This is Jose Castro, Channel Manager with Superb Internet Corp. and IT consultant. While working for a Managed Services Provider in the year 2001 and 2002 I learned how important and critical it is to have a BCP (Business Continuity Plan). After all, without your data: Can you continue doing business normally?
The first step towards creating a serious BCP is to identify the potential disasters one by one and determining what the potential impact might be on your business. In order to generate a professional and sound BCP, you have to understand the degree of the potential loss, which could occur. Some of the factors you could identify are: Financial loss, lost of customer confidence, damage to your reputation, data loss, to name a few. Having a good grasp and understanding of the potential incident and its impact on your business, will help you generate a solid BCP. One of the pillars, in which you will build the foundation of your BCP, is to work on your Business Impact Analysis (BIA). The BIA is the understanding of the incidents and the potential impact of each of them when a disaster occurs.
There are several methods; one of the most widely used is COBRA (Consultative, Objective and Bi-Functional Risk Analysis). For the sake of this article, we will discuss the basics elements that need to be included in pretty much any risk assessment methodology, including COBRA, of course.
Business / Impact:
The main objective is to identify the significance of each of your systems and data. The result of your study will help you determine which areas need the most attention (example: MS SQL database: critical importance. The result of your analysis will help you identify that your MS SQL database is critical and extremely important to your success. As a result you will concentrate your efforts in having a “hot-hot” or “active-active” backup plan, which in essence will replicate your MS SQL database in real time. This is called a fail-over solution; if one database “dies” the other system takes over in real time).
System Audit:
Performing an audit will help you determine what systems are less vulnerable to attacks or disasters, what your current processes and practices are, and what procedures you employ. The bottom line is to identify what procedures you have adapted and the objective is to improve your current practices, processes and procedures (example: since your current web server is exposed 24x7 to the Internet, you need to understand what your current plan is to deal with DoS attacks, Trojans, Hacker attacks and a number of malicious practices). Defining how secure is your system (Business / Impact) and what your procedure is to deal with the potential risks (System Audit) will enable you to fully understand what areas need improvement and which need to be more elaborated).
Contingency:
The objective is to define a contingency plan. Once you have analyzed your business and the potential impact of a disaster on each of your systems and having performed a system audit to understand and improve your current processes and procedures, the next step is to define what the contingency plan will be all about.
Some important parameters:
-Backup practice and policy
-What systems will be backed up and what policy will be implemented for each system
-Recovery plan (define the process to recover your data and the time in which the data will be recovered)
-The recovery location (define if you need to set up a location somewhere else to quickly host your data)
-Network Contingency (more likely you outsource your systems to a Tier 1 hosting provider, you need to understand whether or not the Network you are in is bullet proof and fault tolerant)
System Design:
The main objective is to plan, design and implement the new contingency plan. It is absolutely important to define what systems will be needed to support your new Business Continuity Plan.
Development and Control:
Once you have defined what you will need to support your new BCP, you will need to develop your plan, new procedure, develop “in-house” or buy “outsource” an “out of the box” solution to replicate your data, design / develop or “outsource” a fail over solution (using either software or hardware, or perhaps both). Remember to go back to your Business / Impact analysis: Each system must have a priority. From this exercise you will generate a report prior to defining what your entire BCP will be.
Reporting:
From your report, you will conclude what you will need in terms of personnel, budget, IT systems, time, etc. The reporting aspect will be your guide to complete your Business Continuity Plan.
Most of you are business owners and while IT is your forte, Security and Risk assessment might not be. I highly suggest working hand by hand with a security expert or consultant to complete your entire BCP.
If you require any recommendations or assistance prior to generating your own BCP, give me a quick call or drop me a line and I will be happy to point out some options available to you out there.
I hope this article added value to your day.
Kind Regards,
Jose.
Jose Castro - Channel Manager, Superb Internet Corporation
JCastro@Superb.Net
1-888: 1.888.354.6128 x 208
ICQ: 267648779 - MSN:
perupoint@hotmail.com
Business Continuity Plan (BCP) Do you have one?
