. The BIA helps identify how different threats will impact
business operations and the potential losses in various scenarios.
 3. Recovery Strategy Development: Based on the results of the BIA, create strategies to recover
the most critical functions. This may involve setting up alternate locations, diversifying suppliers,
backing up data in multiple places, etc.

4. Plan Development: Write the Business Continuity Plan. This is the detailed roadmap that will be
followed during and after a disruption. It includes lists of key personnel, their roles,
communication strategies, relocation plans, IT recovery strategies, and more.

5. Training & Testing: Train the relevant personnel so that they are aware of the plan and their
respective roles. Regularly test the plan to ensure its viability and to keep it up-to-date.

6. Review & Update: As the business environment and potential risks change, it's important to
revisit and update the BCP regularly.

Business Impact Analysis – Answers the question – How long can we go when compromised?

Goal: What is Maximum Allowable Downtime for any given system – EG Hospital

Immediate Recovery – No Downtime allowed (eg electricity, computers for emergency

room)

Quick Recovery – 4 hours of downtime allowed (Kitchen/Food)

Same Day Recovery – 8 Hours (Janitorial, Sheets)

24 Hour Recovery (Billing, Accounting)

72 Hour Recovery (Parking Lot Open again)

Greater than 72 Hours (Landscaping, etc.)

Prioritze what are my most important business functions.

Use this to calculate Business Impact

The Vulnerability Assessment is a subset of the Business Impact Analysis.

Smaller than a full risk assessment

Only address the Critical Business infrastructure

DRP – Back up solutions

1. Electronic Vault – (Warm) Batch processes, remote server

2. Remote Journalling – Hot, real time
 3. Database Shadowing (Same as 2, but in multiple locations)
4. Duplexing – Exact Copy of everything

Here are some sample Questions you might see regarding these topics.

Which of the following is NOT a part of a good BCP?

a. Post- Disaster Recovery
b. Fiscal Budget Forecasting
c. Backup Operations
d. Emergency Response

What is the difference between the BCP and the DRP?

e. The BCP deals with restoration of business processes while the DRP deals with
restoration of the critical information systems that support business processes.
f. BCP deals with restoration while the DRP deals with recovery from disaster
g. BCP deals with long term resource upgrades over time to deal with incidents while DRP
deals with restoration of the critical information systems that support business
processes.
h. The differences are minor in that BCP deals with processes before a disaster while DRP
deals with what is done just after the disaster

Which statement is true?

i. BCP is focused on long term while DRP is short term
j. BCP is short term while DRP is long term
k. BCP and DRP are long term
l. Timeframe is only relevant to BCP

Which of the following BEST describes the primary objective of Business Continuity Planning (BCP)?

A) Detecting cyber threats.

B) Monitoring network traffic.
C) Ensuring operational continuity during and after disruptions.
D) Upgrading IT infrastructure.
Answer: C) Ensuring operational continuity during and after disruptions.

Explanation: BCP focuses on maintaining and restoring business operations in the event of disruptions,
not on threat detection, network traffic, or infrastructure upgrades.
Which phase of BCP involves determining which business functions are essential to the organization's
survival?

A) Risk Assessment
B) Business Impact Analysis (BIA)
C) Recovery Strategy Development
D) Review & Update
Answer: B) Business Impact Analysis (BIA)

Explanation: BIA is the phase where the critical functions of an organization are identified and
prioritized.

Which document provides detailed technical steps to recover IT systems following a

disruption?

A) Business Continuity Plan

B) Disaster Recovery Plan
C) Incident Response Plan
D) Security Policy Document
Answer: B) Disaster Recovery Plan

Explanation: A Disaster Recovery Plan focuses specifically on the recovery of IT systems and data after an
adverse event.

Which of the following BEST ensures that an organization's BCP is effective and current?

A) Regular auditing
B) Yearly training sessions
C) Regular testing and reviews
D) Daily monitoring of network traffic
Answer: C) Regular testing and reviews

Explanation: Regular testing and reviews of the BCP ensure its applicability, effectiveness, and readiness
in the face of potential disruptions.

Which strategy involves duplicating data in real-time to ensure its immediate availability after
an adverse event?

A) Backups
B) Checkpoints
C) Mirroring
D) Archives
Answer: C) Mirroring

Explanation: Mirroring is the process of creating an exact replica of data in real-time to another system
or site.

In which type of site would you find fully operational and ready-to-use systems and data?

A) Cold site
 B) Warm site
C) Hot site
D) Mirror site
Answer: C) Hot site

Explanation: A hot site is a disaster recovery solution that has fully operational systems, applications,
and data ready to take over operations immediately after a disaster.

Which of the following is the PRIMARY goal of a Business Impact Analysis (BIA)?

A) Identify vulnerabilities in the system.

B) Calculate the cost of potential solutions.
C) Determine the potential effects of disruptions on critical business functions.
D) Detect intrusion attempts on the network.
Answer: C) Determine the potential effects of disruptions on critical business functions.

Explanation: BIA is used to understand and prioritize the impact of potential disruptions on the
organization's most vital functions.