CISSP For Dummies

By now you’ve defined the scope of the BCP project and developed the Business Impact Assessment, Criticality Analysis and MTDs. Here’s what you know so far:

• You know what portion of the organization is included in the plan.

• You know, of this portion of the organization, which business functions are so critical that the business would fail were these functions to be interrupted for long (or even short) periods of time.

• You have some idea of the degree of impact on the business when one of the critical functions fails. This idea comes from quantitative and qualitative data.

The hard part of the Business Continuity Project begins now: This is where you develop the strategy for continuing each critical business function when disasters occur. This is known as the Continuity Strategy.

Developing a Continuity Strategy is the time for looking at the excruciating details of critical business functions. This is the time for strong coffee, pizzas, buckets of Rolaids, and cool heads.

Identifying success factors

The critical success factors for this important and time-consuming phase of the project include

• Call things as you see them: No biases. No angles. No politics. No favorites. No favors. This isn’t the time for screwing around - you’re trying to save the business before the disaster strikes.

• Build smaller teams of experts: Each critical business function should have teams dedicated to just that function. That team’s job is to analyze just one critical business function and figure out how it can be made to continue despite a disaster of some sort. Pick the right people for each team - people who really understand the details of the business process being examined.

• Brainstorm: Proper brainstorming considers all ideas, even silly ones (to a point). Even a silly idea can lead to a good idea.

• Have teams share results with each other: Teams working on individual continuity strategies can learn from each other. Each team can share highlights of its work over the past week or two. Some of the things that they say will spark ideas on other teams. The entire effort will be better off for it.

• No competition or politics in or between teams: Don’t pit teams against each other. This is not a zero-sum game: Everyone needs to do an excellent job.

• Retain a BCP mentor/expert: If your organization doesn’t have experienced business continuity planners on staff, you need to bring in a consultant - someone who has helped to develop plans for other organizations. Even more important than that - someone who has been there when disaster struck and who saw the BCP in action.

It is amazing what you can accomplish if you don’t care who gets the credit. Nowhere is this more true in business than in Business Continuity Planning. A BCP project is a setting where people will jostle for power, influence, and credit.

These forces must be neutralized. Business Continuity Planning should be apolitical, meaning differences and personal agendas are set aside. Only then is there a reasonable chance of success. The business, and its employees and customers, deserve nothing less.

Simplifying large or complex critical functions

Some critical business functions may be too large and complex to examine in one big chunk. Complex functions can be broken down into smaller components, perhaps like this:

• People: The team can identify the critical people - or more appropriately, the critical subfunctions - required to keep the function running.

• Facilities: In the event that the function’s primary facilities are unavailable, where will the function be performed?

• Technology: What hardware, software, and other computing/network components support the critical function? If parts or all these components are unavailable, what other equipment will support the critical business functions? Will the functions be performed any differently?

• Miscellaneous: What supplies, other equipment, and services are required to support the critical business function?

Analyzing processes is like disassembling Tinker Toy houses - you’ve got to break them down to the individual component level. You really do need to understand each step in even the largest processes in order to be able to develop good continuity plans for them.

If a team analyzing a large complex business function breaks into groups such as these listed here, these groups need to get together frequently to ensure that their respective strategies eventually become a cohesive whole. Eventually, these four (or whatever number) groups need to come back together and integrate their separate materials into one complete plan.

Documenting the strategy

Now for the part that everyone loves: documentation. The details of the continuity plans for each critical function must be described in minute detail, step by step by step.

Why? The people who develop the strategy may very well not be the people who execute it. The people who develop the strategy may change roles in the company or change jobs altogether. Or, the scope of an actual disaster may be wide enough that the critical personnel just aren’t available. Any skeptics should consider September 11 and the impact that this disaster had on a number of companies that lost practically everyone and everything.

Most of us don’t do Business Continuity Planning for a living. Although we may be the experts on our business processes, we’re not necessarily the right people for knowing all the angles of contingency planning.

Turn this question around for a minute: What would you think if an IT shop developed a security strategy without having a security expert’s help? Do you think that this would result in a sound, viable strategy?

The same argument fits equally well with BCP.

For the remaining skeptics, do yourself a favor: Hire a BCP expert for just a short time to help validate your framework and plan. If your expert says that your plan is great, then you can consider it money well spent to confirm your suspicions. If the consultant says that your plan needs help, ask for details on where and how. Then you decide whether to rework and improve your plan.

When disaster strikes, it’s too late to wish that you had a good business continuity plan.

Best practices for documenting Business Continuity Plans exist. Here is another reason to have that expert around. For $300 an hour, a consultant can spend a couple of weeks developing templates. But watch out - your consultant might just download templates from a BCP Web site, tweak them a little bit, and spend the rest of his time playing World of Warcraft.